CN117676577A - An IPv6 single-stack campus 5G private network access method with endogenous security attributes - Google Patents

Info

Publication number
CN117676577A
CN117676577A (application CN202311542217.0A)
Authority
CN
China
Prior art keywords
ipv6
address
campus
user
private network
Prior art date
Legal status
Pending
Application number
CN202311542217.0A
Other languages
Chinese (zh)
Inventor
李冬
高源�
张洁卉
于俊清
章勇
杨华
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date
Filing date
Publication date
Application filed by Huazhong University of Science and Technology
Priority to CN202311542217.0A
Publication of CN117676577A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention belongs to the field of network security and in particular relates to an IPv6 single-stack campus 5G private network access method with endogenous security attributes, comprising the following steps: receiving a network access request from a terminal and authenticating the legitimacy of the terminal's user; sending, to the IPv6 real address generation server of the campus network, an IPv6 real address acquisition request corresponding to the terminal that has passed legitimacy authentication; and, after obtaining the corresponding IPv6 real address, returning it to the accessing terminal in the authentication message so that the terminal user can access the IPv6 single-stack campus 5G private network. The IPv6 real address is the leading 64-bit network ID of the IPv6 address with which the terminal user accesses the campus 5G private network; it is divided into an n-bit ISP ID and a (64-n)-bit info ID, where the info ID is obtained by mapping user identity information and, together with the information correspondences recorded during the mapping process, can be used for identity tracing. The generation and allocation of the IPv6 real address effectively guarantee the endogenous security of campus 5G private network access.

Description

An IPv6 single-stack campus 5G private network access method with endogenous security attributes

Technical field

The present invention belongs to the field of network security and, more specifically, relates to an IPv6 single-stack campus 5G private network access method with endogenous security attributes.

Background

IPv6 and 5G are two important technologies for China's construction of next-generation information infrastructure, and their convergence in the new era is an inevitable step in the development of information technology. In terms of 3GPP standard design and equipment implementation, 5G already supports IPv6 well, but how the technical advantages of IPv6 can be exploited in 5G networks to improve their overall capabilities is not clearly specified in the relevant 3GPP standards.

5G has three major characteristics: high data rates, massive connectivity and ultra-low latency. A 5G private network can extend the geographical reach of the campus network and provide campus users with high-quality network services, but it also brings security problems: because it serves many scenarios, a 5G private network has a large number of connections and carries more complex content, so it must have a complete addressing scheme and traceability scheme to ensure that the access behaviour of users and terminals can be traced. In networks based on traditional IPv4, NAT greatly expands the address space available for network access, but security auditing then requires the retention of massive logs.

The IPv6 address space is 128 bits wide and can carry more information. In traditional networks, related information is often embedded in the last 64 bits and the address is then delivered to the end user through DHCP, whereas IPv6 address allocation in 5G networks follows the 3GPP standards. The IPv6 address allocation process in a 3GPP network is basically the same as in an ordinary network: an interface identifier is first used to generate a link-local address, communication within the link scope begins, and after a network prefix is obtained from the router a globally usable IPv6 address is generated, completing address autoconfiguration. However, because bandwidth in wireless networks is particularly scarce, 3GPP modified some details of address autoconfiguration to save bandwidth, namely duplicate address detection is not performed; as a result, an IPv6 link may carry multiple network prefixes of different scopes, and the terminal device cannot generate further interface identifiers on its own. To overcome these shortcomings, the IETF proposed improvements in RFC 3314: a fixed 64-bit boundary separates the network prefix and the interface identifier in the global unicast address, i.e. the network prefix and the interface identifier are both 64 bits long. This means that each terminal must correspond to a unique 64-bit network prefix, which is then combined with the last 64 bits derived from the interface identifier to form the 128-bit IPv6 address.

However, in the existing allocation scheme the info ID part of the 64-bit IPv6 address prefix is allocated randomly. To guarantee security, the address allocation system must maintain the correspondence between each allocated address and its terminal, which produces a large volume of logs: on the one hand, a large-capacity storage system is needed to keep these logs; on the other hand, the logs are only useful for a limited time, and once storage is exhausted the user's identity can no longer be traced. Campus 5G private network access is convenient and not bound to a geographical location, but secure traceability is the key problem that current IPv6 access urgently needs to solve.

Summary of the invention

In view of the defects of, and need for improvement in, the existing technology, the present invention provides an IPv6 single-stack campus 5G private network access method with endogenous security attributes. Its purpose is to exploit the large IPv6 address space by embedding user identity information in the address, thereby establishing a correspondence between the IPv6 real address and the user's identity while protecting user privacy, so that the user's identity can be traced from the information embedded in the IPv6 address without querying massive logs and without time limits.

To achieve the above object, according to one aspect of the present invention, an IPv6 single-stack campus 5G private network access method with endogenous security attributes is provided; the method steps carried out by the campus 5G private network authentication server include:

receiving a network access request from a terminal and authenticating the legitimacy of the terminal's user;

sending, to the campus network IPv6 real address generation server, an IPv6 real address acquisition request corresponding to the terminal that has passed legitimacy authentication, and, after obtaining the corresponding IPv6 real address, returning it to the accessing terminal in the authentication message so that the terminal user can access the IPv6 single-stack campus 5G private network; where the IPv6 real address is the leading 64-bit network ID of the IPv6 address with which the terminal user accesses the campus 5G private network, divided into an n-bit ISP ID and a (64-n)-bit info ID, the info ID being obtained by mapping user identity information and usable, together with the information correspondences recorded during the mapping process, for identity tracing.

The present invention also provides an IPv6 single-stack campus 5G private network access method with endogenous security attributes; the method steps carried out by the campus network IPv6 real address generation server include:

receiving the IPv6 real address acquisition request sent by the campus 5G private network authentication server;

looking up the IPv6 real address of the terminal user corresponding to the address acquisition request and sending that address to the campus 5G private network authentication server, so that the IPv6 real address is allocated to the terminal user through the 5G private network and used by the terminal user to access the IPv6 single-stack campus 5G private network;

where the IPv6 real address is the leading 64-bit network ID of the IPv6 address with which the terminal user accesses the campus 5G private network, divided into an n-bit ISP ID and a (64-n)-bit info ID, the info ID being obtained by the campus network IPv6 real address generation server by mapping user identity information and usable, together with the information correspondences recorded during the mapping process, for identity tracing.

Further, the info ID is constructed as follows:

mapping the user identity information to a user network identity identifier UNID, and recording a first correspondence between the UNID and the user identity information;

computing the time difference hash value timehash between the nearest moment corresponding to the current time and the reference time; obtaining from timehash, through a second correspondence between time difference hash values and dynamic keys that is constructed in real time, the dynamic key for that moment; and using that key to encrypt the UNID with a symmetric cipher, obtaining the address identifier ciphertext preAID;

XORing the first half of preAID with its second half to obtain the address identifier AIDnTH, which has no embedded time hash, and recording a third correspondence between preAID and AIDnTH;

embedding the time difference hash value timehash into AIDnTH to obtain the address identifier AID with embedded time information, and recording a fourth correspondence between AID and AIDnTH;

truncating the address identifier AID, with its embedded time information, into an invisible AID and a (64-n)-bit visible AID, and recording a fifth correspondence between the visible AID and the invisible AID; the (64-n)-bit visible AID is the (64-n)-bit info ID.

Further, before the UNID is encrypted with the symmetric cipher, the method also includes:

computing the difference between the second-level timestamps of the current time and the reference time to obtain the time difference timeInfo, where the current time is the exact time in Beijing time and the reference time is New Year's Day of the current year in Beijing time; and concatenating the UNID and the time difference timeInfo into the address identifier plaintext rawAID;

in which case encrypting the UNID with the symmetric cipher specifically means encrypting the address identifier plaintext rawAID with the symmetric cipher to obtain the address identifier ciphertext preAID.

Further, mapping the user identity information to the user network identity identifier UNID is implemented as follows:

attribute information including the user name, mobile phone number and name is mapped through a hash algorithm to obtain a bit string; a number of bits are cut from that bit string, the user's additional information is determined from the user type information, and the two are combined to produce the user network identity identifier UNID.

The present invention also provides a campus 5G private network authentication server for carrying out the IPv6 single-stack campus 5G private network access method with endogenous security attributes described above, comprising:

an authentication unit for receiving a terminal's network access request and authenticating the legitimacy of the terminal's user;

an IPv6 real address acquisition unit for sending, to the campus network IPv6 real address generation server, an IPv6 real address acquisition request corresponding to the terminal that has passed legitimacy authentication and receiving the corresponding IPv6 real address, where the IPv6 real address is the leading 64-bit network ID of the IPv6 address with which the terminal user accesses the campus 5G private network, divided into an n-bit ISP ID and a (64-n)-bit info ID, the info ID being obtained by mapping user identity information and usable, together with the information correspondences recorded during the mapping process, for identity tracing; and for sending the IPv6 real address to the terminal user so that the terminal user can access the IPv6 single-stack campus 5G private network;

the authentication unit is further used to return the IPv6 real address, carried in the authentication message, to the terminal that has passed legitimacy authentication.

The present invention also provides a campus network IPv6 real address generation server for carrying out the IPv6 single-stack campus 5G private network access method with endogenous security attributes described above, comprising:

a receiving unit for receiving the IPv6 real address acquisition request sent by the campus 5G private network authentication server;

an IPv6 real address allocation unit for looking up the IPv6 real address of the terminal user corresponding to the IPv6 real address acquisition request and sending it to the campus 5G private network authentication server, so that the IPv6 real address is allocated to the terminal user through the 5G private network and used by the terminal user to access the IPv6 single-stack campus 5G private network, where the IPv6 real address is the leading 64-bit network ID of the IPv6 address with which the terminal user accesses the campus 5G private network, divided into an n-bit ISP ID and a (64-n)-bit info ID;

an address generation unit for performing the IPv6 real address generation operation.

The present invention also provides an IPv6 address identity tracing method which, based on the IPv6 single-stack campus 5G private network access method with endogenous security attributes described above, traces the identity behind an IPv6 address, comprising:

extracting the (64-n)-bit info ID from the IPv6 address, obtaining the invisible AID according to the fifth correspondence, and concatenating the info ID and the invisible AID to obtain the address identifier AID;

obtaining AIDnTH from the address identifier AID according to the fourth correspondence;

XORing the address identifier AID with AIDnTH to obtain the corresponding time hash value timehash; obtaining the corresponding dynamic key according to the second correspondence; obtaining the corresponding preAID from AIDnTH according to the third correspondence; and decrypting preAID with the obtained dynamic key to obtain the user identity information, completing the tracing of the user identity behind the IPv6 real address.

The present invention also provides an IPv6 address identity tracing method which, based on the IPv6 single-stack campus 5G private network access method with endogenous security attributes described above, traces the identity behind an IPv6 address, comprising:

extracting the (64-n)-bit info ID from the IPv6 address, obtaining the invisible AID according to the fifth correspondence, and concatenating the info ID and the invisible AID to obtain the address identifier AID;

obtaining AIDnTH from the address identifier AID according to the fourth correspondence;

XORing the address identifier AID with AIDnTH to obtain the corresponding time hash value timehash; obtaining the corresponding dynamic key according to the second correspondence; obtaining the corresponding preAID from AIDnTH according to the third correspondence; and decrypting preAID with the obtained dynamic key to obtain the address identifier plaintext rawAID, from which the corresponding user identity information is obtained, completing the tracing of the user identity behind the IPv6 real address.
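The following Python program is an added worked example, not code from the patent or its applicant. It carries the info ID construction (UNID, timeInfo, rawAID, timehash, dynamic key, preAID, AIDnTH, AID, visible/invisible AID) and the tracing method above through one round trip, recording the five correspondences as the steps describe. Everything the patent leaves open is an assumption here: n = 16 (so the info ID is 48 bits), a 96-bit UNID (80 hash bits plus 16 bits of user-type information), a 128-bit rawAID so that the two halves of preAID are 64 bits each, a 64-bit AID whose high 48 bits are the visible part, XOR as the embedding of timehash (which is what makes "AID XOR AIDnTH = timehash" hold in the tracing step), hourly time slots as the "nearest moment", SHA-256 as the hash algorithm, and an HMAC-derived keystream standing in for the unnamed symmetric cipher. The sample user and timestamp are constructed.

```python
import datetime as dt
import hashlib
import hmac
import ipaddress
import os

N_ISP_BITS = 16                   # assumption: n = 16, so the info ID is 48 bits wide
INFO_BITS = 64 - N_ISP_BITS
INVISIBLE_BITS = 64 - INFO_BITS   # assumption: AID is 64 bits, so 16 bits form the invisible AID
SLOT_SECONDS = 3600               # assumption: the "nearest moment" is the start of the current hour
BEIJING = dt.timezone(dt.timedelta(hours=8))
MASK64 = (1 << 64) - 1


def map_unid(username: str, phone: str, name: str, user_type: int) -> int:
    """UNID: 80 bits cut from a hash of the attributes plus 16 bits of user-type info (96 bits)."""
    digest = hashlib.sha256(f"{username}|{phone}|{name}".encode()).digest()
    return (int.from_bytes(digest[:10], "big") << 16) | (user_type & 0xFFFF)


def time_info(now: dt.datetime) -> int:
    """timeInfo: seconds from New Year's Day of the current year (Beijing time) to the current time."""
    now = now.astimezone(BEIJING)
    return int((now - dt.datetime(now.year, 1, 1, tzinfo=BEIJING)).total_seconds())


def time_hash(now: dt.datetime) -> int:
    """timehash: 64-bit hash of the slot-aligned time difference."""
    slot = time_info(now) // SLOT_SECONDS * SLOT_SECONDS
    return int.from_bytes(hashlib.sha256(slot.to_bytes(4, "big")).digest()[:8], "big")


def stream_xor(key: bytes, block: int) -> int:
    """Stand-in symmetric cipher (the patent names none): XOR a 128-bit block with an HMAC keystream."""
    keystream = hmac.new(key, b"preAID-keystream", hashlib.sha256).digest()[:16]
    return block ^ int.from_bytes(keystream, "big")


class RealAddressServer:
    """Hypothetical campus-network IPv6 real address generation server."""

    def __init__(self, isp_id: int):
        self.isp_id = isp_id
        # the five correspondences recorded during the mapping
        self.first = {}   # UNID -> user identity attributes
        self.second = {}  # timehash -> dynamic key
        self.third = {}   # AIDnTH -> preAID
        self.fourth = {}  # AID -> AIDnTH
        self.fifth = {}   # visible AID (info ID) -> invisible AID

    def dynamic_key(self, th: int) -> bytes:
        # second correspondence, built in real time: one random key per time slot
        return self.second.setdefault(th, os.urandom(32))

    def generate_info_id(self, username, phone, name, user_type, now):
        """Run the construction steps and return the (64-n)-bit info ID."""
        unid = map_unid(username, phone, name, user_type)
        self.first[unid] = (username, phone, name, user_type)
        raw_aid = (unid << 32) | (time_info(now) & 0xFFFFFFFF)   # rawAID = UNID || timeInfo (128 bits)
        th = time_hash(now)
        pre_aid = stream_xor(self.dynamic_key(th), raw_aid)      # preAID
        aid_nth = (pre_aid >> 64) ^ (pre_aid & MASK64)           # AIDnTH = front half XOR back half
        self.third[aid_nth] = pre_aid
        aid = aid_nth ^ th                                        # AID: timehash embedded by XOR
        self.fourth[aid] = aid_nth
        visible, invisible = aid >> INVISIBLE_BITS, aid & ((1 << INVISIBLE_BITS) - 1)
        if self.fifth.get(visible, invisible) != invisible:       # two users must never share a visible AID
            raise ValueError("visible AID collision; retry in a later time slot")
        self.fifth[visible] = invisible
        return visible

    def real_address(self, info_id: int, interface_id: int) -> str:
        """network ID = ISP ID || info ID; the terminal's 64-bit interface identifier fills the low half."""
        network_id = (self.isp_id << INFO_BITS) | info_id
        return str(ipaddress.IPv6Address((network_id << 64) | (interface_id & MASK64)))

    def trace(self, address: str):
        """Identity tracing: recover (identity attributes, timeInfo) from an IPv6 address."""
        network_id = int(ipaddress.IPv6Address(address)) >> 64
        if network_id >> INFO_BITS != self.isp_id:
            raise ValueError("address was not issued under this ISP ID")
        visible = network_id & ((1 << INFO_BITS) - 1)
        aid = (visible << INVISIBLE_BITS) | self.fifth[visible]     # fifth correspondence
        aid_nth = self.fourth[aid]                                  # fourth correspondence
        th = aid ^ aid_nth                                          # timehash falls out of the XOR
        raw_aid = stream_xor(self.second[th], self.third[aid_nth])  # second and third correspondences
        unid, tinfo = raw_aid >> 32, raw_aid & 0xFFFFFFFF
        return self.first[unid], tinfo                              # first correspondence


def demo():
    """Constructed end-to-end run with one user and a fixed timestamp."""
    server = RealAddressServer(isp_id=0x1A2B)
    when = dt.datetime(2024, 3, 5, 10, 30, tzinfo=BEIJING)
    info_id = server.generate_info_id("alice", "13800000000", "Alice", 1, when)
    address = server.real_address(info_id, 0x1)
    identity, tinfo = server.trace(address)
    return address, identity, tinfo


if __name__ == "__main__":
    print(demo())
```

Two points the round trip makes visible: tracing needs only the five tables plus the address, never an access log, which is the patent's storage argument; and the visible AID is a 48-bit truncation of a 64-bit value, so a generation server must check for collisions in the fifth correspondence before handing out an info ID, otherwise two users could trace to each other.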

The present invention also provides a campus network address management system, comprising:

a campus network IPv6 real address generation server for performing the IPv6 real address generation operation described in the IPv6 single-stack campus 5G private network access method with endogenous security attributes above;

an identity tracing server for carrying out the IPv6 address identity tracing method described above.

In general, the technical solutions conceived by the present invention achieve the following beneficial effects:

(1) The present invention proposes an IPv6 single-stack campus 5G private network access method with endogenous security attributes. The endogenous security attributes of the method lie in the generation and allocation of IPv6 real addresses. Specifically, the IPv6 real address is the leading 64-bit network ID of the IPv6 address with which the terminal user accesses the private network, divided into an n-bit ISP ID and a (64-n)-bit info ID; the info ID is obtained by mapping user identity information and can be used, together with the information correspondences recorded during the mapping process, for identity tracing. In addition, IPv6 real addresses are allocated through an authentication server that connects the private network with the IPv6 real address generation server: the authentication server first authenticates the legitimacy of the terminal user, then, for the access request of a terminal user who has passed authentication, sends an address acquisition request to the IPv6 real address generation server, and after obtaining the corresponding IPv6 real address returns it to the accessing terminal in the authentication message. The whole allocation process guarantees the legitimacy of the user and the validity of the address allocation, so both the generation and the allocation of IPv6 real addresses embody endogenous security attributes.

(2) The present invention proposes a specific way of generating IPv6 real addresses in which the corresponding information correspondence is recorded at every step of the generation process, so that the user's real identity information can be traced back from the IPv6 real address, and the time information can be traced as well. Specifically, the user identity identifier field is parsed from the first 64 bits according to the IPv6 real address structure, the user network identity identifier is decrypted with the dynamic key to restore the original user network identity identifier, and the generation time of the IPv6 real address and the corresponding user identity information are obtained, achieving IPv6 address tracing.

Description of the drawings

Figure 1 is a flow chart of an IPv6 single-stack campus 5G private network access method with endogenous security attributes provided by an embodiment of the present invention.

Figure 2 is a structural diagram of the campus 5G private network IPv6 real address provided by an embodiment of the present invention;

Figure 3 is a flow chart of the addressing and generation of the campus 5G private network IPv6 real address provided by an embodiment of the present invention;

Figure 4 is a flow chart of campus 5G private network IPv6 real address tracing provided by an embodiment of the present invention;

Figure 5 is a flow chart of service activation in the 5G private network provided by an embodiment of the present invention;

Figure 6 is a flow chart of abnormal authentication in the 5G private network provided by an embodiment of the present invention;

Figure 7 is a flow chart of normal authentication in the 5G private network provided by an embodiment of the present invention;

Figure 8 is a structural diagram of the IPv6 single-stack campus 5G private network system provided by an embodiment of the present invention.

Detailed description of the embodiments

In order to make the purpose, technical solution and advantages of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and not to limit it. In addition, the technical features involved in the various embodiments of the present invention described below may be combined with one another as long as they do not conflict.

In networks based on traditional IPv4, NAT greatly expands the address space available for network access, but security auditing then requires the retention of massive logs; IPv6, with its much larger address space, allows user information to be embedded on the basis of the address structure, so that user identity can be traced without being limited by log storage space or retention time. Under the 3GPP standard IPv6 address allocation mechanism, user information in a 5G network can only be embedded in the first 64 bits. For this reason, the present invention proposes an IPv6 single-stack campus 5G private network access method with endogenous security attributes, in which user identity information is embedded into the IPv6 address that is allocated to the corresponding 5G terminal user, and this address makes user identity tracing possible. Embodiments are given below.

Embodiment 1

An IPv6 single-stack campus 5G private network access method with endogenous security attributes: as shown in Figure 1, the method steps carried out by the campus 5G private network authentication server include:

receiving a network access request from a terminal and authenticating the legitimacy of the terminal's user;

sending, to the campus network IPv6 real address generation server, an IPv6 real address acquisition request corresponding to the terminal that has passed legitimacy authentication;

after obtaining the corresponding IPv6 real address, returning it to the accessing terminal in the authentication message so that the terminal user can access the IPv6 single-stack campus 5G private network;

where the IPv6 real address is the leading 64-bit network ID of the IPv6 address with which the terminal user accesses the campus 5G private network, divided into an n-bit ISP ID and a (64-n)-bit info ID, the info ID being obtained by mapping user identity information and usable, together with the information correspondences recorded during the mapping process, for identity tracing.

It can be seen from this flow that, to implement the access method proposed in this embodiment, a private-network UPF and a campus 5G private network AAA server (which provides the authentication service; in this embodiment the part that performs the authentication service function is called the authentication server) must be deployed to connect the 5G private network with the campus network and complete the allocation of IPv6 real addresses. Here the IPv6 real address is the leading 64-bit network ID of the IPv6 address with which the terminal user accesses the private network, divided into an n-bit ISP ID and a (64-n)-bit info ID; the info ID is obtained by mapping user identity information and can be used, together with the information correspondences recorded during the mapping process, for identity tracing. That is, an IPv6 real address generation server must be developed and deployed to generate, store and manage IPv6 real addresses with embedded user identity information. In addition, before the campus 5G private network AAA server sends an IPv6 real address acquisition request to the campus network IPv6 real address generation server, it must authenticate the legitimacy of the terminal user, for which it must interface with the campus network's user identity management server. With the deployment described above, the campus 5G private network AAA server therefore interfaces with the IPv6 real address generation server and the campus network user identity management server to allocate IPv6 real addresses to legitimate users accessing the 5G private network; the characteristics of the IPv6 real address make it possible to trace user identity from the address without being limited by the storage space or retention time of network access logs. Embodiment 1 implements the access method with endogenous security attributes from the perspective of the campus 5G private network authentication server.

Embodiment 2

An IPv6 single-stack campus 5G private network access method with endogenous security attributes; the steps performed by the campus network IPv6 real address generation server include:

receiving the IPv6 real address acquisition request sent by the campus 5G private network authentication server;

looking up the IPv6 real address of the end user to whom the request corresponds and sending it to the campus 5G private network authentication server, so that the address is allocated to the end user through the 5G private network and used by the end user to access the IPv6 single-stack campus 5G private network;

where the IPv6 real address is the first 64 bits (the network ID) of the IPv6 address used by the end user to access the campus 5G private network, divided into an n-bit ISPID and a (64-n)-bit info ID; the info ID is obtained by the campus network IPv6 real address generation server by mapping the user identity information and, together with the correspondences recorded during that mapping, enables identity trace-back.

The analysis is the same as for Embodiment 1 above; the difference is that this embodiment implements the access method with endogenous security attributes from the perspective of the IPv6 real address generation server.

As a preferred implementation, the info ID described in Embodiments 1 and 2 above can be constructed as follows:

map the user identity information to a user network identifier UNID and record the first correspondence, between the UNID and the user identity information;

compute the time-difference hash timehash between the nearest moment corresponding to the current time and the base time; from timehash and the second correspondence, maintained in real time between time-difference hashes and dynamic keys, obtain the dynamic key of the nearest moment, and use it to encrypt the UNID with a symmetric cipher, obtaining the address identifier ciphertext preAID;

XOR the first half and the second half of preAID to obtain the address identifier AIDnTH, which does not yet embed the time hash, and record the third correspondence, between preAID and AIDnTH;

embed timehash into AIDnTH to obtain the address identifier AID carrying time information, and record the fourth correspondence, between AID and AIDnTH;

truncate AID into an invisible AID and a (64-n)-bit visible AID and record the fifth correspondence, between the visible AID and the invisible AID; the (64-n)-bit visible AID is the (64-n)-bit info ID described above.

Further preferably, before the UNID is encrypted with the symmetric cipher, the method also includes:

computing the second-level timestamp difference between the current time and the base time to obtain the time difference timeInfo, where the current time is the exact Beijing time and the base time is New Year's Day of the current year in Beijing time; and concatenating the UNID and timeInfo into the address identifier plaintext rawAID;

in which case encrypting the UNID with the symmetric cipher specifically means encrypting the plaintext rawAID with the symmetric cipher to obtain the ciphertext preAID.

Further preferably, the mapping of user identity information to the UNID is implemented as follows:

attribute information including the user name, mobile phone number and name is mapped through a hash algorithm to a bit string; a number of bits are taken from that bit string, additional user information is determined from the user type, and the two are combined to form the UNID.

To present the preferred info ID construction more clearly, it is described as a whole by way of example as follows:

Under the 3GPP standard a 5G private network can only deliver the first 64 bits of an IPv6 address to a terminal, so the user identity information must be embedded in those first 64 bits. As shown in Figure 2, an IPv6 address can be divided into a 64-bit network ID and a 64-bit interface ID; depending on the size of the network prefix actually in use, the first 64 bits can be divided further into an n-bit ISPID and a (64-n)-bit info ID. The info ID is the addressable space of the IPv6 real address, so embedding user identity in a 5G private network IPv6 address means using a suitable algorithm to map the user identity into the (64-n)-bit info ID while preserving user privacy and address traceability. This comprises user identity generation, dynamic key generation and address generation, shown in Figure 3 and described below:

1) User network identifier generation

User identity generation first maps the user identity information to a User Network ID (UNID). The UNID is a bit string of fixed length that uniquely identifies the user's information (user name, mobile phone number, password, name and other attributes), and the correspondence is recorded. Specifically, attributes such as the user name, mobile phone number and name are mapped into a 256-bit space with the SM3 hash algorithm (a Chinese national cryptographic standard) to obtain a bit string; a number of bits are taken from it, additional information is determined from the user type and similar attributes, and the two are combined into the UNID, as in formula (1). For example, taking the first 38 bits of the hash result and appending 2 bits forms a 40-bit identifier, which is the user's UNID.

UNID = SM3Hash(userID + phoneNumber + username) + extraBits (1)

2) Privacy protection of user identity information

To protect identity information, symmetric encryption with dynamic keys is used. A scheduled task randomly generates keys; the hash of the time difference between the "nearest moment" and the "base time" (timehash) is bound to the dynamic key (ideakey), establishing the correspondence. The "nearest moment" is the hour in Beijing time closest to the current time; the "base time" is New Year's Day of the current year in Beijing time, to second precision. The MD5 hash of the second-level timestamp difference between the two gives timehash, as in formula (2).

timehash = MD5(currentTime - baseTime) (2)

Address generation encrypts with the dynamic key of the current time, which strengthens the privacy protection of the IPv6 real address: even if an attacker exhaustively recovers one encryption key, they cannot tell whether it is the key that was in use when the address was generated. It also lays the foundation for address generation and trace-back: address generation mainly encrypts the UNID, while trace-back obtains the decryption key from the correspondence between the IPv6 address and the timestamp.

3) IPv6 real address generation with a variable-length address prefix

Generating the IPv6 address corresponding to the user identity information mainly comprises encrypting the UNID, embedding the time information to form the address identifier AID, and generating the IPv6 address. The flow is shown in Figure 3; in detail:

Step 1: Encrypting the user network identifier

Compute the second-level timestamp difference between the "current time" and the "base time". Because a user may repeat the operation, the difference is divided by 10 to prevent the end user from repeatedly obtaining addresses; the result is the time difference timeInfo. Here the "current time" is the exact Beijing time and the "base time" is New Year's Day of the current year in Beijing time, to second precision. This step concatenates the UNID and the time difference into the 8-byte plaintext rawAID, as in formula (3).

rawAID = UNID + HexString((currentTime - baseTime) / 10) (3)

From the "nearest moment" corresponding to the "current time", compute timehash; from timehash and the correspondence described above, obtain the key of the "nearest moment" and use it to encrypt rawAID with the symmetric cipher, yielding the 16-byte address identifier ciphertext preAID, as in formula (4). XOR the first 8 bytes of preAID with the last 8 bytes to obtain AIDnTH, the unformatted IPv6 address without the embedded time hash, as in formula (5), and record the correspondence between AIDnTH and preAID for later identity trace-back. "Without the embedded time hash" does not mean that the time difference timeInfo is absent; it means that the hash of the timestamp corresponding to the encryption key has not yet been embedded. Without that hash, trace-back would be difficult: the symmetric key would be hard to obtain, because after recovering the timestamp one would have to search downwards for the nearest whole-hour timestamp and then rerun the key generation process.

preAID = encrypt(rawAID, ideaKey) (4)

AIDnTH = preAID[0:8] ^ preAID[8:16] (5)

Step 2: Embedding the time hash to form the address identifier AID

When generating a dynamic key, the invention stores the correspondence between the key ideakey and its time hash timehash. Embedding timehash into AIDnTH gives the address identifier AID, as in formula (6); without affecting the uniqueness or security of the address, this lets the key be looked up from timehash in constant time, reducing the time cost of trace-back and improving its accuracy.

AID = AIDnTH ^ timehash (6)

After AIDnTH has been obtained by encryption, compute timehash, the hash of the difference between the "nearest moment" and the "base time", and XOR AIDnTH with timehash to obtain the 8-byte AID with embedded time information; at the same time record the correspondence between AID and AIDnTH.

Step 3: Real IPv6 address generation

The campus 5G private network has a single ISPID, as shown in Figure 2. After the 8-byte AID is obtained, the part exceeding the available length must be truncated. According to the length of the info ID, the AID is truncated into a visible AID (visibleAID) and a hidden AID (hiddenAID); the fourth correspondence, between visibleAID and hiddenAID, is established and stored, and visibleAID is the info ID. The ISPID and the info ID are concatenated to form the 64-bit network ID that the user finally receives.

The campus 5G private network IPv6 address generation server thus generates, for each user, a 64-bit IPv6 network ID carrying the user identity; after receiving the network ID, the user terminal combines it with its self-generated interface ID to form a valid IPv6 address.

To conserve scarce radio bandwidth, 3GPP's design restricts duplicate address detection (DAD) during IPv6 address allocation, and to avoid duplicates each terminal is allocated a unique 64-bit IPv6 prefix. Note that in this invention the 64-bit prefix consists of the ISP ID and the info ID, where the info ID is the visibleAID obtained by truncating the AID. Because the phone number carried by a terminal in the 5G private network is unique, the corresponding AID is unique too, but the truncated visibleAID may collide. The IPv6 real address generation server therefore checks the generated 64-bit prefix for duplicates; if it is a duplicate, it regenerates the dynamic key, encrypts the UNID again to produce a new AID, and truncates it to a new visibleAID, guaranteeing the uniqueness of the 64-bit prefix of the IPv6 real address.

Corresponding to Embodiment 1, Embodiment 3 is proposed: a campus 5G private network authentication server for performing the IPv6 single-stack campus 5G private network access method with endogenous security attributes of Embodiment 1 above, comprising: an authentication unit for receiving a terminal's network access request and authenticating the legitimacy of the terminal's user;

an IPv6 real address acquisition unit for sending, to the campus network IPv6 real address generation server, an IPv6 real address acquisition request for a terminal that has passed legitimacy authentication and receiving the corresponding IPv6 real address, where the IPv6 real address is the first 64 bits (network ID) of the IPv6 address used by the end user to access the campus 5G private network, divided into an n-bit ISPID and a (64-n)-bit info ID, the info ID being obtained by mapping the user identity information and, together with the correspondences recorded during that mapping, enabling identity trace-back; and for sending the IPv6 real address to the end user for accessing the IPv6 single-stack campus 5G private network; the authentication unit is further used to return the IPv6 real address, carried in an authentication message, to the terminal that has passed legitimacy authentication.

Corresponding to Embodiment 2, Embodiment 4 is proposed: a campus network IPv6 real address generation server for performing the IPv6 single-stack campus 5G private network access method with endogenous security attributes of Embodiment 2 above, comprising: a receiving unit for receiving the IPv6 real address acquisition request sent by the campus 5G private network authentication server; an IPv6 real address allocation unit for looking up the IPv6 real address of the end user to whom the request corresponds and sending it to the campus 5G private network authentication server, so that the address is allocated to the end user through the 5G private network and used by the end user to access the IPv6 single-stack campus 5G private network, where the IPv6 real address is the first 64 bits (network ID) of the IPv6 address used by the end user to access the campus 5G private network, divided into an n-bit ISPID and a (64-n)-bit info ID; and an address generation unit for performing the IPv6 real address generation operation.

For identity trace-back, two trace-back methods are given, corresponding to the two preferred info ID generation methods above, as Embodiments 5 and 6 below.

Embodiment 5

An IPv6 address identity trace-back method, based on the IPv6 single-stack campus 5G private network access method with endogenous security attributes described above, for tracing the identity behind an IPv6 address, comprising:

extracting the (64-n)-bit info ID from the IPv6 address, obtaining the invisible AID from the fifth correspondence above, and concatenating the info ID and the invisible AID to obtain the address identifier AID;

obtaining AIDnTH from the address identifier AID by the fourth correspondence above;

XORing AID and AIDnTH to obtain the corresponding time hash timehash; obtaining the corresponding dynamic key from the second correspondence above; obtaining the corresponding preAID from AIDnTH by the third correspondence above; and decrypting preAID with the obtained dynamic key to recover the user identity information, completing the user identity trace-back of the IPv6 real address.

Embodiment 6

An IPv6 address identity trace-back method, based on the IPv6 single-stack campus 5G private network access method with endogenous security attributes described above, for tracing the identity behind an IPv6 address, comprising:

extracting the (64-n)-bit info ID from the IPv6 address, obtaining the invisible AID from the fifth correspondence above, and concatenating the info ID and the invisible AID to obtain the address identifier AID;

obtaining AIDnTH from the address identifier AID by the fourth correspondence above;

XORing AID and AIDnTH to obtain the corresponding time hash timehash; obtaining the corresponding dynamic key from the second correspondence above; obtaining the corresponding preAID from AIDnTH by the third correspondence above; and decrypting preAID with the obtained dynamic key to obtain the address identifier plaintext rawAID, from which the corresponding user identity information is obtained, completing the user identity trace-back of the IPv6 real address.

To present the identity trace-back method proposed by the invention more clearly, it is described as a whole by way of example as follows:

User identity trace-back of an IPv6 real address recovers the user identity information from the IPv6 address; it is the inverse of address generation and mainly comprises parsing the IPv6 address, obtaining the encryption key and decrypting the user information. The flow is shown in Figure 4; in detail:

Step 1: IPv6 address parsing

All IPv6 addresses in the campus 5G private network share the same ISPID. The info ID is extracted as in Figure 2; the info ID is the visibleAID, and from the fourth correspondence, between visibleAID and hiddenAID, the AID can be reassembled.

Step 2: Obtaining the encryption key

The system embedded timehash into AIDnTH to form AID, and the encryption key can be retrieved efficiently from the first correspondence, between timehash and ideaKey. By formula (6), given any two of AID, AIDnTH and timehash, the third can be recovered by XOR. AIDnTH is obtained from the third correspondence, between AID and AIDnTH, so timehash is the XOR of the two, and the encryption key ideaKey can then be looked up from timehash.

Step 3: Decrypting the user information

During address generation AIDnTH was obtained by XORing the first 8 bytes and the last 8 bytes of preAID, and the second correspondence, between AIDnTH and preAID, was recorded; therefore preAID need only be decrypted with the encryption key to obtain the plaintext rawAID, as in formula (7).

rawAID = decrypt(preAID, ideaKey) (7)

rawAID is 8 bytes in total: the first 5 bytes are the UNID and the last 3 bytes are timeInfo. The creation time of the IPv6 address is obtained from timeInfo, and the corresponding user identity information is looked up from the UNID, completing the trace-back of the IPv6 address.

Because the trace-back method depends on how the IPv6 real address was generated, Embodiment 7, a campus network address management system, is given for the methods of Embodiments 5 and 6 and comprises:

a campus network IPv6 real address generation server for performing the IPv6 real address generation operation of the IPv6 single-stack campus 5G private network access method with endogenous security attributes of Embodiment 1 or 2 above;

an identity trace-back server for performing the IPv6 address identity trace-back method of Embodiment 5 or 6 above.

The related technical details are as described above and are not repeated here.

In summary, the technical solution of the invention covers IPv6 real address generation, user authentication and user identity trace-back. IPv6 real address generation embeds user identity information in the first 64 bits of the address to achieve endogenous network security, using a hash algorithm to protect user privacy and a dynamic symmetric encryption algorithm to embed the identity information while guaranteeing address uniqueness; IPv6 address trace-back resolves in real time the user identity corresponding to the addressable-space information in the first 64 bits, achieving secure trace-back; and the AAA server interfaces with the campus network user identity management system for user authentication and user identity registration and deregistration, and, using custom semantics, with the IPv6 real address generation server to obtain the 64-bit address allocated to the terminal device.

A concrete example of IPv6 real address generation and trace-back is now given:

The IPv6 address formation and allocation method for campus 5G private network user identities is illustrated with a concrete example comprising ISPID allocation, user creation, IPv6 real address generation and IPv6 real address trace-back, as follows:

① ISPID allocation. The campus 5G private network is allocated the IPv6 CIDR block 2001:250::/32, meaning that the ISPID of every IPv6 address in the 5G private network is 32 bits, written in hexadecimal as 2001:250, and the info ID is 32 bits, that is, the address generation space is bits 33 to 64.

② User creation. The user information is: user name (U201814812), password (1323119614), mobile phone number (18062310269) and name (wcnasg). First the user name, mobile phone number and name are concatenated into the string "U20181481218062310269wcnasg"; hashing it with SM3 gives "CF209A760C33FEAB597BA97906CDE78379B165B065B188401139336A4E6C8DBA". The user name begins with "U", so to mark the user type the 2-bit type information "00" is appended; the final UNID is the string "CF209A760C", formed from the first 38 bits of the hash string plus the "00" bits.

③ IPv6 real address generation. The system computes the time difference timeInfo from the "current time" and the "base time", then concatenates the user's UNID and timeInfo into the plaintext rawAID "CF209A760C27064B". Encrypting rawAID with the dynamic key ideaKey gives the 16-byte ciphertext preAID "7b8fd6cdf064bcf29259c6a8af5311d4"; XORing its first 8 bytes with its last 8 bytes gives AIDnTH "e9d610655f37ad26". The hash timehash "abbcfd8058b3c58a" of the difference between the "current moment" and the "base moment" is then computed and XORed with AIDnTH to give AID "426aede5078468ac"; truncating AID to the address aggregation prefix length gives the final 64-bit prefix of the IPv6 real address, "2001:0250:426a:ede5".

④ IPv6 real address trace-back. With the ISP ID known, the info ID, which is the visibleAID, is parsed from the IPv6 address; the corresponding hiddenAID is looked up and the two are concatenated into AID "426aede5078468ac". From the AID the corresponding AIDnTH "e9d610655f37ad26" and prefix "7b8fd6cdf064bcf2" are obtained; XORing AID with AIDnTH gives timehash "abbcfd8058b3c58a", and XORing AIDnTH with the prefix gives preAID "7b8fd6cdf064bcf2". The dynamic key ideakey "962ebf4895fffdff3b68742f231777e2" corresponding to timehash is retrieved and used to decrypt preAID, giving rawAID "cf209a760c27064b". The first 5 bytes of rawAID are the user's UNID and the last 3 bytes are the timestamp of registration; the user's identity information is looked up from the UNID, completing the IPv6 real address trace-back.
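The generation steps above (formulas (1) to (6)), the duplicate-prefix check, and the trace-back of Figure 4 (formula (7)), as an added worked model in Python that is not code from the patent. It assumes the page's 2001:250::/32 ISPID, SHA-256 in place of SM3, a hashlib-based 64-bit Feistel cipher in place of IDEA, MD5 truncated to 8 bytes for timehash, the "nearest moment" floored to the hour, a 3-byte big-endian timeInfo, and a constructed sample user.

```python
import hashlib
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))
ISP_PREFIX = ipaddress.IPv6Network("2001:250::/32")  # the page's example: n = 32
ISP_BYTES = ISP_PREFIX.network_address.packed[:4]
INFO_BYTES = 8 - len(ISP_BYTES)                      # info ID = 64-n bits = 4 bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel_block(block: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Stand-in 64-bit block cipher (assumption: replaces IDEA, which the stdlib lacks)."""
    subkeys = [hashlib.sha256(key + bytes([i])).digest() for i in range(8)]
    if decrypt:
        subkeys.reverse()
    left, right = block[:4], block[4:]
    for sk in subkeys:
        left, right = right, xor(left, hashlib.sha256(sk + right).digest()[:4])
    return right + left  # undo the last swap so the same loop decrypts with reversed keys


def encrypt(raw_aid: bytes, key: bytes) -> bytes:
    """Formula (4): 8-byte rawAID -> 16-byte preAID (PKCS#7 padding adds a whole block)."""
    padded = raw_aid + bytes([8]) * 8
    return b"".join(_feistel_block(padded[i:i + 8], key) for i in (0, 8))


def decrypt(pre_aid: bytes, key: bytes):
    """Formula (7): 16-byte preAID -> 8-byte rawAID, or None when the padding check fails (wrong key)."""
    padded = b"".join(_feistel_block(pre_aid[i:i + 8], key, True) for i in (0, 8))
    return padded[:8] if padded[8:] == bytes([8]) * 8 else None


def make_unid(user_id: str, phone: str, name: str, type_bits: str = "00") -> bytes:
    """Formula (1): first 38 hash bits + 2 user-type bits = 40-bit UNID (SHA-256 stands in for SM3)."""
    digest = hashlib.sha256((user_id + phone + name).encode()).digest()
    bits = "".join(f"{b:08b}" for b in digest)[:38] + type_bits
    return int(bits, 2).to_bytes(5, "big")


def time_hash(nearest_hour: datetime, base_time: datetime) -> bytes:
    """Formula (2): MD5 of the second-level difference, kept to 8 bytes to match the AID width."""
    diff = int((nearest_hour - base_time).total_seconds())
    return hashlib.md5(str(diff).encode()).digest()[:8]


class AddressServer:
    """Models the IPv6 real address generation server and its five correspondence tables."""

    def __init__(self, year: int):
        self.base_time = datetime(year, 1, 1, tzinfo=BEIJING)  # New Year's Day, Beijing time
        self.users = {}     # 1st correspondence: UNID -> identity
        self.keys = {}      # 2nd: timehash -> dynamic keys (newest last)
        self.pre_aid = {}   # 3rd: AIDnTH -> preAID
        self.aid_nth = {}   # 4th: AID -> AIDnTH
        self.hidden = {}    # 5th: visible AID -> hidden AID

    def generate(self, user_id: str, phone: str, name: str, now: datetime) -> str:
        """Steps 1-3 of address generation; returns the 64-bit network ID as a /64 prefix."""
        unid = make_unid(user_id, phone, name)
        self.users[unid] = (user_id, phone, name)
        time_info = int((now - self.base_time).total_seconds()) // 10  # formula (3)
        raw_aid = unid + time_info.to_bytes(3, "big")                  # 5 + 3 = 8 bytes
        th = time_hash(now.replace(minute=0, second=0, microsecond=0), self.base_time)
        keys = self.keys.setdefault(th, [secrets.token_bytes(16)])     # the scheduled key task
        for _ in range(16):
            pre = encrypt(raw_aid, keys[-1])
            aid_nth = xor(pre[:8], pre[8:])                            # formula (5)
            aid = xor(aid_nth, th)                                     # formula (6)
            visible, hid = aid[:INFO_BYTES], aid[INFO_BYTES:]
            if self.hidden.get(visible, hid) == hid:
                break
            keys.append(secrets.token_bytes(16))  # truncated prefix collided: new key, retry
        else:
            raise RuntimeError("could not obtain a unique 64-bit prefix")
        self.pre_aid[aid_nth], self.aid_nth[aid], self.hidden[visible] = pre, aid_nth, hid
        return str(ipaddress.IPv6Network((ISP_BYTES + visible + bytes(8), 64)))

    def trace(self, address: str):
        """Figure 4: returns (identity, creation time rounded down to 10 s) for an address."""
        visible = ipaddress.IPv6Address(address).packed[len(ISP_BYTES):8]
        aid = visible + self.hidden[visible]
        aid_nth = self.aid_nth[aid]
        th = xor(aid, aid_nth)                     # AID ^ AIDnTH recovers timehash
        pre = self.pre_aid[aid_nth]
        raw = next(filter(None, (decrypt(pre, k) for k in self.keys[th])), None)
        if raw is None:
            raise LookupError("no dynamic key bound to this timehash decrypts preAID")
        created = self.base_time + timedelta(seconds=int.from_bytes(raw[5:], "big") * 10)
        return self.users[raw[:5]], created


def demo():
    """Constructed end-to-end run: allocate a prefix to a sample user, then trace it back."""
    srv = AddressServer(2024)
    now = datetime(2024, 3, 5, 10, 17, 42, tzinfo=BEIJING)
    prefix = srv.generate("U000000001", "13800000000", "sample-user", now)  # constructed identity
    identity, created = srv.trace(prefix.split("/")[0] + "1")  # any host inside that /64
    return prefix, identity, created.isoformat()
```

Because the key for an hour is kept in a list, a key regenerated after a prefix collision does not make earlier addresses from the same hour untraceable; the trace step tries every key bound to that timehash and keeps the one whose padding verifies.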

A further supplementary explanation of authentication follows:

Campus 5G private network user authentication: through the relevant configuration, data inside the campus network is transmitted only within the campus network and never leaves to the external network, which protects data in the campus network. The campus private network AAA server and the campus user identity management system synchronize data periodically, user permissions are verified, and real-name authentication, authorization control and seamless connection to the 5G private network are achieved. Specifically, this includes:

1) 5G private network user service activation process

The 5G private network user service activation process is shown in Figure 5; the specific steps are as follows:

Step 1: The user applies for service activation at the operator's campus 5G private network service point and enters user information (name, ID type, ID number, identity type, mobile phone number, etc.); the operator's campus marketing platform checks the information and verifies the user's real identity with a verification code;

Step 2: The campus marketing platform sends the user information to the user identity management system to apply for activation;

Step 3: The user identity management system calls the corresponding interfaces of the unified identity authentication system and the campus network authentication system, passing in the ID number and mobile phone number, and queries the name, account and status information;

a) If multiple records or no record are found, activation fails directly and the corresponding failure reason and code are returned.

b) If the identity information is valid, it is further checked whether the status is within the range of states that permit activation; if activation is not permitted, activation fails and the corresponding failure reason and code are returned.

c) If the user's status permits activation, the authentication system data is queried to determine whether the account exists in the campus network authentication system; if it does not exist or its status is suspended, activation fails and the corresponding failure reason and code are returned; otherwise activation succeeds and the corresponding information is returned to the marketing platform.

2) The service cancellation process for 5G campus private network users is as follows:

Step 1: The user applies for service cancellation at the campus 5G private network service point and enters user information (name, ID type, ID number, identity type, mobile phone number, etc.); the operator's campus marketing platform checks the information and verifies the user's identity;

Step 2: The campus marketing platform sends the user information to the user identity management server to apply for cancellation;

Step 3: The user identity management server queries the service activation status from the above information. If the service is activated, it is cancelled locally; if it is not activated, cancellation fails and the corresponding message is returned.

3) Seamless user authentication

Whether a campus 5G private network terminal may access the campus network is decided by AAA server authentication, and a firewall between the AAA server and the SMF enforces access control. The authentication steps are as follows:

Step 1: The campus 5G private network terminal and the SMF negotiate the corresponding DNN (Data Network Name), and the terminal sends a data communication request to the SMF;

Step 2: The SMF decides from the DNN whether to forward the request to the campus-dedicated AAA server for authentication, and sends the mobile phone number carried by the terminal together with the subscribed DNN to the AAA service for authentication;

Step 3: The campus-dedicated AAA service authenticates on the basis of the mobile phone number and the DNN:

a) If the DNN information is incorrect, the request is rejected and the user cannot use the 5G private network;

b) If the mobile phone number and DNN are correct, the user identity is checked locally to confirm that the user is a legitimate campus user. If the check fails, no IPv6 address is issued and the user cannot use the 5G private network; this abnormal authentication flow is shown in Figure 6;

If the check succeeds, the IPv6 address bound to the mobile phone number is issued and access to the campus network is allowed; the normal authentication flow is shown in Figure 7.

The same authentication steps are described below from another angle, that of the private network:

The system structure of the campus 5G private network is shown in Figure 8. The process by which a terminal UE obtains its IPv6 real address is as follows:

① The terminal UE interacts with the base station (R)AN over the wireless network;

② The base station forwards signalling to the AMF for mobility and access management;

③ Number authentication is performed through the interaction between the AMF and the UDM;

④ After number authentication succeeds, the terminal sends a message to the SMF requesting allocation of an IPv6 address;

⑤ The SMF initiates secondary authentication with the AAA server to obtain the IPv6 address;

⑥ The 5G private network AAA server checks whether the information from the SMF matches that held by the user identity management server, queries the IPv6 real address generation server for the corresponding IPv6 address, and returns it to the SMF;

⑦ The SMF returns the allocated IPv6 address to the UE through the AMF and selects the private network UPF to establish a session; the UE, carrying the IPv6 address, sends a service request to the private network UPF through the base station RAN;

⑧ The user accesses the campus network through the private network UPF, establishing a service channel for service interaction.

4) User identity information synchronization

A. The 5G private network AAA system periodically initiates data collection tasks towards the campus network identity management system

a) Real-time interface: when a user applies for service activation, the 5G private network AAA system queries the identity management system for the user's identity information by mobile phone number.

b) Periodic synchronization: for users whose service has been activated, the 5G private network AAA system periodically initiates a full comparison of user data against the identity management system (verifying that identity, ID card number and mobile phone number all match), and updates the user status according to the returned message.

B. The 5G private network AAA system and the IPv6 real address generation server synchronize information periodically

The 5G private network AAA system sends a service information synchronization request to the IPv6 real address generation server, including user identity information, mobile phone number, activation status, IPv6 real address, etc.

a) The IPv6 real address generation server obtains the user information, generates the IPv6 real address once the user is confirmed to be in the activated state, and binds it to the corresponding mobile phone number;

b) The 5G private network AAA server obtains the user's IPv6 real address and returns it upon receiving the IPv6 address request message for an activated user.
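The decision logic of sections 1) to 4), carried through as an added example that is not code from the patent or its applicant: activation step 3 a) to c), the AAA decision of section 3) (DNN first, then the local identity check), and the periodic full comparison of 4) A. b). The status values, the reason codes, the in-memory stores and the names AAAServer, IdentitySystem, Activate, Authenticate and Resync are all assumptions; the IPv6 real address is passed in as a string supplied by the generation server, and cancellation (section 2) reduces to clearing a subscription's Active flag.

```go
package main

import "errors"

// Constructed model of the activation, AAA and synchronization decisions in sections 1)
// to 4). Status values, reason codes and the in-memory stores are assumptions.
type Status int

const (
	Active    Status = iota // permits activation and authentication
	Suspended               // paused: activation and AAA both refuse
	Departed                // e.g. left the campus: activation refused
)

type Identity struct { // record in the unified identity authentication system
	Name, Account, IDNumber, Phone string
	Status                         Status
}

// Failure reasons and codes returned to the marketing platform (constructed values).
var (
	errAmbiguous = errors.New("4001: identity record missing or not unique")                 // step 3 a)
	errStatus    = errors.New("4002: user status does not permit activation")                // step 3 b)
	errNetAuth   = errors.New("4003: account missing or suspended in network authentication") // step 3 c)
)

type IdentitySystem struct {
	Records    []Identity        // unified identity authentication system
	NetworkAcc map[string]Status // campus network authentication system, by account
}

// lookup returns every record matching both the ID number and the phone number.
func (s *IdentitySystem) lookup(idNumber, phone string) (out []Identity) {
	for _, r := range s.Records {
		if r.IDNumber == idNumber && r.Phone == phone {
			out = append(out, r)
		}
	}
	return out
}

type Subscription struct {
	User   Identity
	Active bool
	Prefix string // IPv6 real address bound to the phone number by the generation server
}

type AAAServer struct {
	DNN  string                   // the campus DNN that routes to this AAA server
	IDs  *IdentitySystem          // identity data reached over the real-time interface
	Subs map[string]*Subscription // activated services, by phone number
}

// Activate is step 3 of the activation flow; prefix is supplied by the address generation server.
func (a *AAAServer) Activate(idNumber, phone, prefix string) error {
	matches := a.IDs.lookup(idNumber, phone)
	if len(matches) != 1 {
		return errAmbiguous
	}
	if matches[0].Status != Active {
		return errStatus
	}
	if st, ok := a.IDs.NetworkAcc[matches[0].Account]; !ok || st == Suspended {
		return errNetAuth
	}
	a.Subs[phone] = &Subscription{User: matches[0], Active: true, Prefix: prefix}
	return nil
}

// Authenticate is the AAA decision of section 3): DNN first, then the local identity check.
// It returns the IPv6 prefix to issue, or "" together with the rejection reason.
func (a *AAAServer) Authenticate(phone, dnn string) (prefix, reason string) {
	if dnn != a.DNN {
		return "", "DNN mismatch"
	}
	sub, ok := a.Subs[phone]
	if !ok || !sub.Active {
		return "", "not a legitimate campus user: no IPv6 address issued"
	}
	return sub.Prefix, ""
}

// Resync is the periodic full comparison of 4) A. b): an activated service whose identity,
// ID number, phone or status no longer match is deactivated; nothing is ever re-enabled.
func (a *AAAServer) Resync() (deactivated int) {
	for phone, sub := range a.Subs {
		m := a.IDs.lookup(sub.User.IDNumber, phone)
		if sub.Active && !(len(m) == 1 && m[0].Name == sub.User.Name && m[0].Status == Active) {
			sub.Active = false
			deactivated++
		}
	}
	return deactivated
}
```

The design point is that the AAA server never trusts its own subscription table indefinitely: a user suspended or removed in the identity system after activation keeps receiving an address only until the next full comparison, so the synchronization interval bounds how long stale authorization survives. Resync only revokes; re-enabling a service goes back through the activation flow and its three checks.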

Those skilled in the art will readily understand that the above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. An IPv6 single-stack campus 5G private network access method with endogenous security attributes, characterized in that the method steps implemented by the campus 5G private network authentication server include:
receiving a network access request from a terminal and performing user legitimacy authentication on the terminal;
sending to the campus network IPv6 real address generation server an IPv6 real address acquisition request for the terminal that has passed legitimacy authentication, obtaining the corresponding IPv6 real address and returning it to the accessing terminal in the authentication message, so that the terminal user accesses the IPv6 single-stack campus 5G private network; wherein the IPv6 real address is the first 64 bits, the network ID, of the IPv6 address used by the terminal user to access the campus 5G private network, which is divided into an n-bit ISP ID and a (64-n)-bit info ID; the info ID is obtained by mapping user identity information and, combined with the information correspondences recorded during that mapping, can be used to implement identity traceback.

2. An IPv6 single-stack campus 5G private network access method with endogenous security attributes, characterized in that the method steps implemented by the campus network IPv6 real address generation server include:
receiving the IPv6 real address acquisition request sent by the campus 5G private network authentication server;
querying the IPv6 real address of the terminal user corresponding to the address acquisition request and sending that address to the campus 5G private network authentication server, so that the IPv6 real address is allocated to the terminal user through the 5G private network, the IPv6 real address being used by the terminal user to access the IPv6 single-stack campus 5G private network;
wherein the IPv6 real address is the first 64 bits, the network ID, of the IPv6 address used by the terminal user to access the campus 5G private network, which is divided into an n-bit ISP ID and a (64-n)-bit info ID; the info ID is obtained by the campus network IPv6 real address generation server by mapping user identity information and, combined with the information correspondences recorded during that mapping, can be used to implement identity traceback.

3. The IPv6 single-stack campus 5G private network access method according to claim 1 or 2, characterized in that the info ID is constructed in the following way:
mapping the user identity information to a user network identifier UNID and recording a first correspondence between the user network identifier UNID and the user identity information;
computing the time-difference hash timehash between the most recent moment corresponding to the current time and the base time, obtaining the dynamic key of that most recent moment from the time-difference hash timehash and a second correspondence, constructed in real time, between time-difference hashes and dynamic keys, and using that key to encrypt the user network identifier UNID with a symmetric cipher, obtaining the address identifier ciphertext preAID;
XORing the first half of the address identifier ciphertext preAID with its second half to obtain the address identifier without embedded time hash, AIDnTH, and recording a third correspondence between preAID and AIDnTH;
embedding the time-difference hash timehash into the address identifier without embedded time hash, AIDnTH, to obtain the address identifier with embedded time information, AID, and recording a fourth correspondence between AID and AIDnTH;
truncating the address identifier AID with embedded time information into an invisible AID and a (64-n)-bit visible AID, and recording a fifth correspondence between the visible AID and the invisible AID, wherein the (64-n)-bit visible AID is the (64-n)-bit info ID.

4. The IPv6 single-stack campus 5G private network access method according to claim 3, characterized in that, before the user network identifier UNID is encrypted with the symmetric cipher, the method further includes:
computing the second-level timestamp difference between the current time and the base time to obtain the time difference timeInfo, wherein the current time is the exact time in Beijing time and the base time is New Year's Day of the current year in Beijing time; concatenating the UNID and the time difference timeInfo into the address identifier plaintext rawAID;
whereby encrypting the user network identifier UNID with the symmetric cipher specifically means encrypting the address identifier plaintext rawAID with the symmetric cipher to obtain the address identifier ciphertext preAID.

5. The IPv6 single-stack campus 5G private network access method according to claim 3, characterized in that the mapping of user identity information to the user network identifier UNID is implemented as follows:
mapping the attribute information, including user name, mobile phone number and name, through a hash algorithm to obtain a bit string, taking a number of bits from that bit string, determining additional user information from the user type information, and merging them to generate the user network identifier UNID.

6. A campus 5G private network authentication server, characterized in that it is used to execute the IPv6 single-stack campus 5G private network access method with endogenous security attributes according to any one of claims 1 or 3 to 5, and includes:
an authentication unit for receiving a network access request from a terminal and performing user legitimacy authentication on the terminal;
an IPv6 real address acquisition unit for sending to the campus network IPv6 real address generation server an IPv6 real address acquisition request for the terminal that has passed legitimacy authentication and receiving the corresponding IPv6 real address, wherein the IPv6 real address is the first 64 bits, the network ID, of the IPv6 address used by the terminal user to access the campus 5G private network, which is divided into an n-bit ISP ID and a (64-n)-bit info ID, the info ID being obtained by mapping user identity information and usable, combined with the information correspondences recorded during that mapping, to implement identity traceback; and for sending the IPv6 real address to the terminal user so that the terminal user accesses the IPv6 single-stack campus 5G private network;
the authentication unit being further used to return the IPv6 real address in the authentication message to the terminal that has passed legitimacy authentication.

7. A campus network IPv6 real address generation server, characterized in that it is used to execute the IPv6 single-stack campus 5G private network access method with endogenous security attributes according to any one of claims 2 or 3 to 5, and includes:
a receiving unit for receiving the IPv6 real address acquisition request sent by the campus 5G private network authentication server;
an IPv6 real address allocation unit for querying the IPv6 real address of the terminal user corresponding to the IPv6 real address acquisition request and sending that IPv6 real address to the campus 5G private network authentication server, so that the IPv6 real address is allocated to the terminal user through the 5G private network and used by the terminal user to access the IPv6 single-stack campus 5G private network; wherein the IPv6 real address is the first 64 bits, the network ID, of the IPv6 address used by the terminal user to access the campus 5G private network, which is divided into an n-bit ISP ID and a (64-n)-bit info ID;
an address generation unit for performing the IPv6 real address generation operation.

8. An IPv6 address identity traceback method, characterized in that identity traceback of an IPv6 address is performed on the basis of the IPv6 single-stack campus 5G private network access method with endogenous security attributes according to claim 3, and includes:
extracting the (64-n)-bit info ID from the IPv6 address, obtaining the invisible AID according to the fifth correspondence, and concatenating the info ID and the invisible AID to obtain the address identifier AID;
obtaining AIDnTH from the address identifier AID according to the fourth correspondence;
XORing the address identifier AID with AIDnTH to obtain the corresponding time hash timehash; obtaining the corresponding dynamic key according to the second correspondence; obtaining the corresponding preAID from AIDnTH according to the third correspondence; and decrypting that preAID with the obtained dynamic key to obtain the user identity information, completing user identity traceback of the IPv6 real address.

9. An IPv6 address identity traceback method, characterized in that identity traceback of an IPv6 address is performed on the basis of the IPv6 single-stack campus 5G private network access method with endogenous security attributes according to claim 4, and includes:
extracting the (64-n)-bit info ID from the IPv6 address, obtaining the invisible AID according to the fifth correspondence, and concatenating the info ID and the invisible AID to obtain the address identifier AID;
obtaining AIDnTH from the address identifier AID according to the fourth correspondence;
XORing the address identifier AID with AIDnTH to obtain the corresponding time hash timehash; obtaining the corresponding dynamic key according to the second correspondence; obtaining the corresponding preAID from AIDnTH according to the third correspondence; decrypting that preAID with the obtained dynamic key to obtain the address identifier plaintext rawAID; and obtaining the corresponding user identity information from the address identifier plaintext rawAID, completing user identity traceback of the IPv6 real address.

10. A campus network address management system, characterized in that it includes:
a campus network IPv6 real address generation server for performing the IPv6 real address generation operation described in the IPv6 single-stack campus 5G private network access method with endogenous security attributes according to claim 3 or 4;
an identity traceback server for executing the IPv6 address identity traceback method according to claim 8 or 9.
CN202311542217.0A 2023-11-16 2023-11-16 An IPv6 single-stack campus 5G private network access method with endogenous security attributes Pending CN117676577A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311542217.0A CN117676577A (en) 2023-11-16 2023-11-16 An IPv6 single-stack campus 5G private network access method with endogenous security attributes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311542217.0A CN117676577A (en) 2023-11-16 2023-11-16 An IPv6 single-stack campus 5G private network access method with endogenous security attributes

Publications (1)

Publication Number Publication Date
CN117676577A true CN117676577A (en) 2024-03-08

Family

ID=90078054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311542217.0A Pending CN117676577A (en) 2023-11-16 2023-11-16 An IPv6 single-stack campus 5G private network access method with endogenous security attributes

Country Status (1)

Country Link
CN (1) CN117676577A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination