
WO2019033822A1 - Methods for generating and authenticating digital certificate, communication device, and storage medium - Google Patents


Info

Publication number: WO2019033822A1
Authority: WO (WIPO, PCT)
Prior art keywords: digital certificate, base station, certificate, blockchain, authentication
Legal status: Ceased
Application number: PCT/CN2018/088853
Other languages: French (fr), Chinese (zh)
Inventor: 阎军智
Current assignee: China Mobile Communications Group Co Ltd; Research Institute of China Mobile Communication Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; Research Institute of China Mobile Communication Co Ltd
Application filed by: China Mobile Communications Group Co Ltd, Research Institute of China Mobile Communication Co Ltd
Publication: WO2019033822A1

Classifications

    • H: ELECTRICITY
      • H04: ELECTRIC COMMUNICATION TECHNIQUE
        • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                  • H04L9/0825: using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
              • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0866: involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
            • H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3263: involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                • H04L9/3265: using certificate chains, trees or paths; Hierarchical trust model
                • H04L9/3268: using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Definitions

  • the present disclosure relates to the field of mobile communications technologies, and in particular to methods for generating and authenticating a digital certificate, a communication device, and a storage medium.
  • in Internet communication, a digital certificate is a string of digits that identifies the identity information of the communicating parties; it provides a way to verify the identity of a communicating entity on the Internet.
  • the digital certificate is not a digital ID card.
  • a gateway or core network element needs to authenticate the base station using the digital certificate installed in the base station.
  • the base station may be various types of base stations, for example, a small base station, a micro base station, and a home base station.
  • the home base station, also known as a Home evolved Node B (HeNB), is a miniaturized, low-power cellular access technology that connects to the mobile core network through fixed-line broadband in order to provide traditional cellular mobile services to user equipment.
  • Fixed mobile convergence services including communication infrastructure services.
  • the 3GPP HeNB security specification TS 33.320 has defined the HeNB authentication mode: digital certificates are used between the HeNB and the security gateway for mutual device authentication.
  • a small base station must be configured with an installed digital certificate, and this must be done before it accesses the core network. There are usually two ways to apply for the certificate: offline application and online application.
  • in the offline application method, the equipment provider first generates a public-private key pair for the small base station and then provides the certificate generation materials, including the small base station's public key, to a Certificate Authority (CA). The CA creates and issues a certificate according to the application materials, and after obtaining the certificate the equipment provider must configure and install it on the small base station.
  • CA: Certificate Authority
  • the online application mode is initiated by the small base station: it first generates a public-private key pair, builds a certificate generation request according to the online certificate generation protocol, and initiates the certificate generation process; the CA creates and issues a certificate according to the certificate generation request, and the small base station receives and installs the certificate issued by the CA.
  • the equipment manufacturer needs to apply for a digital certificate from the CA center.
  • the digital certificate is generated by the CA center. Because each small base station uses a different digital certificate, the certificates differ greatly from device to device, so batch configuration on the production line is difficult. Each digital certificate must be installed on its own small base station in a separate, one-by-one configuration, which makes implementation inefficient.
  • the above online application method may adopt a standard certificate generation protocol (for example, CMPv2) or a private online application protocol.
  • CMPv2: a standard certificate generation protocol
  • the problem with CMPv2 is that the protocol is complex and requires multiple signing and signature-verification operations during the process.
  • in addition, the problem of mutual trust among multiple CAs is involved.
  • the CA used for online certificate application needs to trust the certificate preset on the device.
  • for the equipment vendors, the CA needs to maintain a list containing multiple root certificates.
  • embodiments of the present disclosure are expected to provide methods for generating and authenticating a digital certificate, a communication device, and a storage medium that at least partially solve the problem of low efficiency in digital certificate generation.
  • a first aspect of the embodiments of the present disclosure provides a method for generating a digital certificate, including:
  • the predetermined device acquires a device identifier and a public key of the base station, where the predetermined device is a base station that uses the digital certificate, a vendor device of a manufacturer that produces the base station, or a carrier device of an operator that uses the base station;
  • the method further includes:
  • the digital certificate that is in effect is written to the corresponding base station.
  • the method further includes:
  • the predetermined device acquires the device identifier and the public key of the base station, including:
  • the base station reads the device identifier stored in advance
  • the predetermined device generates a digital certificate, including:
  • the base station generates the digital certificate according to the predetermined information
  • the method further includes:
  • the predetermined device acquires the device identifier and the public key of the base station, including:
  • the public key is generated using a key generation algorithm.
  • reading the pre-stored device identifier includes:
  • the base station reads the pre-stored device identifier after connecting to the network and before being configured as an access network element, or after being configured as an access network element;
  • the broadcasting the digital certificate to the blockchain digital certificate system comprises:
  • the digital certificate is broadcast to the blockchain digital certificate system based on a pre-stored communication address of the blockchain digital certificate system.
  • a second aspect of the embodiments of the present disclosure provides a method for authenticating a digital certificate, which is applied to a gateway, and includes:
  • the authentication request is used to authenticate the digital certificate of the base station;
  • the digital certificate is generated by the base station itself or by a vendor device, the vendor device being equipment of the manufacturer of the base station;
  • receiving the authentication request sent by the base station includes:
  • querying, based on the authentication request, the status information of the digital certificate stored in the blockchain digital certificate system includes:
  • when the gateway is an accounting node of the blockchain digital certificate system, the status information is queried locally;
  • when the gateway is not an accounting node of the blockchain digital certificate system, a query for the status information is sent to the blockchain digital certificate system.
  • a third aspect of the embodiments of the present disclosure provides a communication device, wherein the communication device is a predetermined device; the predetermined device is a base station using the digital certificate, a vendor device of a manufacturer that produces the base station, or a carrier device of an operator that uses the base station, and includes:
  • an obtaining unit configured to acquire a device identifier and a public key of the base station;
  • a certificate generating unit configured to generate a digital certificate according to the device identifier and the public key, where the digital certificate is used by the blockchain digital certificate system to generate a certificate block, and takes effect after the certificate block passes verification based on the consensus mechanism.
  • a fourth aspect of the embodiments of the present disclosure provides a communications device, where the communications device is a gateway, including:
  • a receiving unit configured to receive an authentication request sent by the base station, where the authentication request is used to authenticate the digital certificate of the base station; the digital certificate is generated by the base station itself or by a vendor device, the vendor device being equipment of the manufacturer of the base station;
  • a query unit configured to query status information of the digital certificate stored in the blockchain digital certificate system based on the authentication request
  • An authentication unit configured to authenticate the digital certificate based on the status information
  • a sending unit configured to return an authentication response to the base station when the digital certificate passes the verification.
  • a fifth aspect of the embodiments of the present disclosure provides a communications device, including:
  • a processor connected to the transceiver and the memory, configured to control, by executing a computer program, transmission and reception of information by the transceiver and storage of information in the memory, and to implement the method for generating a digital certificate provided by any one of claims 1 to 6.
  • a sixth aspect of the embodiments of the present disclosure provides a communication device, including: a transceiver, a memory, a processor, and a computer program stored on the memory and executed by the processor;
  • the processor is connected to the transceiver and the memory respectively, and is configured to implement, by executing the computer program, one or more of the foregoing methods for generating a digital certificate applied to a predetermined device, or one or more of the foregoing methods for authenticating a digital certificate applied to a gateway.
  • a seventh aspect of the embodiments of the present disclosure provides a computer storage medium storing a computer program; after the computer program is executed, one or more of the foregoing methods for generating a digital certificate applied to the predetermined device, or one or more of the foregoing methods for authenticating a digital certificate applied to the gateway, can be implemented.
  • in the digital certificate generation and authentication methods, the communication device, and the storage medium of the embodiments of the present disclosure, the digital certificate is no longer generated by a third-party institution unrelated to the base station manufacturer or the operator, for example a CA.
  • the digital certificate can be generated by the base station, the vendor device, or the operator device.
  • the queue waiting time incurred when a CA generates the digital certificate is reduced, so generation of the digital certificate is accelerated and the resulting delay is reduced, which improves the efficiency of digital certificate generation; moreover, a complete digital certificate can be generated when, or before, the base station is configured as an access network element, which is highly efficient.
  • FIG. 1 is a schematic flowchart of a first method for generating a digital certificate according to an embodiment of the present disclosure.
  • FIG. 2 is a schematic flowchart of a second method for generating a digital certificate according to an embodiment of the present disclosure.
  • FIG. 3 is a schematic flowchart of a first method for authenticating a digital certificate according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic structural diagram of a predetermined device according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic structural diagram of a gateway according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of a first communication device according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a second communication device according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic flowchart of a third method for generating a digital certificate according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic flowchart of a fourth method for generating a digital certificate according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic flowchart of a second method for authenticating a digital certificate according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic flowchart of a third method for authenticating a digital certificate according to an embodiment of the present disclosure.
  • this embodiment provides a method for generating a digital certificate, including:
  • Step S110: the predetermined device acquires the device identifier and the public key of the base station, where the predetermined device is a base station using the digital certificate, a vendor device of a manufacturer that produces the base station, or a carrier device of an operator that uses the base station;
  • Step S120: generate a digital certificate according to the device identifier and the public key, where the digital certificate is used by the blockchain digital certificate system to generate a certificate block, and takes effect after the certificate block passes verification based on the consensus mechanism.
  • the embodiment provides a method for generating a digital certificate.
  • the device that generates the digital certificate is no longer a third-party CA, but a base station that needs to use the digital certificate, a vendor device of the manufacturer that produces the base station, or a carrier device of the operator that uses the base station to build the communication network; that is, a non-third-party device that produces or uses the base station generates the digital certificate.
  • in this implementation, the information required for generating the digital certificate includes the device identifier of the base station and the public key.
  • the device identifier of the base station is unique across the entire network.
  • the device identifier may consist of multiple sequences: a first sequence composed of the serial number of the base station generated by the vendor device, a random sequence of randomly generated numbers, and a verification sequence used to verify the device identifier.
  • the device identifier may be, for example, 128 bits or 256 bits long.
  • the plurality of sequences forming the device identifier form an identification sequence of a predetermined bit length in a certain order.
  • the public key may be a key published in the network, generated using a key generation algorithm; the private key is the non-public key corresponding to the public key. Typically the private key is stored only in the base station, while the public key is published in the network. The public key and the private key form a key pair, and information exchange after the base station is configured as an access network element may use asymmetric encryption.
  • the public key is one of the basic parameters for generating the digital certificate.
  • the content of the digital certificate may include:
  • the certificate identifier of the digital certificate, which may be a certificate serial number;
  • each digital certificate has a unique certificate serial number, which may be applied for from a specific device when the digital certificate is generated; that specific device issues network-wide unique certificate serial numbers in a unified manner according to each device's application;
  • the organization information of the certificate generation institution, which in this embodiment may be, for example, vendor information;
  • the institution information is generally the name of the institution, and the naming rules generally follow the X.500 format;
  • the validity period of the digital certificate; a digital certificate generally uses the UTC time format, whose time range is 1950-2049;
  • the name of the digital certificate owner, which generally follows the X.500 naming rules; the owner here may be the base station that uses the digital certificate or the manufacturer of the base station;
  • the public key of the digital certificate owner, that is, the public key described above;
  • the signature of the digital certificate issuer over the digital certificate.
  • the mandatory content included in the digital certificate described in this embodiment may be a certificate identifier, a device identifier of a base station, and a public key.
  • the digital certificate may further include: a signature algorithm, a certificate effective use authority, and the like.
  • step S120 may specifically include: performing signature processing on the device identifier and the public key using the signature algorithm, and generating the digital certificate including the certificate identifier, the public key, the device identifier, and the signature information.
  • the certificate identifier may be generated according to a preset rule in this embodiment, and generally needs to ensure that the certificate identifier of each digital certificate is unique to the entire network.
  • the device identifier is a unique identifier of the entire network, and the certificate identifier may be generated based on the device identifier.
  • the certificate identifier may also be a unique identifier of a manufacturer that is pre-issued to the base station by the corresponding organization.
  • the digital certificate that is currently in an unused state may be assigned to the corresponding digital certificate.
  • the preset device may further request the digital certificate from a specific device when the digital certificate is generated, thereby obtaining the digital certificate.
  • there are many ways to obtain the digital certificate and are not limited to any of the above.
  • the digital certificate is generated by the base station that uses it or by the manufacturer that produces the base station, so the round-trip information exchange needed when a CA generates the certificate is avoided, thereby improving the efficiency of digital certificate generation and in particular avoiding the large configuration delay that arises when a CA receives many requests.
  • the method further includes:
  • the digital certificate that is in effect is written to the corresponding base station.
  • the digital certificate is generated and stored using blockchain technology. Therefore, when a digital certificate is generated in this embodiment, it needs to be broadcast to the blockchain digital certificate system, and the accounting nodes in the blockchain digital certificate system verify the corresponding certificate block based on the consensus mechanism. Only after the certificate block corresponding to the digital certificate passes verification does the corresponding digital certificate take effect.
  • in this embodiment the predetermined device is the vendor device, the vendor device is connected to the blockchain digital certificate system, and the generated digital certificate is broadcast to the blockchain digital certificate system.
  • the validated digital certificate is then written to the corresponding base station. For example, if digital certificate A is generated based on the device identifier of base station A, the validated digital certificate A is written into base station A. In this way, after the base station is configured as an access network element, digital certificate A can be used directly, or used after being authenticated.
  • in another embodiment the device that generates the digital certificate is also a vendor device, but the vendor device is not connected to the blockchain system, so the digital certificate is not validated at generation time. Therefore, in this embodiment, the method further includes:
  • the vendor device writes the generated digital certificate directly to the base station, and after the base station connects to the network it broadcasts the digital certificate itself to the blockchain digital certificate system so that the digital certificate takes effect.
  • the preset device may also be a base station.
  • the step S110 may include step S111; and the step S111 may include:
  • the pre-stored device identifier is read and the public key is obtained.
  • obtaining the public key may include: reading a pre-stored public key, or generating the public key using a key generation algorithm; for example, generating a random number and then generating a key pair from it using a key generation algorithm, thereby obtaining the public key.
  • the step S120 may include step S121; the step S121 may include:
  • the base station generates the digital certificate according to the predetermined information.
  • the method further includes:
  • Step S130: broadcast the digital certificate to a blockchain digital certificate system;
  • Step S140: when the certificate block passes verification, confirm that the digital certificate is valid.
  • the digital certificate is generated by the base station itself. After the digital certificate is generated, the base station broadcasts the digital certificate to the blockchain digital certificate system to validate the digital certificate.
  • the step S110 may include: reading the pre-stored device identifier after the base station is connected to the network; and generating the public key by using a key generation algorithm.
  • the base station does not initiate generation of the digital certificate when it is powered on, but starts generating the digital certificate after it is connected to the network, thereby avoiding the shortened useful validity period that would result from generating the digital certificate too early.
  • the step S110 may include:
  • the base station reads the pre-stored device identifier after connecting to the network and before being configured as an access network element, or after being configured as an access network element;
  • the step S120 may include:
  • the digital certificate is broadcast to the blockchain digital certificate system based on a pre-stored communication address of the blockchain digital certificate system.
  • the communication address of the blockchain digital certificate system is written into the base station in advance, where the communication address may be an Internet Protocol (IP) address of the blockchain digital certificate system.
  • IP: Internet Protocol
  • the communication address may be a communication address of a blockchain node in a plurality of blockchain digital certificate systems, and may be stored in the base station in the form of an address table.
  • the communication address may also be an IP address, for example, a broadcast address of the blockchain digital certificate system, or the like.
  • when performing the initial configuration that configures the base station as an access network element, the base station may broadcast the digital certificate based on the pre-stored communication address so that the digital certificate is validated. In this case, once the base station's configuration is complete, the valid digital certificate can be used directly, or the digital certificate can be directly verified.
  • the base station may also start the digital certificate generation process to generate the digital certificate after the configuration is completed.
  • the method further includes:
  • the digital certificate is initially verified before the digital certificate is broadcast to the blockchain digital certificate system.
  • the initial verification here can include at least one of the following:
  • the initial verification is performed before the corresponding digital certificate is broadcast to the blockchain digital certificate system, and the digital certificate is broadcast only after the initial verification has passed.
  • this embodiment provides a method for authenticating a digital certificate, which is applied to a gateway, and includes:
  • Step S210 Receive an authentication request sent by the base station, where the authentication request is used to authenticate the digital certificate of the base station; the digital certificate is generated by the base station itself or by a vendor device, i.e. a device of the manufacturer of the base station;
  • Step S220 Query status information of the digital certificate stored in the blockchain digital certificate system based on the authentication request;
  • Step S230 authenticating the digital certificate based on the status information
  • Step S240 When the digital certificate passes the verification, the authentication response is returned to the base station.
  • the method for authenticating a digital certificate provided in this embodiment is a method applied to a security gateway of a base station.
  • the digital certificate that the gateway needs to verify is first generated by the base station itself or generated by the vendor equipment of the base station.
  • after the base station has been configured as an access network element in its initial configuration, it initiates an authentication request to the gateway.
  • the authentication request carries at least the certificate identifier of the digital certificate that needs to be authenticated.
  • after receiving the authentication request, the gateway verifies the authenticity, reliability and legitimacy of the digital certificate by interfacing with the blockchain digital certificate system; specifically, it acquires the status information in step S220.
  • the status information may include a storage status indicating whether the digital certificate is recorded in the blockchain digital certificate system; an illegitimate certificate has no record in the blockchain digital certificate system, so the storage status alone already allows the validity and authenticity of the digital certificate to be checked.
  • the status information may also include validity status information: if, for example, the private key has been compromised, or other circumstances mean the private key is no longer secure, the validity of the certificate should be terminated early to preserve security, and the status of the digital certificate needs to be changed to invalid. Through the validity status information, authentication of digital certificates that have been invalidated can be refused.
  • the status information may further include an integrity status: a forged digital certificate may reuse the certificate identifier of a legitimate certificate, so for the integrity status the digital certificate submitted by the base station is transmitted to the blockchain digital certificate system, which compares its entire content against the stored record and returns status information indicating whether the digital certificate requesting authentication is complete, i.e. whether it matches the record.
  • the status information in this embodiment may be any of the foregoing kinds of status information or any combination of them, and is not limited to any one of the above.
  • in step S230 the gateway determines, based on the status information returned by the blockchain digital certificate system, whether the digital certificate passes authentication. If it passes, the gateway returns to the base station in step S240 information that directly or indirectly indicates that authentication succeeded; if it fails, the gateway returns to the base station in step S240 information that directly or indirectly indicates that authentication failed.
  • after the base station receives an authentication response indicating failure, the method for generating the digital certificate further includes: regenerating the digital certificate, and sending the regenerated digital certificate, once it is valid, to the gateway to request authentication.
  • the gateway then receives the authentication request for the regenerated digital certificate and performs steps S210 to S240 again.
  • the step S210 may include: receiving an authentication request that carries only the certificate identifier of the digital certificate and not the complete content of the digital certificate;
  • in that case the step S220 includes: the gateway queries the blockchain digital certificate system for the digital certificate itself in addition to its status information, so that it obtains the digital certificate of the base station for subsequent communication with the base station.
  • alternatively, the step S210 may include: receiving an authentication request that carries both the certificate identifier and the complete digital certificate;
  • since the digital certificate has then already been received from the base station, the digital certificate itself is not requested from the blockchain digital certificate system in step S220, only its status information.
  • the step S220 may include: locally querying the status information when the gateway is itself an accounting node (ledger-keeping node) of the blockchain digital certificate system. An accounting node holds all the certificate blocks of the entire blockchain digital certificate system, so the gateway can obtain the status information of the digital certificate by querying the certificate blocks locally.
  • the step S220 may include: sending a query for the status information to the blockchain digital certificate system when the gateway is not an accounting node of the blockchain digital certificate system.
  • in that case the gateway records at least the broadcast address of the blockchain digital certificate system or the communication addresses of several accounting nodes; it sends a query request carrying at least the certificate identifier of the digital certificate to be authenticated, and receives the status information of the digital certificate returned by the blockchain digital certificate system.
  • the embodiment provides a communication device, where the communication device is a predetermined device; the predetermined device is a base station that uses the digital certificate, a vendor device of the manufacturer that produces the base station, or a carrier device of the operator that deploys the base station, and includes:
  • the obtaining unit 110, configured to acquire a device identifier and a public key of the base station;
  • a certificate generating unit 120, configured to generate a digital certificate according to the device identifier and the public key, where the digital certificate is used by the blockchain digital certificate system to generate a certificate block, and the digital certificate takes effect when the certificate block passes verification by the consensus mechanism.
  • the communication device is a base station itself or a communication device of a manufacturer that produces the base station.
  • the manufacturer device may be a device such as a desktop computer or a notebook computer of a base station manufacturer.
  • the obtaining unit 110 and the certificate generating unit 120 may correspond to a processor, which may be a central processing unit, a microprocessor, a digital signal processor, an application processor, a programmable array, an application-specific integrated circuit, or the like.
  • the processor may implement the foregoing acquisition of the device identifier and public key by executing computer-executable code such as a computer program, and generate the digital certificate for the base station based on the device identifier and the public key.
  • the digital certificate of the base station can thus be generated automatically by the manufacturer of the base station or by the base station itself, without multiple rounds of interaction with a third-party organization such as a CA, which greatly improves the efficiency of digital certificate generation.
  • when the predetermined device is the vendor device or the carrier device, the device further includes:
  • a first broadcast unit, corresponding to a communication interface such as a network interface, configured to broadcast the digital certificate to the blockchain digital certificate system;
  • a first determining unit, corresponding to a processor or other component with information-processing capability, configured to confirm that the digital certificate is valid when the certificate block passes verification;
  • a first writing unit, which may correspond to a communication interface connected to the base station, and is used to write the valid digital certificate into the corresponding base station.
  • alternatively, when the predetermined device is the vendor device or the carrier device, the device further includes:
  • a second writing unit, configured to write the generated digital certificate into the base station; the base station then broadcasts the digital certificate to the blockchain digital certificate system after connecting to the network.
  • the predetermined device may be a base station; the base station may include:
  • a reading unit configured to read the device identifier stored in advance
  • a public key obtaining unit, configured to acquire the public key, which may include reading a pre-stored public key or generating the public key by using a key generation algorithm;
  • the certificate generating unit, specifically configured to generate the digital certificate according to the device identifier and the public key;
  • the base station further includes:
  • a second broadcast unit configured to broadcast the digital certificate to a blockchain digital certificate system
  • a validation unit, configured to confirm that the digital certificate is valid when the certificate block passes the verification.
  • the second broadcast unit may also correspond to a communication interface, and may be used to broadcast the generated digital certificate to the blockchain digital certificate system.
  • the validation unit may correspond to a receiving interface; by exchanging information with the blockchain digital certificate system it learns that the certificate block containing the digital certificate has been validated by the consensus mechanism, whereupon the digital certificate is considered valid and can be put into use.
  • the reading unit is specifically configured to: when the base station is connected to the network, read the pre-stored device identifier; and generate the public key by using a key generation algorithm.
  • the reading unit is configured to read the pre-stored device identifier after the base station has connected to the network, either before it is configured as an access network element or after it is configured as an access network element.
  • the second broadcast unit is configured to broadcast the digital certificate to the blockchain digital certificate system according to a pre-stored communication address of the blockchain digital certificate system.
  • the embodiment provides a communication device, where the communication device is a gateway, and includes:
  • the receiving unit 210 is configured to receive an authentication request sent by the base station, where the authentication request is used to authenticate the digital certificate of the base station; the digital certificate is generated by the base station itself or by a vendor device, i.e. a device of the manufacturer of the base station;
  • the query unit 220 is configured to query, according to the authentication request, the digital certificate and/or the status information of the digital certificate stored in the blockchain digital certificate system;
  • the authentication unit 230 is configured to authenticate the digital certificate based on the status information
  • the sending unit 240 is configured to return an authentication response to the base station when the digital certificate passes the verification.
  • the gateway provided in this embodiment may be a security gateway of a base station.
  • the base station may be a non-macro base station such as a small base station or a home base station.
  • the receiving unit 210 may correspond to a communication interface, may be a network interface connected to the base station, and the like, and may receive the authentication request from the base station.
  • the query unit 220 and the authentication unit 230 may correspond to a processor; the processor may be a central processing unit, a microprocessor, a digital signal processor, an application processor, a programmable array, an application-specific integrated circuit, or the like.
  • the processor can implement the local query of the status information and the authentication of the digital certificate by executing a computer program.
  • the query unit 220 can also be a communication interface coupled to the blockchain digital certificate system; it obtains the status information by sending a query request to the blockchain digital certificate system and receiving the query response, carrying at least the status information, that the system returns for the query request.
  • the sending unit 240 may correspond to a communication interface with the base station, and may send an authentication response to the base station, where the authentication response carries at least information indicating whether the authentication is passed.
  • the receiving unit 210 is specifically configured to receive an authentication request that carries the certificate identifier of the digital certificate.
  • the query unit 220 is specifically configured to query the blockchain based on the certificate identifier.
  • the receiving unit 210 is configured to receive an authentication request that carries the certificate identifier of the digital certificate and the digital certificate.
  • the query unit 220 can query the status information locally or remotely.
  • the query unit 220 is configured to query the status information locally when the gateway is an accounting node of the blockchain digital certificate system.
  • the query unit 220 is further configured to send a query for the status information to the blockchain digital certificate system when the gateway is not an accounting node of the blockchain digital certificate system.
  • the embodiment provides a communication device, which is a base station, a vendor device of a manufacturer that produces a base station, or a gateway for a base station to access the network, including:
  • the transceiver 21 is configured to perform information transmission and reception
  • the processor 23 is connected to the transceiver 21 and the memory 22 respectively, controls the information transmission and reception of the transceiver 21 and the information storage of the memory 22 by executing a computer program, and can implement one or more of the foregoing technical solutions:
  • the processor 23 can be used to implement the foregoing method for generating a digital certificate.
  • the method for generating the digital certificate shown in FIG. 1 and/or FIG. 2 can be implemented.
  • the processor 23 can be used to implement the foregoing authentication method of the digital certificate, and at least the authentication method of the digital certificate as shown in FIG. 3 can be implemented.
  • the transceiver 21 may include a communication interface such as a transceiver antenna or a network interface.
  • the memory 22 may include: various types of storage media; the storage media may include storage media such as a memory and a hard disk.
  • the processor 23 can be coupled to the transceiver 21 and the memory 22 via an inter-integrated circuit (I2C) bus.
  • an embodiment of the present disclosure further provides a UE, including: a transceiver 31, a memory 32, a processor 33, and a computer program 34 stored on the memory 32 and executed by the processor 33;
  • the processor 33 is connected to the transceiver 31 and the memory 32 respectively, controls the information transmission and reception of the transceiver and the information storage of the memory by executing the computer program 34, and can implement the method for generating a digital certificate provided by one or more of the foregoing technical solutions, or the method for authenticating a digital certificate provided by one or more of the foregoing technical solutions.
  • the transceiver 31 may include a communication interface such as a transceiver antenna and a network interface.
  • the memory 32 may include: various types of storage media; the storage media may include: a storage medium such as a memory and a hard disk.
  • the computer program 34 can optionally be stored on a non-transitory storage medium included in the memory 32.
  • the processor 33 can be coupled to the transceiver 31 and the memory 32 via an inter-integrated circuit (I2C) bus; for example, it reads the computer program 34 over the bus and executes it to implement one or more of the foregoing methods.
  • the processors shown in Figures 6 and 7 can each be any one or a combination of a central processing unit, a microprocessor, a digital signal processor, an application processor, a programmable array, or an application-specific integrated circuit.
  • an embodiment of the present disclosure further provides a computer storage medium storing a computer program; when the computer program is executed, it implements the method for generating a digital certificate provided by one or more of the foregoing technical solutions, or the method for authenticating a digital certificate provided by one or more of the foregoing technical solutions.
  • Example 1 provides a method for generating a digital certificate, including:
  • Step S1 The provincial company (operator) or the equipment manufacturer generates a device identifier (ID) and a private key for the small base station, and generates a self-signed digital certificate of the small base station.
  • the ID contains a serial number part, a random number part and a verification part, ensuring that it neither duplicates another ID nor can be generated by others.
  • the blockchain certificate contains the small base station ID, thereby ensuring that one small base station corresponds to one blockchain certificate.
  • Step S2 The provincial company or the equipment manufacturer initiates the reporting of the digital certificate, and reports the digital certificate of the small base station to the blockchain digital certificate system.
  • the provincial company referred to here is the operator's company responsible for the communication equipment of one province.
  • Step S3 The blockchain digital certificate system performs certificate issuance, which may include: verifying the digital certificate of the small base station, and only the legal small base station certificate can pass the verification.
  • the blockchain certificate system then records the small base station certificate into the blockchain through a consensus mechanism. Once the digital certificate is written into the blockchain, it means that the digital certificate is issued, and the digital certificate is valid and can be used for subsequent authentication.
  • verifying the small base station certificate may include verifying the validity of the certificate itself, such as whether the format is correct and whether the ID duplicates that of another certificate, and verifying whether the small base station is within the permitted range, for example by configuring a blacklist/whitelist of small base station IDs so that only certificates of small base stations in the permitted range pass verification.
  • Step S4 The blockchain digital certificate system returns the result of the issuance of the digital certificate. For example, if the signing fails, the corresponding processing needs to be performed according to the reason for the failure.
  • Step S5 After the digital certificate takes effect, the device identifier (ID) and the private key of the small base station are installed on the production line of the small base station, and the digital certificate can be loaded onto the small base station.
  • Step S6 If the signing fails due to a duplicate name or the like, steps S1 to S5 are re-executed.
  • digital certificates can be generated and broadcast in batches, so that certificate issuance can be performed in batches.
  • the manufacturer device or the carrier device can generate multiple digital certificates in a large batch at a time, and can write to the small base station when the small base station is produced.
  • the digital certificate is not directly stored in the small base station, and only information such as the public key and the device identifier is stored, and the generation of the digital certificate includes:
  • the provincial company/equipment provider generates the small base station ID, the private key, and the public key, and installs the ID, the private key, and the public key to the small base station on the production line of the small base station.
  • the ID contains the serial number part, the random number part, and the verification part, ensuring that it is not repeated with others and will not be generated by others.
  • the provincial company/equipment provider creates a self-signed certificate according to the ID, private key and public key of the small base station, and the certificate contains the small base station ID, thereby ensuring that one small base station corresponds to one blockchain certificate.
  • after the base station is connected to the network, it generates a digital certificate using its ID and public key, and broadcasts the digital certificate it generated through interaction with the blockchain digital certificate system; once the digital certificate has been carried in a certificate block and the certificate block has passed verification based on the consensus mechanism, the digital certificate takes effect.
  • Example 2 provides a method for generating a digital certificate, including:
  • Step S11 The small base station is configured with an ID before leaving the factory; the ID has a certain randomness, see the description of batch digital certificate generation above.
  • Step S12 The small base station generates a public-private key pair, and generates a self-signed digital certificate according to the ID.
  • Step S13 The small base station sends its own self-signed digital certificate to the blockchain digital certificate system, and requests to issue a certificate, that is, information for reporting the digital certificate.
  • Step S14 The blockchain digital certificate system verifies the digital certificate submitted by the small base station to issue a digital certificate, and if the verification passes, it is recorded into the blockchain through a consensus mechanism. This step is the same as the one provided in Example 1.
  • Step S15 The blockchain digital certificate system returns a certificate issuance result.
  • Step S16 If issuance fails because of a duplicate name or the like (that is, the application fails), the corresponding handling is performed according to the reason for the failure, for example steps S11 to S15 are re-executed.
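  • The following is an added example written for this page, not code from the patent or from any China Mobile implementation. It works through Example 1 and Example 2 above together with the generation steps S110/S120 of the base-station embodiment: a device identifier made of a serial part, a random part and a verification part; a self-signed certificate whose subject and certificate identifier both carry that ID (one base station, one certificate); and the checks the blockchain digital certificate system applies before recording a certificate block (format, ID validity, self-signature, duplicate identifier, black/white list), after which the certificate is appended in a hash-chained block. Assumptions, because the page does not specify them: the verification part of the ID is an HMAC under a key held by the vendor/operator (`OPERATOR_KEY`, a constructed sample); the signature is a textbook RSA stand-in (no padding, 512-bit keys) so the code runs on the Python standard library alone and is not production crypto; consensus among nodes is abstracted to a single verifier appending the block. Field names such as `cert_id`, `tbs` and the `CERT-` prefix are constructed for the example.

```python
"""Added example (not the patent's code): device ID, self-signed certificate, and the issuance
checks of the blockchain digital certificate system.  ASSUMPTION: textbook RSA, demo only."""
import hashlib
import hmac
import json
import secrets

OPERATOR_KEY = b"constructed-operator-key"   # ASSUMPTION: secret held by the vendor/operator

def canonical(obj) -> bytes:                 # deterministic JSON for hashing and signing
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# device identifier = serial part . random part . verification part
def make_device_id(serial, key=OPERATOR_KEY):
    rnd = secrets.token_hex(8)               # random part: no duplicates across batches
    check = hmac.new(key, f"{serial}.{rnd}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"{serial}.{rnd}.{check}"         # verification part: keyed, outsiders cannot forge it

def device_id_is_valid(device_id, key=OPERATOR_KEY):
    parts = device_id.split(".")
    if len(parts) != 3:
        return False
    expect = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expect, parts[2])

# textbook RSA stand-in: Miller-Rabin primes, e = 65537, hash-then-exponentiate (no padding)
def _probable_prime(n, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1     # force top and bottom bit
        if _probable_prime(cand):
            return cand

def generate_keypair(bits=512):              # run by the base station itself or the vendor device
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def sign(data, priv):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv["d"], priv["n"])

def verify(data, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def self_signed_certificate(device_id, pub, priv, now, days=365):
    """Subject, issuer and cert_id all carry the device ID: one base station, one certificate."""
    tbs = {"cert_id": "CERT-" + device_id, "subject": device_id, "issuer": device_id,
           "public_key": pub, "not_before": now, "not_after": now + days * 86400}
    return {"tbs": tbs, "signature": sign(canonical(tbs), priv)}

def block_hash(block):
    return hashlib.sha256(canonical({k: v for k, v in block.items() if k != "hash"})).hexdigest()

class BlockchainCertificateSystem:
    """Issuance checks, then a hash-chained certificate block (node consensus abstracted away)."""
    REQUIRED = ("cert_id", "subject", "issuer", "public_key", "not_before", "not_after")

    def __init__(self, whitelist=None, blacklist=()):
        self.whitelist, self.blacklist = whitelist, set(blacklist)   # permitted range of device IDs
        self.chain, self.issued = [], {}                             # blocks; cert_id -> block height

    def verify_certificate(self, cert):
        """Format, device ID, self-signature, duplicate identifier, black/white list."""
        tbs = cert.get("tbs", {})
        if "signature" not in cert or any(k not in tbs for k in self.REQUIRED):
            return False, "malformed certificate"
        if not device_id_is_valid(tbs["subject"]) or tbs["cert_id"] != "CERT-" + tbs["subject"]:
            return False, "device identifier invalid"
        if not verify(canonical(tbs), cert["signature"], tbs["public_key"]):
            return False, "self-signature invalid"
        if tbs["cert_id"] in self.issued:
            return False, "duplicate certificate identifier"
        if tbs["subject"] in self.blacklist or (self.whitelist is not None and tbs["subject"] not in self.whitelist):
            return False, "device not in permitted range"
        return True, "ok"

    def issue(self, cert):                   # (True, block hash) once recorded, else (False, reason)
        ok, reason = self.verify_certificate(cert)
        if not ok:
            return False, reason             # caller re-runs S1..S5 / S11..S15 as the page describes
        block = {"height": len(self.chain), "certs": [cert],
                 "prev_hash": self.chain[-1]["hash"] if self.chain else "0" * 64}
        block["hash"] = block_hash(block)
        self.chain.append(block)
        self.issued[cert["tbs"]["cert_id"]] = block["height"]
        return True, block["hash"]
```

  • Usage: `pub, priv = generate_keypair(); did = make_device_id("SN0001"); cert = self_signed_certificate(did, pub, priv, now=1600000000); BlockchainCertificateSystem().issue(cert)` returns `(True, <block hash>)`; issuing the same certificate twice returns `(False, "duplicate certificate identifier")`, which is the "duplicate name" failure of steps S6 and S16. Altering any field of `tbs` after signing makes the self-signature check fail, and a system constructed with `blacklist=[did]` or a `whitelist` that omits `did` refuses the certificate as outside the permitted range.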
  • This example provides a method for authenticating a digital certificate, including:
  • after receiving the digital certificate of the small base station, the security gateway verifies the validity of the small base station certificate, including whether the certificate identifier (for example, the certificate name) of the digital certificate matches the small base station ID and whether the digital certificate is within its validity period, and then queries the blockchain digital certificate system for the status information of the digital certificate; the query request includes certificate information such as the complete digital certificate or a hash value of the digital certificate.
  • the blockchain digital certificate system searches for the latest status information of the certificate based on the certificate information, and returns the status information to the security gateway.
  • the security gateway authenticates the digital certificate of the small base station according to the certificate status.
  • the security gateway can be part of the blockchain digital certificate system, for example by storing the complete blockchain, so that it can query and authenticate the digital certificate of the small base station locally.
  • this example provides a method for authenticating a digital certificate, including:
  • Step S21 starting the small base station
  • Step S22 The small base station sends an initialization request to the security gateway.
  • Step S23 The small base station receives the initialization response of the security gateway
  • Step S24 The small base station sends an authentication request for the digital certificate to the security gateway; the authentication request does not carry the complete content of the digital certificate and carries the certificate identifier;
  • Step S25 The security gateway sends a query request to the blockchain digital certificate system
  • Step S26 The blockchain digital certificate system queries the status information of the digital certificate.
  • Step S27 The blockchain digital certificate system returns status information of the digital certificate to the security gateway;
  • Step S28 The security gateway authenticates the digital certificate of the small base station based on the status information.
  • Step S29 The security gateway calculates an authentication authorization field (IKE-AUTN) based on the digital certificate that passed authentication; the generated content is returned to the small base station as the authentication response;
  • Step S30 The security gateway sends an authentication response to the small base station.
  • Step S31 The small base station verifies the digital certificate of the gateway based on the authentication response.
  • in this flow the small base station only needs to notify the security gateway of the identifier of its digital certificate during authentication, and the security gateway queries the blockchain digital certificate system for the corresponding digital certificate and its status. For example, after receiving the certificate identifier (CERT_ID) submitted by the small base station, the security gateway queries the blockchain digital certificate system for the status information of the digital certificate.
  • the blockchain digital certificate system searches for the corresponding certificate and certificate status based on the certificate information, and returns the digital certificate and status to the security gateway.
  • the security gateway authenticates the small base station based on the digital certificate and its status.
  • the solution of this example reduces the communication between the small base station and the security gateway on the one hand, and reduces the certificate management requirements on the small base station, such as certificate generation and updating, on the other hand, thereby reducing cost.
  • the authentication method of the digital certificate provided by this example may be as shown in FIG. 11 and includes:
  • Step S41 the small base station is started
  • Step S42 The small base station sends an initialization request to the security gateway.
  • Step S43 The small base station receives the initialization response of the security gateway
  • Step S44 The small base station sends an authentication request for the digital certificate to the security gateway; the authentication request carries the complete content of the digital certificate and the certificate identifier;
  • Step S45 The security gateway sends a query request to the blockchain digital certificate system.
  • Step S46 The blockchain digital certificate system queries the status information of the digital certificate and the corresponding digital certificate;
  • Step S47 The blockchain digital certificate system returns status information and a digital certificate of the digital certificate to the security gateway;
  • Step S48 The security gateway authenticates the digital certificate of the small base station based on the status information.
  • Step S49 The security gateway calculates an authentication authorization field (IKE-AUTN) based on the digital certificate that passed authentication; the generated content is returned to the small base station as the authentication response;
  • Step S50 The security gateway sends an authentication response to the small base station; the authentication response may also carry a digital certificate of the gateway.
  • Step S51 The small base station verifies the digital certificate of the gateway based on the authentication response.
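  • The following is an added example written for this page, not code from the patent or from any China Mobile implementation. It implements the gateway side of steps S210 to S240 and of the two flows just described: the authentication request carries either only the certificate identifier (S24, the ledger returns the certificate) or the identifier plus the complete certificate (S44, the ledger compares it with its record). The gateway applies the local checks from the earlier example (certificate identifier matches the base station ID, validity period), then evaluates the three kinds of status information the embodiment lists (storage status, validity status, integrity status), and queries either locally, when it is an accounting node holding the certificate blocks, or over a request/response exchange otherwise. Assumptions: the gateway already knows the base station ID from the initialization exchange (S22/S23) and receives it in the request; a revoked certificate is modelled by a `revoke()` call on the ledger; the `ike_autn` value is a SHA-256 binding of the request nonce to the authenticated certificate, a stand-in for the IKE-AUTN field rather than the RFC 7296 AUTH computation; the certificate's own signature is not re-checked here because the ledger verified it at issuance. Record shapes, field names and the gateway certificate are constructed for the example.

```python
"""Added example (not the patent's code): security-gateway authentication of a small
base station's digital certificate from the status information (storage, validity,
integrity) held by the blockchain digital certificate system.  Record shapes and the
IKE-AUTN stand-in are constructed for this example."""
import hashlib
import json

def canonical(obj) -> bytes:                 # deterministic JSON for hashing and on-the-wire messages
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def cert_hash(cert):
    return hashlib.sha256(canonical(cert)).hexdigest()

def in_validity_period(tbs, now):
    return tbs["not_before"] <= now <= tbs["not_after"]

class BlockchainCertificateSystem:
    """Ledger view used by the gateway: certificate records keyed by certificate identifier."""

    def __init__(self):
        self.records = {}                    # cert_id -> {"cert", "valid", "reason"}

    def record(self, cert):                  # stand-in for a certificate block that passed consensus
        self.records[cert["tbs"]["cert_id"]] = {"cert": cert, "valid": True, "reason": ""}

    def revoke(self, cert_id, reason="private key compromised"):
        """Validity terminated early (e.g. key compromise): status becomes invalid."""
        if cert_id in self.records:
            self.records[cert_id].update(valid=False, reason=reason)

    def query(self, cert_id, submitted_hash=None):
        """Status information: storage status, validity status and (if a hash was sent) integrity status."""
        rec = self.records.get(cert_id)
        status = {"stored": rec is not None, "valid": bool(rec and rec["valid"]),
                  "reason": rec["reason"] if rec else "no record",
                  "certificate": rec["cert"] if rec else None, "integrity": None}
        if rec and submitted_hash is not None:   # compare the whole submitted certificate with the record
            status["integrity"] = submitted_hash == cert_hash(rec["cert"])
        return status

    def handle_request(self, request: bytes) -> bytes:
        """Network entry point for gateways that are not accounting nodes: query request -> query response."""
        req = json.loads(request)
        return canonical(self.query(req["cert_id"], req.get("cert_hash")))

class SecurityGateway:
    def __init__(self, local_chain=None, send=None, gateway_certificate=None):
        if (local_chain is None) == (send is None):
            raise ValueError("need exactly one of local_chain (accounting node) or send (remote query)")
        self.local_chain, self.send = local_chain, send
        self.gateway_certificate = gateway_certificate or {"cert_id": "CERT-GW-constructed"}

    def _query(self, cert_id, submitted_hash=None):
        if self.local_chain is not None:         # accounting node: all certificate blocks held locally
            return self.local_chain.query(cert_id, submitted_hash)
        req = canonical({"cert_id": cert_id, "cert_hash": submitted_hash})
        return json.loads(self.send(req))        # otherwise query the system at its pre-stored address

    @staticmethod
    def _fail(reason):
        return {"authenticated": False, "reason": reason}

    def authenticate(self, request, now):
        """request: device_id, cert_id, nonce, and optionally the complete certificate (S44) or not (S24)."""
        cert_id, device_id = request["cert_id"], request["device_id"]
        submitted = request.get("certificate")
        if submitted is not None:                # local checks first: identifier match, validity period
            if submitted["tbs"]["cert_id"] != cert_id or submitted["tbs"]["subject"] != device_id:
                return self._fail("certificate identifier does not match base station ID")
            if not in_validity_period(submitted["tbs"], now):
                return self._fail("certificate outside validity period")
        status = self._query(cert_id, cert_hash(submitted) if submitted else None)
        if not status["stored"]:                 # storage status: never issued or forged identifier
            return self._fail("no record in blockchain digital certificate system")
        if not status["valid"]:                  # validity status: terminated early
            return self._fail("certificate invalidated: " + status["reason"])
        if status["integrity"] is False:         # integrity status: legitimate identifier on a forged body
            return self._fail("submitted certificate differs from the recorded one")
        cert = submitted or status["certificate"]   # ID-only flow: use the certificate the ledger returned
        if submitted is None and (cert["tbs"]["subject"] != device_id or not in_validity_period(cert["tbs"], now)):
            return self._fail("recorded certificate does not belong to this base station or is expired")
        autn = hashlib.sha256((request["nonce"] + cert_hash(cert)).encode()).hexdigest()  # IKE-AUTN stand-in
        return {"authenticated": True, "ike_autn": autn, "certificate": cert,
                "gateway_certificate": self.gateway_certificate}   # S30/S50: response carries the gateway's certificate
```

  • Usage: construct a ledger, `record()` a certificate, and build either `SecurityGateway(local_chain=ledger)` (accounting node) or `SecurityGateway(send=ledger.handle_request)` (remote query); `authenticate({"device_id": ..., "cert_id": ..., "nonce": ...}, now)` exercises the identifier-only flow, and adding `"certificate": cert` to the request exercises the full-certificate flow with the integrity comparison. A certificate that reuses a recorded identifier but carries a different body fails the integrity status, an unknown identifier fails the storage status, and a certificate whose record was set to invalid after a key compromise fails the validity status.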
  • in the methods for generating and authenticating a digital certificate provided by the embodiments of the present disclosure, the base station, the operator equipment or the equipment manufacturer itself generates the digital certificate, and no CA organization is needed to produce and issue it, so the digital certificate can be configured before the small base station enters the network or even before it leaves the factory, and batch operation can be implemented to improve the efficiency of certificate generation and configuration.
  • the portion in the dotted line frame is an improved process of performing digital certificate authentication when the base station initializes the configuration by interacting with the blockchain digital certificate system.
  • the small base station can store only the public key and not the digital certificate, which reduces the communication between the small base station and the security gateway, lowers the digital certificate management requirements on the small base station, and reduces its cost.
  • decentralization is achieved by using a blockchain: because the blockchain stores digital certificates in a distributed manner, the large number of requests that would otherwise arise when small base stations and security gateways query a CA for certificate status is avoided. This example has no CA, which saves CA construction and maintenance costs; existing schemes require little modification and the transformation cost is low.
  • The disclosed apparatus and methods may be implemented in other manners.
  • The device embodiments described above are merely illustrative.
  • The division of units is only a logical functional division; in actual implementation there may be other divisions, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • The coupling, direct coupling, or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices, or units, and may be electrical, mechanical, or of other forms.
  • The units described above as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment's solution.
  • Each functional unit in each embodiment of the present disclosure may be integrated into one processing module, or each unit may be used separately as one unit, or two or more units may be integrated into one unit;
  • The units may be implemented in the form of hardware or in the form of hardware plus software functional units.
  • The foregoing program may be stored in a computer-readable storage medium, and when executed it performs the steps of the method embodiments.
  • The foregoing storage medium includes: a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Disclosed in an embodiment of the present disclosure are methods for generating and authenticating a digital certificate, a communication device, and a storage medium. The method for generating a digital certificate comprises: acquiring, by a pre-determined device, a device identifier of a base station and a public key, wherein the pre-determined device is a base station using a digital certificate, a manufacturer device of the manufacturer that produced the base station or an operator device of an operator using the base station; and generating the digital certificate according to the device identifier and the public key, wherein the digital certificate is used by a blockchain digital certificate system to generate a certificate block, and the certificate block is valid after passing verification performed by a consensus mechanism.

Description

Digital certificate generation and authentication methods, communication device, and storage medium

Cross-reference to related applications

This application claims priority to Chinese Patent Application No. 201710703108.0, filed in China on August 16, 2017, the entire contents of which are incorporated herein by reference.

Technical field

The present disclosure relates to the field of mobile communication technology, and in particular to methods for generating and authenticating a digital certificate, a communication device, and a storage medium.

Background

A digital certificate is a string of digits that identifies the parties in Internet communication; it provides a way to verify the identity of a communicating entity on the Internet. A digital certificate is not a digital identity card. For example, a gateway or a core-network element needs to authenticate a base station using the digital certificate installed in the base station.

The base station may be of various types, for example a small base station, a micro base station, or a home base station. A home base station, also called an HeNB (Home evolved Node B), is a miniaturized, low-power cellular technology that connects to the mobile core network through fixed broadband and provides user equipment with fixed-mobile convergence services, including basic traditional cellular mobile communication services.

The 3GPP HeNB security specification TS 33.320 already defines the HeNB authentication method: mutual device authentication between the HeNB and the security gateway uses digital certificates. To authenticate the base station device, the small base station must be configured with an installed digital certificate. This must happen before it accesses the core network, and there are usually two ways to do it: offline application and online application.

In the offline application method, the equipment vendor first generates a public/private key pair for the small base station and then provides certificate generation material, including the small base station's public key, to a Certificate Authority (CA); the CA produces and issues the certificate according to the application material, and after obtaining the certificate the vendor must install it on the small base station.

The online application method is initiated by the small base station: it first generates a public/private key pair, generates a certificate request according to an online certificate generation protocol and initiates the certificate generation process; the CA produces and issues the certificate according to the request, and the small base station receives and installs the CA-issued certificate.

In the offline method, the vendor needs to apply to the CA center for digital certificates, which the CA center generates. Because different small base stations use different digital certificates and individual certificates differ greatly, batch configuration on the production line is difficult: the vendor must install these certificates in different small base stations separately, configuring them one at a time, which is inefficient.

The online method may use a standard certificate generation protocol (for example CMPv2) or a proprietary online application protocol. The problem with CMPv2 is that the protocol is complex, requiring multiple signing and signature-verification operations, and it also involves mutual trust between multiple CAs: the CA used for online certificate application must trust the certificate preset on the device, so if there are many equipment vendors, the CA must maintain a list of multiple root certificates.

Therefore, improving the efficiency of digital certificate configuration is an urgent problem.

Summary

In view of this, embodiments of the present disclosure aim to provide methods for generating and authenticating a digital certificate, a communication device, and a storage medium, to at least partially solve the problem of low efficiency of digital certificate generation.

To achieve the above object, the technical solution of the present disclosure is implemented as follows:

A first aspect of the embodiments of the present disclosure provides a method for generating a digital certificate, including:

a predetermined device acquires a device identifier and a public key of a base station, where the predetermined device is the base station that uses the digital certificate, a vendor device of the manufacturer that produces the base station, or an operator device of the operator that deploys the base station;

generating a digital certificate according to the device identifier and the public key, where the digital certificate is used by a blockchain digital certificate system to generate a certificate block, and takes effect once the certificate block passes verification based on a consensus mechanism.

Based on the above solution, when the predetermined device is the vendor device or the operator device, the method further includes:

broadcasting the digital certificate to the blockchain digital certificate system;

when the certificate block passes verification, confirming that the digital certificate has taken effect;

writing the effective digital certificate into the corresponding base station.

Based on the above solution, the method further includes:

when the predetermined device is the vendor device or the operator device, writing the generated digital certificate into the base station, where the digital certificate is used by the base station to broadcast itself to the blockchain digital certificate system after it connects to the network.

Based on the above solution, the predetermined device acquiring the device identifier and the public key of the base station includes:

the base station reading the pre-stored device identifier;

acquiring the public key;

the predetermined device generating the digital certificate includes:

the base station generating the digital certificate according to the predetermined information;

the method further includes:

broadcasting the digital certificate to the blockchain digital certificate system;

when the certificate block passes verification, confirming that the digital certificate has taken effect.

Based on the above solution, the predetermined device acquiring the device identifier and the public key of the base station includes:

after the base station connects to the network, reading the pre-stored device identifier;

generating the public key using a key generation algorithm.

Based on the above solution, reading the pre-stored device identifier after the base station connects to the network includes:

the base station reading the pre-stored device identifier after it connects to the network and before it is configured as an access-network element, or after it is configured as an access-network element;

broadcasting the digital certificate to the blockchain digital certificate system includes:

broadcasting the digital certificate to the blockchain digital certificate system according to a pre-stored communication address of the blockchain digital certificate system.

A second aspect of the embodiments of the present disclosure provides a method for authenticating a digital certificate, applied in a gateway, including:

receiving an authentication request sent by a base station, where the authentication request is used to authenticate the digital certificate of the base station; the digital certificate is generated by the base station itself or by a vendor device, the vendor device being a device of the manufacturer of the base station;

based on the authentication request, querying status information of the digital certificate stored in the blockchain digital certificate system;

authenticating the digital certificate based on the status information;

when the digital certificate passes verification, returning an authentication response to the base station.

Based on the above solution, receiving the authentication request sent by the base station includes:

receiving an authentication request carrying the certificate identifier of the digital certificate;

querying, based on the authentication request, the status information of the digital certificate stored in the blockchain digital certificate system includes:

querying, based on the certificate identifier, the digital certificate and the status information stored in the blockchain digital certificate system.

Based on the above solution, receiving the authentication request sent by the base station includes:

receiving an authentication request carrying the certificate identifier of the digital certificate and the digital certificate itself.

Based on the above solution, querying, based on the authentication request, the status information of the digital certificate stored in the blockchain digital certificate system includes:

when the gateway is an accounting node of the blockchain digital certificate system, querying the status information locally;

or,

when the gateway is not an accounting node of the blockchain digital certificate system, sending the status information to the blockchain digital certificate system.

A third aspect of the embodiments of the present disclosure provides a communication device, where the communication device is a predetermined device; the predetermined device is the base station that uses the digital certificate, a vendor device of the manufacturer that produces the base station, or an operator device of the operator that deploys the base station, and includes:

an acquiring unit, configured to acquire a device identifier and a public key of the base station; and

a certificate generating unit, configured to generate a digital certificate according to the device identifier and the public key, where the digital certificate is used by the blockchain digital certificate system to generate a certificate block and takes effect once the certificate block passes verification based on a consensus mechanism.

A fourth aspect of the embodiments of the present disclosure provides a communication device, where the communication device is a gateway, including:

a receiving unit, configured to receive an authentication request sent by a base station, where the authentication request is used to authenticate the digital certificate of the base station; the digital certificate is generated by the base station itself or by a vendor device, the vendor device being a device of the manufacturer of the base station;

a query unit, configured to query, based on the authentication request, status information of the digital certificate stored in the blockchain digital certificate system;

an authentication unit, configured to authenticate the digital certificate based on the status information; and

a sending unit, configured to return an authentication response to the base station when the digital certificate passes verification.

A fifth aspect of the embodiments of the present disclosure provides a communication device, including:

a transceiver, for sending and receiving information;

a memory, for storing information; and

a processor, connected to the transceiver and the memory, configured to control the information transmission and reception of the transceiver and the information storage of the memory by executing a computer program, and to implement the method for generating a digital certificate provided by any one of claims 1 to 6, or the method for authenticating a digital certificate provided by any one of claims 7 to 10.

A sixth aspect of the embodiments of the present disclosure provides a communication device, including a transceiver, a memory, a processor, and a computer program stored in the memory and executed by the processor;

the processor is connected to the transceiver and the memory and is configured, by executing the computer program, to implement one or more of the foregoing methods for generating a digital certificate applied in a predetermined device, or one or more of the foregoing methods for authenticating a digital certificate applied in a gateway.

A seventh aspect of the embodiments of the present disclosure provides a computer storage medium storing a computer program; when the computer program is executed, it implements one or more of the foregoing methods for generating a digital certificate applied in a predetermined device, or one or more of the foregoing methods for authenticating a digital certificate applied in a gateway.

In the methods for generating and authenticating a digital certificate, the communication device, and the storage medium of the embodiments of the present disclosure, the digital certificate is no longer generated by a third-party institution unrelated to the base station manufacturer or operator, such as a CA. The digital certificate can be generated by the base station, the vendor device, or the operator device itself. Reducing the data exchange with a CA and the queueing delay that arises when a CA generates digital certificates speeds up certificate generation and reduces the latency it causes, improving generation efficiency; moreover, the complete digital certificate can be generated when, or even before, the base station is configured as an access-network element, which is highly efficient.

Brief description of the drawings

FIG. 1 is a schematic flowchart of a first method for generating a digital certificate according to an embodiment of the present disclosure;

FIG. 2 is a schematic flowchart of a second method for generating a digital certificate according to an embodiment of the present disclosure;

FIG. 3 is a schematic flowchart of a first method for authenticating a digital certificate according to an embodiment of the present disclosure;

FIG. 4 is a schematic structural diagram of a predetermined device according to an embodiment of the present disclosure;

FIG. 5 is a schematic structural diagram of a gateway according to an embodiment of the present disclosure;

FIG. 6 is a schematic structural diagram of a first communication device according to an embodiment of the present disclosure;

FIG. 7 is a schematic structural diagram of a second communication device according to an embodiment of the present disclosure;

FIG. 8 is a schematic flowchart of a third method for generating a digital certificate according to an embodiment of the present disclosure;

FIG. 9 is a schematic flowchart of a fourth method for generating a digital certificate according to an embodiment of the present disclosure;

FIG. 10 is a schematic flowchart of a second method for authenticating a digital certificate according to an embodiment of the present disclosure;

FIG. 11 is a schematic flowchart of a third method for authenticating a digital certificate according to an embodiment of the present disclosure.

Detailed description

The technical solutions of the present disclosure are further elaborated below with reference to the drawings and specific embodiments.

As shown in FIG. 1, this embodiment provides a method for generating a digital certificate, including:

Step S110: a predetermined device acquires a device identifier and a public key of a base station, where the predetermined device is the base station that uses the digital certificate, a vendor device of the manufacturer that produces the base station, or an operator device of the operator that deploys the base station;

Step S120: generating a digital certificate according to the device identifier and the public key, where the digital certificate is used by a blockchain digital certificate system to generate a certificate block and takes effect once the certificate block passes verification based on a consensus mechanism.

This embodiment provides a method for generating a digital certificate in which the device that generates the certificate is no longer a third-party CA but a non-third-party device that produces or uses the base station: the base station itself that needs the certificate, a vendor device of the manufacturer that produces the base station, or an operator device of the operator that builds a communication network with the base station.

Before the digital certificate is generated, the information required to generate it must be acquired.

In this embodiment the information required to generate the digital certificate includes the device identifier and the public key of the base station. In this embodiment the device identifier of the base station is unique across the whole network.

The device identifier may consist of several sequences: a first sequence formed from the serial number that the vendor device generates for the base station, a random sequence formed from randomly generated numbers, and a verification sequence used to verify the device identifier. In some embodiments the device identifier may be, for example, 128 bits or 256 bits long. The sequences that form the device identifier are concatenated in a fixed order into an identifier sequence of the predetermined bit length.

The public key may be a key generated by a key generation algorithm and published in the network; the private key is the key corresponding to the public key and is not disclosed. Usually the private key is stored only in the base station, while the public key is published in the network. The public key and the private key form a key pair, and the information exchange after the base station is configured as an access-network element may use asymmetric encryption. In this embodiment the public key is one of the parameters on which the generation of the digital certificate is based.

The content of the digital certificate may include:

the version information of the digital certificate;

the certificate identifier of the digital certificate, which may be a certificate serial number; each digital certificate has a unique certificate serial number, which may be requested from a specific device when the digital certificate is generated, and that specific device issues network-wide unique certificate serial numbers in response to the requests of the individual devices;

the signature algorithm used by the digital certificate;

the organization information of the certificate issuer, which in this embodiment may be vendor information; the organization information is generally the organization name, and the naming convention generally follows the X.500 format;

the validity period of the digital certificate; common digital certificates generally use the UTC time format, whose time range is 1950-2049;

the name of the digital certificate owner, generally in X.500 format; here the owner may be the base station that uses the certificate or the manufacturer of the base station;

the public key of the digital certificate owner;

the signature of the digital certificate issuer over the digital certificate.

In this embodiment the mandatory content of the digital certificate may be the certificate identifier, the device identifier of the base station, and the public key. In some cases the digital certificate may further include the signature algorithm, the certificate's usage permissions, and so on.

Step S120 may specifically include: signing the device identifier and the public key with the signature algorithm, and generating the digital certificate including the certificate identifier, the public key, the device identifier, and the signature information. In some embodiments the certificate identifier may be generated according to a preset rule, and it is generally necessary to ensure that the certificate identifier of each digital certificate is unique across the whole network. For example, since in this embodiment the device identifier is unique across the whole network, the certificate identifier may be generated from the device identifier. Of course, in some cases the certificate identifier may also be a unique identifier that the corresponding organization issued in advance to the manufacturer of the base station, in which case a currently unused one may be assigned to the corresponding digital certificate. As another example, the predetermined device may request the digital certificate from a specific device when generating the digital certificate, thereby obtaining it. In short, there are many ways to obtain the digital certificate, and it is not limited to any of the above.

In this embodiment the digital certificate is generated by the base station that uses it or by the manufacturer that produces the base station; compared with generation by a CA, no round-trip information exchange is needed, which improves the efficiency of digital certificate generation and in particular avoids the large configuration delays that arise when a CA receives many requests.

When the predetermined device is the vendor device or the operator device, the method further includes:

submitting, e.g. broadcasting, the digital certificate to the blockchain digital certificate system;

when the certificate block passes verification, confirming that the digital certificate has taken effect;

writing the effective digital certificate into the corresponding base station.

In this embodiment the digital certificate is generated and stored using blockchain technology. Therefore, once a digital certificate is generated, it must be broadcast to the blockchain digital certificate system, where the accounting nodes verify the corresponding certificate block based on a consensus mechanism. Only when the certificate block containing the digital certificate passes verification does the corresponding digital certificate take effect.

In this embodiment the predetermined device is the vendor device, which is connected to the blockchain digital certificate system and broadcasts the generated digital certificate to it.

Finally, once the digital certificate has taken effect, it is written into the corresponding base station. For example, if digital certificate A was generated based on the device identifier of base station A, the effective digital certificate A is written into base station A. Subsequently, after the base station is configured as an access-network element, it can use digital certificate A directly, or put it into use after it passes authentication.

In some embodiments the device that generates the digital certificate is still the vendor device, but the vendor device is not connected to the blockchain system and does not validate the digital certificate; in that case the method further includes:

when the predetermined device is the vendor device or the operator device, writing the generated digital certificate into the base station, where the digital certificate is used by the base station to broadcast itself to the blockchain digital certificate system after it connects to the network.

The vendor device writes the generated digital certificate directly into the base station, and after connecting to the network the base station broadcasts it to the blockchain digital certificate system itself so that the digital certificate takes effect.

在一些实施例中,所述预设设备还可以是基站。这时可如图2所示,所述步骤S110可包括步骤S111;所述步骤S111可包括:In some embodiments, the preset device may also be a base station. At this time, as shown in FIG. 2, the step S110 may include step S111; and the step S111 may include:

读取预先存储的所述设备标识并获取公钥。所述获取公钥可包括:读取预先存储的公钥,或者,自行利用密钥生成算法生成所述公钥;例如,生成一个随机数,然后利用密钥生成算法分别生成密钥对,从而获得所述公钥。The pre-stored device identifier is read and the public key is obtained. The obtaining the public key may include: reading a pre-stored public key, or generating the public key by using a key generation algorithm; for example, generating a random number, and then generating a key pair by using a key generation algorithm, thereby Obtain the public key.

所述步骤S120可包括步骤S121;所述步骤S121可包括:The step S120 may include step S121; the step S121 may include:

所述基站根据所述预定信息生成所述数字证书。The base station generates the digital certificate according to the predetermined information.

所述方法还包括:The method further includes:

步骤S130:将所述数字证书广播到区块链数字证书系统;Step S130: Broadcast the digital certificate to a blockchain digital certificate system;

步骤S140:当所述证书区块通过验证时,确认所述数字证书生效。Step S140: When the certificate block passes the verification, it is confirmed that the digital certificate is valid.

在本实施中数字证书是由基站自身生成的,再生成所述数字证书之后,基站会将数字证书广播到区块链数字证书系统,以生效所述数字证书。In this implementation, the digital certificate is generated by the base station itself. After the digital certificate is generated, the base station broadcasts the digital certificate to the blockchain digital certificate system to validate the digital certificate.

具体地,所述步骤S110可包括:当所述基站连接到网络后,读取预先存储的所述设备标识;利用密钥生成算法生成所述公钥。Specifically, the step S110 may include: reading the pre-stored device identifier after the base station is connected to the network; and generating the public key by using a key generation algorithm.

基站不是一开启就启动数字证书的生成路程,而是在基站连接到网络之后,才启动所述数字证书的生成,减少因为数字证书生成早导致的实际投入使用的有效期较短的现象。The base station does not initiate the generation of the digital certificate when it is turned on, but starts the generation of the digital certificate after the base station is connected to the network, thereby reducing the short period of validity of the actual use due to the early generation of the digital certificate.

在一些实施例中,所述步骤S110可包括:In some embodiments, the step S110 may include:

所述基站在接到网络后并在被设置成接入网网元之前,或被设置成接入网元之后,读取预先存储的所述设备标识;The base station reads the pre-stored device identifier after receiving the network and before being configured to access the network element, or after being configured to access the network element;

所述步骤S120可包括:The step S120 may include:

根据预先存储的所述区块链数字证书系统的通信地址,将所述数字证书广播到所述区块链数字证书系统。The digital certificate is broadcast to the blockchain digital certificate system based on a pre-stored communication address of the blockchain digital certificate system.

总之在本实施例中所述基站预先写入了区块链数字证书系统的通信地址,这里的通信地址可以为区块链数字证书系统的网络协议(IP)地址等。一般情况下,所述通信地址可为多个区块链数字证书系统中区块链节点的通信地址,可以以地址表的形式存储在所述基站中。在一些实施例中,所述通信地址也可为一个IP地址,例如,可为所述区块链数字证书系统的广播地址等。In summary, in the embodiment, the base station pre-writes the communication address of the blockchain digital certificate system, where the communication address may be a network protocol (IP) address of the blockchain digital certificate system. In general, the communication address may be a communication address of a blockchain node in a plurality of blockchain digital certificate systems, and may be stored in the base station in the form of an address table. In some embodiments, the communication address may also be an IP address, for example, a broadcast address of the blockchain digital certificate system, or the like.

在一些情况下,所述基站被安装连接到网络之后,在执行所述基站的初始化配置,以将所述基站配置为接入网网元的过程中,所述基站可以基于预存储的通信地址完成数字证书的生效,这样的话,后续基站被配置完之后,就可以直接使用该生效的数字证书,或者,是直接对该数字证书进行验证了。In some cases, after the base station is installed and connected to the network, in performing the initial configuration of the base station to configure the base station as an access network element, the base station may be based on a pre-stored communication address. The digital certificate is validated. In this case, after the subsequent base station is configured, the valid digital certificate can be directly used, or the digital certificate can be directly verified.

当然在另一些情况下,所述基站也可以在完成配置之后,再启动数字证书的生成流程生成所述数字证书。Of course, in other cases, the base station may also start the digital certificate generation process to generate the digital certificate after the configuration is completed.

在本实施例中,所述方法还包括:In this embodiment, the method further includes:

在所述数字证书被广播到区块链数字证书系统之前,对所述数字证书进行初次验证。The digital certificate is initially verified before the digital certificate is broadcast to the blockchain digital certificate system.

这里的初次验证可包括以下至少其中之一:The initial verification here can include at least one of the following:

验证所述数字整数的信息格式是否正确;Verifying that the information format of the numeric integer is correct;

验证所述数字证书自身的合法性;Verifying the legitimacy of the digital certificate itself;

验证所述数字证书的证书标识的唯一性;Verifying the uniqueness of the certificate identifier of the digital certificate;

基于基站即将投入使用的地理位置,验证所述数字证书的地理范围是否在可允许范围内。Based on the geographic location where the base station is about to be put into use, it is verified whether the geographical extent of the digital certificate is within an allowable range.

总之,在本实施例中为了避免生效有瑕疵的数字证书,在将对应的数字证书广播到数字证书区块链系统之前先进行初次验证,仅有初次验证通过之后,才会对该数据证书进行广播,才会执行生效操作。In summary, in this embodiment, in order to avoid the effective digital certificate, the initial verification is performed before the corresponding digital certificate is broadcasted to the digital certificate blockchain system, and the data certificate is only performed after the initial verification is passed. The broadcast will only take effect.
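The four pre-broadcast checks listed above, as an added example that is not the patent's own code: the certificate layout, the ledger interface, the permitted-device list (from Example 1, step S3) and the region-code encoding of the geographic scope are all assumptions.

```python
"""Pre-broadcast initial verification of a base station certificate.
Added example; the certificate layout, the ledger stand-in and the
geographic-scope encoding are assumptions, not the patent's design."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed certificate layout: device identifier, raw public key, certificate
# identifier, validity window and the set of region codes the base station
# may be deployed in.
REQUIRED_FIELDS = {"cert_id", "device_id", "public_key", "not_before",
                   "not_after", "regions"}
DEVICE_ID_RE = re.compile(r"^[A-Z0-9]{16,32}$")   # assumed device-ID format
CERT_ID_RE = re.compile(r"^[0-9a-f]{32}$")        # assumed certificate-ID format


@dataclass
class Ledger:
    """Minimal stand-in for the blockchain digital certificate system: the
    certificate identifiers already recorded, plus the operator's permitted
    device-ID list."""
    recorded_cert_ids: set = field(default_factory=set)
    permitted_device_ids: set = field(default_factory=set)


def check_format(cert: dict) -> list:
    """Format check: all fields present, identifiers well formed, validity
    window ordered."""
    missing = REQUIRED_FIELDS - cert.keys()
    if missing:
        return [f"missing fields: {sorted(missing)}"]
    errors = []
    if not CERT_ID_RE.match(cert["cert_id"]):
        errors.append("malformed cert_id")
    if not DEVICE_ID_RE.match(cert["device_id"]):
        errors.append("malformed device_id")
    if not (isinstance(cert["public_key"], bytes) and len(cert["public_key"]) == 32):
        errors.append("public key is not 32 raw bytes")
    if cert["not_before"] >= cert["not_after"]:
        errors.append("not_before is not earlier than not_after")
    return errors


def check_legitimacy(cert: dict, ledger: Ledger, now: datetime) -> list:
    """Legitimacy: the device is one the operator permits, and the validity
    window covers the moment of broadcast."""
    errors = []
    if cert["device_id"] not in ledger.permitted_device_ids:
        errors.append("device_id not on the permitted list")
    if not (cert["not_before"] <= now < cert["not_after"]):
        errors.append("validity window does not cover the broadcast time")
    return errors


def check_uniqueness(cert: dict, ledger: Ledger) -> list:
    """Uniqueness: the certificate identifier must not already be on the chain."""
    if cert["cert_id"] in ledger.recorded_cert_ids:
        return ["cert_id already recorded in the ledger"]
    return []


def check_geography(cert: dict, deployment_region: str) -> list:
    """Geographic scope: the planned site must lie within the certificate's regions."""
    if deployment_region not in cert["regions"]:
        return [f"deployment region {deployment_region} outside certificate scope"]
    return []


def initial_verification(cert, ledger, deployment_region, now=None):
    """Run all four checks; returns (ok, errors). Broadcast only when ok."""
    now = now or datetime.now(timezone.utc)
    errors = check_format(cert)
    if errors:              # later checks assume a well-formed certificate
        return False, errors
    errors += check_legitimacy(cert, ledger, now)
    errors += check_uniqueness(cert, ledger)
    errors += check_geography(cert, deployment_region)
    return not errors, errors


# Constructed sample data for a stand-alone run.
LEDGER = Ledger(recorded_cert_ids={"0" * 32},
                permitted_device_ids={"BS0001A7F3C92D44"})
NOW = datetime(2018, 5, 1, tzinfo=timezone.utc)
GOOD_CERT = {"cert_id": "a" * 32, "device_id": "BS0001A7F3C92D44",
             "public_key": b"\x01" * 32, "regions": {"CN-GD", "CN-HN"},
             "not_before": datetime(2018, 4, 1, tzinfo=timezone.utc),
             "not_after": datetime(2028, 4, 1, tzinfo=timezone.utc)}

if __name__ == "__main__":
    print(initial_verification(GOOD_CERT, LEDGER, "CN-GD", NOW))
    bad = dict(GOOD_CERT, cert_id="0" * 32)   # duplicate ID, wrong region
    print(initial_verification(bad, LEDGER, "CN-SH", NOW))
```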

As shown in FIG. 3, this embodiment provides a method for authenticating a digital certificate, applied in a gateway, including:

step S210: receiving an authentication request sent by a base station, where the authentication request is used to authenticate the digital certificate of the base station; the digital certificate was generated by the base station itself or by a vendor device, the vendor device being a device of the manufacturer of the base station;

step S220: querying, on the basis of the authentication request, the status information of the digital certificate stored in the blockchain digital certificate system;

step S230: authenticating the digital certificate on the basis of the status information;

step S240: when the digital certificate passes the verification, returning an authentication response to the base station.

The digital certificate authentication method provided by this embodiment is applied in the security gateway of the base station.

In this embodiment the digital certificate that the gateway has to verify was first generated by the base station itself or by the base station's vendor device.

After the base station has been initialised and configured as an access network element, it sends an authentication request to the gateway. The authentication request carries at least the certificate identifier of the digital certificate to be authenticated.

After receiving the authentication request, the gateway authenticates the authenticity, reliability and legitimacy of the digital certificate by interfacing with the blockchain digital certificate system. Specifically, the status information is obtained in step S220.

The status information may include a storage state indicating whether the digital certificate is stored in the blockchain digital certificate system. If the certificate being verified is an illegitimate certificate, there is no storage record of it in the blockchain digital certificate system, so the legitimacy and authenticity of a digital certificate can be verified through the storage state.

The status information may further include validity state information. For example, if the private key is compromised, or in other circumstances that may mean the private key is no longer secure, the validity of the certificate should be terminated early to ensure security, and the status of the digital certificate has to be changed to invalid. Through the validity state information, authentication can be refused for digital certificates that have already been invalidated. The status information may further include an integrity state: some forged digital certificates may, for example, copy the certificate identifier of a legitimate certificate. To obtain the integrity state, the digital certificate submitted by the base station is transmitted to the blockchain digital certificate system, which compares all of its information with the stored record and returns status information indicating whether the digital certificate for which authentication is requested is intact.

In short, the status information in this embodiment may be any kind of status information, and may be any combination of the status information described above, but is not limited to any one of them.

In step S230 it is determined, on the basis of the status information returned by the blockchain digital certificate system, whether the digital certificate passes authentication. If it passes, the response in step S240 carries information indicating directly or indirectly that the digital certificate has been authenticated; if it does not pass, information indicating directly or indirectly that authentication failed is returned to the base station in step S240.

In some embodiments, after the base station receives an authentication response indicating failure, the digital certificate generation method further includes:

deleting the old digital certificate;

regenerating a digital certificate using the device identifier and the public key;

sending the digital certificate to the blockchain digital certificate system to generate a certificate block;

after the certificate block has taken effect, sending the regenerated, now effective digital certificate to the gateway to request authentication. The gateway then receives a new authentication request for the regenerated digital certificate and performs steps S210 to S240 again.

In some embodiments step S210 may include:

receiving an authentication request carrying the certificate identifier of the digital certificate;

and step S220 includes:

querying, on the basis of the certificate identifier, the digital certificate and the status information stored in the blockchain digital certificate system.

In this embodiment the authentication request carries only the certificate identifier of the digital certificate and not its complete content. In step S220 the gateway therefore also queries the blockchain digital certificate system for the digital certificate itself, so as to obtain the base station's digital certificate for use in subsequent communication with the base station.

In other embodiments step S210 may include:

receiving an authentication request carrying the certificate identifier of the digital certificate and the digital certificate itself.

In this case the digital certificate has already been received from the base station, so it does not have to be requested from the blockchain digital certificate system in step S220.

In some embodiments step S220 may include: when the gateway is an accounting node of the blockchain digital certificate system, querying the status information locally. If the gateway is itself an accounting node of the blockchain digital certificate system, it may hold a record of all the certificate blocks of the whole system, and can obtain the status information of the digital certificate by querying the certificate blocks locally.

In other embodiments step S220 may include: when the gateway is not an accounting node of the blockchain digital certificate system, sending a query for the status information to the blockchain digital certificate system.

In this situation the gateway generally holds at least the broadcast address of the blockchain digital certificate system or the communication addresses of several accounting nodes; by sending a query request carrying at least the certificate identifier of the digital certificate to be authenticated, the gateway receives the status information of the digital certificate returned by the blockchain digital certificate system.
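The gateway-side decision of steps S210 to S240, covering both request shapes (identifier only, or identifier plus full certificate) and the three kinds of status information (storage, validity, integrity), as an added example that is not the patent's own code; the ledger client API, the request and response field names and the state values are assumptions, and the accounting-node/remote distinction is modelled by a counter rather than a real network call.

```python
"""Gateway-side authentication against the blockchain digital certificate
system. Added example; the ledger API, message shapes and state names are
assumptions, not the patent's design."""
from dataclasses import dataclass
from typing import Optional

VALID, REVOKED = "valid", "revoked"


@dataclass(frozen=True)
class CertBlock:
    """A recorded certificate block: the full certificate plus its validity
    state, which the operator sets to REVOKED on private-key compromise."""
    cert: dict
    validity: str = VALID


class LedgerClient:
    """An accounting node answers from its local copy of the chain; any other
    gateway would send the same query over the network. Both return the same
    status information, so the gateway logic does not change."""

    def __init__(self, blocks: dict, is_accounting_node: bool):
        self._blocks = blocks              # cert_id -> CertBlock
        self.is_accounting_node = is_accounting_node
        self.remote_queries = 0

    def status(self, cert_id: str, submitted: Optional[dict]) -> dict:
        if not self.is_accounting_node:
            self.remote_queries += 1       # stands in for a network round trip
        block = self._blocks.get(cert_id)
        info = {"stored": block is not None}          # storage state
        if block is None:
            return info
        info["validity"] = block.validity             # validity state
        info["certificate"] = block.cert
        # Integrity state exists only when the base station sent the whole
        # certificate: the ledger compares every field with its own record,
        # which catches a forgery that merely copies a legitimate cert_id.
        if submitted is not None:
            info["intact"] = submitted == block.cert
        return info


def authenticate(request: dict, ledger: LedgerClient) -> dict:
    """Steps S210-S240: look up the status information and decide. The
    request carries cert_id and, optionally, the whole certificate."""
    submitted = request.get("certificate")
    info = ledger.status(request["cert_id"], submitted)
    if not info["stored"]:
        return {"result": "fail", "reason": "not recorded in ledger"}
    if info["validity"] != VALID:
        return {"result": "fail", "reason": "certificate revoked"}
    if submitted is not None and not info["intact"]:
        return {"result": "fail", "reason": "certificate does not match record"}
    # With an identifier-only request the gateway keeps the ledger's copy of
    # the certificate for its later communication with the base station.
    return {"result": "pass", "certificate": info["certificate"]}


# Constructed sample ledger: one live certificate and one revoked one.
CERT_A = {"cert_id": "a" * 32, "device_id": "BS0001A7F3C92D44",
          "public_key": "01" * 32}
CERT_B = {"cert_id": "b" * 32, "device_id": "BS0002C41E9B0F77",
          "public_key": "02" * 32}
LEDGER = LedgerClient({CERT_A["cert_id"]: CertBlock(CERT_A),
                       CERT_B["cert_id"]: CertBlock(CERT_B, REVOKED)},
                      is_accounting_node=False)

if __name__ == "__main__":
    print(authenticate({"cert_id": CERT_A["cert_id"]}, LEDGER))
    forged = dict(CERT_A, public_key="ff" * 32)   # reuses a real cert_id
    print(authenticate({"cert_id": forged["cert_id"], "certificate": forged}, LEDGER))
    print(authenticate({"cert_id": CERT_B["cert_id"]}, LEDGER))
    print(authenticate({"cert_id": "c" * 32}, LEDGER))
```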

As shown in FIG. 4, this embodiment provides a communication device, the communication device being a predetermined device; the predetermined device is the base station that uses the digital certificate, the vendor device of the manufacturer that produces the base station, or the operator device of the operator that deploys the base station, and includes:

an obtaining unit 110, configured to obtain the device identifier and the public key of the base station; and

a certificate generating unit 120, configured to generate a digital certificate from the device identifier and the public key, where the digital certificate is used by the blockchain digital certificate system to generate a certificate block and takes effect when the certificate block passes the consensus-based verification.

In this embodiment the communication device is the base station itself or a communication device of the manufacturer that produces the base station. For example, the vendor device may be a desktop or notebook computer of the base station manufacturer.

In this embodiment the obtaining unit 110 and the certificate generating unit 120 may correspond to a processor, which may be a central processing unit, microprocessor, digital signal processor, application processor, programmable array, application-specific integrated circuit or the like. By executing computer-executable code such as a computer program, the processor obtains the device identifier and public key described above and generates the digital certificate for the base station from them.

In this way the base station's digital certificate can be generated automatically by the base station or by its manufacturer, without the multiple rounds of information exchange with a third party such as a CA, which greatly improves the efficiency of digital certificate generation.

In some embodiments, when the predetermined device is the vendor device or the operator device, the vendor device further includes: a first broadcast unit, corresponding to a communication interface such as a network interface, configured to broadcast the digital certificate to the blockchain digital certificate system; a first determining unit, corresponding to a module with information processing capability such as a processor, configured to confirm that the digital certificate has taken effect when the certificate block passes verification; and a first writing unit, which may correspond to a communication interface connected to the base station and is used to write the effective digital certificate into the corresponding base station.

In other embodiments, when the predetermined device is the vendor device or the operator device, the vendor device further includes:

a second writing unit, configured to write the generated digital certificate into the base station, where the digital certificate is broadcast by the base station itself to the blockchain digital certificate system after the base station has connected to the network.

Further, the predetermined device may be the base station; the base station may include:

a reading unit, configured to read the pre-stored device identifier;

a public key obtaining unit, configured to obtain the public key, which may include reading a pre-stored public key or generating the public key with a key generation algorithm;

the certificate generating unit, specifically configured to generate the digital certificate from the predetermined information;

The base station further includes:

a second broadcast unit, configured to broadcast the digital certificate to the blockchain digital certificate system; and

an effectuation unit, configured to confirm that the digital certificate has taken effect when the certificate block passes verification.

The second broadcast unit here may likewise correspond to a communication interface and is used to broadcast the generated digital certificate to the blockchain digital certificate system.

The effectuation unit may correspond to a receiving interface; once it learns, through information exchange with the blockchain digital certificate system, that the certificate block holding the digital certificate has passed the consensus-based verification, the digital certificate can be regarded as in effect and can be put into use.

Optionally, the reading unit is specifically configured to read the pre-stored device identifier after the base station has connected to the network, and to generate the public key with a key generation algorithm.

Further optionally, the reading unit is specifically configured to read the pre-stored device identifier after the base station has connected to the network and before it is configured as an access network element, or after it has been configured as an access network element; and the second broadcast unit is configured to broadcast the digital certificate to the blockchain digital certificate system according to the pre-stored communication address of the blockchain digital certificate system.

As shown in FIG. 5, this embodiment provides a communication device, the communication device being a gateway, including:

a receiving unit 210, configured to receive an authentication request sent by a base station, where the authentication request is used to authenticate the digital certificate of the base station; the digital certificate was generated by the base station itself or by a vendor device, the vendor device being a device of the manufacturer of the base station;

a query unit 220, configured to query, on the basis of the authentication request, the digital certificate and/or the status information of the digital certificate stored in the blockchain digital certificate system;

an authentication unit 230, configured to authenticate the digital certificate on the basis of the status information; and

a sending unit 240, configured to return an authentication response to the base station when the digital certificate passes verification.

The gateway provided by this embodiment may be the security gateway of the base station. In this embodiment the base station may be a non-macro base station such as a small base station or a home base station.

In this embodiment the receiving unit 210 may correspond to a communication interface, for example a network interface connected to the base station, and can receive the authentication request from the base station.

In some embodiments the query unit 220 and the authentication unit 230 may correspond to a processor, which may be a central processing unit, microprocessor, digital signal processor, application processor, programmable array, application-specific integrated circuit or the like. By executing a computer program the processor can carry out the local query of the status information and the authentication of the digital certificate.

In other embodiments the query unit 220 may be a communication interface connected to the blockchain digital certificate system; it obtains the status information by sending a query request to the blockchain digital certificate system and receiving the query response, carrying at least the status information, that the system returns for that request.

The sending unit 240 may correspond to the communication interface with the base station and can send the base station an authentication response carrying at least information indicating whether authentication passed.

In some embodiments the receiving unit 210 is specifically configured to receive an authentication request carrying the certificate identifier of the digital certificate, and the query unit 220 is specifically configured to query, on the basis of the certificate identifier, the digital certificate and the status information stored in the blockchain digital certificate system.

In other embodiments the receiving unit 210 may be configured to receive an authentication request carrying the certificate identifier of the digital certificate and the digital certificate itself.

The query unit 220 may query the status information either locally or remotely. For example, the query unit 220 may be configured to query the status information locally when the gateway is an accounting node of the blockchain digital certificate system. As another example, the query unit 220 may be further configured to send a query for the status information to the blockchain digital certificate system when the gateway is not an accounting node of that system.

As shown in FIG. 6, this embodiment provides a communication device, which is a base station, a vendor device of the manufacturer that produces the base station, or a gateway through which the base station accesses the network, including:

a transceiver 21, configured to send and receive information;

a memory 22, configured to store information; and

a processor 23, connected to the transceiver 21 and to the memory 22, configured, through the execution of a computer program, to control the sending and receiving of information by the transceiver 21 and the storage of information in the memory 22, and to implement the digital certificate generation method provided by one or more of the foregoing technical solutions or the digital certificate authentication method provided by one or more of the foregoing technical solutions.

When the communication device is the base station itself or the vendor device, the processor 23 can be used to implement the digital certificate generation method described above, for example the method shown in FIG. 1 and/or FIG. 2.

When the communication device is a gateway, the processor 23 can be used to implement the digital certificate authentication method described above, and at least the authentication method shown in FIG. 3.

The transceiver 21 may include a communication interface such as a transceiver antenna or a network interface.

The memory 22 may include various types of storage media, such as main memory and a hard disk.

The processor 23 may be connected to the transceiver 21 and the memory 22 via an inter-integrated circuit (IIC) bus.

As shown in FIG. 7, an embodiment of the present disclosure further provides a UE, including a transceiver 31, a memory 32, a processor 33, and a computer program 34 stored in the memory 32 and executed by the processor 33;

the processor 33 is connected to the transceiver 31 and to the memory 32 and is configured, through the execution of the computer program 34, to control the sending and receiving of information by the transceiver and the storage of information in the memory, and to implement the digital certificate generation method provided by one or more of the foregoing technical solutions or the digital certificate authentication method provided by one or more of the foregoing technical solutions.

The transceiver 31 may include a communication interface such as a transceiver antenna or a network interface.

The memory 32 may include various types of storage media, such as main memory and a hard disk.

The computer program 34 may optionally be stored on a non-transitory storage medium included in the memory 32.

The processor 33 may be connected to the transceiver 31 and the memory 32 via an inter-integrated circuit (IIC) bus; for example, it reads the computer program 34 over the bus and executes it to implement the processing methods provided by one or more of the foregoing technical solutions, for example one or more of the methods shown in FIG. 1, FIG. 2 and FIG. 3.

The processors shown in FIG. 6 and FIG. 7 may each be any one or a combination of a central processing unit, microprocessor, digital signal processor, application processor, programmable array and application-specific integrated circuit.

An embodiment of the present disclosure provides a computer storage medium storing a computer program; when executed, the computer program implements the digital certificate generation method provided by one or more of the foregoing technical solutions or the digital certificate authentication method provided by one or more of the foregoing technical solutions.

在本申请提供的与数字证书相关的处理中,包括数字证书的生成及数字证书的认证两方面。以下结合上述任意一个实施例提供几个具体示例:In the processing related to the digital certificate provided by the present application, both the generation of the digital certificate and the authentication of the digital certificate are included. Several specific examples are provided below in connection with any of the above embodiments:

Example 1:

As shown in FIG. 8, this example provides a digital certificate generation method, including:

Step S1: The provincial company (operator) or the equipment vendor generates the device identifier (ID) and private key of the small base station, and generates a self-signed digital certificate for the small base station. The ID contains a serial-number part, a random-number part and a verification part, ensuring that it neither duplicates anyone else's ID nor can be produced by anyone else; the blockchain certificate contains the small base station ID, so that one small base station corresponds to exactly one blockchain certificate.

Step S2: The provincial company or the equipment vendor initiates reporting of the digital certificate, reporting the small base station's digital certificate to the blockchain digital certificate system. The "provincial company" here refers to the communications operator responsible for the communication equipment of one province.

Step S3: The blockchain digital certificate system issues the certificate. Specifically, this may include verifying the small base station's digital certificate, where only a legitimate small base station certificate passes verification; the blockchain certificate system then records the small base station certificate in the blockchain through the consensus mechanism. Once the digital certificate has been written into the blockchain, it is considered issued: the certificate takes effect and can be used for subsequent authentication. When verifying the small base station certificate, the legitimacy of the certificate itself may be checked, for example whether the format is correct and whether the ID is identical to that of another certificate; in addition, whether the small base station is within the permitted range may be checked, for example by configuring a blacklist/whitelist of small base station IDs, so that only certificates of small base stations within the permitted range pass verification.

Step S4: The blockchain digital certificate system returns the issuance result of the digital certificate. For example, if issuance fails, corresponding handling is required according to the reason for the failure.

Step S5: After the digital certificate has taken effect, the small base station's device identifier (ID), its private key and the digital certificate are provisioned into the small base station on the small base station production line.

Step S6: If issuance fails because of a duplicate name or a similar reason, steps S1 to S5 are executed again.

In this example, digital certificates can be generated in batches and broadcast in batches, so that they take effect in batches. In this way, the vendor device or the operator device can generate a large number of digital certificates at once and write them into the small base stations as they are produced.
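The flow of steps S1 to S6 above, as an added example that is not part of the patent or any implementation by the applicant: a device ID built from a serial part, a random part and a verification part, a self-signed certificate record carrying that ID, and the issuance checks of step S3 (format, duplicate ID, permit list) applied before a batch of certificates is appended to a hash-chained ledger. The check-part construction (first four hex digits of SHA-256 over the serial and random parts), the certificate record layout, the placeholder signature field and the single-node "consensus" are all assumptions of this example; the patent specifies none of them.

```python
"""Constructed model of the Example 1 flow: device-ID construction (serial part,
random part, verification part) and the issuance checks of step S3 (format,
duplicate ID, permit list) on a hash-chained ledger.  Added example, not the
patent's code; the check-part construction and the single-node "consensus"
are assumptions."""
import hashlib
import json
import re
import secrets
from typing import Dict, List, Optional, Set, Tuple

CHECK_LEN = 4  # assumption: check part = first 4 hex digits of SHA-256(serial + random part)


def make_device_id(serial: str, rand_hex: Optional[str] = None) -> str:
    """ID = <serial part>-<random part>-<check part>, as the page describes the ID."""
    rand_hex = secrets.token_hex(4) if rand_hex is None else rand_hex
    check = hashlib.sha256((serial + rand_hex).encode()).hexdigest()[:CHECK_LEN]
    return f"{serial}-{rand_hex}-{check}"


def device_id_is_well_formed(device_id: str) -> bool:
    """Format check: three dash-separated parts and a check part that matches."""
    m = re.fullmatch(r"([A-Z0-9]{4,})-([0-9a-f]{8})-([0-9a-f]{4})", device_id)
    if not m:
        return False
    serial, rand_hex, check = m.groups()
    return hashlib.sha256((serial + rand_hex).encode()).hexdigest()[:CHECK_LEN] == check


def self_signed_cert(device_id: str, pubkey_hex: str) -> dict:
    """Constructed certificate record; 'sig' stands in for the base station's self-signature."""
    return {"id": device_id, "pubkey": pubkey_hex, "not_before": 1_500_000_000,
            "not_after": 1_600_000_000, "sig": "<self-signature placeholder>"}


def _digest(obj: dict) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class CertLedger:
    """Single-node stand-in for the blockchain digital certificate system (assumption)."""
    REQUIRED = {"id", "pubkey", "not_before", "not_after", "sig"}

    def __init__(self, allow: Optional[Set[str]] = None, deny: Optional[Set[str]] = None):
        genesis = {"index": 0, "prev": "0" * 64, "certs": []}
        self.blocks: List[dict] = [dict(genesis, hash=_digest(genesis))]
        self.allow, self.deny = allow, (deny or set())
        self.issued: Dict[str, Tuple[dict, str]] = {}  # device ID -> (certificate, status)

    def check(self, cert: dict, pending: Set[str]) -> str:
        """Issuance checks from step S3; returns 'ok' or the failure reason."""
        if set(cert) != self.REQUIRED or not device_id_is_well_formed(cert["id"]):
            return "bad format"
        if cert["id"] in self.issued or cert["id"] in pending:
            return "duplicate id"
        if cert["id"] in self.deny or (self.allow is not None and cert["id"] not in self.allow):
            return "not permitted"
        return "ok"

    def issue(self, certs: List[dict]) -> List[Tuple[str, str]]:
        """Batch issuance (steps S3/S4): every accepted certificate goes into one new block."""
        results, accepted, pending = [], [], set()
        for cert in certs:
            reason = self.check(cert, pending)
            results.append((cert.get("id", "?"), reason))
            if reason == "ok":
                accepted.append(cert)
                pending.add(cert["id"])
        if accepted:
            prev = self.blocks[-1]
            body = {"index": prev["index"] + 1, "prev": prev["hash"], "certs": accepted}
            self.blocks.append(dict(body, hash=_digest(body)))
            for cert in accepted:
                self.issued[cert["id"]] = (cert, "valid")
        return results

    def chain_is_valid(self) -> bool:
        """Recompute every block hash and link; a modified certificate breaks the chain."""
        for i, block in enumerate(self.blocks):
            body = {k: v for k, v in block.items() if k != "hash"}
            if _digest(body) != block["hash"]:
                return False
            if i > 0 and block["prev"] != self.blocks[i - 1]["hash"]:
                return False
        return True
```

`issue()` returns one result per submitted certificate in order, which is what step S4 hands back so that step S6 can re-run S1 to S5 for the entries that failed; a second certificate with the same ID in the same batch is rejected as a duplicate, not just one already on the ledger. `chain_is_valid()` is the property the page relies on when it says that writing a certificate into the blockchain is what makes it issued: altering a recorded certificate changes its block hash and breaks the link from every later block.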

Example 2:

This example differs from Example 1 in that the small base station does not store the digital certificate directly but only stores information such as the public key and the device identifier; generation of the digital certificate then includes:

The provincial company/equipment vendor generates the small base station's ID, private key and public key, and installs the ID, private key and public key into the small base station on the small base station production line. The ID contains a serial-number part, a random-number part and a verification part, ensuring that it neither duplicates anyone else's ID nor can be produced by anyone else.

The provincial company/equipment vendor creates a self-signed certificate from the small base station's ID, private key and public key; the certificate contains the small base station ID, so that one small base station corresponds to exactly one blockchain certificate.

After the base station has connected to the network, it generates a digital certificate itself from the ID and the public key and, by interacting with the blockchain digital certificate system, broadcasts the digital certificate it generated; once the digital certificate is carried in a certificate block that has passed verification based on the consensus mechanism, the digital certificate takes effect.

As shown in FIG. 9, this example provides a digital certificate generation method, including:

Step S11: The small base station is configured with an ID before leaving the factory; the ID has a certain randomness, as described in the batch digital certificate generation part above.

Step S12: The small base station generates a public/private key pair and generates a self-signed digital certificate based on the ID.

Step S13: The small base station sends its self-signed digital certificate to the blockchain digital certificate system and requests issuance of the certificate, that is, it reports the digital certificate information.

Step S14: The blockchain digital certificate system verifies the digital certificate submitted by the small base station in order to issue it; if verification passes, the certificate is recorded in the blockchain through the consensus mechanism. This step is the same as in Example 1.

Step S15: The blockchain digital certificate system returns the certificate issuance result.

Step S16: If issuance fails because of a duplicate name or a similar reason (i.e. the application fails), corresponding handling is required according to the reason for the failure, for example re-executing steps S11 to S15.

Example 3:

This example provides a digital certificate authentication method, including:

After receiving the small base station's digital certificate, the security gateway verifies the legitimacy of the small base station certificate, including whether the certificate identifier of the digital certificate (for example, the certificate name) matches the small base station ID and whether the digital certificate is within its validity period; it then queries the blockchain digital certificate system for the status information of the digital certificate. The query request contains certificate information, such as the complete digital certificate or a hash value of the digital certificate.

The blockchain digital certificate system looks up the latest status information of the certificate based on the certificate information and returns the status information to the security gateway.

The security gateway authenticates the small base station's digital certificate according to the certificate status.

In this solution, the security gateway may be part of the blockchain digital certificate system, for example by storing the complete blockchain, so that it can query and authenticate the small base station's digital certificate locally.

As shown in FIG. 10, the digital certificate authentication method provided by this example includes:

Step S21: The small base station starts up;

Step S22: The small base station sends an initialization request to the security gateway;

Step S23: The small base station receives the initialization response from the security gateway;

Step S24: The small base station sends a digital certificate authentication request to the security gateway; the authentication request does not carry the complete content of the digital certificate but carries the certificate identifier;

Step S25: The security gateway sends a query request to the blockchain digital certificate system;

Step S26: The blockchain digital certificate system queries the status information of the digital certificate;

Step S27: The blockchain digital certificate system returns the status information of the digital certificate to the security gateway;

Step S28: The security gateway authenticates the small base station's digital certificate based on the status information;

Step S29: An authentication authorization field (IKE-AUTN) is computed from the digital certificate that passed authentication; the generated content is returned to the small base station as the authentication response;

Step S30: The security gateway sends the authentication response to the small base station;

Step S31: The gateway's digital certificate is verified based on the authentication response.

Example 4:

If the small base station does not store its own digital certificate, for example because the second batch certificate generation scheme is used, then during authentication with the security gateway the small base station needs to tell the security gateway the ID of its digital certificate, and the security gateway queries the blockchain digital certificate system for the corresponding digital certificate and its certificate status. For example, after receiving the certificate identifier (CERT_ID) submitted by the small base station, the security gateway queries the blockchain digital certificate system for the status information of the digital certificate. The blockchain digital certificate system looks up the corresponding certificate and its certificate status based on the certificate information and returns the digital certificate and its status to the security gateway. The security gateway authenticates the small base station according to the digital certificate and its status. The solution in this example reduces the traffic between the small base station and the security gateway on the one hand, and on the other hand lowers the certificate management requirements on the small base station, such as certificate generation and renewal, which can reduce cost.

Specifically, the digital certificate authentication method provided by this example may be as shown in FIG. 11 and includes:

Step S41: The small base station starts up;

Step S42: The small base station sends an initialization request to the security gateway;

Step S43: The small base station receives the initialization response from the security gateway;

Step S44: The small base station sends a digital certificate authentication request to the security gateway; the authentication request carries the complete content of the digital certificate and the certificate identifier;

Step S45: The security gateway sends a query request to the blockchain digital certificate system;

Step S46: The blockchain digital certificate system queries the status information of the digital certificate and the corresponding digital certificate;

Step S47: The blockchain digital certificate system returns the status information of the digital certificate and the digital certificate to the security gateway;

Step S48: The security gateway authenticates the small base station's digital certificate based on the status information;

Step S49: An authentication authorization field (IKE-AUTN) is computed from the digital certificate that passed authentication; the generated content is returned to the small base station as the authentication response;

Step S50: The security gateway sends the authentication response to the small base station; the authentication response may also carry the gateway's digital certificate.

Step S51: The gateway's digital certificate is verified based on the authentication response.
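The gateway-side checks of Examples 3 and 4, as an added example that is not part of the patent or any implementation by the applicant: the local checks the page lists (certificate identifier matches the small base station ID, certificate within its validity period) run first, and only then is the ledger asked for the latest status, either by the hash of the presented certificate (Example 3) or by CERT_ID when the base station holds no certificate and the ledger returns both certificate and status (Example 4). The `LedgerView` dictionary standing in for the blockchain digital certificate system's query interface, the certificate record layout, and the assumption that the certificate identifier is the device ID are all this example's own; the IKE-AUTN computation of steps S29/S49 is not modelled because the page gives no detail for it.

```python
"""Constructed model of the security-gateway side of Examples 3 and 4: local checks
(certificate identifier matches the base station ID, validity period), then a
status query to the ledger, either by the hash of the presented certificate
(Example 3) or by CERT_ID when the base station stores no certificate (Example 4).
Added example, not the patent's code; the ledger is a dictionary stand-in and the
certificate identifier is taken to be the device ID (assumption)."""
import hashlib
import json
from typing import Dict, Optional, Tuple


def cert_hash(cert: dict) -> str:
    """Canonical hash of the certificate record, so a query can carry it instead of the full certificate."""
    return hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()


class LedgerView:
    """Stand-in for the blockchain digital certificate system's query interface (assumption)."""

    def __init__(self) -> None:
        self.by_id: Dict[str, Tuple[dict, str]] = {}  # certificate identifier -> (certificate, status)

    def record(self, cert: dict, status: str) -> None:
        self.by_id[cert["id"]] = (cert, status)

    def status_by_hash(self, digest: str) -> Optional[str]:
        """Example 3 query: latest status of the certificate with this hash, or None if unknown."""
        for cert, status in self.by_id.values():
            if cert_hash(cert) == digest:
                return status
        return None

    def lookup_by_cert_id(self, cert_id: str) -> Optional[Tuple[dict, str]]:
        """Example 4 query: the certificate itself together with its status."""
        return self.by_id.get(cert_id)


def authenticate(ledger: LedgerView, station_id: str, now: int,
                 cert: Optional[dict] = None, cert_id: Optional[str] = None) -> Tuple[bool, str]:
    """Gateway decision as (accepted, reason); anything the ledger cannot confirm is rejected."""
    status = None
    if cert is None:
        # Example 4: only CERT_ID was sent; fetch certificate and status from the ledger.
        if cert_id is None:
            return False, "neither certificate nor certificate identifier presented"
        found = ledger.lookup_by_cert_id(cert_id)
        if found is None:
            return False, "unknown certificate identifier"
        cert, status = found
    # Local checks from Example 3, performed before any status query.
    if cert.get("id") != station_id:
        return False, "certificate identifier does not match base station id"
    if not (cert.get("not_before", 0) <= now <= cert.get("not_after", -1)):
        return False, "outside validity period"
    if status is None:
        # Example 3: the full certificate was presented; ask the ledger for its latest status by hash.
        status = ledger.status_by_hash(cert_hash(cert))
        if status is None:
            return False, "certificate not on ledger"
    if status != "valid":
        return False, f"status is {status}"
    return True, "authenticated"
```

Querying by hash rather than by identifier is what makes the Example 3 path detect a certificate whose fields were altered after issuance: the altered record passes the local checks but hashes to a value the ledger has never recorded, so the status lookup fails and the request is rejected. A gateway that stores the complete blockchain, as the page allows, would answer `status_by_hash` and `lookup_by_cert_id` from its local copy instead of over the network.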

In the digital certificate generation and authentication methods provided by the embodiments of the present disclosure, the base station, the operator device or the equipment vendor generates the digital certificate itself, without a CA producing and issuing it; the digital certificate can therefore be configured before the small base station joins the network or even before it leaves the factory, batch operation becomes possible, and the efficiency of certificate generation and configuration is improved.

In the digital certificate authentication methods shown in FIG. 10 and FIG. 11, the part inside the dashed box is the improved flow in which digital certificate authentication is performed during the base station's initial configuration by interacting with the blockchain digital certificate system.

In some cases, the small base station may store only the public key and not the digital certificate, which reduces the traffic between the small base station and the security gateway, lowers the digital certificate management requirements on the small base station, and reduces the cost of the small base station.

Decentralization is achieved with the blockchain: because the blockchain stores digital certificates in a distributed manner, the large number of requests that would arise when small base stations and security gateways query a CA for certificate status is avoided. There is no CA in this example, which avoids the cost of building and maintaining one. The changes to existing solutions are small and the cost of modification is low.

In the several embodiments provided by the present application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function; in actual implementation there may be other ways of dividing them, for example multiple units or components may be combined, or may be integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.

The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present disclosure may all be integrated into one processing module, or each unit may stand alone as a unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.

A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions. The aforementioned program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the aforementioned storage medium includes various media that can store program code, such as a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

The above are only specific embodiments of the present disclosure, but the scope of protection of the present disclosure is not limited thereto. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed herein shall be covered by the scope of protection of the present disclosure. Therefore, the scope of protection of the present disclosure shall be determined by the scope of protection of the claims.

Claims (15)

1. A method for generating a digital certificate, comprising: a predetermined device acquiring a device identifier and a public key of a base station, wherein the predetermined device is the base station that uses the digital certificate, a vendor device of the manufacturer that produces the base station, or an operator device of the operator that deploys the base station; and generating the digital certificate according to the device identifier and the public key, wherein the digital certificate is used by a blockchain digital certificate system to generate a certificate block, and takes effect when the certificate block passes verification based on a consensus mechanism.

2. The method of claim 1, wherein, when the predetermined device is the vendor device or the operator device, the method further comprises: broadcasting the digital certificate to the blockchain digital certificate system; when the certificate block passes verification, confirming that the digital certificate has taken effect; and writing the digital certificate that has taken effect into the corresponding base station.

3. The method of claim 1, further comprising: when the predetermined device is the vendor device or the operator device, writing the generated digital certificate into the base station, wherein the digital certificate is used by the base station to broadcast it to the blockchain digital certificate system itself after connecting to the network.

4. The method of claim 1, wherein the predetermined device acquiring the device identifier and the public key of the base station comprises: the base station reading the pre-stored device identifier; and acquiring the public key; the predetermined device generating the digital certificate comprises: the base station generating the digital certificate according to the predetermined information; and the method further comprises: broadcasting the digital certificate to the blockchain digital certificate system; and when the certificate block passes verification, confirming that the digital certificate has taken effect.

5. The method of claim 4, wherein the predetermined device acquiring the device identifier and the public key of the base station comprises: after the base station has connected to the network, reading the pre-stored device identifier; and generating the public key using a key generation algorithm.

6. The method of claim 5, wherein reading the pre-stored device identifier after the base station has connected to the network comprises: the base station reading the pre-stored device identifier after it has connected to the network and before it is set up as an access network element, or after it is set up as an access network element; and broadcasting the digital certificate to the blockchain digital certificate system comprises: broadcasting the digital certificate to the blockchain digital certificate system according to a pre-stored communication address of the blockchain digital certificate system.

7. A method for authenticating a digital certificate, applied to a gateway, comprising: receiving an authentication request sent by a base station, wherein the authentication request is used to authenticate the digital certificate of the base station, the digital certificate is generated by the base station itself or by a vendor device, and the vendor device is a device of the manufacturer of the base station; querying, based on the authentication request, status information of the digital certificate stored in a blockchain digital certificate system; authenticating the digital certificate based on the status information; and when the digital certificate passes verification, returning an authentication response to the base station.

8. The authentication method of claim 7, wherein receiving the authentication request sent by the base station comprises: receiving an authentication request carrying a certificate identifier of the digital certificate; and querying, based on the authentication request, the status information of the digital certificate stored in the blockchain digital certificate system comprises: querying, based on the certificate identifier, the digital certificate and the status information stored in the blockchain digital certificate system.

9. The authentication method of claim 7, wherein receiving the authentication request sent by the base station comprises: receiving an authentication request carrying the certificate identifier of the digital certificate and the digital certificate.

10. The method of any one of claims 7 to 9, wherein querying, based on the authentication request, the status information of the digital certificate stored in the blockchain digital certificate system comprises: when the gateway is a bookkeeping node of the blockchain digital certificate system, querying the status information locally; or, when the gateway is not a bookkeeping node of the blockchain digital certificate system, querying the blockchain digital certificate system for the status information.

11. A communication device, wherein the communication device is a predetermined device, the predetermined device being the base station that uses the digital certificate, a vendor device of the manufacturer that produces the base station, or an operator device of the operator that deploys the base station, comprising: an acquiring unit, configured to acquire a device identifier and a public key of the base station; and a certificate generating unit, configured to generate a digital certificate according to the device identifier and the public key, wherein the digital certificate is used by a blockchain digital certificate system to generate a certificate block, and takes effect when the certificate block passes verification based on a consensus mechanism.

12. A communication device, wherein the communication device is a gateway, comprising: a receiving unit, configured to receive an authentication request sent by a base station, wherein the authentication request is used to authenticate the digital certificate of the base station, the digital certificate is generated by the base station itself or by a vendor device, and the vendor device is a device of the manufacturer of the base station; a querying unit, configured to query, based on the authentication request, the digital certificate and/or the status information of the digital certificate stored in a blockchain digital certificate system; an authenticating unit, configured to authenticate the digital certificate based on the status information; and a sending unit, configured to return an authentication response to the base station when the digital certificate passes verification.

13. A communication device, comprising: a transceiver for sending and receiving information; a memory for storing information; and a processor connected to the transceiver and the memory respectively, configured to control, through execution of a computer program, the sending and receiving of information by the transceiver and the storage of information by the memory, and to implement the digital certificate generation method of any one of claims 1 to 6 or the digital certificate authentication method of any one of claims 7 to 10.

14. A communication device, comprising a transceiver, a memory, a processor, and a computer program stored in the memory and executed by the processor; the processor being connected to the transceiver and the memory respectively and configured to implement, through execution of the computer program, the digital certificate generation method of any one of claims 1 to 6 or the digital certificate authentication method of any one of claims 7 to 10.

15. A computer storage medium storing a computer program; after the computer program is executed, the digital certificate generation method of any one of claims 1 to 6 or the digital certificate authentication method of any one of claims 7 to 10 can be implemented.
PCT/CN2018/088853 2017-08-16 2018-05-29 Methods for generating and authenticating digital certificate, communication device, and storage medium Ceased WO2019033822A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710703108.0A CN109412792A (en) 2017-08-16 2017-08-16 Generation, authentication method, communication equipment and the storage medium of digital certificate
CN201710703108.0 2017-08-16

Publications (1)

Publication Number Publication Date
WO2019033822A1 true WO2019033822A1 (en) 2019-02-21

Family

ID=65361787

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/088853 Ceased WO2019033822A1 (en) 2017-08-16 2018-05-29 Methods for generating and authenticating digital certificate, communication device, and storage medium

Country Status (2)

Country Link
CN (1) CN109412792A (en)
WO (1) WO2019033822A1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110008682B (en) * 2019-03-31 2020-12-29 西安邮电大学 A method for updating data in different types of storage media based on PKI
CN109981680B (en) * 2019-04-08 2021-08-24 上海人行道网络信息技术有限公司 Access control implementation method and device, computer equipment and storage medium
CN112152791B (en) * 2019-06-27 2021-12-03 华为技术有限公司 Certificate updating method and related equipment
CN110336675B (en) * 2019-07-05 2022-08-02 中国工商银行股份有限公司 Monitoring method and device for digital certificate expiration date
CN111132149B (en) * 2019-12-30 2023-11-21 全链通有限公司 Registration method of 5G user terminal, user terminal equipment and medium
CN114024678B (en) * 2020-07-15 2025-04-04 中国移动通信有限公司研究院 Information processing method, system and related device
CN114268953B (en) * 2020-09-14 2023-08-15 中国移动通信集团重庆有限公司 Base station authentication method, query node, system and equipment
CN112422289B (en) * 2020-09-30 2022-02-22 郑州信大捷安信息技术股份有限公司 Method and system for offline security distribution of digital certificate of NB-IoT (NB-IoT) terminal equipment
CN114626045A (en) * 2020-12-14 2022-06-14 宝能汽车集团有限公司 Secure canning method and system, storage medium, front-end processor and TSP platform
CN112861106B (en) * 2021-02-26 2023-01-10 卓尔智联(武汉)研究院有限公司 Digital certificate processing method and system, electronic device and storage medium
CN116347443A (en) * 2021-12-22 2023-06-27 中兴通讯股份有限公司 Base station access control method, base station, block chain system and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105472604A (en) * 2014-09-09 2016-04-06 中兴通讯股份有限公司 Digital certificate state processing method, device and system
US20160330035A1 (en) * 2015-05-05 2016-11-10 ShoCard, Inc. User Identification Management System and Method
CN106385315A (en) * 2016-08-30 2017-02-08 北京三未信安科技发展有限公司 Digital certificate management method and system
WO2017065389A1 (en) * 2015-10-16 2017-04-20 (주)코인플러그 Accredited certificate issuance system based on block chain and accredited certificate issuance method based on block chain using same, and accredited certificate authentication system based on block chain and accredited certificate authentication method based on block chain using same
CN106789041A (en) * 2017-02-15 2017-05-31 江苏信源久安信息科技有限公司 A kind of credible block chain method of decentralization certificate

Also Published As

Publication number Publication date
CN109412792A (en) 2019-03-01

Similar Documents

Publication Publication Date Title
WO2019033822A1 (en) Methods for generating and authenticating digital certificate, communication device, and storage medium
US11956361B2 (en) Network function service invocation method, apparatus, and system
EP3726804B1 (en) Device authentication method, service access control method, device, and non-transitory computer-readable recording medium
KR102018971B1 (en) Method for enabling network access device to access wireless network access point, network access device, application server and non-volatile computer readable storage medium
CN111783068A (en) Device authentication method, system, electronic device and storage medium
US8516133B2 (en) Method and system for mobile device credentialing
EP3017582B1 (en) Method to enroll a certificate to a device using scep and respective management application
JP7670836B2 (en) Key provisioning methods and related products
EP3425842B1 (en) Communication system and communication method for certificate generation
EP3326321B1 (en) Method and apparatus for providing secure communication among constrained devices
CN118199968A (en) Device and method for negotiating digital certificates between SSP device and server
CN109756447A (en) A kind of safety certifying method and relevant device
WO2018177143A1 (en) Identity authentication method and system, server and terminal
KR20160127167A (en) Multi-factor certificate authority
US20060224890A1 (en) System and method for achieving machine authentication without maintaining additional credentials
WO2019056971A1 (en) Authentication method and device
CN108352982A (en) Communication device, communication means and computer program
CN108632037B (en) Public key processing method and device for public key infrastructure
CN114205162B (en) Method and system for mutual trust authentication based on blockchain PKI
WO2024016124A1 (en) Device configuration methods and apparatuses, and communication device
WO2023240587A1 (en) Device permission configuration method and apparatus, and terminal device
JP2024513526A (en) Root of trust registration and device-bound public key registration
CN119404469A (en) Security implementation method and device, system, communication equipment, chip, storage medium
CN113455025A (en) Method for SSP terminal to interoperate between bundle downloading process and ESIM configuration file downloading process
CN103152730A (en) Anti-DoS (Denial of Service) radio access method for universal mobile telecommunications system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18846003

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 13/08/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18846003

Country of ref document: EP

Kind code of ref document: A1