CN115334506A - User trusted access system and method for 5G edge computing node - Google Patents


Info

Publication number
CN115334506A
Authority
CN
China
Prior art keywords
container
credible
verification
upf
evidence
Prior art date
Legal status
Pending
Application number
CN202210948364.7A
Other languages
Chinese (zh)
Inventor
张小建
王齐
高鹏
郭亚琼
陆鑫
Current Assignee
State Grid Smart Grid Research Institute Co ltd
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Smart Grid Research Institute Co ltd
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Smart Grid Research Institute Co ltd, State Grid Corp of China SGCC, Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Priority to CN202210948364.7A
Publication of CN115334506A
Legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/06 Authentication
                        • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
                        • H04W12/069 Authentication using certificates or pre-shared keys
                    • H04W12/08 Access security
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3247 involving digital signatures
                        • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
                        • H04L9/3271 using challenge-response
                            • H04L9/3273 for mutual authentication
                • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
                    • H04L2209/80 Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a user trusted access system and method for a 5G edge computing node. The system comprises a user terminal UE, a target container, a UPF, a UDM, a host machine and an MEC controller. The UE is the resource requester of the target container and performs trusted verification by requesting trusted evidence from the target container; the trusted evidence of the target container is provided by the TPM of the host machine and the vTPM in the target container. The UPF is the communication agent for remote attestation and verifies the trustworthiness of the UE and of the target container in turn. The UDM is the trusted verification node of the UE; it issues the UE's certificate and verifies the UE's trusted evidence. The MEC controller is the trusted verification node of the container; it issues AIK certificates for the TPM of the target container and of the host and verifies their trusted evidence. On the basis of this system, a remote attestation method performs bidirectional trusted authentication of the UE and the container operating environment, so that the identity of the container accessed by the UE is trusted and the operating environments of both parties are trusted.

Description

User trusted access system and method for 5G edge computing node
Technical Field
The invention relates to the technical field of network information security, in particular to a user trusted access system and method for a 5G edge computing node.
Background
Mobile Edge Computing (MEC) is a key technology in 5G networks. Its basic idea is to migrate cloud computing service capability from inside the mobile core network to the edge of the mobile access network, so that computing and storage resources can be used flexibly. As 5G develops, demand for low-latency mobile applications grows; MEC lets services be deployed locally and close to the user, which greatly reduces service latency and effectively improves the user's service experience.
With the continuing development and wide adoption of cloud computing, virtualization technology has also become increasingly important. Container technology is favored by more and more users because of advantages such as low resource consumption and insensitivity to environmental factors, so containers are also widely used in MEC. However, because the MEC is deployed at the edge, the environment in which a container runs is not secure, and how to establish mutual trust between the user and the container in an untrusted environment is a problem that urgently needs to be solved.
The TCG defines trusted computing as follows: an entity is trusted if its behavior always proceeds in the expected manner and eventually reaches the expected goal. Attestation, as defined in the TCG specification, is a reporting mechanism by which a proving party reports the identity of its platform and its software and hardware configuration to a challenger. Once the challenger verifies the report successfully, the identity information and the report provided by the proving party are taken to be correct and reliable.
At present, the following schemes are mainly used to ensure that a user terminal accesses an edge computing node in a trusted manner:
(1) The 5G primary authentication performed when the built-in SIM card of a user terminal UE (User Equipment) attaches to the 5G network guarantees that the identity of the UE accessing the 5G network is legitimate, but it cannot guarantee the security of the UE's internal operating environment, that is, it cannot guarantee trusted UE access.
(2) An edge Internet of Things agent is deployed, information exchanged between the access device and the agent is encrypted according to an encryption policy, and the access device is subjected to fault analysis and judgment. This method only judges whether the access device has failed; it ensures only the reliability of the device and cannot prove its trustworthiness.
(3) An access edge agent and an Internet of Things management platform are deployed, files are shared between them through directory sharing, the access edge agent performs trusted verification of the access device, the container image of the APP is instantiated on the edge computing node, and the instantiated edge computing APP is identity-verified through the management platform. This method can only verify the identity of the container and cannot ensure the trustworthiness of the container's operating environment.
Disclosure of Invention
Therefore, the invention provides a user trusted access system and method for a 5G edge computing node that overcome the defects of the prior art: bidirectional trusted authentication of the UE and the container operating environment is achieved by remote attestation, which ensures both that the identity of the container accessed by the UE is trusted and that the operating environments of both parties are trusted.
In a first aspect, the present invention provides a user trusted access system facing a 5G edge computing node, including: user terminal UE, target container, user plane function network element UPF, unified data management function network element UDM, host machine and MEC controller, wherein:
the UE is a resource requesting party of the target container, and performs trusted verification on the target container by requesting a trusted evidence from the target container, wherein the trusted evidence of the target container is provided by a Trusted Platform Module (TPM) of a host machine where the target container is located and a virtual trusted computing module (vTPM) in the target container;
the UPF is the communication agent for remote attestation; after receiving the remote attestation request sent by the UE, it verifies together with the UDM whether the UE is trusted, where the UDM is the trusted verification node of the UE and is used for issuing an attestation key certificate for the UE and verifying the UE's trusted evidence; after the UE passes trusted verification, the UPF verifies together with the MEC controller whether the target container is trusted, where the MEC controller is the trusted verification node of the target container and is used for issuing AIK certificates for the target container and for the TPM of the host and verifying their trusted evidence;
and after the UE and the target container pass the credibility verification, the UPF allows the UE and the target container to establish communication.
In an embodiment, before the UE initiates a remote attestation request to a UPF, the UE, the target container, the MEC controller, and the UDM perform security initialization, including:
the UE has a built-in TPM module; during registration the UDM issues the AIK key AIK1 of the UE's TPM, and at initial startup the UE sends its measured PCR value to the reference value library of the UDM, which provides the measurement reference value for verifying whether the UE is trusted;
the TPM of the host machine obtains its attestation identity key AIK2 from the MEC controller; at initial startup the host sends its measured PCR value to the reference value library of the MEC controller; when a container is initialized, the TPM of the host issues a certificate CvAIK1 for the virtual attestation identity key vAIK1 of the vTPM instance in the target container; when the target container starts, the vTPM performs measurement and sends the measured vPCR value to the virtual reference value library in the host machine, which provides the measurement reference value for verifying whether the target container is trusted.
In a second aspect, the present invention further provides a user trusted access method for a 5G edge computing node, based on the user trusted access system of the first aspect, including:
the UE initiates a remote certification request to the UPF, and the UPF verifies whether the UE is credible or not in combination with the UDM after receiving the remote certification request;
if the UE credibility verification is passed, the UPF and the MEC controller verify whether the target container is credible;
the UPF allows the UE to establish communication with the target container after both the UE and the target container pass the trusted verification.
In an embodiment, before the UE initiates the remote attestation request to the UPF, the method further includes security initialization of the UE, the target container, the MEC controller and the UDM, which comprises:
when the UE is initialized and started, the measured PCR value is sent to a reference value library of the UDM;
when the host computer is initialized and started, the measured PCR value is sent to a reference value library of the MEC controller;
when a container is initialized, the TPM of the host machine issues a certificate CvAIK1 for the virtual attestation identity key vAIK1 of the vTPM instance in the target container; when the target container starts, the vTPM performs measurement and sends the measured vPCR value to the virtual reference value library in the host machine.
In an embodiment, after receiving the remote attestation request, the UPF performs a process of verifying, in conjunction with the UDM, whether the UE is trusted, including:
after receiving the remote proof request, the UPF initiates a UE credible proof verification request to the UDM;
and the UDM verifies the credible evidence of the UE and returns a response of a credible verification result of the UE to the UPF.
In one embodiment, the process by which the UPF, together with the MEC controller, verifies whether the target container is trusted includes:
the UPF initiates a container credible evidence acquisition request to a target container;
after receiving the container credible evidence acquisition request, the target container generates a container credible evidence response and sends the container credible evidence response to the UPF;
after receiving the container credible evidence response, the UPF sends a container credible evidence verification request to the MEC controller;
and the MEC controller receives the container trusted evidence verification request, verifies the container trusted evidence and, together with the host machine, the trustworthiness of the container, and returns the container verification response result to the UPF.
In an embodiment, a process for a UE to initiate a remote attestation request to a UPF includes:
after generating a random number nonce1, the UE initiates a remote attestation request to the UPF, where the remote attestation request comprises the target container ID, the random number nonce1, the UE_ID and the UE's trusted evidence, and the UE's trusted evidence comprises the trusted measurement value PCR1 in the TPM of the UE, the ID of the TPM, and the signature S1 over PCR1 using the key AIK1.
In an embodiment, after receiving the remote attestation request, the UPF initiates a UE trusted evidence verification request to the UDM, including:
after receiving the remote attestation request, the UPF generates a random number nonce2 and issues a UE trusted evidence verification request challenge to the UDM, where the UE trusted evidence verification request comprises nonce2, the UE_ID and the UE's trusted evidence.
In an embodiment, the process of verifying the trustworthy proof of the UE by the UDM and returning a response of the trustworthy verification result of the UE to the UPF includes:
the UDM records a nonce2 in the UE credible evidence verification request and verifies the credible evidence of the UE;
the UDM firstly verifies the signature S1 and confirms whether the identity information of the UE is valid;
after the UDM signature verification is finished, comparing the PCR1 value with a stored PCR reference value of the TPM of the UE, and if the values are consistent, judging that the UE is credible;
after the UE is judged to be credible, the UDM returns a UE credible verification response containing a UE credible verification result to the UPF;
the UE trusted verification response comprises the random number nonce2', the UE_ID and the UE trusted verification result Success/Failure;
the UPF receives the credible verification response of the UE, judges whether the session is valid or not by verifying whether the random number nonce2' is the same as the nonce2 or not, and if so, the session is valid;
if the session is valid, the UPF reads that the UE credible verification result is Success, the UE credible verification is passed, and the verification is continued;
if the credible verification result is Failure, the UPF disconnects the connection with the UE;
and if the trusted verification result is Success, the UPF generates a random number nonce3 and initiates a container trusted evidence acquisition request to the target container, wherein the container trusted evidence acquisition request comprises the target container ID and the random number nonce3.
In an embodiment, the process of generating a container credible evidence response and sending the container credible evidence response to the UPF after the target container receives the container credible evidence obtaining request includes:
the container trusted evidence response comprises a random number nonce3' and the trusted evidence of the target container, where the trusted evidence comprises the trusted measurement value PCR2 of the TPM of the MEC host and the signature S2 over PCR2 using AIK2, together with the trusted measurement value vPCR1 of the vTPM instance in the target container and the signature S3 over vPCR1 using the key vAIK1.
In an embodiment, the process of sending a container trusted evidence verification request to the MEC controller after the UPF receives the container trusted evidence response includes:
after receiving the container trusted evidence response, the UPF judges whether the session is valid by verifying whether the random number nonce3' is the same as nonce3;
if the session is valid, the UPF generates a random number nonce4 and sends a container trusted evidence verification request challenge to the MEC controller, where the container trusted evidence verification request comprises the random number nonce4, the container ID and the container trusted evidence.
In an embodiment, the process in which the MEC controller receives the container trusted evidence verification request and, together with the host machine, verifies the container trusted evidence and the trustworthiness of the container includes:
the MEC controller receives a container credible evidence verification request and verifies the signature S2;
the MEC controller looks up the corresponding host machine by the container ID and, after the signature verification passes, compares the PCR2 value with the stored PCR reference value of that host machine to judge whether the host machine is trusted;
if the host is credible, the MEC controller sends a container credibility verification request challenge to the host;
the container trusted verification request comprises a container ID and container trusted evidence;
the host computer receives a container credibility verification request sent by the MEC controller;
and the host machine verifies the signature S3, if the signature S3 passes verification, the host machine compares the vPCR1 with a vPCR reference value stored in a virtual reference library in the host machine, and returns the credible verification result Success/Failure of the container to the MEC controller.
In one embodiment, the container trusted evidence verification response that the MEC controller returns to the UPF comprises the random number nonce4', the container ID, the container trusted evidence verification result and the container trusted verification result; if both results are Success, the UPF determines that the UE and the container are both trusted and allows the UE to establish communication with the target container.
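The two-stage flow described above (UE verified through the UDM, then container verified through the MEC controller and host, with the UPF checking each nonce echo before going on), as an added runnable model that is not code from the patent. It assumes HMAC-SHA256 with a key shared by prover and verifier as a stand-in for the AIK/vAIK signatures S1, S2 and S3, and the class names, message field names and boot event lists are constructed for the illustration.

```python
# Added illustration of the attestation flow, not the patent's code. Assumption: AIK/vAIK
# signatures are stood in for by HMAC-SHA256 with a key shared by prover and verifier.
import hashlib, hmac, secrets

def measure(events) -> bytes:
    """TPM-style PCR: start at zero, extend as H(old || H(event)); one-way, order-sensitive."""
    pcr = bytes(32)
    for ev in events:
        pcr = hashlib.sha256(pcr + hashlib.sha256(ev).digest()).digest()
    return pcr

def sign(key: bytes, pcr: bytes) -> bytes:           # S = Sign_AIK(PCR)
    return hmac.new(key, pcr, hashlib.sha256).digest()
def same(a: bytes, b: bytes) -> bool:
    return hmac.compare_digest(a, b)

class UDM:
    """Trusted verification node of the UE: AIK1 and PCR reference per TPM ID."""
    def __init__(self):
        self.aik1, self.pcr_ref = {}, {}
    def register_ue(self, tpm_id, aik1, boot_events):
        self.aik1[tpm_id], self.pcr_ref[tpm_id] = aik1, measure(boot_events)
    def verify_ue(self, req):
        ev, tid = req["evidence"], req["evidence"]["tpm_id"]
        ok = (tid in self.aik1 and same(sign(self.aik1[tid], ev["pcr1"]), ev["s1"])  # S1 valid?
              and same(self.pcr_ref[tid], ev["pcr1"]))                              # PCR1 == reference?
        return {"nonce2": req["nonce2"], "ue_id": req["ue_id"], "result": "Success" if ok else "Failure"}

class Host:
    """MEC host: physical TPM (AIK2, PCR2) plus a virtual reference library for its vTPMs."""
    def __init__(self, host_id, aik2, boot_events):
        self.host_id, self.aik2, self.pcr2 = host_id, aik2, measure(boot_events)
        self.vaik1, self.vpcr_ref = {}, {}
    def init_container(self, cid, image_events):
        # Host TPM issues vAIK1 to the vTPM instance; the first-start vPCR becomes the reference.
        self.vaik1[cid], self.vpcr_ref[cid] = secrets.token_bytes(32), measure(image_events)
        return self.vaik1[cid]
    def verify_container(self, cid, ev):
        ok = same(sign(self.vaik1[cid], ev["vpcr1"]), ev["s3"]) and same(self.vpcr_ref[cid], ev["vpcr1"])
        return "Success" if ok else "Failure"

class Container:
    def __init__(self, cid, host, vaik1, start_events):
        self.cid, self.host, self.vaik1, self.vpcr1 = cid, host, vaik1, measure(start_events)
    def evidence_response(self, req):
        h = self.host
        return {"nonce3": req["nonce3"], "evidence": {"pcr2": h.pcr2, "s2": sign(h.aik2, h.pcr2),
                                                    "vpcr1": self.vpcr1, "s3": sign(self.vaik1, self.vpcr1)}}

class MECController:
    """Trusted verification node of the container: PCR reference per host, host lookup by container ID."""
    def __init__(self):
        self.hosts, self.pcr_ref, self.host_of = {}, {}, {}
    def register_host(self, host, container_ids):
        self.hosts[host.host_id], self.pcr_ref[host.host_id] = host, host.pcr2
        self.host_of.update({cid: host.host_id for cid in container_ids})
    def verify_container_evidence(self, req):
        cid, ev = req["cid"], req["evidence"]
        host = self.hosts[self.host_of[cid]]
        ev_ok = same(sign(host.aik2, ev["pcr2"]), ev["s2"]) and same(self.pcr_ref[host.host_id], ev["pcr2"])
        cont = host.verify_container(cid, ev) if ev_ok else "Failure"   # only a trusted host is asked
        return {"nonce4": req["nonce4"], "cid": cid,
                "evidence_result": "Success" if ev_ok else "Failure", "container_result": cont}

class UPF:
    """Remote attestation agent: a fresh nonce per hop, whose echo proves session validity."""
    def __init__(self, udm, mec, containers):
        self.udm, self.mec, self.containers = udm, mec, containers
    def remote_attestation(self, req) -> bool:
        nonce2 = secrets.token_bytes(16)
        r = self.udm.verify_ue({"nonce2": nonce2, "ue_id": req["ue_id"], "evidence": req["ue_evidence"]})
        if not same(r["nonce2"], nonce2) or r["result"] != "Success":
            return False                                  # UPF disconnects the UE
        nonce3 = secrets.token_bytes(16)
        c = self.containers[req["target"]].evidence_response({"cid": req["target"], "nonce3": nonce3})
        if not same(c["nonce3"], nonce3):
            return False
        nonce4 = secrets.token_bytes(16)
        v = self.mec.verify_container_evidence({"nonce4": nonce4, "cid": req["target"], "evidence": c["evidence"]})
        return same(v["nonce4"], nonce4) and v["evidence_result"] == "Success" and v["container_result"] == "Success"

def ue_request(tpm_id, aik1, boot_events, target):
    """UE side: nonce1, UE_ID, target container ID and evidence {TPM ID, PCR1, S1}."""
    pcr1 = measure(boot_events)
    return {"target": target, "nonce1": secrets.token_bytes(16), "ue_id": "ue-" + tpm_id,
            "ue_evidence": {"tpm_id": tpm_id, "pcr1": pcr1, "s1": sign(aik1, pcr1)}}

def demo():
    """Constructed scenario: a clean UE/container pair, then a tampered UE and a tampered container."""
    ue_boot, host_boot = [b"ue-bootloader", b"ue-kernel"], [b"host-bios", b"host-kernel", b"runtime"]
    image, aik1, aik2 = [b"app-layer-1", b"app-entrypoint"], secrets.token_bytes(32), secrets.token_bytes(32)
    udm, mec, host = UDM(), MECController(), Host("host-1", aik2, host_boot)
    udm.register_ue("tpm-A", aik1, ue_boot)
    vaik1 = host.init_container("c1", image)
    mec.register_host(host, ["c1"])
    clean = {"c1": Container("c1", host, vaik1, image)}
    tampered = {"c1": Container("c1", host, vaik1, image + [b"injected-binary"])}
    return {
        "trusted": UPF(udm, mec, clean).remote_attestation(ue_request("tpm-A", aik1, ue_boot, "c1")),
        "tampered_ue": UPF(udm, mec, clean).remote_attestation(ue_request("tpm-A", aik1, ue_boot + [b"rootkit"], "c1")),
        "tampered_container": UPF(udm, mec, tampered).remote_attestation(ue_request("tpm-A", aik1, ue_boot, "c1")),
    }
```

A changed measurement anywhere in a boot or container start sequence changes the final PCR/vPCR, so the reference comparison at the UDM or host fails and the UPF never opens the channel.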
The technical scheme of the invention has the following advantages:
1. The user trusted access system for a 5G edge computing node provided by the embodiment of the invention comprises a user terminal UE, a target container, a user plane function network element UPF, a unified data management function network element UDM, a host machine and an MEC controller. It uses the UPF as remote attestation agent to achieve trusted verification of the container, and the bidirectional trusted authentication of the operating environments of the UE and the container ensures both that the identity of the container accessed by the UE is trusted and that the operating environments of both parties are trusted.
2. The user trusted access method for a 5G edge computing node provided by the embodiment of the invention verifies the trusted terminal UE equipped with a TPM through the UDM, which reduces the resource burden on the remote attestation agent, and finally achieves bidirectional remote attestation of the UE and the container. Building on the primary authentication of the 5G network, the method uses remote attestation to perform bidirectional trusted authentication of the operating environments of the UE and the container, so that both the identity of the container accessed by the UE and the operating environments of both parties are trusted. By controlling communication establishment through the user plane function network element UPF, it achieves trusted access of user terminals and effective control of the communication channel when massive numbers of terminals access the MEC edge computing node in 5G industrial Internet applications.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic structural diagram of an example of a user trusted access system facing a 5G edge computing node according to an embodiment of the present invention;
fig. 2 is a flowchart of an example of a user trusted access method for a 5G edge computing node according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a process of authenticating a user equipment UE according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a process for validating a target container in an embodiment of the invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Fig. 1 is a block diagram of a user trusted access system facing a 5G edge computing node according to an embodiment of the present invention, including: user terminal UE, target container, user plane function network element UPF, unified data management function network element UDM, host machine and MEC controller, wherein: the UE is a resource requesting party of a target container, and performs credibility verification on the target container by requesting credible evidence from the target container, wherein the credible evidence of the target container is provided by a credible platform module (TPM) of a host machine where the target container is located and a virtual credible computing module (vTPM) in the target container; the UPF is a communication agent of remote certification, and verifies whether the UE is trusted or not by combining the UDM after receiving a remote certification request sent by the UE, wherein the UDM is a trusted verification node of the UE and is used for issuing a certification key certificate and verifying a trusted evidence for the UE; after the UE credibility verification is passed, the UPF and the MEC controller are combined to verify whether the target container is credible or not, wherein the MEC controller is a credible verification node of the target container and is used for issuing AIK certificates and verification credible evidences for the TPM of the target container and the host;
the UPF allows the UE to establish communication with the target container after both the UE and the target container pass the trusted verification.
Based on the 5G edge computing node-oriented user trusted access system provided by the embodiment of the invention, the trusted verification of the container is realized by using the remote attestation agent, the verification of the trusted terminal UE provided with the physical TPM is realized through the UDM, the resource burden of the remote attestation agent is reduced, and the bidirectional trusted authentication of the UE and the running environment of the container is finally realized, so that the identity trust of the access container of the UE is ensured, and the running environments of two parties accessing the system are also ensured to be trusted.
It should be noted that in practical applications, there is at least one target container, and fig. 1 uses two containers as an example, but not limited thereto.
The Trusted Platform Module (TPM) in the embodiment of the present invention is a chip that is planted inside a computer and provides a Trusted root for the computer, and may provide functions such as identity authentication, trusted measurement, secure storage, and the like. Inside the TPM, there is a Platform Configuration Register (PCR) for recording the system running status. Its value can only be changed by means of an extension operation, which is irreversible, and by means of an extension PCR an infinitely long sequence of measurement values can be recorded, the sequence of measurement values reflects the transition of the system state, and one measurement value in the extension sequence is changed, and the subsequent measurement sequence is affected. The platform state information may be placed in a measurement log file external to the TPM in the form of a log. The summary of the measurement log information is recorded in the PCR through extension so as to be used for verifying the measurement log at a later time, thereby confirming whether the system is credible.
The Virtual Trusted Platform Module (vTPM) is a software-based representation form of a physical Trusted Platform Module, and provides hardware-based security-related functions such as random number generation, certification, key generation and the like, and the vTPM Module is carried by a container mirror image. After addition to the virtual machine, the vTPM enables the host operating system to create and store the private key. These keys are not disclosed to the host operating system itself, so the virtual machine attack surface is reduced. For host operating systems that are compromised in security, the security of their keys is also compromised, but enabling a TPM can reduce this risk to a large extent, and only the host operating system can use these keys for encryption or signing. The vTPM of the embodiment of the invention is provided with vPCR to provide isolatable metric value storage space for the container in the MEC node.
In the embodiment of the present invention, before the UE initiates the remote attestation request to the UPF, the UE, the target container, the MEC controller and the UDM perform security initialization so as to provide measurement reference values for the subsequent trusted verification. Specifically, a TPM module is built into the UE; the UDM issues the AIK AIK1 for the UE's TPM during registration, and at the UE's initial start-up the measured PCR value is sent to the reference value library of the UDM, providing the measurement reference value used to verify whether the UE is trusted. The TPM of the host obtains its identity attestation key AIK2 from the MEC controller; when the host is started for initialization, its measured PCR value is sent to the reference value library of the MEC controller. When the container is initialized, the TPM of the host issues the certificate CvAIK1 of a virtual identity attestation key, vAIK1, for the vTPM instance on the target container; when the target container starts, the vTPM performs the measurement and the measured vPCR value is sent to the virtual reference value library in the host, providing the measurement reference value used to verify whether the target container is trusted.
In the embodiment of the invention, vPCRs are set in the vTPM of the container, providing the containers in the MEC node with isolated storage space for measurement values; the vPCR reference value is stored in the host, which reduces the performance overhead on the container.
Embodiment 2
Based on the user trusted access system for the 5G edge computing node in embodiment 1, the embodiment of the present invention provides a user trusted access method for the 5G edge computing node. After the user terminal completes 5G primary authentication and requests resource access to the edge computing node, a designated remote attestation agent issues trusted evidence verification requests to the 5G terminal and to the container respectively, and the user terminal may access the container once the trusted evidence has been verified by the trusted verification node. As shown in FIG. 2, the method includes:
Step S1: the UE initiates a remote attestation request to the UPF, and after receiving the remote attestation request the UPF verifies, together with the UDM, whether the UE is trusted.
In the embodiment of the invention, the process of verifying whether the UE is trusted is as follows: after receiving the remote attestation request, the UPF initiates a UE trusted evidence verification request to the UDM; the UDM verifies the trusted evidence of the UE and returns a UE trusted verification result response to the UPF; if the UE's trusted verification does not pass, the UPF terminates the flow.
Step S2: if the UE passes the trusted verification, the UPF and the MEC controller verify whether the target container is trusted.
In the embodiment of the invention, the process of verifying whether the target container is trusted is as follows: the UPF initiates a container trusted evidence acquisition request to the target container; after receiving the container trusted evidence acquisition request, the target container generates a container trusted evidence response and sends it to the UPF; after receiving the container trusted evidence response, the UPF sends a container trusted evidence verification request to the MEC controller; the MEC controller receives the container trusted evidence verification request, verifies the container trusted evidence and returns a container trusted verification result response; if the target container's trusted verification fails, the UPF terminates the process.
Step S3: when both the UE and the target container pass the trusted verification, the UPF allows the UE to establish communication with the target container.
The embodiment of the invention verifies the trusted terminal UE equipped with a TPM through the UDM, which reduces the resource burden on the remote attestation agent, and finally achieves bidirectional remote attestation of the UE and the container. This ensures that the identity of the container the UE accesses is trusted and that the running environments of both parties to the access are trusted, while the establishment of communication is controlled through the user plane function network element UPF.
In practical application, before the UE initiates a remote attestation request to the UPF, security initialization of the UE, the target container, the MEC controller and the UDM is required. Specifically, in the embodiment of the present invention a TPM module is built into the UE; the UDM issues the TPM's AIK certificate CAIK1 to the UE during registration, the corresponding key being AIK1; when the UE is initialized and started, the measured PCR value is sent to the reference value library of the UDM. The TPM module of the host obtains the identity attestation key certificate CAIK2 from the MEC controller, the corresponding key being AIK2; when the host is initialized and started, the measured PCR value is sent to the reference value library of the MEC controller. When the container is initialized, the TPM of the MEC host issues the certificate CvAIK1 of a virtual identity attestation key (vAIK) for the vTPM instance on the container, the key being vAIK1. When the container is started, the vTPM performs the measurement and the measured vPCR value is sent to the virtual reference value library in the host. The measurement reference values used in the subsequent trusted verification are obtained through this security initialization process.
In a specific embodiment, the process of verifying whether the UE is trusted is as follows:
Step S21: the UE generates a random number nonce1 and initiates a remote attestation request to the UPF. The remote attestation request comprises the target container ID, the random number nonce1, the UE_ID and the trusted evidence of the UE; the trusted evidence of the UE comprises the trusted measurement value PCR1 in the UE's TPM, the ID of the TPM, and the signature S1 of PCR1 made with the key AIK1. This process corresponds to (1) in FIG. 3.
Step S22: after receiving the remote attestation request, the UPF generates a random number nonce2 and initiates a UE trusted evidence verification request (challenge) to the UDM; the UE trusted evidence verification request includes the random number nonce2, the UE_ID and the above-mentioned trusted evidence of the UE. This process corresponds to (2) in FIG. 3.
Step S23: the UDM records nonce2 from the UE trusted evidence verification request and verifies the trusted evidence of the UE. The UDM first verifies the signature S1 and confirms whether the identity information of the UE is valid; after the signature verification succeeds, the UDM compares the PCR1 value with the stored PCR reference value of the UE's TPM, and if the values are consistent the UE is judged to be trusted. This process corresponds to (3) in FIG. 3.
Step S24: the UDM returns to the UPF a UE trusted verification response containing the UE trusted verification result; the response comprises the random number nonce2', the UE_ID and the UE trusted verification result Success/Failure. The UPF receives the UE trusted verification response and judges whether the session is valid by checking whether the random number nonce2' is the same as nonce2; if they are the same, the session is valid. If the session is valid, the UPF reads the UE trusted verification result: if it is Success, the UE's trusted verification has passed and the verification continues; if it is Failure, the user plane function network element UPF disconnects the UE. This process corresponds to (4) in FIG. 3.
In one embodiment, the process of verifying whether the target container is trusted is as follows:
Step S31: having read that the UE's trusted verification result is Success, the UPF generates a random number nonce3 and initiates a container trusted evidence acquisition request to the target container; the request includes the target container ID and the random number nonce3. This process corresponds to (1) in FIG. 4.
Step S32: after the target container receives the container trusted evidence acquisition request, it generates a container trusted evidence response and sends it to the UPF. The container trusted evidence response comprises the random number nonce3' and the trusted evidence of the target container, which consists of the trusted measurement value PCR2 of the MEC host's TPM together with the signature S2 of PCR2 made with AIK2, and the trusted measurement value vPCR1 of the vTPM instance in the target container together with the signature S3 of vPCR1 made with the key vAIK1. This process corresponds to (2) in FIG. 4.
Step S33: after the UPF receives the container trusted evidence response, it judges whether the session is valid by checking whether the random number nonce3' is the same as nonce3. If the session is valid, the UPF generates a random number nonce4 and sends a container trusted evidence verification request (challenge) to the MEC controller; the request includes the random number nonce4, the container ID and the container trusted evidence. This process corresponds to (3) in FIG. 4.
Step S34: the MEC controller receives the container trusted evidence verification request and first verifies the signature S2; the MEC controller can locate the corresponding host through the container ID. After the signature verification passes, the MEC controller compares the PCR2 value with the stored PCR reference value of that host and judges whether the host is trusted. If the host is trusted, the MEC controller sends a container trusted verification request (challenge) to the host; the request includes the container ID and the container trusted evidence. This process corresponds to (4) in FIG. 4.
Step S35: the host receives the container trusted verification request sent by the MEC controller. Since the host issued CvAIK1 for the vTPM instance, the host can verify the signature S3; if S3 passes verification, the host compares vPCR1 with the vPCR reference value stored in its virtual reference library and returns the container's trusted verification result Success/Failure to the MEC controller. This process corresponds to (5) in FIG. 4.
Step S36: the MEC controller returns a container trusted evidence verification response to the UPF, comprising the random number nonce4', the container ID and the container trusted evidence verification result Success/Failure. When both the container trusted verification result and the container trusted evidence verification result are Success, both the UE and the container are determined to be trusted, and the UPF allows the UE to establish communication with the target container. This process corresponds to (6) in FIG. 4.
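The two verification phases above (steps S21 to S24 for the UE and S31 to S36 for the container, summarized earlier as steps S1 to S3) as one added runnable model, not code from the patent: the parties are plain Python functions, the IDs, PCR values and keys are constructed, and HMAC-SHA256 under a key shared by signer and verifier stands in for the AIK/vAIK signatures S1, S2 and S3, since the standard library has no TPM interface. Following the text, each signature covers the PCR value, and each nonce is echoed back and compared by the UPF to decide whether the session is valid.

```python
import hashlib
import hmac
import secrets

# Constructed model of steps S21-S24 and S31-S36; not the patent's own code.
# HMAC-SHA256 under a key shared by signer and verifier stands in for each
# AIK/vAIK signature (S1, S2, S3) so the exchange runs offline.
AIK1 = b"constructed-aik1-ue-tpm"     # issued to the UE's TPM by the UDM
AIK2 = b"constructed-aik2-host-tpm"   # issued to the host TPM by the MEC controller
VAIK1 = b"constructed-vaik1-vtpm"     # certified (CvAIK1) by the host TPM

# Reference value libraries filled during security initialization (constructed).
UDM_REFERENCE = {"tpm-ue-01": ("pcr1-ok", AIK1)}          # TPM ID -> (PCR ref, AIK)
MEC_REFERENCE = {"host-1": ("pcr2-ok", AIK2)}             # host -> (PCR ref, AIK)
HOST_VIRTUAL_REFERENCE = {"ctr-42": ("vpcr1-ok", VAIK1)}  # container -> (vPCR ref, vAIK)
HOST_OF_CONTAINER = {"ctr-42": "host-1"}                  # MEC controller lookup


def sign(key, value):
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def verify(key, value, sig):
    return hmac.compare_digest(sign(key, value), sig)


def ue_remote_attestation_request(ue_id, tpm_id, pcr1, container_id, aik=AIK1):
    """Step S21: UE sends nonce1, its IDs and the evidence {PCR1, TPM ID, S1}."""
    return {"container_id": container_id, "nonce1": secrets.token_hex(8),
            "ue_id": ue_id, "evidence": {"pcr1": pcr1, "tpm_id": tpm_id,
                                         "s1": sign(aik, pcr1)}}


def udm_verify_ue(req):
    """Steps S23-S24: UDM checks S1 (identity), then PCR1 against its reference."""
    ev = req["evidence"]
    ref = UDM_REFERENCE.get(ev["tpm_id"])
    ok = ref is not None and verify(ref[1], ev["pcr1"], ev["s1"]) and ev["pcr1"] == ref[0]
    return {"nonce2": req["nonce2"], "ue_id": req["ue_id"],
            "result": "Success" if ok else "Failure"}


def container_evidence_response(req, pcr2, vpcr1):
    """Step S32: the container echoes nonce3 with host-TPM and vTPM evidence."""
    return {"nonce3": req["nonce3"], "evidence": {
        "pcr2": pcr2, "s2": sign(AIK2, pcr2), "vpcr1": vpcr1, "s3": sign(VAIK1, vpcr1)}}


def host_verify_container(req):
    """Step S35: the host issued CvAIK1, so it checks S3 and the vPCR reference."""
    ev, ref = req["evidence"], HOST_VIRTUAL_REFERENCE.get(req["container_id"])
    ok = ref is not None and verify(ref[1], ev["vpcr1"], ev["s3"]) and ev["vpcr1"] == ref[0]
    return "Success" if ok else "Failure"


def mec_verify_container(req):
    """Steps S34 and S36: verify the host (S2, PCR2) before asking it about the vTPM."""
    ev, cid = req["evidence"], req["container_id"]
    ref = MEC_REFERENCE.get(HOST_OF_CONTAINER.get(cid))
    result = "Failure"
    if ref is not None and verify(ref[1], ev["pcr2"], ev["s2"]) and ev["pcr2"] == ref[0]:
        result = host_verify_container({"container_id": cid, "evidence": ev})
    return {"nonce4": req["nonce4"], "container_id": cid, "result": result}


def upf_handle(req, container_state):
    """UPF as remote attestation agent; returns 'allow' or the reason it stopped."""
    nonce2 = secrets.token_hex(8)                                    # S22
    resp = udm_verify_ue({"nonce2": nonce2, "ue_id": req["ue_id"],
                          "evidence": req["evidence"]})
    if resp["nonce2"] != nonce2:                                     # S24 session check
        return "ue-session-invalid"
    if resp["result"] != "Success":     # Failure: the UPF disconnects the UE
        return "ue-untrusted"
    cid = req["container_id"]
    if cid not in container_state:
        return "no-such-container"
    nonce3 = secrets.token_hex(8)                                    # S31
    cresp = container_evidence_response({"container_id": cid, "nonce3": nonce3},
                                        *container_state[cid])
    if cresp["nonce3"] != nonce3:                                    # S33
        return "container-session-invalid"
    nonce4 = secrets.token_hex(8)
    vresp = mec_verify_container({"nonce4": nonce4, "container_id": cid,
                                  "evidence": cresp["evidence"]})
    if vresp["nonce4"] != nonce4:       # same echo check as for nonce2'/nonce3'
        return "mec-session-invalid"
    if vresp["result"] != "Success":
        return "container-untrusted"
    return "allow"                                                   # S3


def run_flow(pcr1="pcr1-ok", pcr2="pcr2-ok", vpcr1="vpcr1-ok", ue_aik=AIK1):
    """One access attempt by UE ue-1001 (TPM tpm-ue-01) to container ctr-42."""
    req = ue_remote_attestation_request("ue-1001", "tpm-ue-01", pcr1, "ctr-42", ue_aik)
    return upf_handle(req, {"ctr-42": (pcr2, vpcr1)})
```

Changing any one measured value or signing key in `run_flow` shows which party stops the flow and at which step.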
The user trusted access method for the 5G edge computing node provided by the embodiment of the invention verifies the trusted terminal UE equipped with a TPM through the UDM, reduces the resource burden on the remote attestation agent, and finally achieves bidirectional remote attestation of the UE and the container. On the basis of the 5G network's primary authentication, the method applies remote attestation to achieve bidirectional trusted verification of the running environments of the UE and the container. This ensures not only that the identity of the container accessed by the UE is trusted but also that the running environments of both parties to the access are trusted; and by controlling the establishment of communication through the user plane function network element UPF, it achieves trusted access of the user terminal and effective control of the communication channel when a large number of terminals access the MEC edge computing node in 5G industrial internet applications.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. This need not be, nor should it be exhaustive of all embodiments. And obvious variations or modifications derived therefrom are intended to be within the scope of the invention.

Claims (13)

1. A user trusted access system facing a 5G edge computing node is characterized by comprising: user terminal UE, target container, user plane function network element UPF, unified data management function network element UDM, host machine and MEC controller, wherein:
the UE is the resource requesting party of the target container and performs trusted verification of the target container by requesting trusted evidence from the target container, wherein the trusted evidence of the target container is provided by the trusted platform module (TPM) of the host on which the target container is located and by the virtual trusted platform module (vTPM) in the target container;
the UPF is the communication agent for remote attestation, and after receiving the remote attestation request sent by the UE it verifies, together with the UDM, whether the UE is trusted, wherein the UDM is the trusted verification node of the UE and is used to issue the attestation key certificate to the UE and to verify its trusted evidence; after the UE passes the trusted verification, the UPF verifies, together with the MEC controller, whether the target container is trusted, wherein the MEC controller is the trusted verification node of the target container and is used to issue AIK certificates to the target container and to the TPM of the host and to verify their trusted evidence;
the UPF allows the UE to establish communication with the target container after both the UE and the target container pass the trusted verification.
2. The 5G edge computing node-oriented user trusted access system of claim 1, wherein before the UE initiates a remote attestation request to a UPF, the UE, the target container, the MEC controller, and the UDM perform security initialization, comprising:
a TPM module is built into the UE, the UDM issues the AIK AIK1 of the TPM to the UE when the UE registers, and the measured PCR value is sent to the reference value library of the UDM at initialization start-up, so as to provide the measurement reference value used to verify whether the UE is trusted;
the TPM of the host obtains its identity attestation key AIK2 from the MEC controller, and when the host is started for initialization its measured PCR value is sent to the reference value library of the MEC controller; when the container is initialized, the TPM of the host issues the certificate CvAIK1 of a virtual identity attestation key, vAIK1, for the vTPM instance on the target container; when the target container is started, the vTPM performs the measurement and the measured vPCR value is sent to the virtual reference value library in the host, so as to provide the measurement reference value used to verify whether the target container is trusted.
3. A user trusted access method facing a 5G edge computing node is based on the user trusted access system facing the 5G edge computing node in any one of claims 1 or 2, and is characterized by comprising the following steps:
the UE initiates a remote attestation request to the UPF, and after receiving the remote attestation request the UPF verifies, together with the UDM, whether the UE is trusted;
if the UE passes the trusted verification, the UPF and the MEC controller verify whether the target container is trusted;
when both the UE and the target container pass the trusted authentication, the UPF allows the UE to establish communication with the target container.
4. The 5G edge computing node-oriented user trusted access method according to claim 3, wherein before the step of the UE initiating the remote attestation request to the UPF, the method further comprises performing security initialization of the UE, the target container, the MEC controller and the UDM, the process comprising:
when the UE is initialized and started, the measured PCR value is sent to the reference value library of the UDM;
when the host is initialized and started, the measured PCR value is sent to the reference value library of the MEC controller;
when the container is initialized, the TPM of the host issues the certificate CvAIK1 of a virtual identity attestation key, vAIK1, for the vTPM instance on the target container; when the target container is started, the vTPM performs the measurement and the measured vPCR value is sent to the virtual reference value library in the host.
5. The 5G edge computing node-oriented user trusted access method according to claim 3, wherein the process of the UPF verifying, together with the UDM, whether the UE is trusted after receiving the remote attestation request includes:
after receiving the remote attestation request, the UPF initiates a UE trusted evidence verification request to the UDM;
the UDM verifies the trusted evidence of the UE and returns a UE trusted verification result response to the UPF.
6. The 5G edge computing node-oriented user trusted access method according to claim 5, wherein the process of the UPF verifying, together with the MEC controller, whether the target container is trusted comprises:
the UPF initiates a container trusted evidence acquisition request to the target container;
after receiving the container trusted evidence acquisition request, the target container generates a container trusted evidence response and sends it to the UPF;
after receiving the container trusted evidence response, the UPF sends a container trusted evidence verification request to the MEC controller;
the MEC controller receives the container trusted evidence verification request, verifies the container trusted evidence and, together with the host, the trustworthiness of the container, and returns the container verification response result to the UPF.
7. The 5G edge computing node-oriented user trusted access method according to claim 6, wherein the process of initiating the remote attestation request to the UPF by the UE comprises:
after generating a random number nonce1, the UE initiates a remote attestation request to the UPF, where the remote attestation request includes: the target container ID, the random number nonce1, the UE_ID and the trusted evidence of the UE, where the trusted evidence of the UE includes: the trusted measurement value PCR1 in the TPM of the UE, the ID of the TPM, and the signature S1 of PCR1 made with the key AIK1.
8. The 5G edge computing node-oriented user trusted access method according to claim 7, wherein the process of initiating a UE trusted evidence verification request to the UDM after the UPF receives the remote attestation request includes:
after receiving the remote attestation request, the UPF generates a random number nonce2 and initiates a UE trusted evidence verification request (challenge) to the UDM, wherein the UE trusted evidence verification request comprises: the random number nonce2, the UE_ID and the trusted evidence of the UE.
9. The 5G edge computing node-oriented user trusted access method according to claim 8, wherein the process of verifying the trusted evidence of the UE by the UDM and returning a response of the trusted verification result of the UE to the UPF includes:
the UDM records nonce2 from the UE trusted evidence verification request and verifies the trusted evidence of the UE;
the UDM first verifies the signature S1 and confirms whether the identity information of the UE is valid;
after the UDM's signature verification succeeds, it compares the PCR1 value with the stored PCR reference value of the UE's TPM, and if the values are consistent the UE is judged to be trusted;
after the UE is judged to be trusted, the UDM returns to the UPF a UE trusted verification response containing the UE trusted verification result;
the UE trusted verification response includes: the random number nonce2', the UE_ID and the UE trusted verification result Success/Failure;
the UPF receives the UE trusted verification response and judges whether the session is valid by checking whether the random number nonce2' is the same as nonce2; if they are the same, the session is valid;
if the session is valid and the UPF reads that the UE trusted verification result is Success, the UE's trusted verification has passed and the verification continues;
if the trusted verification result is Failure, the UPF disconnects the connection with the UE;
and if the trusted verification result is Success, the UPF generates a random number nonce3 and initiates a container trusted evidence acquisition request to the target container, wherein the container trusted evidence acquisition request comprises the ID of the target container and the random number nonce3.
10. The 5G edge computing node-oriented user trusted access method according to claim 9, wherein the process of generating a container trusted evidence response and sending the container trusted evidence response to the UPF after the target container receives the container trusted evidence acquisition request includes:
the container trusted evidence response comprises the random number nonce3' and the trusted evidence of the target container, wherein the trusted evidence comprises the trusted measurement value PCR2 of the MEC host's TPM and the signature S2 of PCR2 made with AIK2, and the trusted measurement value vPCR1 of the vTPM instance in the target container and the signature S3 of vPCR1 made with the key vAIK1.
11. The 5G edge computing node-oriented user trusted access method according to claim 10, wherein the process of sending a container trusted evidence verification request to the MEC controller after the UPF receives the container trusted evidence response includes:
after receiving the container trusted evidence response, the UPF judges whether the session is valid by checking whether the random number nonce3' is the same as nonce3;
if the session is valid, the UPF generates a random number nonce4 and sends a container trusted evidence verification request (challenge) to the MEC controller, wherein the container trusted evidence verification request comprises the random number nonce4, the container ID and the container trusted evidence.
12. The 5G edge computing node-oriented user trusted access method according to claim 11, wherein the process of the MEC controller receiving the container trusted evidence verification request and verifying the container trusted evidence and the trustworthiness of the container together with the host includes:
the MEC controller receives the container trusted evidence verification request and verifies the signature S2;
the MEC controller locates the corresponding host through the container ID, and after the signature verification passes, compares the PCR2 value with the stored PCR reference value of that host to judge whether the host is trusted;
if the host is trusted, the MEC controller sends a container trusted verification request (challenge) to the host;
the container trusted verification request comprises the container ID and the container trusted evidence;
the host receives the container trusted verification request sent by the MEC controller;
and the host verifies the signature S3; if S3 passes verification, the host compares vPCR1 with the vPCR reference value stored in its virtual reference library, and returns the container's trusted verification result Success/Failure to the MEC controller.
13. The 5G edge computing node-oriented user trusted access method according to claim 12, wherein the MEC controller returns a container trusted evidence verification response to the UPF, the response comprising the random number nonce4', the container ID and the container trusted evidence verification result; and if both the container trusted evidence verification result and the container trusted verification result are Success, the UPF determines that the UE and the container are both trusted and allows the UE to establish communication with the target container.
Application Number Priority Date Filing Date Title Status
CN202210948364.7A 2022-08-08 2022-08-08 User trusted access system and method for 5G edge computing node Pending

Publications (1)

Publication Number Publication Date
CN115334506A 2022-11-11

Family ID: 83921624

Country Status (1)

Country Link
CN (1) CN115334506A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117119456A (en) * 2023-10-24 2023-11-24 国网智能电网研究院有限公司 5G MEC multi-container remote certification method, system, device and medium
CN117119456B (en) * 2023-10-24 2024-01-23 国网智能电网研究院有限公司 5G MEC multi-container remote certification method, system, device and medium
WO2024108583A1 (en) * 2022-11-25 2024-05-30 华为技术有限公司 Trust measurement method, device, and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination