WO2023216913A1

WO2023216913A1 - Communication method and apparatus

Info

Publication number: WO2023216913A1
Application number: PCT/CN2023/091397
Authority: WO
Inventors: 李论; 吴义壮; 崔洋; 雷骜; 胡华东
Original assignee: 华为技术有限公司
Priority date: 2022-05-08
Filing date: 2023-04-27
Publication date: 2023-11-16
Also published as: CN117081928A

Abstract

The present application belongs to the technical field of communications. Provided are a communication method and apparatus, which solve the problem of a verifier being unable to determine, by means of an attester, whether a VNF can be trusted. In the method, when a first verifier determines to use a first attester to attest whether a first network element can be trusted, if the first verifier cannot determine whether the first attester can be trusted, the first verifier can request a second verifier with higher security to attest the first attester, so as to determine that the first attester can be trusted. In this way, a first verifier can determine, by means of attesting a first network element such as a VNF by using a trusted first attester, whether the first network element can be trusted.

Description

Communication methods and devices

This application claims priority to the Chinese patent application filed with the State Intellectual Property Office on May 8, 2022, with the application number 202210494964.0 and the application title "Communication Method and Device", the entire content of which is incorporated into this application by reference.

Technical field

The present application relates to the field of communication, and in particular, to a communication method and device.

Background technique

Network functions virtualization (NFV) refers to the separation of the network functions (functions virtualization (NF) of traditional types of communication equipment from their physical devices, and then uses them in the form of software, such as virtual network functions (VNF)) , running on commercial off-the-shelf (COTS) to achieve flexible deployment. On this basis, VNF can be trusted to be verified through remote attestation to ensure security. Among them, the remote proof can include an attester and a verifier. The measurer can be deployed near the VNF, such as in a computer room, to collect evidence of the VNF. The verifier can be deployed remotely to determine whether the VNF is trustworthy based on the VNF's evidence.

However, the measurer and the VNF are usually deployed together. If the VNF is attacked, the measurer may also be attacked, causing the measurer to be untrustworthy. At this time, the verifier cannot determine whether the VNF is trustworthy through the measurer.

Contents of the invention

Embodiments of the present application provide a communication method and device to solve the problem that the verifier cannot determine whether the VNF is trustworthy through the metric.

In order to achieve the above purpose, this application adopts the following technical solutions:

The first aspect is to provide a communication method. The method includes: when the first verifier determines whether using the first measurer to measure the first network element is trustworthy, the first verifier sends a first request to the second verifier, and receives the second verifier's response to the first request. The first response returned from a request. Among them, the first request is used to request the second verifier to initiate measurement of the first measurer. The security of the second verifier is higher than the security of the first measurer. The first response is used to indicate the first measurer. Believable. In this way, the first verifier uses the first measurer to measure whether the first network element is trustworthy.

According to the method described in the first aspect, when the first verifier cannot determine whether the first metric is trustworthy, the first verifier can request a second verifier with higher security to measure the first metric. to determine the credibility of the first metric. In this way, the first verifier can determine whether the first network element is trustworthy by measuring the first network element, such as the VNF, through the trusted first measurer.

In one possible design solution, the first verifier sends a first request to the second verifier, including: the first verifier obtains the addressing information of the first measurer, and sends a message containing the addressing information to the second verifier. The first request is made so that the second verifier can find the first measurer and measure it.

Optionally, the first verifier obtains the addressing information of the first measurer, including: when the first verifier is a functional network element, the first verifier obtains the identification information of the first network element. For example, the first measurer is usually located in the virtualization layer. Functional network elements may not be aware of the existence of the virtualization layer, and therefore cannot obtain the identification information of the first measurer. interest. In this case, the functional network element can provide service layer information, such as identification information of the first network element related to the first measurer, so that the second verifier can find the first measurer through the first network element. Or, in the case where the first verifier is a functional network manager, the first verifier obtains at least one of the following: identification information of the first measurer or identification information of the first network element. That is, the functional network element can not only obtain virtualization layer information, such as the identification information of the first measurer, but also obtain service layer information, such as the identification information of the first network element. In this way, functional network elements can selectively provide relevant information without limitation.

Further, in the case where the first verifier is a functional network element, the identification information of the first network element includes the identification of the network function NF. It can be understood that since the functional network element may not be aware of the existence of the virtualization layer, the first network element is the function of the business layer for the functional network element, that is, NF, so the identification of NF can be obtained. Or, in the case where the first authenticator is the functional network management, the identification information of the first network element includes the identification of the virtual network function VNF. It can be understood that since the functional network management can sense the existence of the virtualization layer, the first network element is the function of the virtualization layer for the functional network element, that is, the VNF, and therefore the identification of the VNF can be obtained.

One possible design solution is that the first measurer is deployed in the business domain and the second verifier is deployed in the management domain. That is to say, the second validator can be deployed in a more secure network environment than the first metric to ensure that the security of the second validator is higher than the security of the first metric.

A possible design solution is that before the first verifier sends the first request to the second verifier, the method in the first aspect may also include: the first verifier determines that the first measurer is a credible measurer of doubtful measures. By. In other words, the first verifier only triggers the measurement of the first measurer when it is unable to determine whether the first measurer is trustworthy. On the contrary, if the first verifier determines that the first measurer is trustworthy, it can directly use the first measurer to measure the first network element without triggering the measurement of the first measurer to avoid executing an invalid measurement process. Save communication overhead.

Optionally, the first measurer being a measurer whose credibility is doubtful means that the first measurer is a measurer who has not been measured, or the first measurer has been measured and the measurement certificate is invalid. measurer. In other words, for a credible first measurer, its credible status is time-limited. If the time limit is exceeded, the first measurer needs to be re-measured to further improve security.

In a possible design solution, the first verifier determines whether the first network element is trusted using the first measurer, including: the first verifier receives indication information from the second network element; the second network element communicates with the first Network element association, the instruction information is used to instruct the first verifier to initiate measurement of the first network element; the first verifier determines to use the first measurer to measure the first network element based on the instruction information. That is to say, the measurement of the first network element can be triggered by other network elements, such as the second network element. For example, if the second network element determines that communication with the first network element is abnormal, the measurement of the first network element may be triggered. In this way, measurement can be triggered on demand to avoid executing invalid measurement processes and save communication overhead.

Optionally, the indication information includes the identification information of the first network element. The first verifier stores the corresponding relationship between the identification information of each measurer and the identification information of the network element associated with the measurer. The first verifier performs the verification according to the indication information. Determining to use the first measurer to measure the first network element includes: the first verifier determines the first measurer corresponding to the first network element according to the identification information of the first network element and the corresponding relationship. That is to say, even if the second network element initiates measurement of multiple network elements at the same time, the first measurer can still find the corresponding measurer of each network element based on the identification information and corresponding relationship of the network element, thereby realizing the measurement. Synchronous measurement of multiple network elements improves measurement efficiency.

In a possible design solution, the first verifier uses the first measurer to measure whether the first network element is trustworthy, including: the first verifier sends a second request to the first measurer; the second request is used to request the first measurer. A measurer measures the first network element; the first verifier receives the second response returned by the first measurer in response to the second request; the second response includes the Metric evidence of a network element; the first verifier determines whether the first network element is trustworthy based on the metric evidence of the first network element. It can be seen that the first measurer is mainly used to collect measurement evidence, and the first verifier is mainly used to verify the measurement evidence. This can evenly share the load of the first measurer and the first verifier to improve the overall operating efficiency.

Optionally, the measurement evidence of the first network element includes at least one of the following: operating data of the first network element, or communication data of the first network element. It can be seen that the operation data and communication data of the first network element are data in different dimensions, so as to measure the first network element through multiple dimensions and ensure the accuracy of the measurement.

In a possible design solution, after the first verifier receives the first response returned by the second verifier in response to the first request, the method further includes: the first verifier uses the first measurer to measure whether the third network element is trustworthy. . When the first measurer is trustworthy, the first verifier can directly use the first measurer to measure other network elements without triggering the measurement of the first measurer to avoid executing invalid measurement processes and save communication. overhead.

The second aspect is to provide a communication method. The method includes: the second verifier receives a first request from the first verifier, and determines a second measurer associated with the first measurer according to the first request; the first request is used to request the second verifier to initiate a verification The measurement of the first measurer, the first measurer is the measurer associated with the first verifier, and the security of the second measurer is higher than the security of the first measurer. In this way, the second verifier measures the first measurer through the second measurer, determines that the first measurer is trustworthy, and then sends a first response to the first verifier. The first response is used to indicate that the first verifier can letter.

One possible design solution is for the second verifier to measure the first measurer through the second measurer and determine that the first measurer is trustworthy, including: the second verifier sends a third request to the second measurer and receives The third response returned by the second metric for the third request. The third request is used to request the second measurer to measure the first measurer, and the third response includes the measurement evidence of the first measurer. In this way, the second verifier determines that the first measurer is credible based on the measurement evidence of the first measurer. It can be seen that the second measurer is mainly used to collect measurement evidence, and the second verifier is mainly used to verify the measurement evidence. This can evenly share the load of the second measurer and the second verifier to improve the overall operating efficiency.

Optionally, the measurement evidence of the first measurer includes the operating data of the first measurer, such as the startup data of the first measurer, the operating data in the memory of the first measurer, etc., without limitation.

Optionally, the third request is used to instruct the second measurer to provide measurement evidence, or the second verifier can also provide measurement evidence by default without limitation.

Another possible design solution is for the second verifier to measure the first measurer through the second measurer and determine that the first measurer is trustworthy, including: the second verifier sends a third request to the second measurer, and A third response returned by the second measurer in response to the third request is received. Wherein, the third request is used to request the second measurer to measure the first measurer, and the third response includes the endorsement result of the first measurer, and the endorsement result is used to indicate that the second measurer determines that the first measurer can letter. In this way, the second verifier confirms that the first measurer is trustworthy by verifying the endorsement result. That is to say, in the case where the second measurer endorses the first measurer, such as providing the second measurer with an endorsement result that determines the trustworthiness of the first measurer, the second verifier only verifies the endorsement result, such as verifying Whether the endorsement has been tampered with can determine the credibility of the first measurer, which can reduce the computational load of the second verifier and improve operating efficiency.

Optionally, the third request is used to instruct the second measurer to provide the endorsement result, or the second verifier can also provide the endorsement result by default without limitation.

In a possible design solution, the first request includes the addressing information of the first measurer, and the second verifier determines the second measurer associated with the first measurer based on the first request, including: the second verifier determines the second measurer associated with the first measurer based on the first request. The search for the first measurer The address information determines the first measurer so that the second verifier determines the second measurer based on the first measurer.

Optionally, the addressing information of the first measurer includes at least one of the following: identification information of the first measurer, or identification information of the first network element associated with the first measurer.

Optionally, the identification of the first network element includes the identification of the network function NF, or the identification information of the first network element includes the identification of the virtual network function VNF.

In one possible design solution, the first measurer is deployed at the software layer, and the second measurer is deployed at the hardware layer. That is, the second measurer can be deployed in a more secure hardware environment than the first measurer to ensure that the security of the second measurer is higher than the security of the first measurer.

In addition, other technical effects of the communication method described in the second aspect can be referred to the technical effects of the communication method described in the first aspect, which will not be described again here.

In a third aspect, a communication device is provided. The communication device includes: a module for executing the communication method described in the first aspect, such as a transceiver module and a processing module. The transceiver module can be used to realize the function of sending and receiving messages of the communication device described in the third aspect, and the processing module can be used to realize other functions of the communication device except sending and receiving messages, without limitation.

Optionally, the transceiver module may include a sending module and a receiving module. The sending module is used to implement the sending function of the communication device described in the third aspect, and the receiving module is used to implement the receiving function of the communication device described in the third aspect.

Optionally, the communication device described in the third aspect may further include a storage module that stores programs or instructions. When the processing module executes the program or instruction, the communication device can execute the communication method described in the first aspect.

It should be noted that the communication device described in the third aspect may be a network device, such as the first verifier, or may be a chip (system) or other component or component that can be disposed in the network device, or may include a network device. device, this application does not limit this.

In addition, the technical effects of the communication device described in the third aspect can be referred to the technical effects of the communication method described in the first aspect, which will not be described again here.

A fourth aspect provides a communication device. The communication device includes: a module for executing the communication method described in the second aspect, such as a transceiver module and a processing module. The transceiver module can be used to realize the function of sending and receiving messages of the communication device described in the fourth aspect, and the processing module can be used to realize other functions of the communication device except sending and receiving messages, without limitation.

