WO2019015563A1 - 一种虚拟网络功能vnf的初始化凭据生成方法及设备 - Google Patents
一种虚拟网络功能vnf的初始化凭据生成方法及设备 Download PDFInfo
- Publication number
- WO2019015563A1 WO2019015563A1 PCT/CN2018/095913 CN2018095913W WO2019015563A1 WO 2019015563 A1 WO2019015563 A1 WO 2019015563A1 CN 2018095913 W CN2018095913 W CN 2018095913W WO 2019015563 A1 WO2019015563 A1 WO 2019015563A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- public key
- report
- vnfi
- received
- management device
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
Definitions
- the present application relates to the field of communications technologies, and in particular, to a method and a device for generating an initialization credential of a virtual network function VNF.
- ETSI European Telecommunications Standards Institude
- NFV telecommunications network function virtualization
- VNF virtualized network function
- VNFI VNF instance
- VNFM Network Functions Virtualization Infrastructure
- VNFM Virtualized Network Funcion Manager
- the public key of the VNF since the public key of the VNF is generated by the NFVI, it is then forwarded to the VNFI. In the process of forwarding the public key from NFVI to VNFI, the public key may be attacked by the outside world, thereby increasing the probability that the public key is exposed, and there is bound to be a certain security risk.
- the embodiment of the present application provides a method and a device for generating an initialization credential of a virtualized network function VNF, which are used to reduce the probability that a public key is exposed.
- an embodiment of the present application provides a method for generating an initialization credential of a virtualized network function VNF.
- the method includes: during the VNF instantiation, the virtual network function instance VNFI generates a first public key and a report of the VNF; wherein the report and the first public key satisfy a set function relationship; the VNFI
- the first public key and the report are sent to the management device of the VNFI, so that the management device verifies the received first public key by using the received report.
- the process of transmitting the public key to the VNFI when the public key is generated by the NFVI is omitted, thereby reducing the probability that the public key is attacked by the outside world, thereby reducing the probability of the public key being attacked by the outside world. The probability that the public key will be exposed.
- the virtual network function instance VNFI generates a first public key and a report of the virtual network function VNF, including: the VNFI generates the first through an application in a memory protection area. a public key and the report; wherein the memory protection area is created by the NFV infrastructure NFVI in the VNFI, and the security level of the data in the memory protection area is higher than the VNFI except the memory protection area The security level of data in other areas outside.
- the memory protection area can resist malicious privileged software and physical attacks against memory. Therefore, the first public key can be protected and the report is protected from malware by the memory protection area. Even the operating system or the hypervisor cannot affect the first public key in the memory protection area. Therefore, the probability that the first public key is exposed can be further reduced.
- the method further includes: the VNFI generating a signature of the report by an application in the memory protection area; wherein the signature is according to the report, and for the memory protection
- the central processor of the area is generated by a pre-configured private key; the VNFI sends the signature and the identifier of the central processor to the verification server, so that the verification server utilizes the second public key, the received signature, Receiving the identifier of the central processing unit and the central processor identifier pre-stored by the verification server, verifying whether the report sent by the management device is complete and whether the report is generated by the application in the memory protection area;
- the second public key is a public key corresponding to the private key pre-stored by the verification server.
- the signature of the report is also generated by the application in the memory protection area, so that the verification server uses the received signature to verify whether the received report is complete, that is, whether the report content has been tampered with, and the received content is verified. Whether the report is generated by an application in the memory protected area, that is, whether the received report is signed by a legitimate CPU.
- the report includes: a hash value of a code for generating the first public key; and/or a hash value of the first public key.
- the report may include different content that meets the set function relationship with the first public key.
- the report may also carry the identifier of the central processing unit.
- the embodiment of the present application provides a method for verifying an initialization credential of a virtual network function VNF, where the method includes: the management device receives a first public key and a report of a VNF generated and sent by the virtual network function instance VNFI; The set function relationship is satisfied between the report and the first public key; the management device verifies the received first public key according to the received report.
- the first public key and the report are generated by an application in a memory protection area created by the NFV infrastructure NFVI; wherein the data protection level in the memory protection area is higher than The security level of data in other areas except the memory protection area on the VNFI.
- the method further includes: the management device receiving the report signature sent by the VNFI and an identifier of a central processor of the memory protection area; wherein the signature is The VNFI is generated according to the report and a private key pre-configured for the central processor; the management device sends the signature, the identifier of the central processor, and the received report to an authentication server, And causing the verification server to verify whether the report sent by the management device is complete by using the second public key, the received signature, the identifier of the received central processor, and the central processor identifier pre-stored by the verification server.
- the management device receives the Determining the verification result sent by the verification server, and confirming that the verification result is that the verification server verifies that the report sent by the management device is finished. And generated for application in the protected region of memory.
- a hash value of a code for generating the first public key and/or a hash value of the first public key.
- the management device verifies the received first public key according to the received report, including: the management device uses the setting function for the received first public key.
- the relational operation obtains an operation result, and verifies whether the received first public key is legal according to the consistency of the operation result and the received hash value of the first public key; and/or the management device receives according to the The consistency of the hash value of the code for generating the first public key and the hash value of the code stored in the management device in advance, and verifying whether the code for generating the first public key is legal.
- the management device verifies the legality of the first public key by using the received hash value of the first public key and the hash value of the received code for generating the first public key. Can improve the security of verification.
- an embodiment of the present application provides a method for verifying an initialization credential of a virtual network function VNF.
- the method includes the verification server receiving a report generated and transmitted by the virtual network function instance VNFI, a signature of the report, and an identification of a central processing unit of the memory protection area, the memory protection area being an NFV infrastructure NFVI at the VNFI
- the security level of the data in the memory protection area is higher than the security level of the data in the area other than the memory protection area on the VNFI
- the verification server is based on the received signature, the second a public key, an identifier of the received central processing unit, and a central processor identifier pre-stored by the verification server, verifying whether the received report is complete and whether the report is generated by an application in the memory protection area;
- the verification server sends the verification result to the management device of the VNFI, so that the management device confirms that the verification result is that the verification server verifies that the received report is complete and is an application in the memory protection area
- the verification server is capable of verifying whether the received report is complete, that is, verifying whether the received report has been tampered with, and verifying whether the received report is generated by an application in the memory protection area, that is, verifying the receiving. Whether the report to the report is signed by the legal CPU, the verification server then sends the verification result to the management device, and the management device verifies the received first public key according to the received report.
- the public key of the VNF is generated by the VNFI itself, which omits the process of sending the public key to the VNFI when the public key is generated by the NFVI, thereby reducing the probability of the public key being attacked by the outside world, thereby reducing the probability of the public key being exposed.
- the first public key can be protected and the report is protected from malware by the memory protection area. Even the operating system or the hypervisor cannot affect the first public key in the memory protection area. Therefore, the probability that the first public key is exposed can be further reduced.
- the embodiment of the present application provides a virtual network function instance VNFI device, and the specific structure of the VNFI device may include a generating module and a sending module.
- the generating module and the transmitting module may perform the respective functions of the methods provided by the above first aspect or any of the possible designs of the first aspect.
- the embodiment of the present application provides a management device of a virtual network function instance VNFI, and the specific structure of the management device may include a receiving module and a verification module.
- the receiving module and the verification module may perform the respective functions of the methods provided by any of the possible designs of the second aspect or the second aspect described above.
- an embodiment of the present application provides an authentication server, where the specific structure of the verification server may include a receiving module, a verification module, and a sending module.
- the receiving module, the verifying module, and the transmitting module can perform the corresponding functions in the methods provided by the third aspect above.
- the embodiment of the present application provides a network function virtualization instance VNFI device, where the VNFI device includes: a processor and a communication interface.
- the VNFI device may further include a memory, where the computer program is stored; wherein the processor is coupled to the memory and the communication interface, the memory may be disposed in the processor, and the memory and the processor may be implemented by the chip.
- the computer program stored by the memory includes instructions which, when executed by the processor, cause the VNFI device to perform the method provided in any of the possible aspects of the first aspect or the first aspect described above.
- the embodiment of the present application provides a management device for a network function virtualization instance VNFI, where the management device includes: a processor and a communication interface.
- the management device may further include a memory, where the computer program is stored; wherein the processor is coupled to the memory and the communication interface, the memory may be disposed in the processor, and the memory and the processor may be implemented by a chip.
- the computer program stored in the memory includes instructions which, when executed by the processor, cause the management device to perform the method provided in any one of the possible aspects of the second aspect or the second aspect described above.
- an embodiment of the present application provides an authentication server, where the verification server includes a processor and a communication interface.
- the verification server may further include a memory, where the computer program is stored; wherein the processor is coupled to the memory and the communication interface, the memory may be disposed in the processor, and the memory and the processor may be implemented by a chip.
- the computer program stored by the memory includes instructions that, when executed by the processor, cause the verification server to perform the method provided by the third aspect above.
- the embodiment of the present application further provides a computer readable storage medium, where any one of the foregoing first aspect, the first aspect, or any one of the foregoing second aspect and the second aspect is stored. And computer software instructions for use in the functions of the third aspect, and any one of the first aspect, the first aspect, the second aspect, the second aspect, and the third The program designed by the aspect method.
- the first public key and the report are generated by the virtual network function instance VNFI, and then the VNFI sends the first public key and the report to the management device, so that the management device uses the received report to receive the first
- the public key is verified. Since the public key of the VNF is generated by the VNFI itself, the process of transmitting the public key to the VNFI when the public key is generated by the NFVI is omitted, thereby reducing the probability of the public key being attacked by the outside world, thereby reducing the probability of the public key being exposed. .
- FIG. 1 is a network architecture diagram of network function virtualization according to an embodiment of the present application
- FIG. 2 is a schematic diagram of a method for generating initialization credentials of a VNFI in the prior art
- FIG. 3 is a schematic diagram of a VNF initialization credential generating method according to an embodiment of the present disclosure
- FIG. 4 is a schematic diagram of another method for generating initialization credentials of a VNF according to an embodiment of the present disclosure
- FIG. 5 is a schematic structural diagram of a computer device according to an embodiment of the present application.
- NFV Network Function Virtualization
- COTS Common Commercial shelf product
- each network element used in the telecommunication network can be transformed into a stand-alone application, which can be flexibly deployed on a unified infrastructure platform built by standards-based servers, storage, and switches, and through virtualization technology to the infrastructure.
- Hardware device resource pooling and virtualization providing virtual resources to upper-layer applications, enabling application and hardware decoupling, enabling each application to rapidly increase virtual resources to achieve rapid expansion of system capacity, or to rapidly reduce virtual resources to achieve shrinkage
- the purpose of system capacity is to increase the flexibility of the network.
- the common COTS server is used to form a shared resource pool. The newly developed services do not need to be separately deployed with hardware devices, which greatly shortens the time for new services to go online.
- the foundation of NFV technology includes cloud computing technology and virtualization technology.
- Hardware devices such as general-purpose COTS computing/storage/network can be decomposed into multiple virtual resources through virtualization technology for use by various applications in the upper layers.
- virtualization technology Through the virtualization technology, the decoupling between the application and the hardware is realized, so that the virtual resource supply speed is greatly increased.
- the cloud computing technology the elastic scalability of the application can be realized, and the virtual resource is matched with the service load, which not only improves the virtual resource. Utilize efficiency and improve system response rate.
- FIG. 1 is a schematic structural diagram of an NFV system 100 that can be applied to the technical solutions provided by the embodiments of the present application.
- the NFV system 100 can be used in various networks, for example, in a data center network and an operator. Network or LAN to achieve.
- the NFV system 100 includes an NFV Management and Orchestration (NFV MANO) 101, NFVI 130, multiple VNFs 108, multiple Element Management (EM) 122, network services, VNF, and infrastructure descriptions. (Network Service, VNF and Infrastructure Description) 126, and the Operations Support System/Business Support System (OSS/BSS) 124.
- NFV MANO NFV Management and Orchestration
- NFVI 130 multiple VNFs 108
- Element Management (EM) 122 multiple Element Management
- network services VNF
- infrastructure descriptions Network Service, VNF and Infrastructure Description
- OSS/BSS Operations Support System/Business Support System
- the NFV MANO 101 includes a Network Function Virtualization Orchestrator (NFVO) 102, one or more VNFMs 104, and a Virtualized Infrastructure Manager (VIM) 106.
- the NFVI 130 includes computing hardware 112, storage hardware 114, network hardware 116, virtualization layer, virtual computing 110, virtual storage 118, and virtual network 120. The following is introduced separately.
- NFV MANO 101 is used to perform monitoring and management of VNF 108 and NFVI 130.
- NFVO 102 may implement network services on NFVI 130, such as L2 and L3VPN services, may also perform resource related requests from one or more VNFMs 104, send configuration information to VNFM 104, and collect status information of VNF 108. .
- NFVO 102 can also communicate with VIM 106 to enable resource allocation, and/or resource reservation, and to exchange virtualized hardware resource configuration and status information.
- the VNFM 104 can manage one or more VNFs 108.
- the VNFM 104 can perform various management functions such as instantiating, updating, querying, scaling, terminating the VNF 108.
- the VNFM 104 can communicate with the VNF 108 to complete VNF lifecycle management and exchange configuration and status information.
- the VNFM can be one or more, and is responsible for lifecycle management of different types of VNFs.
- VIM 106 which can perform resource management functions, such as managing allocation of infrastructure resources (eg, adding resources to virtual containers) and operational functions (eg, collecting NFVI failure information).
- VNFM 104 and VIM 106 can communicate with each other for resource allocation and exchange of configuration and status information for virtualized hardware resources.
- NFVI 130 including hardware resources, software resources, or a combination of both to establish a virtualized environment, deploy, manage, and implement VNF 108.
- hardware resources and virtualization layers are used to provide virtualized resources to VNF 108, such as VMs and other forms of virtual containers.
- Hardware resources include computing hardware 112, storage hardware 114, and network hardware 116.
- Computing hardware 112 may be off-the-shelf hardware and/or user-customized hardware for providing processing and computing resources.
- Storage hardware 114 may be storage capacity provided within the network or storage capacity resident in storage hardware 114 itself (local storage located within the server). As an embodiment, the resources of computing hardware 112 and storage hardware 114 may be grouped together.
- Network hardware 116 may be a switch, a router, and/or any other network device configured to have switching functionality.
- Network hardware 116 can span multiple domains and can include multiple networks interconnected by one or more transport networks.
- the virtualization layer in NFVI 130 can abstract hardware resources from the physical layer and decouple VNF 108 to provide virtualized resources to VNF 108.
- the virtualized resources include virtual computing 110, virtual storage 118, and virtual network 120.
- Virtual computing 110 and virtual storage 118 may be provided to VNF 108 in the form of hypervisors, VMs, and/or other virtual containers.
- one or more VNFs 108 are deployed on one VM.
- the virtualization layer abstract network hardware 116 forms a virtual network 120.
- the virtual network 120 includes a virtual switch that is used to provide connectivity between VMs and/or other virtual containers that house the VNFs 108.
- the transport network in network hardware 116 can be virtualized using a centralized control plane and a separate forwarding plane (eg, a software defined network).
- VNF 108 configured to virtualize at least one network function.
- the VNF 108 can be a virtualization provider edge (PE) node for providing all PE network functions on a non-virtualized device, such as routers, switches, bridges, servers, cloud computing systems, and the like.
- PE virtualization provider edge
- Each VNF 108 runs in a virtual container, corresponding to a set of network functions belonging to one or more physical devices.
- OSS/BSS Operation Support System and Business Support System
- the management functions supported by OSS include: network configuration, service provision, and fault management.
- VNFM 104 can interact with VNF 108 and EM 122 to manage the lifecycle of the VNF and exchange configuration and status information.
- the VNF 108 can be configured to virtualize at least one network function performed by one physical network device.
- the VNF 108 can be configured to provide functionality provided by different network elements in an IP Multimedia Subsystem (IMS) network, such as a Proxy call session control function (P -CSCF), Intertrogating call session control function (I-CSCF), Serving call session control function (S-CSCF), Home subscriber server (HSS) , as well as the network functions of the Application Server (AS).
- IMS IP Multimedia Subsystem
- P -CSCF Proxy call session control function
- I-CSCF Intertrogating call session control function
- S-CSCF Serving call session control function
- HSS Home subscriber server
- AS Application Server
- the EM 122 is configured to manage one or more VNFs 108.
- VNFM As an example to describe how VNFM authenticates VNFI. See Figure 2, which can include the following steps:
- NFVO sends an instantiation VNF request to VNFM
- the NFVO receives the VNF instantiation request, it sends an instantiated VNF request to the VNFM.
- the instantiation request received by the NFVO may be a manual trigger or an automatic trigger, such as an OSS trigger or a BSS trigger.
- the VNFM sends a resource allocation request to the NFVO;
- the resource allocation request is sent to the NFVO, where the resource allocation request sent by the VNFM to the NFVO includes resource requirements, such as required computing resources, storage resources, or network resources. .
- NFVO sends a request message to the VIM requesting to allocate computing resources, storage resources, and network resources;
- the VIM sends a call message to the NFVI to call the computing resource, the storage resource, and the network resource;
- the NFVI receives the invocation message, create a VNFI, a virtual machine, and a public key that generates the VNF;
- a private key corresponding to the public key of the VNF is also generated and sent to the VNFI.
- the NFVI sends the public key to the VNFI, and simultaneously sends the computing resource, the storage resource, and the network resource allocation success response, and the public key to the VIM;
- the VIM successfully responds to the computing resource, the storage resource, and the network resource allocation, and sends the public key to the NFVO;
- NFVO sends the computing resource, storage resource and network resource allocation success response, and the public key to the VNFM;
- the VNFI sends the received public key to the VNFM.
- the VNFI may send the public key to the VNFM after receiving the public key sent by the NFVI, or may send the received public key to the VNFM after a predetermined period of time, which is not limited herein.
- VNFI needs to establish an initial connection with the VNFM in either of the above two ways. Two implementations of establishing an initial connection between VNFI and VNFM are given below.
- the NFVI reports the port number and IP address of the VNFM to the VM, so that the VNFI actively establishes an initial connection with the VNFM by using the port number and IP address of the VNFM.
- the NFVI reports the port number and IP address of the VM to the VNFM, so that the VNFM actively establishes an initial connection with the VNFI by using the port number and IP address of the VM.
- the VNFM compares the received public key sent by the VNFI with the received public key sent by the NFVO. If the same, the VNFM sends a VNF instantiation success message to the VNFO, and establishes a management channel with the VNFI.
- the public key of the VNF is generated by the NFVI and then transmitted to the VNFI.
- the public key may be attacked by the outside world, which may increase the probability of the public key being exposed, and there is bound to be a certain security risk.
- the embodiment of the present application provides a method for generating an initial credential of a virtual network function VNF.
- the first public key of the VNF and the report are generated by the VNFI, and then the first The public key and the report are sent to the management device to cause the management device to verify the received first public key using the received report. Since the public key of the VNF is generated by the VNFI itself, the process of transmitting the public key to the VNFI when the public key is generated by the NFVI is omitted, thereby reducing the probability of the public key being attacked by the outside world, thereby reducing the probability of the public key being exposed. .
- an embodiment of the present invention provides a method for generating an initialization credential of a virtual network function VNF.
- the process description of the method is as follows:
- NFVO sends an instantiation VNF request to the VNFM.
- the NFVO receives the VNF instantiation request, it sends an instantiated VNF request to the VNFM.
- the instantiation request received by the NFVO may be a manual trigger or an automatic trigger, such as an OSS trigger or a BSS trigger.
- the VNFM sends a resource allocation request to the NFVO.
- the resource allocation request is sent to the NFVO, where the resource allocation request sent by the VNFM to the NFVO includes resource requirements, such as required computing resources, storage resources, or network resources. .
- the NFVO sends a request message to the VIM requesting to allocate a computing resource, a storage resource, and a network resource.
- the VIM sends a call message to the NFVI that invokes the computing resource, the storage resource, and the network resource.
- S306 The first public key and report of the VNF generated by the VNFI
- a set function relationship such as a hash function relationship, is satisfied between the report and the first public key.
- the report generated by the VNFI includes at least one of a hash value of the first public key and a hash value of the code for generating the first public key
- the hash of the first public key and the first public key A hash function relationship is satisfied between the values
- a hash function relationship is satisfied between the code for generating the first public key and the hash value of the code for generating the first public key.
- the hash function may be a message digest algorithm (MD2), a message digest algorithm (MD4), a message digest algorithm (MD5), or a message digest algorithm (MD5), or It is a Security Hash Algorithm (SHA).
- MD2 message digest algorithm
- MD4 message digest algorithm
- MD5 message digest algorithm
- MD5 message digest algorithm
- SHA Security Hash Algorithm
- a hash function that will obtain a hash value of the first public key and a hash value of the code used to generate the first public key will be referred to as a hash function 1.
- a hash value is a unique and compact numerical representation of a piece of data.
- the first hash value is obtained. If you make changes to any part of the plaintext, such as changing a letter in the plaintext of the paragraph, and then hashing the plaintext using the hash function, it will produce different values. Therefore, the integrity of the plaintext of the paragraph can be verified based on the hash value of the data.
- the integrity of the first public key can be verified according to the hash value of the first public key, and the hash value of the code used to generate the first public key can be verified for generating the first public The integrity of the key's code.
- the VNFI can also generate a first private key corresponding to the first public key, and the first private key can be used when the VNFI establishes a management channel with the management device and transmits data.
- the first private key is generated by the VNFI, and the first private key can be avoided from being exposed to the NFVI, and therefore, the probability that the first private key is exposed can be reduced.
- the VNFI When the first public key and report are generated by VNFI, if the VNFI is attacked by the outside world, the probability that the first public key is exposed will increase.
- the VNFI generates the first public key and the report through the application in the memory protection area, wherein the memory protection area is created by the NFVI in the VNFI, and the data in the memory protection area has a high security level.
- the technology for supporting the NFVI to create a memory protection area may be an Intel Software Guard Extensions (Intel SGX) technology.
- the computing hardware in the hardware components included in the NFVI such as a central processing unit, can support Intel SGX technology.
- NFVI applies to SGX to create a memory protection zone enclave. After receiving the create command, SGX executes the create command, allocates the memory protection area, and loads the application for generating the first public key and report into the memory protection area. In this way, VNFI can generate the first public key and report through the application in the memory protection area.
- SGX is an extension of the CPU architecture to provide hardware protection for the secure execution of applications.
- This extension allows user-mode applications to create a memory-protected area within the application's virtual address storage space that protects against malicious privileged software, such as against compromised host operating systems or malicious virtual machine monitors. Attacks can also resist physical attacks on memory, such as memory probes. Therefore, the first public key can be protected and the report is protected from malware by the memory protection area. That is, the first public key and the report are located in the memory protection area, and even the operating system or the hypervisor cannot affect the memory protection area. The code and data, therefore, can further reduce the chance that the first public key will be exposed.
- the VNFI generates a first private key corresponding to the first public key through the memory protection area. Therefore, the first private key is located in the memory protection area, which can also reduce attacks by the outside world, thereby reducing the exposure of the first private key. probability.
- the central processor capable of supporting the NFVI to create a memory protection area is limited, for example, a central processing unit provided by Intel, or a central processing unit provided by other vendors capable of supporting the NFVI to create a memory protection area, This is not a limitation. Therefore, in order to further verify whether the generated report is signed by a legitimate CPU, that is, whether the verification report is generated by an application in the memory protection area, in the embodiment of the present application, the VNFI generates the report through the memory protection area. The signature of the report is also generated by the application in the memory protection area.
- the process of generating the report signature is that the application in the memory protection area uses the hash function and the report to generate the summary information of the report, and then encrypts the generated summary information by using the private key to obtain the signature of the report.
- the hash function used to generate the report may be a hash function 1
- the private key used to encrypt the generated summary information may be pre-configured for the central processing unit of the memory protection area, and is in the center.
- the processor is programmed into the central processing unit when it leaves the factory.
- the central processor capable of supporting the NFVI to create a memory protection area is exemplified by a central processing unit provided by Intel, and different central processing units correspond to different identifiers.
- the identifier of the central processing unit may be a number, may be a character, or a combination of numbers and characters, and the identifier of the central processing unit may be separately sent to the verification server, or may be carried in the report and sent to the verification server, and is not used herein. limit.
- an example is to separately send the identity of the central processing unit to the verification server.
- the VNFI sends the first public key, the report, the signature, and the identifier of the central processing unit to the NFVI;
- the NFVI sends the first public key, the report, the signature, the identifier of the central processing unit, and the VNF ID to the VIM;
- the VNF ID in this step is an identifier of the VNF, which is used to indicate which VNF is currently instantiated.
- the NFVI sends the first public key, the report, the signature, the identifier of the central processor, and the VNF ID to the VIM, and also sends the computing resource, the storage resource, and the network resource allocation success response to the VIM.
- the VIM sends the first public key, the report, the signature, the identifier of the central processing unit, and the VNF ID to the NFVO;
- the VIM sends the first public key, the report, the signature, the identifier of the central processor, and the VNF ID to the NFVO, and also sends the computing resource, the storage resource, and the network resource allocation success response to the NFVO.
- NFVO sends the first public key, the report, the signature, the identifier of the central processing unit, and the VNF ID to the management device for managing the VNFI;
- the NFVO sends the first public key, the report, the signature, the identifier of the central processing unit, and the VNF ID to the management device, and also sends the computing resource, the storage resource, and the network resource allocation success response to the management device.
- the management device may be a VNFM, or may be Element Management (EM) and VNFM. That is to say, in the embodiment of the present application, the first public key may be verified by the VNFM, and the first public key may be verified by the EM, which are respectively introduced below.
- VNFM VNFM
- EM Element Management
- the management device is a VNFM, and continues to refer to FIG.
- the VNFM sends the received report, the signature, and the identifier of the central processing unit to the verification server.
- the verification server verifies whether the received report is complete and is a report generated by the application of the memory protection area. The process is different, as described below.
- the verification server is provided by the central processor manufacturer, and the verification server can record which central processing unit can support the creation of the memory protection area and the public key that the central processing unit burns at the factory.
- different central processors capable of supporting the creation of a memory protected area correspond to the same second public key.
- the verification server receives the report transmitted by the VNFM, the signature of the received report is decrypted by the second public key, and the summary information of the received report is obtained and recorded as the summary information 1.
- the summary information is calculated from the received report, and is recorded as the summary information 2, and compared with whether the summary information 1 and the summary information 2 are the same. If they are the same, it indicates that the report received by the verification server is complete.
- the report received by the verification server is generated by the application in the memory protection area.
- the verification server is provided by the central processor manufacturer, and the verification server can record which central processing unit can support the creation of the memory protection area and the public key that the central processing unit burns at the factory.
- different central processors capable of supporting the creation of the memory protection area correspond to different second public keys.
- the correspondence between the public key and the central processor identifier is recorded on the verification server. Therefore, when the verification server receives the identifier of the central processor sent by the VNFI, the public key corresponding to the identifier can be found from the correspondence between the public key and the central processor identifier.
- the verification server After determining the public key corresponding to the identifier of the central processing unit, that is, the second public key, the verification server decrypts the signature of the received report by using the second public key, and obtains a report corresponding to the signature of the received report. Summary information, recorded as summary information 3. Then use the hash function 1 to calculate the summary information from the received report, that is, the summary information 4, and compare whether the summary information 3 and the summary information 4 are the same. If they are the same, it indicates that the received report is in the memory protection area. The application is generated.
- the verification server verifies that the received report has application generation in the memory protection area, that is, first verifies whether the report received by the verification server is signed and sent by the legitimate central processor to achieve the primary of the received report. verification.
- the verification server sends the verification result to the VNFM.
- the VNFM verifies the received first public key by using the received report when the verification result is that the verification server verifies that the report sent by the VNFM is generated by the application in the memory protection area;
- the VNFM confirms that the verification result is that the verification server verifies that the VNFM report is generated by the application in the memory protection area, that is, the report is signed and sent by the legitimate central processor, the received report is used to receive the first A public key is used for verification.
- the received first public key is operated by using a set function relationship, for example, by using the hash function 1, the received first public key is hashed, and the received first public key is obtained.
- a hash value here, a hash value obtained by the operation is recorded as a hash value of 1
- a hash value of the first public key received by the NFVO is recorded as a hash value of 2. Then compare whether the hash value 1 and the hash value 2 are the same. If they are the same, it is determined that the received first public key sent by the NFVO is a legal public key.
- the consistency of the received hash value of the code for generating the first public key and the hash value of the code stored in the VNFM is further verified, and the code for generating the first public key is verified. is it legal.
- the VNFM can obtain the hash value of the legal code from the CPU provider and store it on the VNFM.
- the VNFM can obtain the hash value of the legal code from the CPU provider and store it on the VNFM.
- the VNFM confirms that the verification result is that the verification server verifies that the VNFM report is not generated by the application in the memory protection area, that is, when the report sent by the VNFM is sent by the illegal central processor signature. In this case, it is not necessary to use the received report to verify the received first public key.
- the management device verifies the legality of the first public key by using the received hash value of the first public key and the hash value of the received code for generating the first public key. Can improve the security of verification.
- VNFM sends a VNF instantiation success message to the VNFO, and establishes a management channel with the VNFI.
- the VNFM also advertises the first public key of the VNF to other network elements in the network, for example, other VNFIs other than the VNFI, so that other VNFIs establish a connection with the VNFI.
- the management device is VNFM and EM, see Figure 4.
- the method before the NFVO sends the first public key, the report, the signature, the identifier of the central processing unit, and the VNF ID to the management device for managing the VNFI, the method further includes steps S401-S409, where S401- The steps of S409 are the same as the steps S301-S309 shown in FIG. 3, and details are not described herein.
- the following mainly introduces the first public key, report, signature, central processor identifier, and VNF ID to be used for management in NFVO.
- the VNFI management device step, and the subsequent steps after this step, are described as follows:
- NFVO sends the first public key, the report, the signature, the identifier of the central processing unit, and the VNF ID to the VNFM;
- the VNFM sends the first public key, the report, the signature, and the identifier of the central processing unit to the EM;
- S412 The EM sends the report, the signature, and the identifier of the central processing unit to the verification server.
- the verification server sends the verification result to the EM
- the EM uses the received report to verify the received first public key when the verification result is generated by the application in the memory protection area when the verification result is the verification server verifies the report sent by the EM;
- the process of verifying the received first public key by using the received report in the step is the same as the step S314 shown in FIG. 3, and details are not described herein again.
- the VNFM sends a VNF instantiation success message to the VNFO, and establishes a management connection with the VNFI.
- the VNFM also advertises the first public key of the VNF to other network elements in the network, for example, other VNFIs other than the VNFI, so that other VNFIs establish a connection with the VNFI.
- FIG. 5 shows a schematic structural diagram of a virtual network function instance VNFI device 500.
- the VNFI device 500 can include a generation module 501 and a transmission module 502.
- the generating module 501 can be used to execute S306 in the embodiment shown in FIG. 3, or S406 in the embodiment shown in FIG. 4, or other processes for supporting the technology described in the embodiment of the present application.
- the sending module 502 can be used to execute S307 in the embodiment shown in FIG. 3, or S407 in the embodiment shown in FIG. 4, or other processes for supporting the techniques described in the embodiments of the present application. All the related content of the steps involved in the foregoing method embodiments may be referred to the functional descriptions of the corresponding functional modules, and details are not described herein again.
- FIG. 6 shows a schematic structural diagram of a management device 600 of a virtual network function instance VNFI.
- the management device 600 of the VNFI may include a receiving module 601 and a verification module 602.
- the receiving module 601 can be used to execute S310 in the embodiment shown in FIG. 3, or S410, S411 in the embodiment shown in FIG. 4, or other processes for supporting the technology described in the embodiment of the present application.
- the verification module 602 can be used to perform S314 in the embodiment shown in FIG. 3, or S415 in the embodiment shown in FIG. 4, or to support other processes described in the embodiments of the present application. All the related content of the steps involved in the foregoing method embodiments may be referred to the functional descriptions of the corresponding functional modules, and details are not described herein again.
- FIG. 7 shows a schematic structural diagram of an authentication server 700.
- the verification server 700 can include a receiving module 701, a verification module 702, and a sending module 703.
- the receiving module 701 is configured to execute 311 in the embodiment shown in FIG. 3, or S412 in the embodiment shown in FIG. 4, or other processes for supporting the technology described in the embodiment of the present application.
- the verification module 702 is configured to execute S312 in the embodiment shown in FIG. 3, or S413 in the embodiment shown in FIG. 4, or other processes for supporting the techniques described in the embodiments of the present application.
- the sending module 703 is configured to execute S313 in the embodiment shown in FIG. 3, or S414 in the embodiment shown in FIG. 4, or other processes for supporting the techniques described in the embodiments of the present application. All the related content of the steps involved in the foregoing method embodiments may be referred to the functional descriptions of the corresponding functional modules, and details are not described herein again.
- the VNFI device 500, the VNFI management device 600, and the verification server 700 are presented in the form of dividing each functional module into functions, or may be presented in an integrated manner to divide the functional modules.
- a “module” herein may refer to an application-specific integrated circuit (ASIC), a processor and memory that executes one or more software or firmware programs, integrated logic circuits, and/or other devices that provide the above functionality. .
- ASIC application-specific integrated circuit
- FIG. 8 shows a schematic structural diagram of a VNFI device 800.
- the VNFI device 800 can include a processor 801 and a communication interface 802.
- the VNFI device 800 may also include a memory 803 in which the processor 801, the memory 803, and the communication interface 802 are connected by a system bus 804.
- the memory 803 is for storing a computer program, and when the VNFI device 800 is running, the processor 801 executes instructions included in the computer program stored in the memory 803 to cause the VNFI device 800 to perform the virtual network function provided by the embodiment shown in FIG. 3 or FIG. VNF initialization credential generation method.
- FIG. 9 shows a schematic structural diagram of a VNFI management device 900.
- the management device 900 can include a processor 901 and a communication interface 902.
- the management device 900 may also include a memory 903 in which the processor 901, the memory 903, and the communication interface 902 are connected by a system bus 904.
- the memory 903 is used to store a computer program, and when the management device 900 is running, the processor 901 executes instructions included in the computer program stored in the memory 903 to cause the management device 900 to perform the virtual network function provided by the embodiment shown in FIG. 3 or FIG. VNF initialization credential generation method.
- FIG. 10 shows a schematic structural diagram of an authentication server 1000.
- the verification server 1000 can include a processor 1001 and a communication interface 1002.
- the verification server 1000 may further include a memory 1003 in which the processor 1001, the memory 1003, and the communication interface 1002 are connected through the system bus 1004.
- the memory 1003 is configured to store a computer program.
- the processor 1001 executes instructions included in the computer program stored in the memory 1003 to cause the verification server 1000 to perform the virtual network function provided by the embodiment shown in FIG. 3 or FIG. VNF initialization credential generation method.
- the communication interface 802, the communication interface 902, or the communication interface 1002 may be a transceiver or an independent receiver and transmitter.
- the transmitting module 502 can correspond to the communication interface 802 of FIG.
- the generation module 501 can be embedded in hardware form/software form or independent of the VNFI device 800 corresponding to the processor 801 in FIG.
- receiving module 601 can correspond to communication interface 902 in FIG.
- the verification module 602 may be embedded in the hardware form/software form or the VNFI-compliant management device 900 corresponds to the processor 901 in FIG.
- the receiving module 701 and the transmitting module 703 may correspond to the communication interface 1002 in FIG.
- the verification module 702 can be embedded in hardware form/software form or independent of the verification server 1000 in the processor 1001 in FIG.
- the VNFI device 800, the VNFI management device 900 or the verification server 1000 may be a field-programmable gate array (FPGA), an application specific integrated circuit (ASIC), and a system chip (system). On chip, SoC), central processor unit (CPU), network processor (NP), digital signal processor (DSP), microcontroller (micro controller unit, MCU), A programmable logic device (PLD) or other integrated chip can also be used.
- SoC central processor unit
- NP network processor
- DSP digital signal processor
- MCU microcontroller
- PLD programmable logic device
- the VNFI device 800, the VNFI management device 900 or the authentication server 1000 may also be separate network elements, such as VNFI or VNFM or EM.
- the embodiment of the present application further provides a computer storage medium, which may include a memory, where the memory may store a program, and the program includes the network device as described in the foregoing method embodiment shown in FIG. 3 or FIG. All the steps performed.
- a computer storage medium which may include a memory, where the memory may store a program, and the program includes the network device as described in the foregoing method embodiment shown in FIG. 3 or FIG. All the steps performed.
- the first public key and the report are generated by the virtual network function instance VNFI, and then the VNFI sends the first public key and the report to the management device, so that the management device uses the received report to receive the first
- the public key is verified. Since the public key of the VNF is generated by the VNFI itself, the process of transmitting the public key to the VNFI when the public key is generated by the NFVI is omitted, thereby reducing the probability of the public key being attacked by the outside world, thereby reducing the probability of the public key being exposed. .
- embodiments of the present application can be provided as a method, system, or computer program product.
- the present application can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment in combination of software and hardware.
- the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
- the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
- the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
一种虚拟化网络功能VNF的初始化凭据生成方法及设备,用于降低公钥被暴露的几率。该方法包括:在VNF实例化过程中,虚拟网络功能实例VNFI生成VNF的第一公钥及报告;其中,所述报告与所述第一公钥之间满足设定函数关系;所述VNFI将所述第一公钥及所述报告发送给所述VNFI的管理设备,以使所述管理设备利用接收到的报告对接收到的第一公钥进行验证。
Description
本申请要求于2017年7月20日提交中国专利局、申请号为201710598073.9、发明名称为“一种虚拟网络功能VNF的初始化凭据生成方法及设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本申请涉及通信技术领域,尤其涉及一种虚拟网络功能VNF的初始化凭据生成方法及设备。
欧洲电信标准化协会(European Telecommunications Standards Institude,ETSI)制定了电信网络功能虚拟化(Network Functions Virtualization,NFV)的协议标准。通过ETSI NFV制定的标准,可以实现网络的虚拟化、灵活部署、灵活扩容等能力。在网络部署过程中,需要部署相应的虚拟网络功能(Virtualized Network Function,VNF),也会实例化出相应的VNF实例(Virtualized Network Function Infrastructure,VNFI)。在VNF实例化之后,若VNFI需要与VNFI的管理设备之间建立通信通道,则管理设备需要对VNFI进行认证。
现有技术中,在VNF实例化的过程中,由网络功能虚拟化基础设施(Network Functions Virtualization Infrastructure,NFVI)生成VNF的公钥,然后将公钥分别发送给VNFI和VNF管理(Virtualized Network Funcion Manager,VNFM),在VNFI接收到由NFVI发送的公钥后,也将公钥转发给VNFM。在VNFM收到由NFVI发送的公钥及由VNFI发送的公钥后,对比接收到由NFVI发送的公钥和由VNFI发送的公钥是否相同,若相同,VNFM则通过对VNFI的验证。
在上述技术方案中,由于VNF的公钥是由NFVI生成,然后转发给VNFI。而在NFVI向VNFI转发公钥的过程中,公钥可能会受到外界的攻击,从而增加了公钥被暴露的几率,则必然会存在一定的安全隐患。
发明内容
本申请实施例提供一种虚拟化网络功能VNF的初始化凭据生成方法及设备,用于降低公钥被暴露的几率。
第一方面,本申请实施例提供一种虚拟化网络功能VNF的初始化凭据生成方法。该方法包括:在VNF实例化过程中,虚拟网络功能实例VNFI生成VNF的第一公钥及报告;其中,所述报告与所述第一公钥之间满足设定函数关系;所述VNFI将所述第一公钥及所述报告发送给所述VNFI的管理设备,以使所述管理设备利用接收到的报告对接收到的第一公钥进行验证。
本申请实施例中,由于是由VNFI自身生成VNF的公钥,省去在由NFVI生成公钥时,将公钥发送给VNFI的过程,从而能够减少公钥受到外界攻击的几率,进而能够降低公钥被暴露的几率。
在一个可能的设计中,在VNF实例化过程中,虚拟网络功能实例VNFI生成虚拟网络功能VNF的第一公钥及报告,包括:所述VNFI通过内存保护区域中的应用程序生成所述第一公钥及所述报告;其中,所述内存保护区域为NFV基础设施NFVI在所述VNFI中创建的,所述内存保护区域内的数据的安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级。
本申请实施例中,内存保护区域既能对抗恶意特权软件,也能够抵抗对内存的物理攻击。因此,通过内存保护区域能够保护第一公钥及报告不受恶意软件的攻击,即便是操作系统或者是Hypervisor也无法影响内存保护区域中第一公钥。所以,能够进一步降低第一公钥被暴露的几率。
在一个可能的设计中,所述方法还包括:所述VNFI通过所述内存保护区域中的应用程序生成所述报告的签名;其中,所述签名是根据所述报告、以及为所述内存保护区域的中央处理器预先配置的私钥生成的;所述VNFI将所述签名及所述中央处理器的标识发送给验证服务器,以使所述验证服务器利用第二公钥、接收到的签名、接收到的中央处理器的标识、以及所述验证服务器预先存储的中央处理器标识,验证所述管理设备发来的报告是否完整且是否为所述内存保护区域中的应用程序生成的报告;其中,所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥。
本申请实施例中,还通过内存保护区域中的应用程序生成报告的签名,以使验证服务器利用接收到的签名验证接收到的报告是否完整,也就是报告内容是否被篡改,以及验证接收到的报告是否由内存保护区域中的应用程序生成的,也就是验证接收到的报告是否由合法CPU签名。
在一个可能的设计中,所述报告包括:用于生成所述第一公钥的代码的哈希值;和/或所述第一公钥的哈希值。
本申请实施例中,报告中可能包括与第一公钥之间满足设定函数关系的不同内容,以上几种只是举例,在本申请实施例中不作限制。在具体实现过程中,报告中还可能携带有中央处理器的标识。
第二方面,本申请实施例提供一种虚拟网络功能VNF的初始化凭证的验证方法,该方法包括:管理设备接收由虚拟网络功能实例VNFI生成并发送的VNF的第一公钥及报告;其中,所述报告与所述第一公钥之间满足设定函数关系;所述管理设备根据接收到的报告对接收到的第一公钥进行验证。
在一个可能的设计中,所述第一公钥及所述报告为通过NFV基础设施NFVI创建的内存保护区域中的应用程序生成的;其中,所述内存保护区域内的数据安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级。
在一个可能的设计中,所述方法还包括:所述管理设备接收由所述VNFI发送的所述报告的签名及所述内存保护区域的中央处理器的标识;其中,所述签名为所述VNFI根据所述报告、以及为所述中央处理器预先配置的私钥生成的;所述管理设备将所述签名、所述中 央处理器的标识、以及所述接收到的报告发送给验证服务器,以使所述验证服务器利用第二公钥、接收到的签名、接收到的中央处理器的标识、以及所述验证服务器预先存储的中央处理器标识,验证所述管理设备发送来的报告是否完整且是否为通过所述内存保护区域中的应用程序生成的报告;其中,所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥;所述管理设备接收由所述验证服务器发送的验证结果,并确认所述验证结果为所述验证服务器验证所述所述管理设备发送的报告完整且为所述内存保护区域中的应用程序生成的。
在一个可能的设计中,用于生成所述第一公钥的代码的哈希值;和/或所述第一公钥的哈希值。
在一个可能的设计中,所述管理设备则根据接收到的报告对所述接收到的第一公钥进行验证,包括:所述管理设备对接收到的第一公钥使用所述设定函数关系运算得到运算结果,并根据所述运算结果和接收到的第一公钥的哈希值的一致性来验证所述接收到的第一公钥是否合法;和/或所述管理设备根据接收到的用于生成所述第一公钥的代码的哈希值和所述管理设备中预先存储的代码的哈希值的一致性,验证用于生成所述第一公钥的代码是否合法。
本申请实施例中,管理设备利用接收到的第一公钥的哈希值以及接收到的用于生成第一公钥的代码的哈希值这两方面来验证第一公钥的合法性,能够提高验证的安全性。
第三方面,本申请实施例提供一种虚拟网络功能VNF的初始化凭证的验证方法。该方法包括:验证服务器接收由虚拟网络功能实例VNFI生成并发送的报告、所述报告的签名、以及内存保护区域的中央处理器的标识,所述内存保护区域为NFV基础设施NFVI在所述VNFI中创建的,所述内存保护区域内的数据的安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级;所述验证服务器根据接收到的签名、第二公钥、接收到的中央处理器的标识、以及所述验证服务器预先存储的中央处理器标识,验证接收到的报告是否完整且是否为所述内存保护区域中的应用程序生成的报告;所述验证服务器将验证结果发送给所述VNFI的管理设备,以使所述管理设备在确认所述验证结果为所述验证服务器验证所述接收到的报告完整且为所述内存保护区域中的应用程序生成时,利用接收到的由所述VNFI发送的报告对接收到的由所述VNFI发送的第一公钥进行验证;其中,所述签名为根据所述VNFI生成的报告、以及为所述中央处理器预先配置的私钥生成的;所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥;所述VNFI生成的报告与所述第一公钥之间满足设定函数关系。
在本申请实施例中,验证服务器能够验证接收到的报告是否完整,也就是验证接收到的报告是否被篡改,以及验证接收到的报告是否由内存保护区域内的应用程序生成,也就是验证接收到的报告是否由合法CPU签名,验证服务器然后将验证结果发送给管理设备,由管理设备根据接收到的报告对接收到的第一公钥进行验证。
其中,由VNFI自身生成VNF的公钥,省去在由NFVI生成公钥时,将公钥发送给VNFI的过程,从而能够减少公钥受到外界攻击的几率,进而能够降低公钥被暴露的几率。
通过内存保护区域能够保护第一公钥及报告不受恶意软件的攻击,即便是操作系统或者是Hypervisor也无法影响内存保护区域中第一公钥。所以,能够进一步降低第一公钥被 暴露的几率。
第四方面,本申请实施例提供一种虚拟网络功能实例VNFI设备,该VNFI设备的具体结构可以包括生成模块和发送模块。生成模块和发送模块可执行上述第一方面或第一方面的任意一种可能的设计所提供的方法中的相应功能。
第五方面,本申请实施例提供一种虚拟网络功能实例VNFI的管理设备,该管理设备的具体结构可以包括接收模块和验证模块。接收模块和验证模块可以执行上述第二方面或第二方面的任意一种可能的设计所提供的方法中的相应功能。
第六方面,本申请实施例提供一种验证服务器,该验证服务器的具体结构可以包括接收模块、验证模块和发送模块。接收模块、验证模块和发送模块可以执行上述第三方面所提供的方法中的相应功能。
第七方面,本申请实施例提供一种网络功能虚拟化实例VNFI设备,该VNFI设备包括:处理器以及通信接口。所述VNFI设备还可以包括存储器,存储有计算机程序;其中,处理器与存储器、通信接口耦合,存储器可以设置在处理器中,存储器和处理器可以通过芯片实现。存储器所存储的计算机程序包括指令,当处理器执行所述指令时,所述指令使VNFI设备执行上述第一方面或第一方面的任意一种可能的设计中所提供的方法。
第八方面,本申请实施例提供一种网络功能虚拟化实例VNFI的管理设备,该管理设备包括:处理器以及通信接口。所述管理设备还可以包括存储器,存储有计算机程序;其中,处理器与存储器、通信接口耦合,存储器可以设置在处理器中,存储器和处理器可以通过芯片实现。存储器所存储的计算机程序包括指令,当处理器执行所述指令时,所述指令使管理设备执行上述第二方面或第二方面的任意一种可能的设计中所提供的方法。
第九方面,本申请实施例提供一种验证服务器,该验证服务器包括处理器以及通信接口。所述验证服务器还可以包括存储器,存储有计算机程序;其中,处理器与存储器、通信接口耦合,存储器可以设置在处理器中,存储器和处理器可以通过芯片实现。存储器所存储的计算机程序包括指令,当处理器执行所述指令时,所述指令使验证服务器执行上述第三方面所提供的方法。
第十方面,本申请实施例还提供一种计算机可读存储介质,存储有用于执行上述第一方面、第一方面的任意一种设计,上述第二方面、第二方面的任意一种设计,以及上述第三方面的功能所用的计算机软件指令,并包含用于执行上述第一方面、第一方面的任意一种设计,上述第二方面、第二方面的任意一种设计,以及上述第三方面的方法所设计的程序。
在本申请实施例中,由虚拟网络功能实例VNFI生成第一公钥以及报告,然后VNFI将第一公钥和报告发送给管理设备,以使管理设备利用接收到的报告对接收到的第一公钥进行验证。由于是由VNFI自身生成VNF的公钥,省去在由NFVI生成公钥时,将公钥发送给VNFI的过程,从而能够减少公钥受到外界攻击的几率,进而能够降低公钥被暴露的几率。
图1为本申请实施例提供的网络功能虚拟化的网络架构图;
图2为现有技术中生成VNFI的初始化凭据的方法示意图;
图3为本申请实施例提供的一种VNF的初始化凭据生成方法的示意图;
图4为本申请实施例提供的另一种VNF的初始化凭据生成方法的示意图;
图5-图10为本申请实施例提供的计算机装置的几种结构示意图。
为了使本申请实施例的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施例作进一步地详细描述。
网络功能虚拟化(Network Function Virtualization,NFV)技术可以简单地理解为将电信网络中使用的各个网元的功能从目前的专用硬件平台迁移至通用的商用货架产品(Commercial-off-the-shelf,COTS)服务器上。通过NFV技术将电信网络中使用的各个网元转变成为独立的应用,可以灵活部署在基于标准的服务器、存储以及交换机等其他设备构建的统一基础设施平台上,并通过虚拟化技术,对基础设施硬件设备资源池化及虚拟化,对上层应用提供虚拟资源,实现应用、硬件解耦,使得每一个应用能够快速增加虚拟资源以实现快速扩展系统容量的目的,或者能够快速减少虚拟资源以实现收缩系统容量的目的,以提升网络的弹性。采用通用的COTS服务器组成共享的资源池,新开发的业务,不需要单独部署硬件设备,大大缩短新业务上线时间。
NFV技术的基础包含云计算技术和虚拟化技术。通用的COTS计算/存储/网络等硬件设备通过虚拟化技术可以分解为多种虚拟资源,以供上层各种应用使用。通过虚拟化技术,实现应用与硬件之间的解耦,使得虚拟资源供给速度大大增加;通过云计算技术,可以实现应用的弹性伸缩,实现虚拟资源与业务负荷相匹配,不仅提升了虚拟资源的利用效率,而且改善了系统的响应速率。
请参见图1,图1示意性给出了可以适用本申请实施例提供的技术方案的NFV系统100的架构示意图,NFV系统100可以在各种网络中使用,例如在一个数据中心网络、运营商网络或局域网来实现。NFV系统100包括一个NFV管理和编排系统(NFV Management and Orchestration,NFV MANO)101、NFVI 130、多个VNF 108、多个网元管理(Element Management,EM)122、网络服务、VNF和基础设施描述(Network Service、VNF and Infrastructure Description)126,以及业务支持管理系统(Operations Support System/Business Support System,OSS/BSS)124。其中,NFV MANO 101包括NFV编排器(Network Function Virtualization Orchestrator,NFVO)102,一个或多个VNFM 104和虚拟化基础设施管理器(Virtualized Infrastructure Manager,VIM)106。NFVI 130包括计算硬件112、存储硬件114、网络硬件116、虚拟化层(Virtualization Layer)、虚拟计算110、虚拟存储118和虚拟网络120。下面分别进行介绍。
(1)、NFV MANO 101用于执行对VNF 108和NFVI 130的监视和管理。
(2)、NFVO 102可以实现在NFVI 130上的网络服务,例如L2和L3VPN服务,也可以执行来自一个或多个VNFM 104的资源相关请求,发送配置信息给VNFM 104,并收集VNF108的状态信息。另外,NFVO 102也可以与VIM 106通信,以实现资源的分配,和/或资源预留,以及交换虚拟化硬件资源配置和状态信息。
(3)、VNFM 104可以管理一个或多个VNF 108。VNFM 104可以执行各种管理功能,例 如实例化(instantiating),更新(updating)、查询、弹性伸缩(scaling)、终止(terminating)VNF108。VNFM 104可以与VNF 108通信以完成VNF生命周期管理以及交换配置和状态信息。在NFV架构中VNFM可以是一个,也可以是多个,负责对不同类型的VNF进行生命周期管理。
(4)、VIM 106,可以执行资源管理的功能,例如管理基础设施资源的分配(例如增加资源到虚拟容器)和操作功能(例如收集NFVI故障信息)。VNFM 104和VIM 106可以相互通信进行资源分配和交换虚拟化硬件资源的配置和状态信息。
(5)、NFVI 130,包括硬件资源、软件资源或两者组合,以建立虚拟化环境、部署、管理以及实现VNF 108。换句话说,硬件资源和虚拟化层用于为VNF 108提供虚拟化资源,例如作为VMs和其它形式的虚拟容器。硬件资源包括计算硬件112、存储硬件114、网络硬件116。计算硬件112可以是市场上现成的硬件和/或用户定制的硬件,用于提供处理和计算资源。存储硬件114可以是网络内提供的存储容量或驻留在存储硬件114本身的存储容量(位于服务器内的本地存储器)。作为一种实施方式,计算硬件112和存储硬件114的资源可以集中在一起。网络硬件116可以是交换机、路由器和/或配置成具有交换功能的任何其它网络设备。网络硬件116可以横跨多个域,并且可以包括多个由一个或一个以上传输网络互连的网络。
(6)NFVI 130中的虚拟化层可以从物理层抽象硬件资源和解耦VNF108,以便向VNF 108提供虚拟化资源。虚拟化资源包括虚拟计算110、虚拟存储118以及虚拟网络120。虚拟计算110和虚拟存储118可以系统管理程序(hypervisor),VMs和/或其它虚拟容器的形式被提供给VNF 108。例如一个或多个VNF 108被部署在一个VM上。虚拟化层抽象网络硬件116形成虚拟网络120。虚拟网络120包括虚拟交换机(Virtual Switch),虚拟交换机用来提供VMs和/或其它容纳VNF 108的虚拟容器之间的连接。此外,网络硬件116中的传输网络,可以采用集中式控制平面和一个单独的转发平面(例如软件定义网络)虚拟化。
(7)、VNF108,被配置成至少一种网络功能虚拟化。VNF108可以是一个虚拟化提供者边缘(provider edge,PE)节点,用于提供非虚拟化设备上所有的PE网络功能,例如路由器、交换机、网桥、服务器、云计算系统等。每个VNF108运行在一个虚拟容器中,对应于一组属于一个或多个物理设备的网络功能。
(8)、运营支持系统和业务支持系统(Operations Support System and Business Support System,OSS/BSS)124,支持端到端电信业务。OSS支持的管理功能包括:网络配置、业务提供、故障管理等。
如图1所示,VNFM 104可以与VNF 108和EM 122交互来对VNF的生命周期进行管理以及交换配置和状态信息。VNF 108可以被配置为通过一个物理网络设备执行的至少一个网络功能的虚拟化。例如在一个实现方案中,VNF 108可以经过配置以提供IP多媒体子系统(IP Multimedia Subsystem,IMS)网络中的不同网元具备的功能,例如代理呼叫会话控制功能实体(Proxy call session control Function,P-CSCF)、查询呼叫会话控制功能实体(Intertrogating call session control Function,I-CSCF)、服务呼叫会话控制功能实体(Serving call session control Function,S-CSCF)、归属用户服务器(Home subscriber Server,HSS),以及应用服务器(Application Server,AS)的网络功能等。EM122经过配置以对一个或多个VNF108进行管理。
目前,在进行VNF实例化之后,VNFI需要通过管理设备的认证,才能与管理设备之间建立管理通道。下面以管理设备是VNFM为例,介绍VNFM对VNFI进行验证的过程,请参见图2,可以包括如下步骤:
1、NFVO向VNFM发送实例化VNF请求;
该步骤中,在NFVO接收到VNF实例化请求后,向VNFM发送实例化VNF请求。其中,NFVO接收到的实例化请求可以是手动触发,也可以是自动触发,例如从OSS触发或BSS触发等。
2、VNFM向NFVO发送资源分配请求;
该步骤中,在VNFM计算所需资源数后,向NFVO发送资源分配请求,其中,VNFM向NFVO发送的资源分配请求中包括资源要求,例如所需的计算资源、存储资源、或者是网络资源等。
3、NFVO向VIM发送请求分配计算资源、存储资源及网络资源的请求消息;
4、VIM向NFVI发送调用计算资源、存储资源及网络资源的调用消息;
5、在NFVI接收到调用消息时,创建VNFI、虚拟机(Virtual Machine)、以及生成VNF的公钥;
在该步骤中,在NFVI生成VNF的公钥的同时,还生成VNF的与该公钥对应的私钥,并发送给VNFI。
6、NFVI将公钥发送给VNFI,同时将计算资源、存储资源和网络资源分配成功响应、以及公钥发送给VIM;
7、VIM将计算资源、存储资源和网络资源分配成功响应、以及公钥发送给NFVO;
8、NFVO将计算资源、存储资源和网络资源分配成功响应、以及公钥发送给VNFM;
9、VNFI将接收到的公钥发送给VNFM;
在本申请实施例中,VNFI可以在接收到由NFVI发送的公钥后就将公钥发送给VNFM,也可以在预定时长后将接收到的公钥发送给VNFM,在此不作限制。而VNFI无论以上述两种方式中的哪种方式发送公钥,都需要先与VNFM建立初始连接。下面将给出VNFI与VNFM建立初始连接的两种实现方式。
作为一种示例,是在NFVI创建VM时,NFVI将VNFM的端口号和IP地址报告给VM,从而由VNFI利用VNFM的端口号和IP地址主动与VNFM建立初始连接。
作为另一种示例,是在NFVI创建VM时,NFVI将VM的端口号和IP地址报告给VNFM,从而由VNFM利用VM的端口号和IP地址主动与VNFI建立初始连接。
10、VNFM对比收到的由VNFI发送的公钥和接收到的由NFVO发送的公钥是否相同,若相同,VNFM向VNFO发送VNF实例化成功的消息,同时与VNFI之间建立管理通道。
在图2所示的技术方案中,是由NFVI生成VNF的公钥,然后发送给VNFI。在NFVI向VNFI转发公钥的过程中,公钥可能会受到外界的攻击,从而就可能会增加公钥被暴露的几率,则必然会存在一定的安全隐患。
鉴于此,本申请实施例提供一种虚拟网络功能VNF的初始化凭据生成方法,在该虚拟网络功能VNF的初始化凭据生成的方法中,由VNFI生成VNF的第一公钥以及报告,然后将第一公钥和报告发送给管理设备,以使管理设备利用接收到的报告对接收到的第一公钥进行验证。由于是由VNFI自身生成VNF的公钥,省去在由NFVI生成公钥时,将公钥发送给 VNFI的过程,从而能够降低公钥受到外界攻击的几率,进而能够降低公钥被暴露的几率。
请参见图3,本发明实施例提供一种虚拟网络功能VNF的初始化凭据生成方法,该方法的流程描述大致如下:
S301:NFVO向VNFM发送实例化VNF请求;
该步骤中,在NFVO接收到VNF实例化请求后,向VNFM发送实例化VNF请求。其中,NFVO接收到的实例化请求可以是手动触发,也可以是自动触发,例如从OSS触发或BSS触发等。
S302:VNFM向NFVO发送资源分配请求;
该步骤中,在VNFM计算所需资源数后,向NFVO发送资源分配请求,其中,VNFM向NFVO发送的资源分配请求中包括资源要求,例如所需的计算资源、存储资源、或者是网络资源等。
S303:NFVO向VIM发送请求分配计算资源、存储资源及网络资源的请求消息;
S304:VIM向NFVI发送调用计算资源、存储资源及网络资源的调用消息;
S305:在NFVI接收调用消息时,创建VNFI;
S306:VNFI生成VNF的第一公钥及报告;
在本申请实施例中,报告与第一公钥之间满足设定函数关系,例如哈希函数关系。具体的,在VNFI生成的报告包括第一公钥的哈希值和用于生成第一公钥的代码的哈希值中的至少一种时,第一公钥与第一公钥的哈希值之间满足哈希函数关系,用于生成第一公钥的代码与用于生成第一公钥的代码的哈希值之间满足哈希函数关系。其中哈希函数,可以是消息摘要算法第二版(Message Digest Algorithm,MD2)、消息摘要算法第四版(Message Digest Algorithm,MD4)、消息摘要算法第五版(Message Digest Algorithm,MD5)、或者是安全哈希算法(Security Hash Algorithm,SHA)。后续将得到第一公钥的哈希值和得到用于生成第一公钥的代码的哈希值的哈希函数称为哈希函数1。
哈希值是一段数据唯一且紧凑的数值表示形式。在利用哈希函数对一段明文进行哈希时,得到第一哈希值。而若对该段明文中的任何地方做更改,例如更改该段明文的一个字母,再利用前述哈希函数对该段明文进行哈希,都将产生不同的值。因此,根据数据的哈希值可以检验该段明文的完整性。在本申请实施例中,也就是根据第一公钥的哈希值能够检验第一公钥的完整性,根据用于生成第一公钥的代码的哈希值能够检验用于生成第一公钥的代码的完整性。
在VNFI在生成第一公钥的同时,还能够生成与第一公钥对应的第一私钥,该第一私钥可以在VNFI与管理设备建立管理通道后,传输数据时使用。在本申请实施例中,第一私钥由VNFI生成,能够避免将第一私钥暴露给NFVI,因此,能够减少第一私钥被暴露的几率。
在由VNFI生成第一公钥和报告时,若VNFI受到外界的攻击,将会增加第一公钥被暴露的几率。鉴于此,在本申请实施例中,VNFI通过内存保护区域中的应用程序生成第一公钥及报告,其中,内存保护区域为NFVI在VNFI中创建的,内存保护区域内的数据的安全等级高于VNFI上除内存保护区域外的其它保护区域内的数据的安全等级,也就是在VNFI受到外界攻击时,内存保护区域中的数据并不会因外界的攻击而受到影响。
在本申请实施例中,用于支持NFVI创建内存保护区域的技术可以是Intel软件保护扩展(Intel Software Guard Extensions,Intel SGX)技术。请继续参见图1,NFVI中包 括的硬件部件中的计算硬件,例如中央处理器,能够支持Intel SGX技术。NFVI向SGX申请创建内存保护区域enclave,SGX收到创建命令之后执行创建命令,分配内存保护区域,并将用于生成第一公钥及报告的应用程序加载到内存保护区域内。这样,VNFI则能够通过内存保护区域内的应用程序生成第一公钥及报告。
其中,SGX是对CPU架构的一种扩展,为应用程序的安全执行提供硬件保护。这种扩展允许用户模式的应用程序在应用程序的虚拟地址存储空间内创建一块内存保护区域,内存保护区域既能对抗恶意特权软件,例如能对抗被入侵的主机操作系统或恶意虚拟机监视器的攻击,又能抵抗对内存的物理攻击,例如内存探测等。因此通过内存保护区域能够保护第一公钥及报告不受恶意软件的攻击,也就是说,第一公钥及报告位于内存保护区域中,即便是操作系统或者是Hypervisor也无法影响内存保护区域中的代码和数据,所以,能够进一步降低第一公钥被暴露的几率。
由于,VNFI通过内存保护区域还生成与第一公钥对应的第一私钥,因此,第一私钥位于内存保护区域中,也能减少被外界的攻击,从而减少第一私钥被暴露的几率。
在本申请实施例中,因为能够支持NFVI创建内存保护区域的中央处理器是有限的,例如Intel提供的中央处理器,或者为其它厂商提供的能够支持NFVI创建内存保护区域的中央处理器,在此不作限制。因此,为了进一步验证生成的报告是否由合法的CPU签名的,也就是验证报告是否为通过内存保护区域中的应用程序生成的,在本申请实施例中,VNFI在通过内存保护区域生成报告的同时,还通过内存保护区域中的应用程序生成报告的签名。其中,生成报告的签名的过程,是内存保护区域中的应用程序利用哈希函数及报告,生成报告的摘要信息,然后利用私钥对生成的摘要信息进行加密,从而得到报告的签名。在本申请实施例中,用于生成报告的哈希函数可以是哈希函数1,用于对生成的摘要信息进行加密的私钥可以为为内存保护区域的中央处理器预先配置,是在中央处理器出厂时就烧录在中央处理器中的。
在本申请实施例中,能够支持NFVI创建内存保护区域的中央处理器以Intel提供的中央处理器为例,不同的中央处理器对应不同的标识。其中,中央处理器的标识可以是数字、可以是字符、或者是数字和字符的组合,且中央处理器的标识可以单独发送给验证服务器,也可以携带在报告中发送给验证服务器,在此不作限制。而在下面的介绍过程中,以将中央处理器的标识单独发送给验证服务器为例。
S307:VNFI将第一公钥、报告、签名、以及中央处理器的标识发送给NFVI;
S308:NFVI将第一公钥、报告、签名、中央处理器的标识、以及VNF ID发送给VIM;
该步骤中的VNF ID为VNF的标识,用于指示当前是哪个VNF进行实例化。在该步骤中,在NFVI将第一公钥、报告、签名、中央处理器的标识、以及VNF ID发送给VIM的同时,还将计算资源、存储资源和网络资源分配成功响应发送给VIM。
S309:VIM将第一公钥、报告、签名、中央处理器的标识、以及VNF ID发送给NFVO;
在该步骤中,在VIM将第一公钥、报告、签名、中央处理器的标识以及VNF ID发送给NFVO的同时,还将计算资源、存储资源和网络资源分配成功响应发送给NFVO。
S310:NFVO将第一公钥、报告、签名、中央处理器的标识、以及VNF ID发送给用于管理VNFI的管理设备;
在该步骤中,在NFVO将第一公钥、报告、签名、中央处理器的标识以及VNF ID发送给管理设备的同时,还将计算资源、存储资源和网络资源分配成功响应发送给管理设备。
在本申请实施例中,管理设备可以是VNFM,也可以是网元管理(Element Management,EM)和VNFM。也就是说,在本申请实施例中可以通过VNFM对第一公钥进行验证,也可以通过EM对第一公钥进行验证,下面分别进行介绍。
第一种实现方式,管理设备是VNFM,继续参见图3。
S311:VNFM将接收到的报告、签名、以及中央处理器的标识发送给验证服务器;
S312:在验证服务器接收到由VNFM发送的报告、签名、以及中央处理器的标识后,利用接收到的报告的签名、第二公钥、接收到的中央处理器的标识、以及验证服务器预先存储的中央处理器的标识,验证接收到的报告是否完整且是否为通过内存保护区域的应用程序生成的报告;
该步骤中的第二公钥的实现方式有两种,那么在第二公钥的实现方式不同时,验证服务器验证接收到的报告是否完整且是否为通过内存保护区域的应用程序生成的报告的过程也不相同,下面分别介绍。
(1)、验证服务器由中央处理器厂商提供,验证服务器能够记录哪些中央处理器能够支持创建内存保护区域,以及中央处理器在出厂时烧录的公钥。在该实现方式(1)中,能够支持创建内存保护区域的不同的中央处理器对应相同的第二公钥。该情况下,在验证服务器接收到由VNFM发送的报告后,利用第二公钥对接收到的报告的签名进行解密,得到接收到的报告的摘要信息,记为摘要信息1。然后利用哈希函数1从接收到的报告中计算出摘要信息,记为摘要信息2,并对比摘要信息1和摘要信息2是否相同,若相同,则表明验证服务器接收到的报告是完整的,未被篡改。接着确定接收到的中央处理器的标识是否在验证服务器预先存储的中央处理器的标识中,若验证服务器预先存储的中央处理器的标识中包括报告中所包括的中央处理器的标识,则表明验证服务器接收到的报告为通过内存保护区域中的应用程序生成的。
(2)验证服务器由中央处理器厂商提供,验证服务器能够记录哪些中央处理器能够支持创建内存保护区域,以及中央处理器在出厂时烧录的公钥。而在该实现方式(2)中,能够支持创建内存保护区域的不同中央处理器对应不同的第二公钥。该情况下,在验证服务器上记录有公钥与中央处理器标识之间的对应关系。因此,在验证服务器接收到由VNFI发送的中央处理器的标识时,从公钥与中央处理器标识之间的对应关系中即可查找与该标识对应的公钥。在确定出与中央处理器的标识对应的公钥,也就是第二公钥之后,验证服务器利用第二公钥对接收到的报告的签名进行解密,获得与接收到的报告的签名对应的报告的摘要信息,记为摘要信息3。然后利用哈希函数1从接收到的报告中计算出摘要信息,即为摘要信息4,并对比摘要信息3和摘要信息4是否相同,若相同,则表明接收到的报告为通过内存保护区域中的应用程序生成的。
对于上述实现方式(1)和实现方式(2),本领域普通技术人员可以根据实际需要选择,在此不作限制。由验证服务器验证接收到的报告是否有内存保护区域中的应用程序生成,也就是首先验证验证服务器接收到的报告是否由合法的中央处理器签名并发送的,以实现对接收到的报告的初级验证。
S313:验证服务器将验证结果发送给VNFM;
S314:VNFM在确认验证结果为验证服务器验证VNFM发送的报告为内存保护区域中的应用程序生成时,利用接收到的报告对接收到的第一公钥进行验证;
当VNFM在确认验证结果为验证服务器验证VNFM发送的报告为内存保护区域中的应用程序生成时,也就是报告是由合法中央处理器签名并发送的,则利用接收到的报告对接收到的第一公钥进行验证。
在具体实现过程中,对接收到的第一公钥利用设定函数关系运算,例如利用哈希函数1,对接收到的第一公钥进行哈希运算,得到接收到的第一公钥的哈希值,在此,将通过运算得到的哈希值记为哈希值1,将接收到由NFVO发送的第一公钥的哈希值记为哈希值2。然后对比哈希值1和哈希值2是否相同,若相同,则确定接收到的由NFVO发送的第一公钥为合法公钥。
在本申请实施例中,还将接收到的用于生成第一公钥的代码的哈希值和VNFM中预先存储的代码的哈希值的一致性,验证用于生成第一公钥的代码是否合法。
在此需要说明的是,由于内存保护区域中能够运行的应用程序为Intel签名认可的应用程序,因此,VNFM能够从CPU提供商获取合法代码的哈希值,并存储在VNFM上。这样,在接收到由NFVO发送的用于生成第一公钥的代码的哈希值时,便可验证用于生成第一公钥的代码是否合法。
而在VNFM确认验证结果为验证服务器验证VNFM发送的报告不是内存保护区域中的应用程序生成时,也就是VNFM发送的报告由非法中央处理器签名发送时。在这种情况下,则不必利用接收到的报告对接收到的第一公钥进行验证。
本申请实施例中,管理设备利用接收到的第一公钥的哈希值以及接收到的用于生成第一公钥的代码的哈希值这两方面来验证第一公钥的合法性,能够提高验证的安全性。
S315:VNFM向VNFO发送VNF实例化成功的消息,同时与VNFI之间建立管理通道。
在本申请实施例中,VNFM还会将VNF的第一公钥发布给网络中的其它网元,例如除该VNFI外的其它VNFI,以使其它VNFI与该VNFI建立连接。
第二种实现方式,管理设备是VNFM和EM,请参见图4。
在该实现方式中,在NFVO将第一公钥、报告、、签名、中央处理器的标识、以及VNF ID发送给用于管理VNFI的管理设备之前,还包括步骤S401-S409,其中,S401-S409的步骤同图3中所示的步骤S301-S309,在此不再赘述,下面主要介绍在NFVO将第一公钥、报告、签名、中央处理器的标识、以及VNF ID发送给用于管理VNFI的管理设备这一步骤,以及该步骤之后的后续步骤,描述大致如下:
S410:NFVO将第一公钥、报告、签名、中央处理器的标识、以及VNF ID发送给VNFM;
S411:VNFM将第一公钥、报告、签名、中央处理器的标识发送给EM;
S412:EM将报告、签名、以及中央处理器的标识发送给验证服务器;
S413:在验证服务器接收到由EM发送的报告、签名、以及中央处理器的标识后,利用接收到的报告的签名、第二公钥、接收到的中央处理器的标识、以及验证服务器预先存储的中央处理器的标识,验证接收到的报告是否完整且是否为通过内存保护区域的应用程序生成的报告;
该步骤中验证服务器验证接收到的报告是否完整且是否为通过内存保护区域的应用程序生成的报告的过程同图3中所示的步骤S312,在此不再赘述。
S414:验证服务器将验证结果发送给EM;
S415:EM在确认验证结果为验证服务器验证EM发送的报告时为内存保护区域中的应用程序生成时,利用接收到的报告对接收到的第一公钥进行验证;
该步骤中EM利用接收到的报告对接收到的第一公钥进行验证的过程同图3中所示的步骤S314,在此不再赘述。
S416:EM将验证结果发送给VNFM;
S417:VNFM向VNFO发送VNF实例化成功的消息,同时与VNFI之间建立管理连接。
在本申请实施例中,VNFM还会将VNF的第一公钥发布给网络中的其它网元,例如除该VNFI外的其它VNFI,以使其它VNFI与该VNFI建立连接。
下面结合附图介绍本申请实施例提供的装置。
图5示出了一种虚拟网络功能实例VNFI设备500的结构示意图。该VNFI设备500可以包括生成模块501和发送模块502。其中,生成模块501可以用于执行图3所示的实施例中的S306,或图4所示的实施例中的S406,或用于支持本申请实施例所描述的技术的其它过程。发送模块502可以用于执行图3所示的实施例中的S307,或图4所示的实施例中的S407,或用于支持本申请实施例所描述的技术的其它过程。其中,上述方法实施例涉及的各步骤的所有相关内容均可以援引到对应功能模块的功能描述,在此不再赘述。
图6示出了一种虚拟网络功能实例VNFI的管理设备600的结构示意图。该VNFI的管理设备600可以包括接收模块601和验证模块602。其中,接收模块601可以用于执行图3所示的实施例中的S310,或图4所示的实施例中的S410、S411,或用于支持本申请实施例所描述的技术的其它过程。验证模块602可以用于执行图3所示的实施例中的S314,或图4所示的实施例中的S415,或用于支持本申请实施例所描述的其它过程。其中,上述方法实施例涉及的各步骤的所有相关内容均可以援引到对应功能模块的功能描述,在此不再赘述。
图7示出了一种验证服务器700的结构示意图。该验证服务器700可以包括接收模块701、验证模块702和发送模块703。其中,接收模块701用于执行图3所示的实施例中的311,或图4所示的实施例中的S412,或用于支持本申请实施例所描述的技术的其它过程。验证模块702用于执行图3所示的实施例中的S312,或图4所示的实施例中的S413,或用于支持本申请实施例所描述的技术的其它过程。发送模块703用于执行图3所示的实施例中的S313,或图4所示的实施例中的S414,或用于支持本申请实施例所描述的技术的其它过程。其中,上述方法实施例涉及的各步骤的所有相关内容均可以援引到对应功能模块的功能描述,在此不再赘述。
在本申请实施例中,VNFI设备500、VNFI的管理设备600以及验证服务器700对应各个功能划分各个功能模块的形式来呈现,或者,可以采用集成的方式划分各个功能模块的形式来呈现。这里的“模块”可以指特定应用集成电路(application-specific integrated circuit,ASIC),执行一个或多个软件或固件程序的处理器和存储器,集成逻辑电路,和/或其他可以提供上述功能的器件。
图8示出了一种VNFI设备800的结构示意图。该VNFI设备800可以包括:处理器801以及通信接口802。VNFI设备800还可以包括存储器803,其中,处理器801、存储器803以及通信接口802通过系统总线804连接。存储器803用于存储计算机程序,当VNFI设备800运行时,处理器801执行存储器803存储的计算机程序包括的指令,以使VNFI设备800执行图3或图4所示的实施例提供的虚拟网络功能VNF的初始化凭证生成方法。
图9示出了一种VNFI的管理设备900的结构示意图。该管理设备900可以包括:处理器901以及通信接口902。管理设备900还可以包括存储器903,其中,处理器901、存储器903以及通信接口902通过系统总线904连接。存储器903用于存储计算机程序,当管理设备900运行时,处理器901执行存储器903存储的计算机程序包括的指令,以使管理设备900执行图3或图4所示的实施例提供的虚拟网络功能VNF的初始化凭证生成方法。
图10示出了一种验证服务器1000的结构示意图。该验证服务器1000可以包括:处理器1001以及通信接口1002。验证服务器1000还可以包括存储器1003,其中,处理器1001、存储器1003以及通信接口1002通过系统总线1004连接。存储器1003用于存储计算机程序,当验证服务器1000运行时,处理器1001执行存储器1003存储的计算机程序包括的指令,以使验证服务器1000执行图3或图4所示的实施例提供的虚拟网络功能VNF的初始化凭证生成方法。
具体的虚拟网络功能VNF的初始化凭证生成方法可参考上文及附图中的相关描述,此处不再赘述。其中,通信接口802、通信接口902或通信接口1002可以是收发器,或者是独立的接收器和发送器。
在一个示例中,发送模块502可以对应图8中的通信接口802。生成模块501可以以硬件形式/软件形式内嵌于或独立于VNFI设备800对应图8中的处理器801中。
在一个示例中,接收模块601可以对应图9中的通信接口902。验证模块602可以以硬件形式/软件形式内嵌于或独立于VNFI的管理设备900对应图9中的处理器901中。
在一个示例中,接收模块701及发送模块703可以对应图10中的通信接口1002。验证模块702可以以硬件形式/软件形式内嵌于或独立于验证服务器1000对应图10中的处理器1001中。
可选的,VNFI设备800、VNFI的管理设备900或验证服务器1000可以是现场可编程门阵列(field-programmable gate array,FPGA),专用集成芯片(application specific integrated circuit,ASIC),系统芯片(system on chip,SoC),中央处理器(central processor unit,CPU),网络处理器(network processor,NP),数字信号处理电路(digital signal processor,DSP),微控制器(micro controller unit,MCU),还可以采用可编程控制器(programmable logic device,PLD)或其他集成芯片。或者,VNFI设备800、VNFI的管理设备900或验证服务器1000也可以是单独的网元,例如为VNFI或者VNFM或EM。
本申请实施例还提供一种计算机存储介质,该存储介质可以包括存储器,该存储器可存储有程序,该程序执行时包括如前的图3或图4所示的方法实施例中记载的网络设备所执行的全部步骤。
在本申请实施例中,由虚拟网络功能实例VNFI生成第一公钥以及报告,然后VNFI将第一公钥和报告发送给管理设备,以使管理设备利用接收到的报告对接收到的第一公钥进行验 证。由于是由VNFI自身生成VNF的公钥,省去在由NFVI生成公钥时,将公钥发送给VNFI的过程,从而能够减少公钥受到外界攻击的几率,进而能够降低公钥被暴露的几率。
本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。
本申请是参照根据本申请的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。
显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。
Claims (21)
- 一种虚拟网络功能VNF的初始化凭据生成方法,其特征在于,包括:在VNF实例化过程中,虚拟网络功能实例VNFI生成VNF的第一公钥及报告;其中,所述报告与所述第一公钥之间满足设定函数关系;所述VNFI将所述第一公钥及所述报告发送给所述VNFI的管理设备,以使所述管理设备利用接收到的报告对接收到的第一公钥进行验证。
- 根据权利要求1所述的方法,其特征在于,在VNF实例化过程中,虚拟网络功能实例VNFI生成虚拟网络功能VNF的第一公钥及报告,包括:所述VNFI通过内存保护区域中的应用程序生成所述第一公钥及所述报告;其中,所述内存保护区域为NFV基础设施NFVI在所述VNFI中创建的,所述内存保护区域内的数据的安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级。
- 根据权利要求2所述的方法,其特征在于,所述方法还包括:所述VNFI通过所述内存保护区域中的应用程序生成所述报告的签名;其中,所述签名是根据所述报告、以及为所述内存保护区域的中央处理器预先配置的私钥生成的;所述VNFI将所述签名及所述中央处理器的标识发送给验证服务器,以使所述验证服务器利用第二公钥、接收到的签名、接收到的中央处理器的标识、以及所述验证服务器预先存储的中央处理器标识,验证所述管理设备发来的报告是否完整且是否为所述内存保护区域中的应用程序生成的报告;其中,所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥。
- 根据权利要求3所述的方法,其特征在于,所述报告包括:用于生成所述第一公钥的代码的哈希值;和/或所述第一公钥的哈希值。
- 一种虚拟网络功能VNF的初始化凭证的验证方法,其特征在于,包括:管理设备接收由虚拟网络功能实例VNFI生成并发送的VNF的第一公钥及报告;其中,所述报告与所述第一公钥之间满足设定函数关系;所述管理设备根据接收到的报告对接收到的第一公钥进行验证。
- 根据权利要求5所述的方法,其特征在于,所述第一公钥及所述报告为通过NFV基础设施NFVI创建的内存保护区域中的应用程序生成的;其中,所述内存保护区域内的数据安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级。
- 根据权利要求6所述的方法,其特征在于,所述方法还包括:所述管理设备接收由所述VNFI发送的所述报告的签名及所述内存保护区域的中央处理器的标识;其中,所述签名为所述VNFI根据所述报告、以及为所述中央处理器预先配置的私钥生成的;所述管理设备将所述签名、所述中央处理器的标识、以及所述接收到的报告发送给验证服务器,以使所述验证服务器利用第二公钥、接收到的签名、接收到的中央处理器的标识、以及所述验证服务器预先存储的中央处理器标识,验证所述管理设备发送来的报告是否完整且是否为通过所述内存保护区域中的应用程序生成的报告;其中,所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥;所述管理设备接收由所述验证服务器发送的验证结果,并确认所述验证结果为所述验证 服务器验证所述所述管理设备发送的报告完整且为所述内存保护区域中的应用程序生成的。
- 根据权利要求7所述的方法,其特征在于,所述报告包括:用于生成所述第一公钥的代码的哈希值;和/或所述第一公钥的哈希值。
- 根据权利要求8所述的方法,其特征在于,所述管理设备则根据接收到的报告对所述接收到的第一公钥进行验证,包括:所述管理设备对接收到的第一公钥使用所述设定函数关系运算得到运算结果,并根据所述运算结果和接收到的第一公钥的哈希值的一致性来验证所述接收到的第一公钥是否合法;和/或所述管理设备根据接收到的用于生成所述第一公钥的代码的哈希值和所述管理设备中预先存储的代码的哈希值的一致性,验证用于生成所述第一公钥的代码是否合法。
- 一种虚拟网络功能VNF的初始化凭证的验证方法,其特征在于,包括:验证服务器接收由虚拟网络功能实例VNFI生成并发送的报告、所述报告的签名、以及内存保护区域的中央处理器的标识,所述内存保护区域为NFV基础设施NFVI在所述VNFI中创建的,所述内存保护区域内的数据的安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级;所述验证服务器根据接收到的签名、第二公钥、接收到的中央处理器的标识、以及所述验证服务器预先存储的中央处理器标识,验证接收到的报告是否完整且是否为所述内存保护区域中的应用程序生成的报告;所述验证服务器将验证结果发送给所述VNFI的管理设备,以使所述管理设备在确认所述验证结果为所述验证服务器验证所述接收到的报告完整且为所述内存保护区域中的应用程序生成时,利用接收到的由所述VNFI发送的报告对接收到的由所述VNFI发送的第一公钥进行验证;其中,所述签名为根据所述VNFI生成的报告、以及为所述中央处理器预先配置的私钥生成的;所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥;所述VNFI生成的报告与所述第一公钥之间满足设定函数关系。
- 一种虚拟网络功能实例VNFI设备,其特征在于,包括:处理器,用于在VNF实例化过程中,生成VNF的第一公钥及报告;其中,所述报告与所述第一公钥之间满足设定函数关系;通信接口,用于将所述第一公钥及所述报告发送给所述VNFI的管理设备,以使所述管理设备利用接收到的报告对接收到的第一公钥进行验证。
- 根据权利要求11所述的设备,其特征在于,在所述处理器生成VNF的第一公钥及报告时,具体用于:通过内存保护区域中的应用程序生成所述第一公钥及所述报告;其中,所述内存保护区域为NFV基础设施NFVI在所述VNFI中创建的,所述内存保护区域内的数据的安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级。
- 根据权利要求12所述的设备,其特征在于,所述处理器还用于:通过所述内存保护区域中的应用程序生成所述报告的签名;其中,所述签名是根据所述报告、以及为所述内存保护区域的中央处理器预先配置的私钥生成的;通过所述通信接口将所述签名及所述中央处理器的标识发送给验证服务器,以使所述验 证服务器利用第二公钥、接收到的签名、接收到的中央处理器的标识、以及所述验证服务器预先存储的中央处理器标识,验证所述管理设备发来的报告是否完整且是否为所述内存保护区域中的应用程序生成的报告;其中,所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥。
- 根据权利要求13所述的设备,其特征在于,所述报告包括:用于生成所述第一公钥的代码的哈希值;和/或所述第一公钥的哈希值。
- 一种网络功能虚拟化实例VNFI的管理设备,其特征在于,包括:通信接口,用于接收由虚拟网络功能实例VNFI生成并发送的VNF的第一公钥及报告;其中,所述报告与所述第一公钥之间满足设定函数关系;处理器,用于根据接收到的报告对接收到的第一公钥进行验证。
- 根据权利要求15所述的管理设备,其特征在于,所述第一公钥及所述报告为通过NFV基础设施NFVI创建的内存保护区域中的应用程序生成的;其中,所述内存保护区域内的数据安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级。
- 根据权利要求16所述的管理设备,其特征在于,所述处理器还用于:通过所述通信接口接收由所述VNFI发送的所述报告的签名及所述内存保护区域的中央处理器的标识;其中,所述签名为所述VNFI根据所述报告、以及为所述中央处理器预先配置的私钥生成的;通过所述通信接口将所述签名、所述中央处理器的标识、以及所述接收到的报告发送给验证服务器,以使所述验证服务器利用第二公钥、接收到的签名、接收到的中央处理器的标识、以及所述验证服务器预先存储的中央处理器标识,验证所述管理设备发送来的报告是否完整且是否为为通过所述内存保护区域中的应用程序生成的报告;其中,所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥;通过所述通信接口接收由所述验证服务器发送的验证结果,并确认所述验证结果为所述验证服务器验证所述所述管理设备发送的报告完整且是为所述内存保护区域中的应用程序生成的。
- 根据权利要求17所述的管理设备,其特征在于,所述报告包括:用于生成所述第一公钥的代码的哈希值;和/或所述第一公钥的哈希值。
- 根据权利要求18所述的管理设备,其特征在于,在处理器则根据接收到的报告对所述接收到的第一公钥进行验证时,具体用于:对接收到的第一公钥使用所述设定函数关系运算得到运算结果,并根据所述运算结果和接收到的第一公钥的哈希值的一致性来验证所述接收到的第一公钥是否合法;和/或根据接收到的用于生成所述第一公钥的代码的哈希值和所述管理设备中预先存储的代码的哈希值的一致性,验证用于生成所述第一公钥的代码是否合法。
- 一种验证服务器,其特征在于,包括:通信接口,用于接收由虚拟网络功能实例VNFI生成并发送的报告、所述报告的签名、以及内存保护区域的中央处理器的标识,所述内存保护区域为NFV基础设施NFVI在所述VNFI中创建的,所述内存保护区域内的数据的安全等级高于所述VNFI上除所述内存保护区域外的其它区域内的数据的安全等级;处理器,用于根据接收到的签名、第二公钥、接收到的中央处理器的标识、以及所述验 证服务器预先存储的中央处理器标识,验证接收到的报告是否完整且为NFV基础设施VNFI创建的所述内所述存保护区域中的应用程序生成的报告;以及通过所述通信接口将验证结果发送给所述VNFI的管理设备,以使所述管理设备在确认所述验证结果为所述验证服务器验证所述接收到的报告为完整且为所述内存保护区域中的应用程序生成时,利用接收到的由所述VNFI发送的报告对接收到的由所述VNFI发送的第一公钥进行验证;其中,所述签名为根据所述VNFI生成的报告、以及为所述中央处理器预先配置的私钥生成的;所述第二公钥为所述验证服务器预先存储的与所述私钥对应的公钥;所述VNFI生成的报告与所述第一公钥之间满足设定函数关系。
- 一种计算机存储介质,其特征在于,所述计算机存储介质存储有指令,当所述指令在计算机上运行时,使得所述计算机执行如权利要求1-10任一权利要求所述的方法。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710598073.9 | 2017-07-20 | ||
CN201710598073.9A CN109286494B (zh) | 2017-07-20 | 2017-07-20 | 一种虚拟网络功能vnf的初始化凭据生成方法及设备 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019015563A1 true WO2019015563A1 (zh) | 2019-01-24 |
Family
ID=65016537
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/095913 WO2019015563A1 (zh) | 2017-07-20 | 2018-07-17 | 一种虚拟网络功能vnf的初始化凭据生成方法及设备 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109286494B (zh) |
WO (1) | WO2019015563A1 (zh) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111988263B (zh) * | 2019-05-22 | 2021-07-16 | 华为技术有限公司 | 容器服务管理方法及容器管理器、虚拟网络功能实例和虚拟网络功能管理器 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103460216A (zh) * | 2011-03-21 | 2013-12-18 | 诺基亚西门子通信公司 | 软件许可控制 |
CN104580208A (zh) * | 2015-01-04 | 2015-04-29 | 华为技术有限公司 | 一种身份认证方法及装置 |
WO2015168913A1 (zh) * | 2014-05-08 | 2015-11-12 | 华为技术有限公司 | 一种证书获取方法和设备 |
WO2015169126A1 (zh) * | 2014-05-08 | 2015-11-12 | 华为技术有限公司 | 一种证书获取方法和设备 |
WO2017052935A1 (en) * | 2015-09-25 | 2017-03-30 | Intel Corporation | Out-of-band platform tuning and configuration |
CN106575323A (zh) * | 2014-08-22 | 2017-04-19 | 诺基亚技术有限公司 | 用于虚拟化网络的安全性和信任框架 |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2876311T3 (es) * | 2014-09-29 | 2021-11-12 | Koninklijke Kpn Nv | Replicación de estado de instancias de función de red virtual |
US9578008B2 (en) * | 2015-05-11 | 2017-02-21 | Intel Corporation | Technologies for secure bootstrapping of virtual network functions |
CN106664259B (zh) * | 2015-07-17 | 2020-01-10 | 华为技术有限公司 | 虚拟网络功能扩容的方法和装置 |
-
2017
- 2017-07-20 CN CN201710598073.9A patent/CN109286494B/zh active Active
-
2018
- 2018-07-17 WO PCT/CN2018/095913 patent/WO2019015563A1/zh active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103460216A (zh) * | 2011-03-21 | 2013-12-18 | 诺基亚西门子通信公司 | 软件许可控制 |
WO2015168913A1 (zh) * | 2014-05-08 | 2015-11-12 | 华为技术有限公司 | 一种证书获取方法和设备 |
WO2015169126A1 (zh) * | 2014-05-08 | 2015-11-12 | 华为技术有限公司 | 一种证书获取方法和设备 |
CN106575323A (zh) * | 2014-08-22 | 2017-04-19 | 诺基亚技术有限公司 | 用于虚拟化网络的安全性和信任框架 |
CN104580208A (zh) * | 2015-01-04 | 2015-04-29 | 华为技术有限公司 | 一种身份认证方法及装置 |
WO2017052935A1 (en) * | 2015-09-25 | 2017-03-30 | Intel Corporation | Out-of-band platform tuning and configuration |
Also Published As
Publication number | Publication date |
---|---|
CN109286494B (zh) | 2020-10-23 |
CN109286494A (zh) | 2019-01-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11641361B2 (en) | Dynamic access control to network resources using federated full domain logon | |
US10977372B2 (en) | Technologies for secure bootstrapping of virtual network functions | |
KR101318524B1 (ko) | 보안 가상 머신 호스팅 프로세서 및 보안 가상 머신 설정 방법 | |
CN106575323B (zh) | 用于虚拟化网络的安全性和信任框架 | |
US11265316B2 (en) | Apparatus to automatically establish or modify mutual authentications amongst the components in a software defined networking (SDN) solution | |
CA2712815C (en) | Method and apparatus for authentication service application processes during service reallocation in high availability clusters | |
JP2019526993A (ja) | ネットワーク機能仮想化システム及び検証方法 | |
US12034869B2 (en) | Identity management for software components | |
WO2016127294A1 (zh) | 一种证书管理方法、设备及系统 | |
WO2019109942A1 (zh) | 建立虚拟网络功能实例的方法和装置 | |
Catuogno et al. | Trusted Virtual Domains–design, implementation and lessons learned | |
WO2018157787A1 (zh) | 一种预置账户的密码初始化方法及相关设备 | |
WO2019015563A1 (zh) | 一种虚拟网络功能vnf的初始化凭据生成方法及设备 | |
US11989279B2 (en) | Method and system for service image deployment in a cloud computing system based on distributed ledger technology | |
WO2018120182A1 (zh) | 一种秘密信息的分发方法和设备 | |
WO2018040095A1 (zh) | 一种生成安全凭证的方法和设备 | |
KR102162108B1 (ko) | Nfv 환경을 위한 lw_pki 시스템 및 그 시스템을 이용한 통신방법. | |
CN112464251B (zh) | 用于虚拟网络功能的安全自举的技术 | |
WO2023089438A1 (en) | Correlating remote attestation quotes with a virtualized network function (vnf) resource allocation event |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18834390 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 18834390 Country of ref document: EP Kind code of ref document: A1 |