
CN102511176A - Data verification method and device thereof - Google Patents


Info

Publication number
CN102511176A
Authority
CN
China
Prior art keywords
user data
node
disaster recovery
key
response message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2011800030374A
Other languages
Chinese (zh)
Inventor
周江鲤
刘恒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/30 Types of network names
    • H04L2101/395 Internet protocol multimedia private identity [IMPI]; Internet protocol multimedia public identity [IMPU]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides a data verification method and a device thereof. The data verification method comprises: dividing the user data into permanent user data and temporary user data, and verifying the permanent user data and the temporary user data separately, wherein verifying the permanent user data comprises: generating a first key according to the permanent user data, and verifying the permanent user data according to the first key. The present invention verifies the permanent user data and the temporary user data separately and, for the permanent user data, which is rarely updated and has a larger data volume, generates the first key and verifies according to it, thus reducing the need to transmit the full permanent user data and improving the verification efficiency.

Description

Data verification method and device
Technical Field
The present invention relates to the field of wireless communication, and in particular, to a data verification method and apparatus.
Background
With the development of fixed-mobile network convergence, the UDC (User Data Convergence) architecture is becoming the main product architecture of the large communication equipment manufacturers in the SDM (Subscriber Data Management) solution. The UDC architecture uses FEs (Front End nodes) to handle the business logic of the CS/PS/IMS domains, and uses a common BE (Back End node) for converged storage and centralized management of user data. Examples of FEs include the HLR (Home Location Register), AuC (Authentication Center), HSS (Home Subscriber Server), UPCC (Unified Policy and Charging Controller), AS (Application Server), and the like. The BE serves as the user data center; it is generally deployed in a distributed manner, with disaster recovery networking formed across several geographic locations, so that the safety of user data is ensured.
The consistency and reliability of user data are the indicators telecommunication operators care about most and are core indicators of the service quality of the telecommunication network. To keep the data of each BE office consistent under disaster recovery networking, a data replication mechanism is generally used to synchronize data between offices. User data is replicated over a geographical bearer network. The quality and delay of the bearer network between geographically deployed offices have a great influence on data replication, so a data verification mechanism is used at the same time. Data replication copies modified data, while data verification checks the integrity of user data; together, replication and verification form a multi-layer protection mechanism for user data consistency.
Similarly, bearer network quality and delay have a large influence on verification, and because data verification covers all users, the volume of transmitted data is even larger. How to reduce the dependence on the bearer network, complete data verification efficiently, and ensure inter-office data consistency in a short time is therefore a key concern of telecommunication operators and communication equipment manufacturers, and is in strong demand.
One solution uses full data checks. The primary office packs and transmits the complete data of a given user to the disaster recovery office for verification, and the disaster recovery office compares the primary office's data with its own data for consistency; if the two are inconsistent, it corrects its own data, taking the data of the primary office as the standard.
This scheme requires the full data to be transmitted before the comparison. Transmitting the full data occupies a large share of the bearer network's bandwidth, and the comparison is made over the full data, so verification performance is poor, normal office operation is affected to some degree, and verifying all users takes a long time.
Disclosure of Invention
The embodiment of the invention provides a data verification method and device, which can improve the verification efficiency of user data.
In one aspect, a data verification method is provided, including: dividing user data into permanent user data and temporary user data; separately verifying the permanent user data and the temporary user data, wherein verifying the permanent user data comprises: a first key is generated based on the permanent user data, and the permanent user data is verified based on the first key.
In another aspect, a data verification apparatus is provided, including: a distinguishing unit for distinguishing the user data into permanent user data and temporary user data; and the verification unit is used for separately verifying the permanent user data and the temporary user data. The verification unit generates a first key according to the permanent user data and verifies the permanent user data according to the first key.
The embodiment of the invention separately verifies the permanent user data and the temporary user data, and generates the first key for the permanent user data with less update and larger data volume and verifies according to the first key, thereby reducing the requirement of transmitting the full permanent user data and improving the verification efficiency.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a data verification method according to an embodiment of the invention.
FIG. 2 is a schematic flow chart diagram of a data verification process of one embodiment of the present invention.
FIG. 3 is a schematic flow chart diagram of a data verification process according to another embodiment of the invention.
Fig. 4 is a block diagram of a data verification apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Because of the problems of the full data verification scheme, a mechanism that verifies by means of a Key (secret Key) was derived. Before the primary BE starts the check, it first runs an algorithm over the data of a given user at the local office to generate a Key, and sends the Key to the disaster recovery office through the bearer network; the disaster recovery BE applies the same algorithm to the data of the same user to generate a Key, and directly compares the two Keys. If they are inconsistent, it replies to the primary BE with a message requesting the full data. If they are consistent, it replies that the data is consistent. The primary BE acts on the message replied by the disaster recovery BE: if the reply indicates inconsistency, the primary BE transmits the full data so that verification can be executed. Otherwise, the verification process for that user ends.
In this scheme the Keys are compared first, so only a small amount of data needs to cross the bearer network in the first stage, and comparing Keys is faster and simpler than comparing the full data. If the Keys are the same, the data is consistent and the full data no longer needs to be transmitted, which reduces the amount of full data transmitted. The full data is transmitted only if the data is inconsistent.
But this solution does not take the characteristics of user data into account. In fact, whether in the CS (Circuit Switched), IMS (IP Multimedia Subsystem) or PS (Packet Switched) domain, one of the most prominent characteristics of user data is that the data of one user divides into permanent user data (Permanent subscriber data) and temporary user data (Temporary subscriber data).
According to the definitions of the two kinds of data in 3GPP TS 23.335, permanent user data is subscription data and relates to the necessary information the system needs to know to perform the service. Examples of permanent user data include the subscriber identity (e.g., MSISDN (Mobile Subscriber Integrated Services Digital Network Number), IMSI (International Mobile Subscriber Identity), IMPU (IP Multimedia Public Identity), or IMPI (IP Multimedia Private Identity)), service data (e.g., the service profile in IMS), authentication data, and so forth. Temporary user data changes with the results of system operation or with traffic conditions, and may include, for example, transparent data stored when an application server performs a service, an SGSN (Serving General Packet Radio Service Support Node) number, a user status, and the like.
In comparison, the updating of permanent user data is less, the life cycle is long, and the data volume is generally large; the temporary user data is updated frequently, the life cycle is short, and the data volume is generally small.
Due to the existence of temporary user data, the keys obtained between the two BEs are inconsistent with each other at a high probability. That is to say, in the above scheme, the actual effect of the first stage reducing the data volume transmitted in the second stage through the Key is not good, and in fact, a large amount of full data is transmitted through the bearer network, and the expected effect is not completely achieved.
FIG. 1 is a flow chart of a data verification method according to an embodiment of the invention. The method of fig. 1 may be performed by an active node (e.g., an active BE) or a disaster-tolerant node (e.g., a disaster-tolerant BE).
101, the user data is divided into permanent user data and temporary user data.
The definitions of the permanent user data and the temporary user data may be the same as in the prior art, for example, refer to 3GPP TS 23.335, and thus are not described in detail. In comparison, the updating of permanent user data is less, the life cycle is long, and the data volume is generally large; the temporary user data is updated frequently, the life cycle is short, and the data volume is generally small.
Optionally, the primary/disaster recovery BE may distinguish the permanent user data from the temporary user data according to the configuration of the FE. The configuration rules may refer to the partitioning of these two types of data in 3GPP TS 23.335 User Data Convergence. The embodiment of the invention does not limit the specific contents of the permanent user data and the temporary user data; it requires only that the active node and the disaster recovery node adopt the same definition for the two types of user data.
102, the permanent user data and the temporary user data are verified separately.
The permanent user data and the temporary user data are verified separately, which means that the verification processes of the two kinds of data are independent of each other. Verifying the permanent user data may comprise: generating a first key based on the permanent user data, and verifying the permanent user data based on the first key. The algorithm for generating the key can follow the prior art and is therefore not described in detail; it is only required that the active node and the disaster recovery node adopt the same algorithm.
Meanwhile, the embodiment of the invention does not limit the sequence of the verification processing of the two data. For example, the verification processing of the permanent user data and the temporary user data may be partially or entirely performed in parallel, or the verification processing of the permanent user data and the temporary user data may be performed in a sequential manner.
The embodiment of the invention separately verifies the permanent user data and the temporary user data, and generates the first key for the permanent user data with less update and larger data volume and verifies according to the first key, thereby reducing the requirement of transmitting the full permanent user data and improving the verification efficiency.
Optionally, as an embodiment, checking the temporary user data may include checking the temporary user data by a full amount. Since the data amount of the temporary user data is small, the burden of data transmission and processing is small even if the full-size verification is performed.
Optionally, as another embodiment, the verifying the temporary user data may include generating a second key according to the temporary user data, and verifying the temporary user data according to the second key. And the verification processing based on the secret key is also executed on the temporary user data, so that the requirement of transmitting the whole amount of temporary user data can be reduced, and the verification efficiency is further improved.
Alternatively, as another embodiment, the method of fig. 1 may be performed by an active node (e.g., an active BE). In this case, in step 102, if the permanent user data is verified according to the first key, the active node may send the first key to the disaster recovery node. The active node may then receive a first response message from the disaster recovery node, where the first response message includes an indication, determined by the disaster recovery node according to the first key, of whether the permanent user data is consistent with the corresponding permanent user data stored on the disaster recovery node. Optionally, when the first response message includes an indication that the permanent user data is inconsistent with the corresponding permanent user data stored on the disaster recovery node, the active node may send the permanent user data to the disaster recovery node, so that the disaster recovery node performs full verification on the permanent user data.
Alternatively, as another embodiment, the method of fig. 1 may be performed by an active node (e.g., an active BE). In this case, if the temporary user data is verified according to the second key in step 102, the active node may send the second key to the disaster recovery node. The active node may then receive a second response message from the disaster recovery node, where the second response message includes an indication, determined by the disaster recovery node according to the second key, of whether the temporary user data is consistent with the corresponding temporary user data stored on the disaster recovery node. Optionally, when the second response message includes an indication that the temporary user data is inconsistent with the corresponding temporary user data stored on the disaster recovery node, the active node may send the temporary user data to the disaster recovery node, so that the disaster recovery node performs full verification on the temporary user data.
Alternatively, as another embodiment, the method of fig. 1 may be performed by a disaster recovery node (e.g., a disaster recovery BE). In this case, if the permanent user data is verified according to the first key in step 102, the disaster recovery node may receive a third key generated by the active node according to the corresponding permanent user data stored on the active node. The disaster recovery node may then generate a first response message according to the result of comparing whether the first key and the third key are consistent, where the first response message includes an indication of whether the permanent user data is consistent with the corresponding permanent user data stored on the active node. The disaster recovery node may send the first response message to the active node. Optionally, when the first response message includes an indication that the permanent user data is inconsistent with the corresponding permanent user data stored on the active node, the disaster recovery node may receive the corresponding permanent user data from the active node and perform a full verification according to it.
Alternatively, as another embodiment, the method of fig. 1 may be performed by a disaster recovery node (e.g., a disaster recovery BE). In this case, if the temporary user data is verified according to the second key in step 102, the disaster recovery node may receive a fourth key generated by the active node according to the corresponding temporary user data stored on the active node. The disaster recovery node may then generate a second response message according to the result of comparing whether the second key and the fourth key are consistent, where the second response message includes an indication of whether the temporary user data is consistent with the corresponding temporary user data stored on the active node. The disaster recovery node may send the second response message to the active node. Optionally, when the second response message includes an indication that the temporary user data is inconsistent with the corresponding temporary user data stored on the active node, the disaster recovery node may receive the corresponding temporary user data from the active node and perform a full verification according to it.
According to the embodiment of the invention, the data is subjected to partition verification according to the characteristics of the user data, so that the data transmission quantity of the bearer network is reduced, and the influence of the quality of the bearer network on the user data verification is reduced. Meanwhile, the efficiency of data verification is improved, the time for completing user verification is shortened, and the consistency of data is ensured in a short time.
Embodiments of the present invention are described in more detail below with reference to specific examples. It should be noted that the embodiments of fig. 2 and 3 are only for helping those skilled in the art to better understand the present invention, and are not intended to limit the scope of the present invention.
In the embodiments of fig. 2 and fig. 3, the primary BE is taken as an example of a primary node, and the disaster recovery BE is taken as an example of a disaster recovery node. The embodiment of the present invention is not limited to this, but may be applied to any active/disaster recovery node type.
In addition, for simplicity, only one disaster-tolerant BE is illustrated in fig. 2 and 3, but the embodiment of the present invention is not limited thereto, and two or more disaster-tolerant BEs may be used to further improve the data security.
Fig. 2 and fig. 3 only illustrate a process of verifying temporary user data in a key comparison manner, but the embodiment of the present invention is not limited thereto. Since the data amount of the temporary user data is generally small, the whole amount of the temporary user data can be directly checked.
FIG. 2 is a schematic flow chart diagram of a data verification process of one embodiment of the present invention. The embodiment of fig. 2 is an HLR-FE and BE scenario. Typical permanent subscriber data of the HLR includes subscriber identities such as IMSI and MSISDN, and authentication keys. Typical temporary subscriber data of the HLR includes location information, the VLR (Visitor Location Register) number, and the like.
Steps 201 to 209 are the process of performing verification processing on the permanent user data.
201, the primary BE generates a key1 of permanent user data (such as IMSI/MSISDN) of a certain user in the office according to the configuration of HLR-FE and a predetermined algorithm. The predetermined algorithm for calculating the key may be the same as in the prior art and will not be described in detail.
202, the primary BE sends key1 to the disaster-tolerant BE.
203, the disaster recovery BE uses the same predetermined algorithm to obtain the corresponding key2 according to the permanent user data (such as IMSI/MSISDN, etc.) of the same user.
Although step 203 is depicted in fig. 2 as being performed after step 202, embodiments of the present invention are not limited in this regard and step 203 may be performed before step 202 or simultaneously with step 202.
204, the disaster recovery BE compares whether the two keys key1 and key2 are consistent.
205, if the comparison result of key1 and key2 in step 204 is consistent (e.g. key1 and key2 have equal values), the disaster recovery BE sends a response message to the primary BE. The response message in step 205 indicates that the comparison result of key1 and key2 is consistent, or indicates that the two versions of the permanent user data of the user on the primary BE and the disaster recovery BE are consistent. Thus, data verification of the user's permanent user data is complete.
Optionally, on the other hand, if the comparison results of key1 and key2 in step 204 are not consistent (e.g., the values of key1 and key2 are not equal), steps 206 to 209 are performed.
206, the disaster recovery BE sends a response message to the primary BE. The response message in step 206 indicates that the comparison result of key1 and key2 is inconsistent, or indicates that the two versions of the permanent user data of the user on the primary BE and the disaster-tolerant BE are inconsistent. Thus, the response message in step 206 requests a full check of the user's permanent user data.
207, the primary BE sends the permanent user data (such as IMSI/MSISDN) of the user to the disaster recovery BE according to the response message of step 206.
208, after the disaster recovery BE receives the permanent user data of the user sent by the primary BE, the disaster recovery BE performs a full check based on the corresponding permanent user data (such as IMSI/MSISDN) stored in the disaster recovery BE, and completes the check operation. For example, in the case where the permanent user data sent from the primary BE and the permanent user data stored in the disaster-tolerant BE do not pass the full amount check, the permanent user data sent from the primary BE is used to replace the permanent user data stored in the disaster-tolerant BE.
209, the disaster recovery BE replies a response message to the primary BE to indicate that the full verification is completed.
Step 211-.
211, the primary BE converts the temporary user data (such as location information, VLR number, etc.) of a certain user in the office point into a key3 according to the configuration of HLR-FE and a predetermined algorithm. The predetermined algorithm for calculating the key may be the same as in the prior art and will not be described in detail.
212, the primary BE sends key3 to the disaster-tolerant BE.
213, the disaster recovery BE uses the same predetermined algorithm to obtain the corresponding key4 according to the temporary user data (such as location information, VLR number, etc.) of the same user.
Although step 213 is depicted in fig. 2 as being performed after step 212, the embodiment of the present invention is not limited in this regard, and step 213 may be performed before step 212 or simultaneously with step 212.
214, the disaster recovery BE compares the two keys key3 and key4 for agreement.
215, if the comparison result of the key3 and the key4 in the step 214 is consistent (for example, the key3 and the key4 have equal values), the disaster recovery BE sends a response message to the primary BE. The response message in step 215 indicates that the comparison result of key3 and key4 is consistent, or indicates that the two versions of the temporary user data of the user on the primary BE and the disaster recovery BE are consistent. Thus, the data verification of the temporary user data of the user is completed.
Alternatively, if the comparison of key3 and key4 in step 214 is not consistent (e.g., key3 and key4 are not equal), steps 216 to 219 are performed.
216, the disaster recovery BE sends a response message to the primary BE. The response message in step 216 indicates that the comparison result of key3 and key4 is inconsistent, or indicates that the two versions of the temporary user data of the user on the primary BE and the disaster recovery BE are inconsistent. Thus, the response message in step 216 requests a full check of the temporary user data for that user.
217, the primary BE sends the temporary user data (such as location information, VLR number, etc.) of the user to the disaster recovery BE according to the response message of step 216.
218, after receiving the temporary user data of the user sent by the primary BE, the disaster recovery BE performs full-scale verification based on the corresponding temporary user data (such as location information, VLR number, etc.) stored in the disaster recovery BE, thereby completing the verification operation. For example, in a case where the temporary user data transmitted from the primary BE and the temporary user data stored in the disaster-tolerant BE do not pass the full amount check, the temporary user data stored in the disaster-tolerant BE is replaced with the temporary user data transmitted from the primary BE.
219, the disaster recovery BE replies a response message to the primary BE to indicate that the full amount check is completed.
Step 201 and step 211 and 219 in fig. 2 are independent from each other. Therefore, although step 201-.
According to the embodiment of the invention, the data is subjected to partition verification according to the characteristics of the user data, so that the data transmission quantity of the bearer network is reduced, and the influence of the quality of the bearer network on the user data verification is reduced. Meanwhile, the efficiency of data verification is improved, the time for completing user verification is shortened, and the consistency of data is ensured in a short time.
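The exchange of steps 201 to 219, together with the single-key scheme it improves on, as an added Python example that is not part of the patent text. It assumes SHA-256 over canonical JSON as the "predetermined algorithm" (the text leaves the algorithm open), an illustrative `PERMANENT_ATTRS` configuration and attribute names, and a direct method call standing in for the bearer network; all sample values are constructed.

```python
import copy
import hashlib
import json

# Assumed FE configuration: attributes treated as permanent user data.
PERMANENT_ATTRS = {"imsi", "msisdn", "auth_key", "service_profile"}


def select(record, part):
    """Step 101: return the permanent part, the temporary part, or the whole record."""
    if part == "permanent":
        return {k: v for k, v in record.items() if k in PERMANENT_ATTRS}
    if part == "temporary":
        return {k: v for k, v in record.items() if k not in PERMANENT_ATTRS}
    return dict(record)  # "all": the single-key scheme, no partitioning


def canonical(data):
    """Deterministic encoding, so equal data yields equal bytes on both nodes."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def make_key(data):
    """The 'key' of the text; SHA-256 is an assumed choice of algorithm."""
    return hashlib.sha256(canonical(data)).digest()


class DisasterRecoveryBE:
    def __init__(self, store):
        self.store = store  # user_id -> record

    def keys_match(self, user_id, part, key):
        """Steps 203-206: compute the local key and compare it with the received one."""
        return make_key(select(self.store.get(user_id, {}), part)) == key

    def full_check(self, user_id, part, data):
        """Steps 208-209: full comparison; on mismatch the primary's copy replaces ours."""
        record = self.store.setdefault(user_id, {})
        local = select(record, part)
        if local == data:
            return False
        for name in local:
            del record[name]
        record.update(data)
        return True


def verify(primary_record, dr, user_id, parts):
    """Primary BE side; returns the number of bytes it put on the bearer network."""
    sent = 0
    for part in parts:
        data = select(primary_record, part)
        key = make_key(data)
        sent += len(key)                          # step 202 / 212: send the key
        if not dr.keys_match(user_id, part, key):
            payload = canonical(data)
            sent += len(payload)                  # step 207 / 217: send the full data
            dr.full_check(user_id, part, json.loads(payload))
    return sent


# Constructed sample record: large, stable permanent data and small temporary data.
PRIMARY = {
    "imsi": "001010000000001",
    "msisdn": "10000000001",
    "auth_key": "constructed-placeholder",
    "service_profile": "p" * 2000,
    "vlr_number": "VLR-B-02",
    "location_area": "LAC-0412",
}


def demo():
    """Replica lags on temporary data only; compare single-key and partitioned cost."""
    stale = dict(PRIMARY, vlr_number="VLR-A-17")
    results = {}
    for name, parts in (("single_key", ["all"]),
                        ("partitioned", ["permanent", "temporary"])):
        dr = DisasterRecoveryBE({"user1": copy.deepcopy(stale)})
        results[name] = verify(PRIMARY, dr, "user1", parts)
        results[name + "_synced"] = dr.store["user1"] == PRIMARY
    return results


if __name__ == "__main__":
    print(demo())
```

The digest used here is unkeyed, so it detects replicas drifting apart but not deliberate modification of a key or payload in transit. If the bearer network between offices is not trusted, a keyed MAC such as HMAC with a secret shared by the two BEs would be the analogous construction.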
FIG. 3 is a schematic flow chart diagram of a data verification process according to another embodiment of the invention. The embodiment of FIG. 3 is an HSS-FE and BE scenario. Typical permanent user data of the HSS includes user identities such as IMPI and IMPU, the service profile (Service Profile), and the like. Typical temporary user data of the HSS includes the user status and the like.
Step 301-.
301, the primary BE converts the permanent user data (such as IMPI/IMPU) of a certain user in the office into a key1 according to the configuration of HLR-FE and a predetermined algorithm. The predetermined algorithm for calculating the key may be the same as in the prior art and will not be described in detail.
302, the primary BE sends key1 to the disaster recovery BE.
303, the disaster recovery BE uses the same predetermined algorithm to obtain the corresponding key2 according to the permanent user data (such as IMPI/IMPU, etc.) of the same user.
Although step 303 is depicted in fig. 3 as being performed after step 302, embodiments of the present invention are not limited in this regard and step 303 may be performed before step 302 or concurrently with step 302.
304, the disaster recovery BE compares whether the two keys key1 and key2 agree.
305, if the comparison result of the key1 and the key2 in the step 304 is consistent (for example, the key1 and the key2 have equal values), the disaster recovery BE sends a response message to the primary BE. The response message in step 305 indicates that the comparison result of key1 and key2 is consistent, or indicates that the two versions of the permanent user data of the user on the primary BE and the disaster recovery BE are consistent. Thus, data verification of the user's permanent user data is complete.
Optionally, on the other hand, if the comparison results of key1 and key2 in step 304 are not consistent (e.g., the values of key1 and key2 are not equal), step 306-.
306, the disaster recovery BE sends a response message to the primary BE. The response message in step 306 indicates that the comparison result of key1 and key2 is inconsistent, or indicates that the two versions of the permanent user data of the user on the primary BE and the disaster-tolerant BE are inconsistent. Thus, the response message in step 306 requests that the user's permanent user data be fully verified.
307, the primary BE sends the permanent user data (such as IMPI/IMPU) of the user to the disaster-tolerant BE according to the response message of step 306.
308, after receiving the permanent user data of the user sent by the primary BE, the disaster recovery BE performs a full check based on the corresponding permanent user data (such as IMPI/IMPU, etc.) stored in the disaster recovery BE, and completes the check operation. For example, in the case where the permanent user data sent from the primary BE and the permanent user data stored in the disaster-tolerant BE do not pass the full amount check, the permanent user data sent from the primary BE is used to replace the permanent user data stored in the disaster-tolerant BE.
309, the disaster recovery BE replies a response message to the primary BE to indicate that the full verification is completed.
Steps 311-319 are the process of verifying the temporary user data.
311, the primary BE converts the temporary user data (such as user state) of a given user at the local office into key3, according to the configuration of the HLR-FE and a predetermined algorithm. The predetermined algorithm for calculating the key may be the same as in the prior art and is not described in detail.
312, the primary BE sends key3 to the disaster recovery BE.
313, the disaster recovery BE obtains the corresponding key4 according to the temporary user data (such as user status) of the same user by using the same predetermined algorithm.
Although step 313 is depicted in fig. 3 as being performed after step 312, the embodiment of the present invention is not limited in this regard, and step 313 may be performed before step 312 or simultaneously with step 312.
314, the disaster recovery BE checks whether the two keys, key3 and key4, are consistent.
315, if the comparison result of the key3 and the key4 in step 314 is consistent (for example, the key3 and the key4 have equal values), the disaster recovery BE sends a response message to the primary BE. The response message in step 315 indicates that the comparison result of key3 and key4 is consistent, or indicates that the two versions of the temporary user data of the user on the primary BE and the disaster recovery BE are consistent. Thus, the data verification of the temporary user data of the user is completed.
Alternatively, if the comparison of key3 and key4 in step 314 is not consistent (e.g., key3 and key4 are not equal), step 316-.
316, the disaster recovery BE sends a response message to the primary BE. The response message in step 316 indicates that the comparison result of key3 and key4 is inconsistent, or indicates that the two versions of the temporary user data of the user on the primary BE and the disaster recovery BE are inconsistent. Thus, the response message in step 316 requests a full check of the temporary user data for that user.
317, the primary BE sends the temporary user data (such as user state) of the user to the disaster recovery BE according to the response message of step 316.
318, after receiving the temporary user data of the user sent by the primary BE, the disaster recovery BE performs a full check against the corresponding temporary user data (such as user state, etc.) stored on the disaster recovery BE, and completes the check operation. For example, if the temporary user data sent from the primary BE and the temporary user data stored on the disaster recovery BE do not pass the full check, the temporary user data stored on the disaster recovery BE is replaced with the temporary user data sent from the primary BE.
319, the disaster recovery BE replies with a response message to the primary BE to indicate that the full check is completed.
Steps 301-309 and steps 311-319 in fig. 3 are independent of each other. Therefore, although step 301-.
According to the embodiment of the invention, user data is verified in partitions according to its characteristics, which reduces the amount of data transmitted over the bearer network and reduces the influence of bearer network quality on user data verification. At the same time, the efficiency of data verification is improved, the time needed to complete user verification is shortened, and data consistency is ensured within a short time.
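The key-compare-then-full-check flow of steps 301-309 and 311-319, as an added example that is not part of the patent text. SHA-256 over a length-prefixed field encoding stands in for the unspecified "predetermined algorithm"; the class names, field names, sample records and `PARTITION_CONFIG` are assumptions made for illustration.

```python
import hashlib

PERMANENT, TEMPORARY = "permanent", "temporary"

# Assumed partition configuration, standing in for what the FE would configure.
PARTITION_CONFIG = {
    PERMANENT: ("impi", "impu"),
    TEMPORARY: ("user_state",),
}


def partition(record, kind):
    """Return only the fields of `record` that belong to the given partition."""
    return {n: record[n] for n in PARTITION_CONFIG[kind] if n in record}


def make_key(fields):
    """Digest a partition. Fields are sorted and length-prefixed so both nodes
    hash identical bytes and {"a": "bc"} cannot collide with {"ab": "c"}."""
    h = hashlib.sha256()
    for name in sorted(fields):
        for part in (name, fields[name]):
            raw = part.encode("utf-8")
            h.update(len(raw).to_bytes(4, "big"))
            h.update(raw)
    return h.digest()


class DisasterRecoveryBE:
    def __init__(self, store):
        self.store = store  # user_id -> record dict

    def compare_key(self, user_id, kind, key_from_primary):
        """Steps 303-306 / 313-316: compute the local key and compare."""
        local = make_key(partition(self.store.get(user_id, {}), kind))
        return local == key_from_primary

    def full_check(self, user_id, kind, data_from_primary):
        """Steps 308 / 318: compare the full data; on mismatch replace the
        local partition with the primary's copy. Returns True if replaced."""
        record = self.store.setdefault(user_id, {})
        if partition(record, kind) == data_from_primary:
            return False
        for name in PARTITION_CONFIG[kind]:
            record.pop(name, None)
        record.update(data_from_primary)
        return True


class PrimaryBE:
    def __init__(self, store):
        self.store = store

    def verify_user(self, dr, user_id):
        """Verify each partition independently.
        Returns {kind: (outcome, payload_bytes_sent_by_primary)}."""
        results = {}
        for kind in (PERMANENT, TEMPORARY):
            data = partition(self.store[user_id], kind)
            key = make_key(data)
            sent = len(key)  # steps 302 / 312: only the key crosses the network
            if dr.compare_key(user_id, kind, key):
                results[kind] = ("consistent", sent)
                continue
            # Steps 307 / 317: full data is sent only after a key mismatch.
            sent += sum(len(n.encode()) + len(v.encode()) for n, v in data.items())
            replaced = dr.full_check(user_id, kind, data)
            results[kind] = ("repaired" if replaced else "consistent", sent)
        return results


def demo():
    # Constructed sample records: the temporary partition has drifted on the DR node.
    primary = PrimaryBE({"u1": {"impi": "user1@ims.example",
                                "impu": "sip:user1@ims.example",
                                "user_state": "REGISTERED"}})
    dr = DisasterRecoveryBE({"u1": {"impi": "user1@ims.example",
                                    "impu": "sip:user1@ims.example",
                                    "user_state": "NOT_REGISTERED"}})
    first = primary.verify_user(dr, "u1")
    second = primary.verify_user(dr, "u1")
    return first, second, dr.store["u1"]


if __name__ == "__main__":
    print(demo())
```

A bare digest detects accidental divergence between the two copies; it does not authenticate which node sent it, so the link between the nodes still needs its own protection.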
Under the UDC architecture, the traffic handling is done by the FE and the storage and management of user data is done by the BE. The BE can support services in various fields as long as corresponding FEs (e.g., HLR of CS domain, HSS of IMS domain) are deployed. The embodiment of the invention adopts flexible data partition configuration, the FE in each field can configure data by self, and the BE finishes user data verification according to the configuration. The embodiment of the invention is not limited to a specific network, for example, the invention can be applied to a plurality of fields such as CS/PS/IMS and the like, and can also support the application of VAS (Value Added Service).
Fig. 4 is a block diagram of a data verification apparatus according to an embodiment of the present invention. The apparatus 40 of fig. 4 comprises a distinguishing unit 41 and a verification unit 42.
The distinguishing unit 41 distinguishes the user data into permanent user data and temporary user data. The verification unit 42 verifies the permanent user data and the temporary user data separately. The verification unit 42 may generate a first key based on the permanent user data and verify the permanent user data based on the first key.
The embodiment of the invention verifies the permanent user data and the temporary user data separately. For the permanent user data, which is updated less often and has a larger data volume, it generates the first key and verifies according to the first key, thereby reducing the need to transmit the full permanent user data and improving verification efficiency.
The apparatus 40 of fig. 4 may be an active node (e.g., an active BE) or a disaster recovery node (e.g., a disaster recovery BE), and may perform the various steps of the method embodiments of fig. 1-3, which are not described again to avoid repetition.
Optionally, as an embodiment, the verification unit 42 may generate a second key according to the temporary user data, and verify the temporary user data according to the second key. Alternatively, the verification unit 42 may perform a full verification of the temporary user data.
Alternatively, as another embodiment, the apparatus 40 may be an active node (e.g., an active BE). The verification unit 42 may send the first key to the disaster recovery node and receive a first response message of the disaster recovery node. The first response message may include an indication that the disaster recovery node determines whether the permanent user data is consistent with corresponding permanent user data stored on the disaster recovery node based on the first key. Optionally, the verification unit 42 may send the permanent user data to the disaster recovery node when the response message includes an indication that the permanent user data is inconsistent with the corresponding permanent user data stored on the disaster recovery node, so that the disaster recovery node performs a full check on the permanent user data.
Alternatively, as another embodiment, the apparatus 40 may be an active node. The verification unit 42 may send the second key to the disaster recovery node and receive a second response message of the disaster recovery node. The second response message includes an indication that the disaster recovery node determines whether the temporary user data is consistent with corresponding temporary user data stored on the disaster recovery node according to the second key. Optionally, the verification unit 42 may send the temporary user data to the disaster recovery node when the response message includes an indication that the temporary user data is inconsistent with the corresponding temporary user data stored on the disaster recovery node, so that the disaster recovery node performs a full check on the temporary user data.
Optionally, as another embodiment, the apparatus 40 may be a disaster recovery node. The verification unit 42 may receive a third key generated by the active node according to the corresponding permanent user data stored on the active node; generate a first response message according to a comparison result of whether the first key and the third key are consistent, wherein the first response message comprises an indication of whether the permanent user data is consistent with corresponding permanent user data stored on the active node; and send the first response message to the active node. Optionally, the verification unit 42 may receive the corresponding permanent user data from the active node and perform a full check according to the corresponding permanent user data, in a case that the first response message includes an indication that the permanent user data is inconsistent with the corresponding permanent user data stored on the active node.
Alternatively, as another embodiment, the apparatus 40 may be a disaster recovery node (e.g., a disaster recovery BE). The verification unit 42 may receive a fourth key generated by the active node according to the corresponding temporary user data stored on the active node; generate a second response message according to a comparison result of whether the second key and the fourth key are consistent, wherein the second response message comprises an indication of whether the temporary user data is consistent with corresponding temporary user data stored on the active node; and send the second response message to the active node. Optionally, the verification unit 42 may receive the corresponding temporary user data from the active node and perform a full check according to the corresponding temporary user data, in a case that the second response message includes an indication that the temporary user data is inconsistent with the corresponding temporary user data stored on the active node.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (20)

1. A method for data verification, comprising:
dividing user data into permanent user data and temporary user data;
separately verifying the permanent user data and the temporary user data, wherein verifying the permanent user data comprises: generating a first key according to the permanent user data, and verifying the permanent user data according to the first key.
2. The data verification method of claim 1, wherein verifying the temporary user data comprises:
generating a second key according to the temporary user data, and verifying the temporary user data according to the second key; or,
and carrying out full-scale verification on the temporary user data.
3. The data checking method of claim 1 or 2, wherein the method is performed by a primary node, and the checking the permanent user data according to the first key comprises:
sending the first key to a disaster recovery node;
and receiving a first response message of the disaster recovery node, wherein the first response message includes an indication that the disaster recovery node determines whether the permanent user data is consistent with corresponding permanent user data stored on the disaster recovery node according to a first key.
4. The data verification method of claim 3, further comprising: when the first response message includes an indication that the permanent user data is inconsistent with corresponding permanent user data stored on the disaster recovery node, sending the permanent user data to the disaster recovery node so that the disaster recovery node performs full verification on the permanent user data.
5. The data verification method of claim 2, wherein the method is performed by a primary node, and wherein verifying the temporary user data according to the second key comprises:
sending the second key to a disaster recovery node;
and receiving a second response message of the disaster recovery node, wherein the second response message includes an indication that the disaster recovery node determines whether the temporary user data is consistent with corresponding temporary user data stored on the disaster recovery node according to a second key.
6. The data verification method of claim 5, further comprising: when the second response message includes an indication that the temporary user data is inconsistent with corresponding temporary user data stored in the disaster recovery node, sending the temporary user data to the disaster recovery node so that the disaster recovery node performs full verification on the temporary user data.
7. The data verification method according to claim 1 or 2, wherein the method is performed by a disaster recovery node, and the verifying the permanent user data according to the first key comprises:
receiving a third key generated by the main node according to the corresponding permanent user data stored on the main node;
generating a first response message according to a comparison result of whether the first key and the third key are consistent, wherein the first response message comprises an indication of whether the permanent user data is consistent with corresponding permanent user data stored on the main node;
and sending the first response message to the active node.
8. The data verification method of claim 7, further comprising: receiving the corresponding permanent user data from the main node in a case that the first response message comprises an indication that the permanent user data is inconsistent with the corresponding permanent user data stored on the main node, and carrying out full-scale verification according to the corresponding permanent user data.
9. The data verification method of claim 2, wherein the method is performed by a disaster recovery node, and verifying the temporary user data according to the second key comprises:
receiving a fourth key generated by the main node according to the corresponding temporary user data stored on the main node;
generating a second response message according to a comparison result of whether the second key and the fourth key are consistent, wherein the second response message includes an indication of whether the temporary user data is consistent with corresponding temporary user data stored on the active node;
and sending the second response message to the active node.
10. The data verification method of claim 9, further comprising: receiving the corresponding temporary user data from the main node in a case that the second response message comprises an indication that the temporary user data is inconsistent with the corresponding temporary user data stored on the main node, and performing full verification according to the corresponding temporary user data.
11. A data verification apparatus, comprising:
a distinguishing unit for distinguishing the user data into permanent user data and temporary user data;
and the verification unit is used for separately verifying the permanent user data and the temporary user data, and specifically used for generating a first key according to the permanent user data and verifying the permanent user data according to the first key.
12. The data verification apparatus of claim 11, wherein the verification unit is further configured to generate a second key according to the temporary user data, and verify the temporary user data according to the second key; or,
the checking unit is further configured to perform full-scale checking on the temporary user data.
13. The data checking apparatus according to claim 11 or 12, wherein the apparatus is a master node, and the checking unit is specifically configured to send the first key to a disaster recovery node; and receiving a first response message of the disaster recovery node, wherein the first response message includes an indication that the disaster recovery node determines whether the permanent user data is consistent with corresponding permanent user data stored on the disaster recovery node according to a first key.
14. The data verification apparatus according to claim 13, wherein the verification unit is specifically configured to, when the first response message includes an indication that the permanent user data is inconsistent with corresponding permanent user data stored in the disaster recovery node, send the permanent user data to the disaster recovery node, so that the disaster recovery node performs full verification on the permanent user data.
15. The data checking apparatus according to claim 12, wherein the apparatus is a master node, and the checking unit is specifically configured to send the second key to the disaster recovery node; and receiving a second response message of the disaster recovery node, wherein the second response message includes an indication that the disaster recovery node determines whether the temporary user data is consistent with corresponding temporary user data stored on the disaster recovery node according to a second key.
16. The data verification apparatus according to claim 15, wherein the verification unit is specifically configured to, when the second response message includes an indication that the temporary user data is inconsistent with corresponding temporary user data stored in the disaster recovery node, send the temporary user data to the disaster recovery node, so that the disaster recovery node performs full verification on the temporary user data.
17. The data verification apparatus according to claim 11 or 12, wherein the apparatus is a disaster recovery node, and the verification unit is specifically configured to receive a third key generated by the active node according to the corresponding permanent user data stored in the active node; generating a first response message according to a comparison result of whether the first key and the third key are consistent, wherein the first response message comprises an indication of whether the permanent user data is consistent with corresponding permanent user data stored on the main node; and sending the first response message to the active node.
18. The data checking apparatus according to claim 17, wherein the checking unit is specifically configured to, in a case that the first response message includes an indication that the permanent user data is inconsistent with corresponding permanent user data stored on the active node, receive the corresponding permanent user data from the active node, and perform the full-scale check according to the corresponding permanent user data.
19. The data verification apparatus according to claim 12, wherein the apparatus is a disaster recovery node, and the verification unit is specifically configured to receive a fourth key generated by the active node according to the corresponding temporary user data stored in the active node; generating a second response message according to a comparison result of whether the second key and the fourth key are consistent, wherein the second response message includes an indication of whether the temporary user data is consistent with corresponding temporary user data stored on the active node; and sending the second response message to the active node.
20. The data checking apparatus according to claim 19, wherein the checking unit is specifically configured to, in a case that the second response message includes an indication that the temporary user data is inconsistent with corresponding temporary user data stored on the active node, receive the corresponding temporary user data from the active node, and perform a full-scale check according to the corresponding temporary user data.
CN2011800030374A 2011-12-14 2011-12-14 Data verification method and device thereof Pending CN102511176A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/084012 WO2013086711A1 (en) 2011-12-14 2011-12-14 Data checking method and device

Publications (1)

Publication Number Publication Date
CN102511176A true CN102511176A (en) 2012-06-20

Family

ID=46222797

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011800030374A Pending CN102511176A (en) 2011-12-14 2011-12-14 Data verification method and device thereof

Country Status (2)

Country Link
CN (1) CN102511176A (en)
WO (1) WO2013086711A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009127965A1 (en) * 2008-04-18 2009-10-22 Telefonaktiebolaget Lm Ericsson (Publ) Auto-configuration and discovery of portable telecommunication system
CN101894079A (en) * 2010-07-15 2010-11-24 哈尔滨工程大学 Hash tree memory integrity protection method of variable length storage block

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7054307B2 (en) * 2000-12-29 2006-05-30 Telefonaktiebolaget Lm Ericsson (Publ) Method, apparatus and system for managing subscriber data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《3RD GENERATION PARTNERSHIP PROJECT》: "《3GPP TS 23.335 V0.5.0》", 20 October 2009 *

Also Published As

Publication number Publication date
WO2013086711A1 (en) 2013-06-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120620