Optionally, the transceiver module may include a sending module and a receiving module. The sending module is used to implement the sending function of the communication device described in the fourth aspect, and the receiving module is used to implement the receiving function of the communication device described in the fourth aspect.

Optionally, the communication device described in the fourth aspect may further include a storage module that stores programs or instructions. When the processing module executes the program or instruction, the communication device can execute the communication method described in the second aspect.

It should be noted that the communication device described in the fourth aspect may be a network device, such as a second verifier, or may be a chip (system) or other component or component that can be disposed in the network device, or may include a network device. device, this application does not limit this.

In addition, the technical effect of the communication device described in the fourth aspect can be referred to the communication method described in the second aspect. The technical effects will not be repeated here.

In a fifth aspect, a communication device is provided. The communication device includes: a processor configured to execute the communication method described in the first aspect or the second aspect.

In a possible design solution, the communication device described in the fifth aspect may further include a transceiver. The transceiver can be a transceiver circuit or an interface circuit. The transceiver can be used for the communication device described in the fifth aspect to communicate with other communication devices.

In a possible design solution, the communication device described in the fifth aspect may further include a memory. This memory can be integrated with the processor or provided separately. The memory may be used to store computer programs and/or data involved in the communication method described in the first aspect or the second aspect.

In this application, the communication device described in the fifth aspect may be a network device, or may be a chip (system) or other component or component disposed in the network device, or a device including the network device.

In addition, the technical effects of the communication device described in the fifth aspect may be referred to the technical effects of the communication method described in the first aspect or the second aspect, and will not be described again here.

A sixth aspect provides a communication device. The communication device includes: a processor coupled with a memory, and the processor is used to execute a computer program stored in the memory, so that the communication device executes the communication method described in the first aspect or the second aspect.

In a possible design solution, the communication device described in the sixth aspect may further include a transceiver. The transceiver can be a transceiver circuit or an interface circuit. The transceiver can be used for the communication device described in the sixth aspect to communicate with other communication devices.

In this application, the communication device described in the sixth aspect may be a network device, or may be a chip (system) or other component or component disposed in the network device, or a device including the network device.

In addition, the technical effects of the communication device described in the sixth aspect may be referred to the technical effects of the communication method described in the first aspect or the second aspect, and will not be described again here.

A seventh aspect provides a communication device, including: a processor and a memory; the memory is used to store a computer program, and when the processor executes the computer program, the communication device executes the first aspect or the second aspect. the communication method described above.

In a possible design solution, the communication device described in the seventh aspect may further include a transceiver. The transceiver can be a transceiver circuit or an interface circuit. The transceiver can be used for the communication device described in the seventh aspect to communicate with other communication devices.

In this application, the communication device described in the seventh aspect may be a network device, or a chip (system) or other component or component that may be disposed in the network device, or a device including the network device.

In addition, the technical effects of the communication device described in the seventh aspect may be referred to the technical effects of the communication method described in the first aspect or the second aspect, and will not be described again here.

In an eighth aspect, a communication device is provided, including: a processor; the processor is configured to be coupled to a memory, and after reading the computer program in the memory, execute the method described in the first aspect or the second aspect according to the computer program. Communication methods.

In a possible design solution, the communication device described in the eighth aspect may further include a transceiver. The transceiver can be a transceiver circuit or an interface circuit. The transceiver can be used for the communication device described in the eighth aspect to communicate with other communication devices.

In this application, the communication device described in the eighth aspect may be a network device, or a chip (system) or other component or component that may be disposed in the network device, or a device including the terminal or network device.

In addition, the technical effects of the communication device described in the eighth aspect can be referred to the technical effects of the communication method described in the seventh aspect, and will not be described again here.

A ninth aspect provides a communication system. The communication system includes the first verifier described in the first aspect, and the second verifier described in the second aspect.

In a tenth aspect, a computer-readable storage medium is provided, including: a computer program or instructions; when the computer program or instructions are run on a computer, the computer is caused to execute the communication method described in the first aspect or the second aspect.

In an eleventh aspect, a computer program product is provided, which includes a computer program or instructions. When the computer program or instructions are run on a computer, the computer is caused to execute the communication method described in the first aspect or the second aspect.

