CN114024678A - Information processing method and system and related device - Google Patents

Information processing method and system and related device

Info

Publication number
CN114024678A
Authority
CN
China
Prior art keywords
certificate
digital certificate
signature
network element
new
Legal status
Pending
Application number
CN202010682395.3A
Other languages
Chinese (zh)
Inventor
阎军智
刘福文
王珂
杨波
杭小勇
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN202010682395.3A
Publication of CN114024678A
Legal status: Pending

Classifications

    • H04L 9/32 (Electricity; electric communication technique; transmission of digital information, e.g. telegraphic communication; cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols): including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263: as H04L 9/32, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L 9/3247: as H04L 9/32, involving digital signatures
    • H04W 12/02 (Electricity; electric communication technique; wireless communication networks; security arrangements; authentication; protecting privacy or anonymity): protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Abstract

Embodiments of the invention disclose an information processing method, an information processing system and a related device. The method comprises: a first device obtains certificate description information of a first network element to be deployed and a first public-private key pair; generates a first digital certificate from the certificate description information and the first public-private key pair; and sends a certificate application request, containing at least the first digital certificate, to a second device, which verifies the first digital certificate by means of a digital certificate system. If the digital certificate system verifies the first digital certificate, the first device sends at least the first digital certificate to the first network element.

Description

Information processing method and system and related device
Technical Field
The present invention relates to the field of network security, and in particular, to an information processing method and system, and a related device.
Background
In a Network Function Virtualization (NFV) architecture, the Transport Layer Security (TLS) protocol protects communication between Virtual Network Functions (VNFs). For different VNFs to establish secure TLS connections with each other, each VNF should, after deployment, be configured with a digital certificate that corresponds to that VNF's identity. At present the device manufacturer configures the same digital certificate for every VNF: the certificate only has to be written into the image file, and it is then configured automatically when the VNF is deployed. With this approach the individual identity of each VNF cannot be expressed, and once the digital certificate of one VNF suffers a security problem (such as compromise of the private key that all of them share), every VNF that uses that certificate is exposed.
The 5G core network uses a Service-based Architecture (SBA) in which the different VNFs all communicate securely over TLS. Because VNFs are numerous and deployed dynamically, the management of their digital certificates must meet high security and efficiency requirements.
Disclosure of Invention
In order to solve the existing technical problem, embodiments of the present invention provide an information processing method and system, and a related device.
In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:
In a first aspect, an embodiment of the present invention provides an information processing method, comprising:
a first device obtains certificate description information of a first network element to be deployed and a first public-private key pair;
generates a first digital certificate from the certificate description information and the first public-private key pair;
sends a certificate application request to a second device, the certificate application request containing at least the first digital certificate, the second device verifying the first digital certificate by means of a digital certificate system;
and, if the digital certificate system verifies the first digital certificate, sends at least the first digital certificate to the first network element.
In the above scheme, the method further comprises: when the first device determines that the first digital certificate meets a preset condition, it obtains a new first public-private key pair;
generates a new first digital certificate from the new first public-private key pair and the certificate description information of the first network element, and generates a first signature over the new first digital certificate with the private key of the existing first public-private key pair;
sends a certificate update request to the second device, the certificate update request containing the new first digital certificate and the first signature, the second device verifying the new first digital certificate and the first signature by means of the digital certificate system;
and, if the digital certificate system verifies the new first digital certificate and the first signature, sends at least the new first digital certificate to the first network element, where it replaces the first digital certificate.
In the above scheme, the first device determines that the first digital certificate meets the preset condition
when it determines that the validity period of the first digital certificate meets a first preset condition, or that the security of the first digital certificate does not meet a second preset condition.
In the above scheme, obtaining the certificate description information of the first network element to be deployed comprises:
the first device obtaining the certificate description information of the first network element to be deployed from a Virtual Network Function Manager (VNFM);
and obtaining the first public-private key pair comprises: the first device obtaining the first public-private key pair from a fourth device that generates public-private key pairs and is located in the Network Function Virtualization Infrastructure (NFVI).
In the above scheme, the first device is located in an Element Management (EM), each network element corresponding to one EM;
and sending at least the first digital certificate to the first network element comprises:
the first EM, being the EM corresponding to the first network element, sending at least the first digital certificate to the first network element.
In the above scheme, the first device is located in the VNFM;
and sending at least the first digital certificate to the first network element comprises:
the VNFM sending at least the first digital certificate to the first EM, being the EM corresponding to the first network element, and the first EM forwarding the first digital certificate to the first network element.
In a second aspect, an embodiment of the present invention further provides an information processing method, comprising:
a second device obtains a certificate application request sent by a first device, the certificate application request containing at least a first digital certificate, which was generated from the certificate description information of a first network element and a first public-private key pair;
generates a second signature over the first digital certificate with a specific private key, and sends a first request message containing the first digital certificate and the second signature to a digital certificate system, which verifies the first digital certificate and the second signature;
obtains a first response message from the digital certificate system; when the digital certificate system has verified the first digital certificate and the second signature, the response message contains indication information stating that the first digital certificate passed verification;
and sends a certificate application response to the first device, the certificate application response containing indication information stating that the first digital certificate passed verification.
In the above scheme, the method further comprises: the second device obtains a certificate update request sent by the first device, the certificate update request containing a new first digital certificate and a first signature, the first signature having been generated over the new first digital certificate with the private key of the existing first public-private key pair;
generates a third signature over the new first digital certificate with the specific private key, and sends a second request message containing the new first digital certificate, the first signature and the third signature to the digital certificate system, which verifies the new first digital certificate, the first signature and the third signature;
obtains a second response message from the digital certificate system; when the digital certificate system has verified the new first digital certificate, the first signature and the third signature, the response message contains indication information stating that the new first digital certificate passed verification;
and sends a certificate update response to the first device, the certificate update response containing indication information stating that the new first digital certificate passed verification.
In a third aspect, an embodiment of the present invention further provides an information processing method, comprising:
a third device receives a certificate query request from the first network element, the certificate query request containing first certificate information to be queried;
retrieves, from a pre-stored certificate information set, the digital certificate corresponding to the first certificate information and the status information of that digital certificate;
and sends a certificate query response to the first network element, the certificate query response containing the digital certificate and its status information.
In the above scheme, the method further comprises: the third device receives the certificate information set sent by the digital certificate system and stores it.
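The three aspects above describe one certificate lifecycle: application (first and second aspects), update (same devices, with the first signature tying the new certificate to the previous key) and query (third aspect). The Go program below is an added example written for this page, not code from the patent or from China Mobile. It plays the fourth device (key generation), the first device (self-signed certificate), the second device (its signature over the certificate) and, in one in-memory structure, both the digital certificate system and the third device's certificate information set. Everything beyond the message contents the text specifies is an assumption of the example: Ed25519 instead of whatever the deployment's TLS profile mandates, the certificate description information reduced to an identity, SAN list and lifetime, the identity name amf-01.5gc.example used in the usage below, the statuses valid/superseded/unknown, Go maps in place of the blockchain, and the rule that a second application for an identity that already holds a certificate is refused instead of silently accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// GenerateKeyPair plays the fourth device (key generation in the NFVI); Ed25519 is this example's assumption.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SelfSignedCert is the first device's generation step: the certificate description
// information (reduced here to identity, SANs and a lifetime in days) plus the key
// pair become a self-signed end-entity certificate, returned as DER.
func SelfSignedCert(identity string, sans []string, days int, priv ed25519.PrivateKey) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: identity},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
}

// Sign produces the text's first, second and third signatures: a detached signature over the DER.
func Sign(priv ed25519.PrivateKey, der []byte) []byte { return ed25519.Sign(priv, der) }

type Entry struct { // one record of the certificate information set the third device serves
	Cert   *x509.Certificate
	Status string // "valid" or "superseded"
}

// CertSystem stands in for the digital certificate system (maps instead of a blockchain);
// it trusts exactly one certificate application device, identified by its public key.
type CertSystem struct {
	applicant ed25519.PublicKey
	entries   map[string]*Entry // keyed by the certificate's DER bytes
	current   map[string]*Entry // latest certificate per network element identity
}

func NewCertSystem(applicant ed25519.PublicKey) *CertSystem {
	return &CertSystem{applicant, map[string]*Entry{}, map[string]*Entry{}}
}

// Submit handles both request messages. firstSig is nil for a certificate application;
// for a certificate update it is the first device's signature with the OLD private key
// over the new certificate. applicantSig is the second (or third) signature over the DER.
func (s *CertSystem) Submit(der, firstSig, applicantSig []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) != nil ||
		time.Now().Before(cert.NotBefore) || time.Now().After(cert.NotAfter) {
		return errors.New("certificate is not signed by its own key or is outside its validity period")
	}
	if !ed25519.Verify(s.applicant, der, applicantSig) {
		return errors.New("signature of the certificate application device is invalid")
	}
	old, exists := s.current[cert.Subject.CommonName]
	switch {
	case firstSig == nil && exists:
		return errors.New("identity already has a certificate (re-issuing a deployed identity is refused); send a certificate update request")
	case firstSig != nil && (!exists || old.Status != "valid"):
		return errors.New("no valid certificate to update")
	case firstSig != nil:
		pub, ok := old.Cert.PublicKey.(ed25519.PublicKey)
		if !ok || !ed25519.Verify(pub, der, firstSig) {
			return errors.New("first signature was not made with the current key")
		}
		old.Status = "superseded" // stays queryable, but peers must no longer accept it
	}
	e := &Entry{cert, "valid"}
	s.entries[string(der)] = e
	s.current[cert.Subject.CommonName] = e
	return nil
}

// Query plays the third device: for the DER a peer presented, return the stored copy
// and its status. "unknown" means the peer must not be trusted.
func (s *CertSystem) Query(der []byte) (*x509.Certificate, string) {
	if e, ok := s.entries[string(der)]; ok {
		return e.Cert, e.Status
	}
	return nil, "unknown"
}
```

Usage follows the text's message order: the second device's own key pair is registered with NewCertSystem; the first device calls GenerateKeyPair and SelfSignedCert for amf-01.5gc.example and Submit(der, nil, Sign(applicantKey, der)) models the first request message; for renewal it generates a fresh key pair and certificate and Submit(newDer, Sign(oldKey, newDer), Sign(applicantKey, newDer)) models the second request message; a VNF that received a peer certificate calls Query with its DER. What the checks buy: the digital certificate system never sees a private key, yet it confirms that each certificate really is signed by the key it carries, that the trusted application device vouched for it, and, for an update, that the holder of the previous private key authorized the replacement. The old record is kept with status superseded so that a VNF still being presented the old certificate gets a definite answer instead of "unknown". The text also has the certificate management device ship the private key to the VNF through the EM or VNFM; that path is outside this example and needs its own confidentiality protection.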
In a fourth aspect, an embodiment of the present invention further provides an information processing apparatus comprising a first communication unit and a first processing unit, wherein:
the first communication unit obtains certificate description information of a first network element to be deployed and obtains a first public-private key pair;
the first processing unit generates a first digital certificate from the certificate description information and the first public-private key pair;
the first communication unit sends a certificate application request, containing at least the first digital certificate, to a second apparatus, which verifies the first digital certificate by means of a digital certificate system; and the first communication unit further sends at least the first digital certificate to the first network element if the digital certificate system verifies the first digital certificate.
In the above scheme, the first communication unit further obtains a new first public-private key pair when the first processing unit determines that the first digital certificate meets a preset condition;
the first processing unit further generates a new first digital certificate from the new first public-private key pair and the certificate description information of the first network element, and generates a first signature over the new first digital certificate with the private key of the existing first public-private key pair;
the first communication unit further sends a certificate update request, containing the new first digital certificate and the first signature, to the second apparatus, which verifies the new first digital certificate and the first signature by means of the digital certificate system; and the first communication unit further sends at least the new first digital certificate to the first network element if the digital certificate system verifies the new first digital certificate and the first signature, the new first digital certificate replacing the first digital certificate in the first network element.
In the above scheme, the first processing unit determines that the first digital certificate meets the preset condition when it determines that the validity period of the first digital certificate meets a first preset condition, or that the security of the first digital certificate does not meet a second preset condition.
In the above scheme, the first communication unit obtains the certificate description information of the first network element to be deployed from the VNFM, and obtains the first public-private key pair from a fourth apparatus that generates public-private key pairs and is located in the NFVI.
In the above scheme, the first apparatus is located in the EM, each network element corresponding to one EM;
and the first communication unit sends at least the first digital certificate to the first network element through the first EM, the EM corresponding to the first network element.
In the above scheme, the first apparatus is located in the VNFM;
and the first communication unit sends at least the first digital certificate through the VNFM to the first EM, the EM corresponding to the first network element, which forwards the first digital certificate to the first network element.
In a fifth aspect, an embodiment of the present invention further provides an information processing apparatus comprising a second communication unit and a second processing unit, wherein:
the second communication unit obtains a certificate application request sent by a first apparatus, the certificate application request containing at least a first digital certificate generated from the certificate description information of a first network element and a first public-private key pair;
the second processing unit generates a second signature over the first digital certificate with a specific private key;
the second communication unit further sends a first request message containing the first digital certificate and the second signature to a digital certificate system, which verifies the first digital certificate and the second signature; obtains a first response message from the digital certificate system, which, when the digital certificate system has verified the first digital certificate and the second signature, contains indication information stating that the first digital certificate passed verification; and sends a certificate application response to the first apparatus, the certificate application response containing indication information stating that the first digital certificate passed verification.
In the above scheme, the second communication unit further obtains a certificate update request sent by the first apparatus, the certificate update request containing a new first digital certificate and a first signature, the first signature having been generated over the new first digital certificate with the private key of the existing first public-private key pair;
the second processing unit further generates a third signature over the new first digital certificate with the specific private key;
the second communication unit further sends a second request message containing the new first digital certificate, the first signature and the third signature to the digital certificate system, which verifies the new first digital certificate, the first signature and the third signature; obtains a second response message from the digital certificate system, which, when the digital certificate system has verified the new first digital certificate, the first signature and the third signature, contains indication information stating that the new first digital certificate passed verification; and sends a certificate update response to the first apparatus, the certificate update response containing indication information stating that the new first digital certificate passed verification.
In a sixth aspect, an embodiment of the present invention further provides an information processing apparatus comprising a third communication unit and a third processing unit, wherein:
the third communication unit receives a certificate query request from the first network element, the certificate query request containing first certificate information to be queried;
the third processing unit retrieves, from a pre-stored certificate information set, the digital certificate corresponding to the first certificate information and the status information of that digital certificate;
the third communication unit further sends a certificate query response to the first network element, the certificate query response containing the digital certificate and its status information.
In the above scheme, the apparatus further comprises a storage unit;
the third communication unit further receives a certificate information set sent by the digital certificate system;
and the storage unit stores the certificate information set.
In a seventh aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method according to the first, second or third aspect of the present invention.
In an eighth aspect, an embodiment of the present invention further provides an information processing apparatus, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the method according to the first aspect, the second aspect, or the third aspect of the embodiment of the present invention when executing the program.
In a ninth aspect, an embodiment of the present invention further provides an information processing system comprising the first device, the second device and a fourth device that generates public-private key pairs, the fourth device being located in a Network Function Virtualization Infrastructure (NFVI), wherein:
the first device obtains certificate description information of a first network element to be deployed and obtains a first public-private key pair from the fourth device; generates a first digital certificate from the certificate description information and the first public-private key pair; sends a certificate application request, containing at least the first digital certificate, to the second device; receives the certificate application response of the second device; and, if the certificate application response contains indication information stating that the first digital certificate passed verification, sends at least the first digital certificate to the first network element;
the second device generates a second signature over the first digital certificate with a specific private key and sends a first request message containing the first digital certificate and the second signature to a digital certificate system, which verifies the first digital certificate and the second signature; obtains a first response message from the digital certificate system, which, when the digital certificate system has verified the first digital certificate and the second signature, contains indication information stating that the first digital certificate passed verification; and sends a certificate application response to the first device, the certificate application response containing indication information stating that the first digital certificate passed verification.
In the above scheme, the system further comprises a third device that receives a certificate query request from the first network element, the certificate query request containing first certificate information to be queried; retrieves, from a pre-stored certificate information set, the digital certificate corresponding to the first certificate information and its status information; and sends a certificate query response to the first network element, the certificate query response containing the digital certificate and its status information.
In the information processing method, system and related device provided by embodiments of the invention, on the one hand the first device obtains the certificate description information of a first network element to be deployed and a first public-private key pair, generates a first digital certificate from them, and sends a certificate application request containing at least the first digital certificate to the second device; the second device signs the first digital certificate with its specific private key (the second signature), submits the certificate and the signature to the digital certificate system in a first request message, receives the first response message, which contains indication information stating that the first digital certificate passed verification once the digital certificate system has verified the certificate and the second signature, and returns a certificate application response carrying that indication to the first device; the first device then sends at least the first digital certificate to the first network element.
The certificate application function of the first and second devices thus lets the digital certificate of each VNF be applied for and deployed automatically before the VNF itself is deployed, and avoids the situation in which all VNFs share one digital certificate and a security problem with the certificate of any VNF puts every VNF at risk.
On the other hand, the third device receives a certificate query request from the first network element containing the first certificate information to be queried, retrieves from a pre-stored certificate information set the digital certificate corresponding to that information together with its status information, and sends a certificate query response containing the digital certificate and its status to the first network element. The certificate query function of the third device thus lets a network element verify whether a digital certificate is valid.
Drawings
FIG. 1 is a first flowchart illustrating an information processing method according to an embodiment of the present invention;
FIG. 2 is a second flowchart illustrating an information processing method according to an embodiment of the present invention;
FIG. 3 is a third schematic flowchart of an information processing method according to an embodiment of the present invention;
FIG. 4 is a first schematic diagram of a system architecture applied to an information processing method according to an embodiment of the present invention;
FIG. 5 is a first schematic interaction flow chart of an information processing method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram illustrating an interaction flow of an information processing method according to an embodiment of the present invention;
FIG. 7 is a third schematic view illustrating an interaction flow of an information processing method according to an embodiment of the present invention;
FIG. 8 is a diagram illustrating a second system architecture applied to an information processing method according to an embodiment of the present invention;
FIG. 9 is a fourth schematic view illustrating an interaction flow of an information processing method according to an embodiment of the present invention;
FIG. 10 is a fifth schematic view illustrating an interaction flow of an information processing method according to an embodiment of the present invention;
FIG. 11 is a first block diagram of an information processing apparatus according to an embodiment of the present invention;
FIG. 12 is a second schematic structural diagram of an information processing apparatus according to an embodiment of the present invention;
FIG. 13 is a third schematic diagram illustrating a structure of an information processing apparatus according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of a hardware configuration of an information processing apparatus according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Before the information processing method of the embodiment of the present invention is described in detail, the devices involved in the method are briefly introduced.
The system to which the information processing method of this embodiment applies may include a first device, a second device and a fourth device; the first device may also be referred to as the certificate management device, the second device as the certificate application device, and the fourth device as the public-private key pair generation device.
The public-private key pair generation device generates a public-private key pair using a cryptographic algorithm.
The certificate management device has a certificate generation function: it generates a digital certificate from a public-private key pair produced by the public-private key pair generation device and from the certificate description information of a VNF obtained from the VNFM, sends the digital certificate to the certificate application device in a certificate application request, and sends the private key of the public-private key pair together with the digital certificate to the corresponding VNF. The generated digital certificate may also be referred to as a self-signed digital certificate.
The certificate application device is a trusted node in a blockchain-based digital certificate management system and holds its own private key and public key; the private key is used for signing and the public key identifies the node in the blockchain. The certificate application device receives a certificate application request from the certificate management device and submits it to the digital certificate management system, which verifies the digital certificate in the request; the certificate application device then feeds back a certificate application response to the certificate management device.
The certificate management device further has a certificate update function: when the digital certificate of a VNF is approaching expiry or is no longer sufficiently secure, it generates a new digital certificate, sends it to the certificate application device in a certificate update request, and sends the private key of the new public-private key pair together with the new digital certificate to the corresponding VNF. The new digital certificate is likewise a self-signed digital certificate.
The certificate application device receives the certificate update request from the certificate management device and submits it to the digital certificate management system, which verifies the new digital certificate in the request; the certificate application device then feeds back a certificate update response to the certificate management device.
In some optional embodiments, the system may further include a third device, which may also be referred to as the certificate query device. In the blockchain-based digital certificate management system it receives each new block generated by the system and parses the digital certificate information in that block, so as to provide a digital certificate query service to VNFs. Optionally, the certificate query device may be deployed at the boundary between the intranet and the Internet, so as to provide the certificate query service to intranet devices.
Based on the foregoing, an embodiment of the present invention provides an information processing method. FIG. 1 is a first flowchart of the information processing method according to an embodiment of the present invention; as shown in FIG. 1, the method includes:
step 101: a first device obtains certificate description information of a first network element to be deployed, and obtains a first public-private key pair;
step 102: generating a first digital certificate based on the certificate description information and the first public-private key pair;
step 103: sending a certificate application request to a second device, the certificate application request including at least the first digital certificate; the second device verifies the first digital certificate using a digital certificate system;
step 104: if the digital certificate system verifies the first digital certificate, sending at least the first digital certificate to the first network element.
In this embodiment, the first device may be the certificate management device; optionally, the first device may be located in the Element Management (EM) of an NFV architecture, or in the VNFM of the NFV architecture.
Each network element (e.g., the first network element) in this embodiment may specifically be a VNF in the NFV architecture.
In this embodiment, the VNFM in the NFV architecture holds the configuration file of the VNF to be deployed, and this configuration file includes the certificate description information. In some optional embodiments the certificate description information includes a certificate identifier (ID); in other optional embodiments it includes the certificate ID and a certificate format. Illustratively, the certificate format information specifies the fields carried in the digital certificate. Illustratively, the certificate ID may be at least one of the domain name, the IP address and the device identifier of the VNF; if it includes two or more of these, the certificate ID may be represented by their combination.
Based on this, in some optional embodiments of the present invention, the first device obtaining the certificate description information of the first network element to be deployed includes: the first device obtaining the certificate description information of the first network element to be deployed from the VNFM; and obtaining the first public-private key pair includes: the first device obtaining the first public-private key pair from a fourth device that generates public-private key pairs, the fourth device being located in the network function virtualization infrastructure (NFVI).
In this embodiment, the first device generates the first digital certificate based on the certificate description information and the first public-private key pair. In some optional embodiments, the first device generates the first digital certificate based on the certificate ID and the first public-private key pair; the first digital certificate may be referred to as a first self-signed digital certificate. For example, if the certificate ID in the certificate description information is the domain name of the VNF, the Distinguished Name (DN) entry of the first digital certificate is the domain name of the VNF.
In this embodiment, the first device sends the generated first digital certificate to the second device, i.e., the certificate application device, in a certificate application request. Optionally, the certificate application request may also carry information about the first network element (e.g., the VNF) to be deployed, such as an identifier of the first network element.
In this embodiment, the second device is a trusted node in a blockchain-based digital certificate management system and has the first digital certificate verified by that digital certificate system. If the digital certificate system verifies the first digital certificate, at least the first digital certificate is then sent to the first network element.
In some optional embodiments of the invention, the first device is located in an EM; each network element corresponds to one EM; the sending at least the first digital certificate to the first network element includes: sending at least the first digital certificate to the first network element by the first EM; the first EM is an EM corresponding to the first network element.
In some optional embodiments of the invention, the first device is located in a VNFM; the sending at least the first digital certificate to the first network element includes: sending at least the first digital certificate to a first EM through the VNFM, forwarding the first digital certificate to the first network element through the first EM; the first EM is an EM corresponding to the first network element.
Along with the first digital certificate, the first device may also send the private key of the first public-private key pair to the first network element.
In some optional embodiments of the invention, the method further includes: when the first device determines that the first digital certificate satisfies a preset condition, obtaining a new first public-private key pair; generating a new first digital certificate based on the new first public-private key pair and the certificate description information of the first network element, and generating a first signature over the new first digital certificate with the private key of the original first public-private key pair; sending a certificate update request to the second device, the certificate update request including the new first digital certificate and the first signature, where the second device verifies the new first digital certificate and the first signature using the digital certificate system; and, if the digital certificate system verifies the new first digital certificate and the first signature, sending at least the new first digital certificate to the first network element, where the new first digital certificate replaces the first digital certificate held by the first network element.
In some optional embodiments of the invention, the first device determining that the first digital certificate satisfies a preset condition includes: the first device determines that the preset condition is satisfied when the validity period of the first digital certificate satisfies a first preset condition (for example, the certificate is approaching expiry) or when the security of the first digital certificate does not satisfy a second preset condition.
In this embodiment, a digital certificate update procedure must be initiated when the first digital certificate is approaching expiry or is no longer sufficiently secure. The first device obtains a new first public-private key pair from the fourth device, generates a new first digital certificate based on the new first public-private key pair and the original certificate description information of the first network element (such as the identifier of the VNF), and signs the new first digital certificate with the private key of the original first public-private key pair to obtain a first signature; the new first digital certificate and the first signature are sent to the second device in a certificate update request. The second device has the new first digital certificate and the first signature verified by the digital certificate system. If the digital certificate system verifies them, at least the new first digital certificate is sent to the first network element. Optionally, the first device sends the new first digital certificate together with the private key of the new first public-private key pair to the first network element. The first signature is what binds the update to the certificate already recorded for the network element: an update whose signature does not verify under the public key of the recorded certificate must be rejected by the digital certificate system, otherwise any party able to reach the second device could replace a VNF's certificate.
Based on the foregoing embodiment, the embodiment of the present invention further provides an information processing method. FIG. 2 is a second flowchart illustrating an information processing method according to an embodiment of the present invention; as shown in fig. 2, the method includes:
step 201: a second device obtains a certificate application request sent by a first device, the certificate application request including at least a first digital certificate; the first digital certificate is generated based on certificate description information of a first network element and a first public-private key pair;
step 202: generating a second signature based on a specific private key and the first digital certificate, and sending a first request message containing the first digital certificate and the second signature to a digital certificate system; the digital certificate system verifies the first digital certificate and the second signature;
step 203: obtaining a first response message from the digital certificate system; if the digital certificate system verifies the first digital certificate and the second signature, the first response message includes indication information indicating that the first digital certificate has been verified;
step 204: sending a certificate application response to the first device, the certificate application response including the indication information indicating that the first digital certificate has been verified.
In this embodiment, after receiving the certificate application request, the second device generates a second signature over the first digital certificate with its own private key (i.e., the specific private key) and sends a first request message containing the first digital certificate and the second signature to the digital certificate system. The digital certificate system verifies the first digital certificate and the second signature; once verification passes, it records the first digital certificate and its status information in the blockchain, and the first digital certificate is recognized by all nodes of the blockchain once it has been recorded. The second device then sends a certificate application response to the first device.
In some optional embodiments of the invention, the method further includes: the second device obtains a certificate update request sent by the first device, the certificate update request including a new first digital certificate and a first signature, the first signature being generated over the new first digital certificate with the private key of the original first public-private key pair; generating a third signature based on the specific private key and the new first digital certificate, and sending a second request message containing the new first digital certificate, the first signature and the third signature to the digital certificate system; the digital certificate system verifies the new first digital certificate, the first signature and the third signature; obtaining a second response message from the digital certificate system, where, if the digital certificate system verifies the new first digital certificate, the first signature and the third signature, the second response message includes indication information indicating that the new first digital certificate has been verified; and sending a certificate update response to the first device, the certificate update response including the indication information indicating that the new first digital certificate has been verified.
In this embodiment, a digital certificate update procedure must be initiated when the first digital certificate is approaching expiry or is no longer sufficiently secure. The second device receives a certificate update request that includes the new first digital certificate and the first signature. The second device generates a third signature over the new first digital certificate with its own private key (i.e., the specific private key) and sends a second request message containing the new first digital certificate, the first signature and the third signature to the digital certificate system, which verifies the new first digital certificate, the first signature and the third signature; once verification passes, the digital certificate system records the new first digital certificate and its status information in the blockchain, and the new first digital certificate is recognized by all nodes of the blockchain once it has been recorded. The second device then sends a certificate update response to the first device.
With the technical solution of the embodiment of the present invention, the certificate management function of the first device and the certificate application function of the second device together realize the application for and automatic deployment of a digital certificate for each VNF before the VNF is deployed. This avoids the situation in which all VNFs share one digital certificate, where a security problem with that single certificate exposes every VNF.
The embodiment of the invention also provides an information processing method. FIG. 3 is a third schematic flowchart of an information processing method according to an embodiment of the present invention; as shown in fig. 3, the method includes:
step 301: a third device receives a certificate query request from a first network element; the certificate query request includes first certificate information to be queried;
step 302: retrieving the digital certificate corresponding to the first certificate information, and the status information of that digital certificate, from a pre-stored certificate information set;
step 303: sending a certificate query response to the first network element; the certificate query response includes the digital certificate and its status information.
In some optional embodiments of the invention, the method further includes: the third device receives the certificate information set sent by the digital certificate system and stores it.
The technical solution of this embodiment uses the certificate query function of the third device to check the validity of digital certificates. The third device of this embodiment may be deployed at the boundary between the intranet and the Internet, which addresses the problem that an intranet VNF cannot check certificate validity in the conventional OCSP/CRL manner.
The information processing method of the embodiment of the present invention is described below with reference to specific examples. In the following examples, the first device of the above embodiments is the certificate management device, the second device the certificate application device, the third device the certificate query device, the fourth device the public-private key pair generation device, and the network element a VNF.
Scene one
In this scenario, FIG. 4 is a first schematic diagram of the system architecture to which the information processing method of the embodiment of the present invention applies; as shown in FIG. 4, the certificate management device is located in each EM, each EM corresponding to one VNF, and the public-private key pair generation device is located in the NFVI. The certificate deployment procedure, certificate query procedure and certificate update procedure of a VNF are described below as examples.
Example 1
FIG. 5 is a first schematic interaction flow chart of an information processing method according to an embodiment of the present invention; as shown in fig. 5, includes:
steps 401 to 402: the certificate management device obtains the configuration file (VNFD) of the VNF from the VNFM through the EM, and obtains the VNF certificate description information from the VNFD.
Before VNF deployment, the VNFM specifies the description of the digital certificate in the configuration file (VNFD) of the VNF, including information such as the certificate format and the certificate ID. For example, the certificate format may specify the fields carried in the certificate, and the certificate ID may be at least one of the domain name, the IP address and the device identifier of the VNF.
Step 403: when the VNF is deployed, the certificate management device located in the EM applies to the public-private key pair generation device for a public-private key pair; the generation device generates the pair and sends it to the certificate management device in response to the application.
Step 404: the certificate management device generates a self-signed digital certificate (i.e., the aforementioned first digital certificate) from the certificate description information and the public-private key pair. If the certificate ID in the certificate description information is the domain name of the VNF, the Distinguished Name (DN) entry of the self-signed digital certificate is the domain name of the VNF.
Step 405: the certificate management device sends a certificate application request to the certificate application device; the certificate application request includes the self-signed digital certificate and information about the VNF to be deployed.
Steps 406 to 407: after receiving the certificate application request, the certificate application device sends a certificate issue request to the digital certificate system, and the digital certificate system sends a certificate issue response to the certificate application device.
The certificate application device signs the self-signed digital certificate with its own private key and sends the self-signed digital certificate and the signature to the blockchain-based digital certificate system in the certificate issue request. The blockchain-based digital certificate system verifies the self-signed digital certificate and verifies the signature; after verification and consensus, the self-signed digital certificate and its status are recorded in the blockchain. Once recorded in the blockchain, the digital certificate is recognized by all nodes of the blockchain.
Steps 408 to 410: the certificate application device sends a certificate application response to the certificate management device, and the certificate management device sends the private key of the public-private key pair and the self-signed digital certificate to the corresponding VNF through the EM.
Example two
FIG. 6 is a schematic diagram illustrating an interaction flow of an information processing method according to an embodiment of the present invention; as shown in fig. 6, includes:
step 501: in the certificate information maintenance stage, the certificate query device receives a new block from the digital certificate system and updates the digital certificates and their status information that it maintains locally.
Illustratively, the new block contains the digital certificates, and their status information, that the digital certificate system has newly verified over a period of time. The status information indicates whether a digital certificate is valid; for example, it may indicate that the corresponding digital certificate is in the valid state or in the revoked state.
Steps 502 to 504: when the VNF receives a digital certificate from another VNF, it sends a certificate query request to the certificate query device; the certificate query device retrieves the digital certificate corresponding to the certificate information, together with its status information, and returns the result to the VNF in a certificate query response.
In this embodiment, the certificate query request carries the certificate information to be queried, which may be, for example, a certificate ID or a certificate hash value.
The VNF receives the certificate query response from the certificate query device and determines from it whether the digital certificate is valid.
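The certificate information maintenance of step 501 and the query and check of steps 502 to 504 (the same processing as steps 301 to 303 above), written out as an added Go example; this is not code from the patent or from any implementation of it. The block and record layouts, the status strings "valid" and "revoked", the use of a hex SHA-256 of the certificate bytes as the certificate hash value, and the sample blocks are all assumptions, and the byte strings in the sample blocks stand in for real DER certificates. It goes one step past the text by showing the VNF-side check that a presented certificate is the one currently recorded under its ID, which is what rejects a superseded certificate even when that certificate's own record was never marked revoked.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// CertRecord is one certificate entry as the query device parses it out of a block (field names assumed).
type CertRecord struct {
	CertID   string    // certificate ID from the VNFD, here the VNF domain name
	CertDER  []byte    // the recorded certificate
	Status   string    // "valid" or "revoked"
	NotAfter time.Time // expiry copied from the certificate
}

// Block is a new block received from the digital certificate system (step 501).
type Block struct {
	Height  uint64
	Records []CertRecord
}

// QueryDevice is the third device: the certificate information set it maintains locally.
type QueryDevice struct {
	height uint64
	byID   map[string]CertRecord // latest record per certificate ID
	byHash map[string]CertRecord // every recorded certificate, by hex SHA-256 of its bytes
}

func NewQueryDevice() *QueryDevice {
	return &QueryDevice{byID: map[string]CertRecord{}, byHash: map[string]CertRecord{}}
}

// CertHash is the certificate hash value a VNF may send as the certificate information to query.
func CertHash(der []byte) string { h := sha256.Sum256(der); return hex.EncodeToString(h[:]) }

// ApplyBlock ingests blocks strictly in order. A later record for the same certificate ID
// supersedes the earlier one, which is how an update or a revocation reaches the query device.
func (q *QueryDevice) ApplyBlock(b Block) error {
	if b.Height != q.height+1 {
		return fmt.Errorf("block %d out of order, have %d", b.Height, q.height)
	}
	for _, r := range b.Records {
		q.byHash[CertHash(r.CertDER)] = r
		q.byID[r.CertID] = r
	}
	q.height = b.Height
	return nil
}

// Query is steps 301 to 303: the certificate information may be a certificate ID or a certificate hash.
func (q *QueryDevice) Query(info string) (CertRecord, bool) {
	if r, ok := q.byID[info]; ok {
		return r, true
	}
	r, ok := q.byHash[info]
	return r, ok
}

// VerifyPeer is the VNF-side check after step 504: the certificate a peer presented must be the one
// currently recorded under its ID, be marked valid, and not be expired. Comparing against the record
// for the ID, not only the hash, is what rejects a superseded certificate.
func VerifyPeer(q *QueryDevice, peerID string, presented []byte, now time.Time) error {
	r, ok := q.byID[peerID]
	switch {
	case !ok:
		return errors.New("no certificate recorded for this ID")
	case !bytes.Equal(r.CertDER, presented):
		return errors.New("presented certificate is not the one currently recorded for this ID")
	case r.Status != "valid":
		return errors.New("certificate status is " + r.Status)
	case now.After(r.NotAfter):
		return errors.New("certificate expired")
	}
	return nil
}

// SampleBlocks is constructed data, not from the page: deployment of vnf1 and vnf2, an update of vnf1
// in which the old certificate is recorded as revoked, and an update of vnf2 with no revocation record.
func SampleBlocks() []Block {
	exp := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	return []Block{
		{Height: 1, Records: []CertRecord{
			{"vnf1.core.example", []byte("cert-vnf1-v1"), "valid", exp},
			{"vnf2.core.example", []byte("cert-vnf2-v1"), "valid", exp},
		}},
		{Height: 2, Records: []CertRecord{
			{"vnf1.core.example", []byte("cert-vnf1-v1"), "revoked", exp},
			{"vnf1.core.example", []byte("cert-vnf1-v2"), "valid", exp},
		}},
		{Height: 3, Records: []CertRecord{{"vnf2.core.example", []byte("cert-vnf2-v2"), "valid", exp}}},
	}
}

func main() {
	q := NewQueryDevice()
	for _, b := range SampleBlocks() {
		if err := q.ApplyBlock(b); err != nil {
			panic(err)
		}
	}
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("vnf1 old cert:", VerifyPeer(q, "vnf1.core.example", []byte("cert-vnf1-v1"), now))
	fmt.Println("vnf2 old cert:", VerifyPeer(q, "vnf2.core.example", []byte("cert-vnf2-v1"), now))
	fmt.Println("vnf2 new cert:", VerifyPeer(q, "vnf2.core.example", []byte("cert-vnf2-v2"), now))
}
```

The by-hash index answers the query form the text allows, but a VNF that accepted a certificate on the strength of its hash record alone would still accept the old vnf2 certificate, whose record was never revoked; the by-ID comparison in VerifyPeer closes that gap.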
Example three
This example is a certificate update procedure: when the digital certificate of the VNF is approaching expiry or is no longer secure, the certificate management device initiates a certificate update procedure. FIG. 7 is a third schematic interaction flowchart of the information processing method according to an embodiment of the present invention; as shown in FIG. 7, it includes:
steps 601 to 604: the certificate management device located in the EM of the corresponding VNF obtains a new public-private key pair from the public-private key pair generation device and generates a new self-signed digital certificate (i.e., the aforementioned new first digital certificate).
In this embodiment, the certificate management device generates the new self-signed digital certificate from the description information (e.g., the certificate ID) of the VNF's original digital certificate and the new public-private key pair.
Step 605: the certificate management device sends a certificate update request to the certificate application device; the certificate update request includes the new self-signed digital certificate and the signature that the certificate management device made over the new self-signed digital certificate with the original private key.
Steps 606 to 607: after receiving the certificate update request, the certificate application device sends a certificate issue request to the digital certificate system, and the digital certificate system sends a certificate issue response to the certificate application device.
The certificate application device signs the new self-signed digital certificate with its own private key and sends the new self-signed digital certificate and both signatures (the signature made by the certificate management device with the original private key and the signature made by the certificate application device with its own private key) to the blockchain-based digital certificate system in the certificate issue request. The blockchain-based digital certificate system verifies the new self-signed digital certificate and verifies both signatures; after verification and consensus, the new self-signed digital certificate and its status are recorded in the blockchain. Once recorded in the blockchain, the digital certificate is recognized by all nodes of the blockchain.
Steps 608 to 610: the certificate application device sends a certificate update response to the certificate management device, and the certificate management device sends the private key of the new public-private key pair and the new self-signed digital certificate to the corresponding VNF through the EM.
It should be noted that the certificate update may also be carried out by redeploying the VNF: the original VNF is shut down and a new VNF is deployed, and the new digital certificate is used during that deployment.
Scene two
In this scenario, FIG. 8 is a schematic diagram of the system architecture to which the information processing method of the embodiment of the present invention applies; as shown in FIG. 8, the certificate management device is located in the VNFM and the public-private key pair generation device is located in the NFVI. The certificate deployment procedure, certificate query procedure and certificate update procedure of a VNF are described below as examples.
Example four
FIG. 9 is a fourth schematic view illustrating an interaction flow of an information processing method according to an embodiment of the present invention; as shown in fig. 9, includes:
step 701: the certificate management apparatus obtains certificate description information of the VNF from the VNFM through the EM.
Before VNF deployment, the VNFM specifies the description of the digital certificate in the configuration file (VNFD) of the VNF, including information such as the certificate format and the certificate ID. For example, the certificate format may specify the fields carried in the certificate, and the certificate ID may be the domain name, the IP address or the device identifier of the VNF, or a combination of these.
Steps 702 to 704: the certificate management device applies to the public-private key pair generation device for a public-private key pair; the generation device generates the pair and sends it to the certificate management device in response to the application.
Step 705: the certificate management device generates a self-signed digital certificate (i.e., the aforementioned first digital certificate) from the certificate description information and the public-private key pair. If the certificate ID in the certificate description information is the domain name of the VNF, the Distinguished Name (DN) entry of the self-signed digital certificate is the domain name of the VNF.
Step 706: the certificate management device sends a certificate application request to the certificate application device; the certificate application request includes the self-signed digital certificate and information about the VNF to be deployed.
Steps 707 to 708: after receiving the certificate application request, the certificate application device sends a certificate issue request to the digital certificate system, and the digital certificate system sends a certificate issue response to the certificate application device.
The certificate application device signs the self-signed digital certificate with its own private key and sends the self-signed digital certificate and the signature to the blockchain-based digital certificate system in the certificate issue request. The blockchain-based digital certificate system verifies the self-signed digital certificate and verifies the signature; after verification and consensus, the self-signed digital certificate and its status are recorded in the blockchain. Once recorded in the blockchain, the digital certificate is recognized by all nodes of the blockchain.
Steps 709 to 711: the certificate application device sends a certificate application response to the certificate management device; the certificate management device sends the private key of the public-private key pair and the self-signed digital certificate to the VNFM, and the VNFM sends the VNFD, the private key and the self-signed digital certificate to the corresponding EM.
Alternatively, since both the private key and the self-signed digital certificate can be represented as hexadecimal-encoded strings, they may be carried in the VNFD sent to the EM for the deployment and configuration of the VNF. The VNFD then contains the VNF's private key, so the channel over which it travels from the VNFM to the EM and on to the VNF must be confidential and integrity protected.
Example five
Regarding the certificate query process in this example, reference may be specifically made to the processing process in the second example, which is not described herein again.
Example six
This example is a certificate update procedure, and when the digital certificate of the VNF is approaching to expire or the digital certificate is no longer secure, the certificate management apparatus initiates a certificate update procedure. FIG. 10 is a fifth schematic view illustrating an interaction flow of an information processing method according to an embodiment of the present invention; as shown in fig. 10, includes:
step 801 to step 804: the certificate management apparatus acquires a new public-private key pair from the public-private key pair generation apparatus, and the certificate management apparatus generates a new self-signed digital certificate (e.g., the aforementioned new first digital certificate).
In this embodiment, the certificate management apparatus may generate a new self-signed digital certificate according to the description information (e.g., certificate ID) of the original digital certificate of the VNF and the new public-private key pair.
Step 805: the certificate management device sends a certificate update request to the certificate application device. The certificate update request carries the new self-signed digital certificate together with a signature that the certificate management device has produced over the new self-signed digital certificate with the original private key.
Step 806 to step 807: after receiving the certificate update request, the certificate application device sends a certificate issuing request to the digital certificate system, and the digital certificate system returns a certificate issuing response to the certificate application device.
The certificate application device signs the new self-signed digital certificate with its own private key and sends, in the certificate issuing request, the new self-signed digital certificate together with both signatures (the signature made by the certificate management device with the original private key and the signature made by the certificate application device with its own private key) to the blockchain-based digital certificate system. The blockchain-based digital certificate system verifies the self-signed digital certificate and verifies the signatures; after verification and consensus, the self-signed digital certificate and its status are recorded in the blockchain. Once recorded in the blockchain, the digital certificate is recognized by all nodes in the blockchain.
Step 808 to step 810: the certificate application device sends a certificate update response to the certificate management device; the certificate management device sends the private key of the new public-private key pair and the new self-signed digital certificate to the corresponding EM via the VNFM, and the EM forwards the private key and the new self-signed digital certificate to the corresponding VNF.
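The two exchanges described above, first issuance (self-signed certificate plus the certificate application device's signature) and the key update of steps 801 to 810 (new self-signed certificate, a first signature with the original private key, a third signature by the certificate application device), as an added example that is not part of the patent. It assumes Ed25519 (the patent names no algorithm), a JSON encoding of the certificate description as the signed body, field names `CertID` and `NotAfter`, and an in-memory map (`Ledger`) standing in for the blockchain-based digital certificate system with consensus omitted; the ledger is assumed to already trust the certificate application device's public key. The rejection of a new certificate that reuses the current public key and the resulting replay failure are checks added here, not steps the patent specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// CertDescription stands in for a network element's certificate description
// information (fields assumed; NotAfter is the validity end in Unix seconds).
type CertDescription struct{ CertID string; NotAfter int64 }

// SelfSignedCert is the "first digital certificate": a description, a public
// key, and a self-signature over both made with the matching private key.
type SelfSignedCert struct{ Desc CertDescription; PubKey, SelfSig []byte }

func (c *SelfSignedCert) tbs() []byte { d, _ := json.Marshal(c.Desc); return append(d, c.PubKey...) }

// Digest is what the countersignatures cover: a hash over the whole certificate,
// self-signature included, so a countersignature binds to exactly one object.
func (c *SelfSignedCert) Digest() []byte { h := sha256.Sum256(append(c.tbs(), c.SelfSig...)); return h[:] }

func (c *SelfSignedCert) VerifySelfSig() bool {
	return len(c.PubKey) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(c.PubKey), c.tbs(), c.SelfSig)
}

// KeyFromSeedByte yields fixed demo keys; real pairs come from the NFVI key
// generation device (or crypto/rand), never from a constant seed.
func KeyFromSeedByte(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) }
func PubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

func NewSelfSigned(desc CertDescription, priv ed25519.PrivateKey) *SelfSignedCert {
	c := &SelfSignedCert{Desc: desc, PubKey: PubOf(priv)}
	c.SelfSig = ed25519.Sign(priv, c.tbs())
	return c
}

// CounterSign makes the scheme's first, second and third signatures: another
// party's private key signing the certificate digest.
func CounterSign(priv ed25519.PrivateKey, c *SelfSignedCert) []byte { return ed25519.Sign(priv, c.Digest()) }

type CertRecord struct{ Cert *SelfSignedCert; Status string } // what the system stores; Status: "valid" or "superseded"

// Ledger stands in for the blockchain-based digital certificate system (node
// consensus is out of scope); it trusts the second device's public key.
type Ledger struct {
	secondPub ed25519.PublicKey
	current   map[string]*CertRecord // cert ID -> record in force
	History   []*CertRecord          // superseded records
}

func NewLedger(p ed25519.PublicKey) *Ledger { return &Ledger{secondPub: p, current: map[string]*CertRecord{}} }

// Apply is first issuance: self-signature plus the second device's signature.
func (l *Ledger) Apply(c *SelfSignedCert, secondSig []byte) error {
	if !c.VerifySelfSig() || !ed25519.Verify(l.secondPub, c.Digest(), secondSig) {
		return errors.New("self-signature or second signature invalid")
	}
	if l.current[c.Desc.CertID] != nil {
		return errors.New("certificate ID already registered")
	}
	l.current[c.Desc.CertID] = &CertRecord{Cert: c, Status: "valid"}
	return nil
}

// Update is key rotation: the first signature must verify under the key of the
// certificate on record, so only the old key's holder can roll it, and a replay fails.
func (l *Ledger) Update(nc *SelfSignedCert, firstSig, thirdSig []byte) error {
	cur := l.current[nc.Desc.CertID]
	switch {
	case cur == nil || cur.Status != "valid":
		return errors.New("no valid certificate on record for this ID")
	case !nc.VerifySelfSig() || bytes.Equal(cur.Cert.PubKey, nc.PubKey):
		return errors.New("new certificate invalid or reuses the current public key")
	case !ed25519.Verify(ed25519.PublicKey(cur.Cert.PubKey), nc.Digest(), firstSig):
		return errors.New("first signature (old private key) invalid")
	case !ed25519.Verify(l.secondPub, nc.Digest(), thirdSig):
		return errors.New("third signature invalid")
	}
	cur.Status = "superseded"
	l.History = append(l.History, cur)
	l.current[nc.Desc.CertID] = &CertRecord{Cert: nc, Status: "valid"}
	return nil
}

// Query is the third device's lookup: certificate plus status for an ID.
func (l *Ledger) Query(certID string) (*CertRecord, bool) { r, ok := l.current[certID]; return r, ok }

func main() {
	old, second, next := KeyFromSeedByte(1), KeyFromSeedByte(2), KeyFromSeedByte(3)
	l, desc := NewLedger(PubOf(second)), CertDescription{CertID: "vnf-001", NotAfter: 1893456000}
	c1, c2 := NewSelfSigned(desc, old), NewSelfSigned(desc, next) // c2: same description, new key pair
	fmt.Println("apply:", l.Apply(c1, CounterSign(second, c1)))
	fmt.Println("update:", l.Update(c2, CounterSign(old, c2), CounterSign(second, c2)), "replay:", l.Update(c2, CounterSign(old, c2), CounterSign(second, c2)))
}
```

The security-relevant point is in `Update`: the first signature is checked under the public key of the certificate currently on record, not under any key carried in the request, which is what makes possession of the original private key the authority to rotate. The flip side is that whoever holds a compromised original private key can rotate the VNF onto a key of their choosing, so the certificate application device's third signature is the only independent control in this flow, and the ledger must refuse a second "valid" record for the same certificate ID rather than overwrite it.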
The embodiment of the present invention also provides an information processing apparatus. FIG. 11 is a first schematic structural diagram of an information processing apparatus according to an embodiment of the present invention; as shown in FIG. 11, the apparatus includes a first communication unit 11 and a first processing unit 12, wherein:
the first communication unit 11 is configured to obtain certificate description information of a first network element to be deployed, and obtain a first public-private key pair;
the first processing unit 12 is configured to generate a first digital certificate based on the certificate description information and the first public-private key pair;
the first communication unit 11 is further configured to send a certificate application request to a second apparatus, the certificate application request including at least the first digital certificate, the second apparatus being configured to verify the first digital certificate by means of a digital certificate system; and is further configured to send at least the first digital certificate to the first network element when the digital certificate system verifies the first digital certificate.
In some optional embodiments of the present invention, the first communication unit 11 is further configured to, when the first processing unit 12 determines that the first digital certificate satisfies a preset condition, obtain a new first public-private key pair;
the first processing unit 12 is further configured to generate a new first digital certificate based on the new first public-private key pair and the certificate description information of the first network element, and generate a first signature based on a private key in the first public-private key pair and the new first digital certificate;
the first communication unit 11 is further configured to send a certificate update request to the second apparatus, the certificate update request including the new first digital certificate and the first signature, the second apparatus being configured to verify the new first digital certificate and the first signature by means of the digital certificate system; and is further configured to send at least the new first digital certificate to the first network element when the digital certificate system verifies the new first digital certificate and the first signature, the new first digital certificate being used to update the first digital certificate in the first network element.
In some optional embodiments of the present invention, the first processing unit 12 is configured to determine that the first digital certificate satisfies a preset condition when determining that the validity period of the first digital certificate satisfies a first preset condition, or when determining that the security of the first digital certificate does not satisfy a second preset condition.
In some optional embodiments of the present invention, the first communication unit 11 is configured to obtain, from the VNFM, certificate description information of a first network element to be deployed; also for obtaining a first public-private key pair from a fourth means for generating a public-private key pair; the fourth device is located in the NFVI.
In some optional embodiments of the invention, the first device is located in an EM; each network element corresponds to one EM;
the first communication unit 11 is configured to send at least the first digital certificate to the first network element through a first EM; the first EM is an EM corresponding to the first network element.
In some optional embodiments of the invention, the first device is located in a VNFM; the first communication unit 11 is configured to send at least the first digital certificate to a first EM through the VNFM, and forward the first digital certificate to the first network element through the first EM; the first EM is an EM corresponding to the first network element.
In the embodiment of the present invention, the first processing unit 12 in the apparatus may be implemented in practice by a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU), or a Field Programmable Gate Array (FPGA); the first communication unit 11 in the apparatus may be implemented in practice by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol, and the like) and a transceiving antenna.
It should be noted that: in the information processing apparatus provided in the above embodiment, when performing information processing, only the division of each program module is exemplified, and in practical applications, the processing may be distributed to different program modules according to needs, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the information processing apparatus and the information processing method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
The embodiment of the present invention also provides an information processing apparatus. FIG. 12 is a second schematic structural diagram of an information processing apparatus according to an embodiment of the present invention; as shown in FIG. 12, the apparatus includes a second communication unit 21 and a second processing unit 22, wherein:
the second communication unit 21 is configured to obtain a certificate application request sent by a first device, where the certificate application request at least includes a first digital certificate; the first digital certificate is generated based on certificate description information of a first network element and a first public and private key pair;
the second processing unit 22 is configured to generate a second signature based on a specific private key and the first digital certificate;
the second communication unit 21 is further configured to send a first request message containing the first digital certificate and the second signature to a digital certificate system, the digital certificate system being configured to verify the first digital certificate and the second signature; is further configured to obtain a first response message from the digital certificate system, the first response message including indication information indicating that the first digital certificate is verified when the digital certificate system verifies the first digital certificate and the second signature; and is further configured to send a certificate application response to the first apparatus, the certificate application response including indication information indicating that the first digital certificate is verified.
In some optional embodiments of the present invention, the second communication unit 21 is further configured to obtain a certificate update request sent by the first apparatus, where the certificate update request includes the new first digital certificate and the first signature; the first signature is generated based on the new first digital certificate and a private key of the first public and private keys;
the second processing unit 22 is further configured to generate a third signature based on the specific private key and the new first digital certificate;
the second communication unit 21 is further configured to send a second request message containing the new first digital certificate, the first signature, and the third signature to the digital certificate system, the digital certificate system being configured to verify the new first digital certificate, the first signature, and the third signature; is further configured to obtain a second response message from the digital certificate system, the second response message including indication information indicating that the new first digital certificate is verified when the digital certificate system verifies the new first digital certificate, the first signature, and the third signature; and is further configured to send a certificate update response to the first apparatus, the certificate update response including indication information indicating that the new first digital certificate is verified.
In the embodiment of the present invention, the second processing unit 22 in the apparatus may be implemented by a CPU, a DSP, an MCU or an FPGA in practical application; the second communication unit 21 in the device can be realized by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol and the like) and a transceiving antenna in practical application.
It should be noted that: in the information processing apparatus provided in the above embodiment, when performing information processing, only the division of each program module is exemplified, and in practical applications, the processing may be distributed to different program modules according to needs, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the information processing apparatus and the information processing method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
The embodiment of the present invention also provides an information processing apparatus. FIG. 13 is a third schematic structural diagram of an information processing apparatus according to an embodiment of the present invention; as shown in FIG. 13, the apparatus includes a third communication unit 31 and a third processing unit 32, wherein:
the third communication unit 31 is configured to receive a certificate query request of the first network element; the certificate inquiry request comprises first certificate information to be inquired;
the third processing unit 32 is configured to retrieve a digital certificate corresponding to the first certificate information and status information corresponding to the retrieved digital certificate from a pre-stored certificate information set;
the third communication unit 31 is further configured to send a certificate query response to the first network element; the certificate inquiry response comprises the digital certificate and the state information corresponding to the digital certificate.
In some optional embodiments of the invention, the apparatus further comprises a storage unit;
the third communication unit 31 is further configured to receive a certificate information set sent by the digital certificate system;
the storage unit is used for storing the certificate information set.
In the embodiment of the present invention, the third processing unit 32 in the apparatus can be implemented by a CPU, a DSP, an MCU, or an FPGA in practical application; the storage unit in the device can be realized by a memory in practical application; the third communication unit 31 in the device can be realized by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol and the like) and a transceiving antenna in practical application.
It should be noted that: in the information processing apparatus provided in the above embodiment, when performing information processing, only the division of each program module is exemplified, and in practical applications, the processing may be distributed to different program modules according to needs, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the information processing apparatus and the information processing method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
Fig. 14 is a schematic diagram of a hardware structure of the information processing apparatus according to the embodiment of the present invention, and as shown in fig. 14, the information processing apparatus includes a memory 42, a processor 41, and a computer program stored in the memory 42 and operable on the processor 41, and when the processor 41 executes the computer program, the processor 41 implements the steps of the information processing method applied to the first apparatus, the second apparatus, or the third apparatus.
Optionally, a network interface 43 may also be included in the information processing apparatus. It will be appreciated that the various components of the information processing apparatus are coupled together by bus system 44. It will be appreciated that the bus system 44 is used to enable communications among the components. The bus system 44 includes a power bus, a control bus, and a status signal bus in addition to the data bus. For clarity of illustration, however, the various buses are labeled as bus system 44 in fig. 14.
It will be appreciated that the memory 42 can be either volatile memory or non-volatile memory, and can include both volatile and non-volatile memory. The non-volatile memory may be a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a ferromagnetic random access memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 42 described in connection with the embodiments of the invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiments of the present invention may be applied to the processor 41, or implemented by the processor 41. The processor 41 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 41. The processor 41 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. Processor 41 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in memory 42, where processor 41 reads the information in memory 42 and in combination with its hardware performs the steps of the method described above.
In an exemplary embodiment, the information processing apparatus may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, MCUs, microprocessors (microprocessors), or other electronic components for performing the foregoing methods.
In an exemplary embodiment, the present invention further provides a computer readable storage medium, such as the memory 42 including a computer program, which can be executed by the processor 41 of the information processing apparatus to perform the steps of the foregoing method. The computer readable storage medium can be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
An embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the steps of the information processing method applied to a first device, a second device, or a third device.
An embodiment of the present invention further provides an information processing system, which may adopt the deployment manner shown in FIG. 4 or FIG. 8. The system comprises the first device, the second device, and a fourth device for generating a public-private key pair; the fourth device is located in a network function virtualization infrastructure (NFVI); wherein:
the first device is configured to obtain certificate description information of a first network element to be deployed, and obtain a first public-private key pair from the fourth device; generating a first digital certificate based on the certificate description information and the first public-private key pair; sending a certificate application request to a second device, wherein the certificate application request at least comprises the first digital certificate; further configured to receive a certificate application response of the second apparatus; under the condition that the certificate application response comprises indication information representing that the first digital certificate passes verification, at least sending the first digital certificate to the first network element;
the second device is used for generating a second signature based on a specific private key and the first digital certificate and sending a first request message containing the first digital certificate and the second signature to a digital certificate system; the digital certificate system is used for verifying the first digital certificate and the second signature; obtaining a first response message of the digital certificate system; when the digital certificate system verifies the first digital certificate and the second signature, the response message comprises indication information for representing that the first digital certificate is verified; and sending a certificate application response to the first device, wherein the certificate application response comprises indication information representing that the first digital certificate passes verification.
In some optional embodiments of the present invention, the system further comprises a third means for receiving a certificate query request of the first network element; the certificate inquiry request comprises first certificate information to be inquired; retrieving a digital certificate corresponding to the first certificate information and status information corresponding to the retrieved digital certificate from a pre-stored certificate information set; sending a certificate inquiry response to the first network element; the certificate inquiry response comprises the digital certificate and the state information corresponding to the digital certificate.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to obtain new method embodiments.
Features disclosed in several of the product embodiments provided in the present application may be combined in any combination to yield new product embodiments without conflict.
The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (24)

1. An information processing method, characterized in that the method comprises:
the method comprises the steps that a first device obtains certificate description information of a first network element to be deployed and a first public and private key pair;
generating a first digital certificate based on the certificate description information and the first public-private key pair;
sending a certificate application request to a second device, wherein the certificate application request at least comprises the first digital certificate; the second device is used for verifying the first digital certificate by utilizing a digital certificate system;
and under the condition that the digital certificate system verifies the first digital certificate, at least sending the first digital certificate to the first network element.
2. The method of claim 1, further comprising:
when the first device determines that the first digital certificate meets a preset condition, a new first public and private key pair is obtained;
generating a new first digital certificate based on the new first public-private key pair and the certificate description information of the first network element, and generating a first signature based on a private key of the first public-private key pair and the new first digital certificate;
sending a certificate update request to the second device, the certificate update request including the new first digital certificate and the first signature; the second means is for verifying the new first digital certificate and the first signature using the digital certificate system;
and under the condition that the digital certificate system verifies the new first digital certificate and the first signature, at least sending the new first digital certificate to the first network element, wherein the new first digital certificate is used for updating the first digital certificate in the first network element.
3. The method according to claim 2, wherein the first device determining that the first digital certificate satisfies a preset condition comprises:
the first device determines that the first digital certificate meets a preset condition when determining that the validity period of the first digital certificate meets a first preset condition or when determining that the security of the first digital certificate does not meet a second preset condition.
4. The method of claim 1, wherein obtaining, by the first device, certificate description information of the first network element to be deployed comprises:
the first device obtains certificate description information of a first network element to be deployed from a Virtual Network Function Manager (VNFM);
the obtaining a first public and private key pair comprises: the first device obtaining a first public-private key pair from a fourth device for generating a public-private key pair; the fourth device is located in a network function virtualization infrastructure NFVI.
5. The method according to any of claims 1 to 4, characterized in that said first means are located in an element management EM; each network element corresponds to one EM;
the sending at least the first digital certificate to the first network element includes:
sending at least the first digital certificate to the first network element by the first EM; the first EM is an EM corresponding to the first network element.
6. The method of any of claims 1 to 4, wherein the first device is located in a VNFM;
the sending at least the first digital certificate to the first network element includes:
sending at least the first digital certificate to a first EM through the VNFM, forwarding the first digital certificate to the first network element through the first EM; the first EM is an EM corresponding to the first network element.
7. An information processing method, characterized in that the method comprises:
the method comprises the steps that a second device obtains a certificate application request sent by a first device, wherein the certificate application request at least comprises a first digital certificate; the first digital certificate is generated based on certificate description information of a first network element and a first public and private key pair;
generating a second signature based on a specific private key and the first digital certificate, and sending a first request message containing the first digital certificate and the second signature to a digital certificate system; the digital certificate system is used for verifying the first digital certificate and the second signature;
obtaining a first response message of the digital certificate system; when the digital certificate system verifies the first digital certificate and the second signature, the response message comprises indication information for representing that the first digital certificate is verified;
and sending a certificate application response to the first device, wherein the certificate application response comprises indication information representing that the first digital certificate passes verification.
8. The method of claim 7, further comprising:
the second device obtains a certificate update request sent by the first device, wherein the certificate update request comprises a new first digital certificate and a first signature; the first signature is generated based on the new first digital certificate and the private key of the first public-private key pair;
generating a third signature based on the particular private key and the new first digital certificate, sending a second request message containing the new first digital certificate, the first signature, and the third signature to the digital certificate system; the digital certificate system is used for verifying the new first digital certificate, the first signature and the third signature;
obtaining a second response message of the digital certificate system; when the digital certificate system verifies the new first digital certificate, the first signature and the third signature, the response message includes indication information representing that the new first digital certificate verifies;
and sending a certificate updating response to the first device, wherein the certificate updating response comprises indication information for representing that the new first digital certificate is verified.
9. An information processing method, characterized in that the method comprises:
the third device receives a certificate inquiry request of the first network element; the certificate inquiry request comprises first certificate information to be inquired;
retrieving a digital certificate corresponding to the first certificate information and status information corresponding to the retrieved digital certificate from a pre-stored certificate information set;
sending a certificate inquiry response to the first network element; the certificate inquiry response comprises the digital certificate and the state information corresponding to the digital certificate.
10. The method of claim 9, further comprising:
and the third device receives the certificate information set sent by the digital certificate system and stores the certificate information set.
11. An information processing apparatus, characterized in that the apparatus comprises: a first communication unit and a first processing unit; wherein:
the first communication unit is used for obtaining certificate description information of a first network element to be deployed and obtaining a first public and private key pair;
the first processing unit is used for generating a first digital certificate based on the certificate description information and the first public and private key pair;
the first communication unit is configured to send a certificate application request to a second apparatus, where the certificate application request includes at least the first digital certificate; the second apparatus is configured to verify the first digital certificate by utilizing a digital certificate system; and the first communication unit is further configured to send at least the first digital certificate to the first network element if the digital certificate system verifies the first digital certificate.
12. The apparatus according to claim 11, wherein the first communication unit is further configured to, when the first processing unit determines that the first digital certificate satisfies a preset condition, obtain a new first public-private key pair;
the first processing unit is further configured to generate a new first digital certificate based on the new first public-private key pair and the certificate description information of the first network element, and generate a first signature based on a private key in the first public-private key pair and the new first digital certificate;
the first communication unit is further configured to send a certificate update request to the second apparatus, where the certificate update request includes the new first digital certificate and the first signature; the second apparatus is configured to verify the new first digital certificate and the first signature using the digital certificate system; and the first communication unit is further configured to send at least the new first digital certificate to the first network element if the digital certificate system verifies the new first digital certificate and the first signature, where the new first digital certificate is used to update the first digital certificate in the first network element.
13. The apparatus according to claim 12, wherein the first processing unit is configured to determine that the first digital certificate satisfies a preset condition when determining that a validity period of the first digital certificate satisfies a first preset condition, or when determining that security of the first digital certificate does not satisfy a second preset condition.
14. The apparatus according to claim 11, wherein the first communication unit is configured to obtain the certificate description information of the first network element to be deployed from a virtual network function manager (VNFM); and is further configured to obtain the first public-private key pair from a fourth apparatus configured to generate a public-private key pair; the fourth apparatus is located in a network function virtualization infrastructure (NFVI).
15. The apparatus according to any of claims 11 to 14, wherein the first apparatus is located in a network element management (EM); each network element corresponds to one EM;
the first communication unit is configured to send at least the first digital certificate to the first network element through a first EM; the first EM is an EM corresponding to the first network element.
16. The apparatus according to any of claims 11 to 14, wherein the first apparatus is located in a VNFM;
the first communication unit is configured to send at least the first digital certificate to a first EM through the VNFM, and forward the first digital certificate to the first network element through the first EM; the first EM is an EM corresponding to the first network element.
17. An information processing apparatus characterized in that the apparatus comprises: a second communication unit and a second processing unit; wherein
the second communication unit is used for obtaining a certificate application request sent by a first device, wherein the certificate application request at least comprises a first digital certificate; the first digital certificate is generated based on certificate description information of a first network element and a first public and private key pair;
the second processing unit is used for generating a second signature based on a specific private key and the first digital certificate;
the second communication unit is further configured to send a first request message containing the first digital certificate and the second signature to a digital certificate system; the digital certificate system is used for verifying the first digital certificate and the second signature; and is further configured to obtain a first response message of the digital certificate system; when the digital certificate system verifies the first digital certificate and the second signature, the first response message comprises indication information representing that the first digital certificate is verified; and is further configured to send a certificate application response to the first apparatus, where the certificate application response includes indication information indicating that the first digital certificate is verified.
18. The apparatus according to claim 17, wherein the second communication unit is further configured to obtain a certificate update request sent by the first apparatus, where the certificate update request includes a new first digital certificate and a first signature; the first signature is generated based on the new first digital certificate and the private key of the first public-private key pair;
the second processing unit is further configured to generate a third signature based on the specific private key and the new first digital certificate;
the second communication unit is further configured to send a second request message containing the new first digital certificate, the first signature and the third signature to the digital certificate system; the digital certificate system is used for verifying the new first digital certificate, the first signature and the third signature; and is further configured to obtain a second response message of the digital certificate system; when the digital certificate system verifies the new first digital certificate, the first signature and the third signature, the second response message includes indication information representing that the new first digital certificate is verified; and is further configured to send a certificate update response to the first apparatus, where the certificate update response includes indication information indicating that the new first digital certificate is verified.
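The certificate update flow of claims 8, 12 and 18 (a new certificate, a first signature made with the element's old private key, a third signature made by the second device, all checked by the digital certificate system), as an added Go simulation that is not part of the patent. Ed25519 is assumed as the signature scheme, and the Certificate structure, key generation helper and element name are constructed stand-ins, not anything the claims specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Certificate stands in for the claims' "first digital certificate": the network
// element's description information bound to its public key (no X.509 modelled).
type Certificate struct {
	Description string
	PublicKey   ed25519.PublicKey
}

// Bytes is the message both the first and the third signature cover.
func (c Certificate) Bytes() []byte {
	return append([]byte(c.Description+"|"), c.PublicKey...)
}

// UpdateRequest is what the second device forwards to the digital certificate system:
// new certificate, first signature (element's OLD key), third signature (second device).
type UpdateRequest struct {
	NewCert        Certificate
	FirstSignature []byte
	ThirdSignature []byte
}

// NewKeyPair plays the fourth device in the NFVI that generates key pairs (assumed).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildUpdateRequest performs the first device's step (first signature) and the
// second device's step (third signature) over the same new certificate.
func BuildUpdateRequest(oldPriv, secondDevPriv ed25519.PrivateKey, newCert Certificate) UpdateRequest {
	msg := newCert.Bytes()
	return UpdateRequest{newCert, ed25519.Sign(oldPriv, msg), ed25519.Sign(secondDevPriv, msg)}
}

// VerifyUpdate is the digital certificate system's check: same element as the registered
// certificate, first signature valid under the currently registered key (only the old
// key's holder can roll it), third signature valid under the trusted second device's key.
func VerifyUpdate(registered Certificate, secondDevPub ed25519.PublicKey, req UpdateRequest) error {
	if req.NewCert.Description != registered.Description {
		return errors.New("description does not match the registered certificate")
	}
	msg := req.NewCert.Bytes()
	if !ed25519.Verify(registered.PublicKey, msg, req.FirstSignature) {
		return errors.New("first signature not made with the registered key")
	}
	if !ed25519.Verify(secondDevPub, msg, req.ThirdSignature) {
		return errors.New("third signature not made by the second device")
	}
	return nil
}
```

The first signature is what stops a party holding only the second device's path from swapping in a key pair of its own; the third signature is what stops a bare key holder from bypassing the second device.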
19. An information processing apparatus characterized in that the apparatus comprises: a third communication unit and a third processing unit; wherein
the third communication unit is configured to receive a certificate query request of the first network element; the certificate inquiry request comprises first certificate information to be inquired;
the third processing unit is configured to retrieve a digital certificate corresponding to the first certificate information and status information corresponding to the retrieved digital certificate from a pre-stored certificate information set;
the third communication unit is further configured to send a certificate query response to the first network element; the certificate inquiry response comprises the digital certificate and the state information corresponding to the digital certificate.
20. The apparatus of claim 19, further comprising a storage unit;
the third communication unit is further configured to receive a certificate information set sent by a digital certificate system;
the storage unit is used for storing the certificate information set.
21. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 6; or
the program, when executed by a processor, carries out the steps of the method of claim 7 or 8; or
the program, when executed by a processor, carries out the steps of the method of claim 9 or 10.
22. An information processing apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the method of any one of claims 1 to 6; or
the processor, when executing the program, implements the steps of the method of claim 7 or 8; or
the processor, when executing the program, implements the steps of the method of claim 9 or 10.
23. An information processing system, the system comprising: a first device, a second device and a fourth device for generating a public-private key pair; the fourth device is located in a network function virtualization infrastructure (NFVI); wherein
the first device is configured to obtain certificate description information of a first network element to be deployed, and obtain a first public-private key pair from the fourth device; generating a first digital certificate based on the certificate description information and the first public-private key pair; sending a certificate application request to a second device, wherein the certificate application request at least comprises the first digital certificate; further configured to receive a certificate application response of the second apparatus; under the condition that the certificate application response comprises indication information representing that the first digital certificate passes verification, at least sending the first digital certificate to the first network element;
the second device is used for generating a second signature based on a specific private key and the first digital certificate and sending a first request message containing the first digital certificate and the second signature to a digital certificate system; the digital certificate system is used for verifying the first digital certificate and the second signature; obtaining a first response message of the digital certificate system; when the digital certificate system verifies the first digital certificate and the second signature, the response message comprises indication information for representing that the first digital certificate is verified; and sending a certificate application response to the first device, wherein the certificate application response comprises indication information representing that the first digital certificate passes verification.
24. The system according to claim 23, wherein the system further comprises a third device configured to receive a certificate inquiry request of the first network element; the certificate inquiry request comprises first certificate information to be inquired; retrieve a digital certificate corresponding to the first certificate information and status information corresponding to the retrieved digital certificate from a pre-stored certificate information set; and send a certificate inquiry response to the first network element; the certificate inquiry response comprises the digital certificate and the status information corresponding to the digital certificate.
CN202010682395.3A 2020-07-15 2020-07-15 Information processing method and system and related device Pending CN114024678A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010682395.3A CN114024678A (en) 2020-07-15 2020-07-15 Information processing method and system and related device

Publications (1)

Publication Number Publication Date
CN114024678A true CN114024678A (en) 2022-02-08

Family

ID=80053993

Country Status (1)

Country Link
CN (1) CN114024678A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023216913A1 (en) * 2022-05-08 2023-11-16 华为技术有限公司 Communication method and apparatus

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015168914A1 (en) * 2014-05-08 2015-11-12 华为技术有限公司 Certificate acquisition method and device
US20190253264A1 (en) * 2016-09-08 2019-08-15 Nec Corporation Network function virtualization system and verifying method
CN110493234A (en) * 2019-08-23 2019-11-22 中国工商银行股份有限公司 Certificate processing method, certificate processing unit and electronic equipment
CN110598482A (en) * 2019-09-30 2019-12-20 腾讯科技(深圳)有限公司 Block chain-based digital certificate management method, device, equipment and storage medium
CN111212071A (en) * 2019-12-31 2020-05-29 奇安信科技集团股份有限公司 Information processing method and device, electronic device and medium
CN111404859A (en) * 2019-01-02 2020-07-10 中国移动通信有限公司研究院 Client authentication method and device and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination