CN-122002285-A - Access right management method, device and storage medium
Abstract
The application provides an access right management method, device and storage medium, relating to the technical field of communication. The method is applied to a first functional network element and comprises: receiving a digital identity identifier sent by a first network device, wherein the digital identity identifier is the digital identity identifier of a terminal; and sending structured information to the first network device, wherein the digital identity identifier and the structured information are used for determining whether the terminal has access rights to the first network device. The scheme of the application can improve the efficiency of access right management.
Inventors
- Liang Yacong
Assignees
- 大唐移动通信设备有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20241106
Claims (20)
- 1. An access rights management method, applied to a first functional network element, the method comprising: receiving a digital identity identifier sent by a first network device, wherein the digital identity identifier is the digital identity identifier of a terminal; determining structured information of the terminal according to the digital identity identifier; and sending the structured information to the first network device, wherein the digital identity identifier and the structured information are used for determining whether the terminal has access rights to the first network device.
- 2. The method of claim 1, wherein the structured information comprises at least one of: type information for indicating that the digital identity identifier is a digital identity identifier of the terminal type; an encryption mechanism identifier for indicating the encryption mechanism of the digital identity identifier; key credential information for indicating a public key of the terminal; home network device information for indicating a home network device of the terminal; and access network device information for indicating the network devices that the terminal is allowed to access.
- 3. The method of claim 2, wherein the digital identity identifier comprises at least one of: an identifier of a digital identity scheme; an identifier of a digital identity method; and a character string identifier of the terminal in the digital identity method, wherein the character string identifier is obtained by encrypting the subscription concealed identifier (SUCI) of the terminal and an identifier of a second network device with the encryption mechanism, and the second network device is the home network device of the terminal.
- 4. The method of claim 3, further comprising: receiving the home network device information sent by the first network device; determining whether the terminal has access rights to the first network device according to the home network device information; and sending a response message to the first network device, wherein the response message is used for indicating whether the terminal has access rights to the first network device.
- 5. The method of claim 4, wherein determining whether the terminal has access rights to the first network device according to the home network device information comprises: decrypting the character string identifier according to the encryption mechanism to obtain the SUCI of the terminal; and determining whether the terminal has access rights to the first network device according to the SUCI of the terminal and access control information corresponding to the second network device, wherein the access control information is determined through the home network device information, the access control information is used for indicating the network devices that at least one terminal is allowed to access, and the home network device of each of the at least one terminal is the second network device.
- 6. The method of claim 4 or 5, wherein the response message further comprises the SUCI of the terminal in the case that the response message indicates that the terminal has access rights to the first network device.
- 7. An access rights management method, applied to a first network device, the method comprising: receiving a first access request message sent by a terminal, wherein the first access request message comprises a digital identity identifier of the terminal; sending the digital identity identifier to a first functional network element; receiving structured information of the terminal sent by the first functional network element; and determining whether the terminal has access rights to the first network device according to the structured information.
- 8. The method of claim 7, wherein the structured information comprises at least one of: type information for indicating that the digital identity identifier is a digital identity identifier of the terminal type; an encryption mechanism identifier for indicating the encryption mechanism of the digital identity identifier; key credential information for indicating a public key of the terminal; home network device information for indicating a home network device of the terminal; and access network device information for indicating the network devices that the terminal is allowed to access.
- 9. The method of claim 8, wherein the first access request message further comprises digital signature information of the terminal, and determining whether the terminal has access rights to the first network device according to the structured information comprises: verifying the digital signature information according to the public key of the terminal to obtain a verification result; and in the case that the verification result is that the verification is passed, determining whether the terminal has access rights to the first network device according to the home network device information and/or the access network device information.
- 10. The method of claim 9, wherein determining whether the terminal has access rights to the first network device according to the home network device information and/or the access network device information comprises: in the case that the access network device information comprises an identifier of the first network device, determining that the terminal has access rights to the first network device.
- 11. The method of claim 10, further comprising: sending a query request message to the terminal, wherein the query request message is used for requesting the SUCI of the terminal; receiving the SUCI sent by the terminal; and sending a second access request message to a second network device according to the SUCI, wherein the second access request message is used for the terminal to perform initial registration on the second network device, and the second network device is the home network device of the terminal.
- 12. The method of claim 9, wherein determining whether the terminal has access rights to the first network device according to the home network device information and/or the access network device information comprises: sending the home network device information to the first functional network element in the case that the identifier of the first network device is not comprised in the access network device information; and receiving a response message sent by the first functional network element, wherein the response message is used for indicating whether the terminal has access rights to the first network device.
- 13. The method of claim 12, wherein, in the case that the response message indicates that the terminal has access rights to the first network device, the response message further comprises the SUCI of the terminal, and the method further comprises: sending a second access request message to a second network device according to the SUCI, wherein the second access request message is used for the terminal to perform initial registration on the second network device, and the second network device is the home network device of the terminal.
- 14. The method of claim 11 or 13, wherein the second access request message comprises at least one of: the digital identity identifier; the digital signature information; and the SUCI of the terminal.
- 15. The method of any one of claims 8 to 14, wherein the digital identity identifier comprises at least one of: an identifier of a digital identity scheme; an identifier of a digital identity method; and a character string identifier of the terminal in the digital identity method, wherein the character string identifier is obtained by encrypting the SUCI of the terminal and an identifier of a second network device with the encryption mechanism, and the second network device is the home network device of the terminal.
- 16. An access rights management method, applied to a terminal, the method comprising: sending a first access request message to a first network device, wherein the first access request message comprises a digital identity identifier of the terminal, the digital identity identifier is used for obtaining structured information of the terminal, and the digital identity identifier and the structured information are used for determining whether the terminal has access rights to the first network device.
- 17. The method of claim 16, further comprising: in response to receiving a query request message sent by the first network device, sending the SUCI of the terminal to the first network device.
- 18. An access rights management method, applied to a second network device, the method comprising: receiving a second access request message sent by a first network device, wherein the second access request message is used for initial registration of a terminal on the second network device, and the second network device is the home network device of the terminal.
- 19. The method of claim 18, further comprising: sending access control information corresponding to the second network device to a first functional network element, wherein the access control information is used for indicating the network devices that at least one terminal is allowed to access, and the home network device of each of the at least one terminal is the second network device.
- 20. An access rights management apparatus comprising a memory, a transceiver and a processor, wherein: the memory is configured to store a computer program; the transceiver is configured to transmit and receive data under control of the processor; and the processor is configured to read the computer program in the memory and perform the access rights management method according to any one of claims 1 to 6.
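The decision flow of claims 7 to 13, together with the functional network element's identifier resolution and home-network fallback of claims 1 to 6 and the access control information of claim 19, as an added Python model that is not part of the patent. The page names neither the signature scheme nor the encryption mechanism, so both are injected callables, and the HMAC tag and XOR stream used in the demo are constructed stand-ins; all class and function names, the SUCI value and the network identifiers are hypothetical.

```python
import hmac, hashlib
from collections import namedtuple

# Claims 2/8 (type information omitted; these are the fields the decision flow uses)
StructuredInfo = namedtuple("StructuredInfo", "enc_mechanism public_key home_network allowed_networks")
# Claims 3/15: string_id = enc_mechanism(SUCI + "|" + home network identifier)
DigitalIdentity = namedtuple("DigitalIdentity", "scheme method string_id")

def xor_stream(key, data):       # constructed stand-in: the page names no encryption mechanism
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
def hmac_verify(key, msg, tag):  # constructed stand-in: the page names no signature scheme
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)

class FunctionalNetworkElement:
    def __init__(self, registry, decryptors, access_control):
        self.registry = registry              # string_id -> StructuredInfo
        self.decryptors = decryptors          # encryption mechanism id -> decrypt(blob)
        self.access_control = access_control  # home network -> {SUCI: allowed networks} (claim 19)
    def resolve(self, did):                   # claim 1: structured information for the identifier
        return self.registry[did.string_id]
    def check_via_home(self, did, first_network):   # claims 4-6
        info = self.registry[did.string_id]
        suci, home = self.decryptors[info.enc_mechanism](did.string_id).decode().split("|")
        granted = first_network in self.access_control.get(home, {}).get(suci, ())
        return granted, (suci if granted else None)  # claim 6: SUCI disclosed only when granted

class FirstNetworkDevice:
    def __init__(self, ident, fne, verify):
        self.ident, self.fne, self.verify = ident, fne, verify
    def handle_access_request(self, did, signature):
        info = self.fne.resolve(did)                                # claims 7-8
        if not self.verify(info.public_key, did.string_id, signature):
            return "denied", None                                   # claim 9: signature check failed
        if self.ident in info.allowed_networks:
            return "granted_local", None                            # claim 10 (SUCI then queried, claim 11)
        granted, suci = self.fne.check_via_home(did, self.ident)    # claim 12
        return ("granted_via_home", suci) if granted else ("denied", None)

def demo():
    """Constructed scenario: VPLMN-A is in the identifier's allowed list, VPLMN-B only in the home ACL."""
    key, mech_key, suci = b"terminal-key", b"home-mech-key", "suci-0-001-01-0000-0-0-1234567890"
    sid = xor_stream(mech_key, f"{suci}|HPLMN-1".encode())
    did = DigitalIdentity("did", "demo-method", sid)
    fne = FunctionalNetworkElement(
        {sid: StructuredInfo("xor-demo", key, "HPLMN-1", frozenset({"VPLMN-A"}))},
        {"xor-demo": lambda blob: xor_stream(mech_key, blob)},
        {"HPLMN-1": {suci: {"VPLMN-A", "VPLMN-B"}}})
    sig = hmac.new(key, sid, hashlib.sha256).digest()
    return [FirstNetworkDevice(n, fne, hmac_verify).handle_access_request(did, s)
            for n, s in (("VPLMN-A", sig), ("VPLMN-B", sig), ("VPLMN-C", sig), ("VPLMN-A", b"forged"))]
```

The four results show the three outcomes the claims distinguish: local grant from the access network device list, grant only after the functional network element consults the home network's access control information, and denial (unlisted network or failed signature check).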
Description
Technical Field
The present application relates to the field of communications technologies, and in particular to an access right management method, an access right management device, and a storage medium.
Background
To secure communication between a terminal and a visited network device, it is necessary to determine whether the terminal is allowed to access the visited network device when the terminal requests such access. At present, whether the terminal is allowed to access the visited network device is mainly determined through the Authentication and Key Agreement (AKA) procedure; however, this approach requires the home network device of the terminal to sign a roaming agreement with the visited network device offline, and is therefore of lower efficiency.
Disclosure of Invention
The application provides an access right management method, an access right management device and a storage medium, which solve the technical problem that access right management based on the AKA procedure is of low efficiency because, in a roaming scenario, the home network device and the visited network device of the terminal must sign a roaming agreement offline.
In a first aspect, the present application provides an access rights management method, applied to a first functional network element, the method comprising: receiving a digital identity identifier sent by a first network device, wherein the digital identity identifier is the digital identity identifier of a terminal; determining structured information of the terminal according to the digital identity identifier; and sending the structured information to the first network device, wherein the digital identity identifier and the structured information are used for determining whether the terminal has access rights to the first network device.
In some embodiments, the structured information includes at least one of: type information for indicating that the digital identity identifier is a digital identity identifier of the terminal type; an encryption mechanism identifier for indicating the encryption mechanism of the digital identity identifier; key credential information for indicating a public key of the terminal; home network device information for indicating a home network device of the terminal; and access network device information for indicating the network devices that the terminal is allowed to access.
In some embodiments, the digital identity identifier comprises at least one of: an identifier of a digital identity scheme; an identifier of a digital identity method; and a character string identifier of the terminal in the digital identity method, wherein the character string identifier is obtained by encrypting the SUCI of the terminal and an identifier of a second network device with the encryption mechanism, and the second network device is the home network device of the terminal.
In some embodiments, the method further comprises: receiving home network device information sent by the first network device; determining whether the terminal has access rights to the first network device according to the home network device information; and sending a response message to the first network device, wherein the response message is used for indicating whether the terminal has access rights to the first network device.
In some embodiments, determining whether the terminal has access rights to the first network device according to the home network device information comprises: decrypting the character string identifier according to the encryption mechanism to obtain the SUCI of the terminal and the identifier of the second network device; and determining whether the terminal has access rights to the first network device according to the SUCI of the terminal and access control information corresponding to the second network device, wherein the access control information is determined through the home network device information, the access control information is used for indicating the network devices that at least one terminal is allowed to access, and the home network device of each of the at least one terminal is the second network device.
In some embodiments, if the response message indicates that the terminal has access rights to the first network device, the response message further includes the SUCI of the terminal.
In a second aspect, the present application provides an access rights management method, applied to a first network device, the method comprising: receiving a first access request message sent by a terminal, wherein the first access request message comprises a digital identity identifier of the terminal; sending the digital identity identifier to a first functional network element; receiving the structured information sent by the first functional network element; and determining whether the terminal has access rights to the first network device according to the structured information.
In some embodiments, the structured information includes at least one of: The ty