Description of the drawings

Figure 1 is a schematic diagram of the architecture of the 5G system;

Figure 2 is a schematic process diagram of remote certification;

Figure 3 is a schematic diagram of the NFV architecture;

Figure 4 is a schematic diagram of the architecture of NFV based on remote attestation;

Figure 5 is a schematic diagram 1 of the architecture of the communication system provided by the embodiment of the present application;

Figure 6 is a schematic diagram 2 of the architecture of the communication system provided by the embodiment of the present application;

Figure 7 is a schematic flowchart 1 of the communication method provided by the embodiment of the present application;

Figure 8 is a schematic flow chart 2 of the communication method provided by the embodiment of the present application;

Figure 9 is a schematic structural diagram of a communication device provided by an embodiment of the present application;

Figure 10 is a schematic second structural diagram of a communication device provided by an embodiment of the present application.

Detailed ways

To facilitate understanding, the technical terms involved in the embodiments of this application are first introduced below.

1. Fifth generation (5G) mobile communication system

Figure 1 is a schematic diagram of the architecture of the 5G system. As shown in Figure 1, the 5G system includes: access network (AN) and core network (core network, CN), and may also include: terminals.

The above-mentioned terminal may be a terminal with a transceiver function, or a chip or chip system that can be installed on the terminal. The terminal may also be called user equipment (UE), access terminal, subscriber unit, subscriber station, mobile station (MS), mobile station, remote station, remote terminal, mobile device, User terminal, terminal, wireless communication device, user agent or user device. The terminal in the embodiment of the present application may be a mobile phone, a cellular phone, a smart phone, a tablet, a wireless data card, or a personal digital assistant (PDA). ), wireless modems, handheld devices, laptop computers, machine type communication (MTC) terminals, computers with wireless transceiver functions, virtual reality (VR) Terminals, augmented reality (AR) terminals, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical, smart grids wireless terminals in grid, wireless terminals in transportation safety, wireless terminals in smart cities, smart Wireless terminals in smart homes, vehicle-mounted terminals, road side units (RSU) with terminal functions, etc. The terminal of this application may also be a vehicle-mounted module, vehicle-mounted module, vehicle-mounted component, vehicle-mounted chip, or vehicle-mounted unit built into the vehicle as one or more components or units.

The above-mentioned AN is used to implement access-related functions. It can provide network access functions for authorized users in specific areas, and can determine transmission links of different qualities to transmit user data according to user levels, business needs, etc. The AN forwards control signals and user data between the terminal and the CN. AN may include: access network equipment, which may also be called radio access network equipment (radio access network, RAN) equipment.

RAN equipment may be equipment that provides access to terminals. For example, the RAN equipment may include 5G, such as a gNB in a new radio (NR) system, or one or a group (including multiple antenna panels) of antenna panels of a base station in 5G, or may also constitute a gNB. , transmission point (transmission and reception point, TRP or transmission point, TP) or transmission measurement function (transmission measurement function, TMF) network node, such as baseband unit (building base band unit, BBU), or centralized unit (centralized unit) , CU) or distributed unit (DU), RSU with base station function, or wired access gateway, or 5G core network element. Alternatively, RAN equipment can also include access points (APs) in wireless fidelity (WiFi) systems, wireless relay nodes, wireless backhaul nodes, various forms of macro base stations, micro base stations (also (called small stations), relay stations, access points, wearable devices, vehicle-mounted devices, etc. Alternatively, RAN equipment may also include: next-generation mobile communication systems, such as 6G access network equipment, such as 6G base stations, or in the next-generation mobile communication system, the network equipment may also have other naming methods, which are all covered in this article. Within the protection scope of the application embodiments, this application does not impose any limitations on this.

CN is mainly responsible for maintaining mobile network subscription data and providing terminals with functions such as session management, mobility management, policy management, and security authentication. CN mainly includes the following network elements: user plane function (UPF) network element, authentication server function (AUSF) network element, access and mobility management function (AMF) network element Element, session management function (SMF) network element, network slice selection function (NSSF) network element, network exposure function (NEF) network element, network function repository function (NF repository function, NRF) network element, policy control function (PCF) network element, unified data management (UDM) network element, unified data repository (UDR), application function, AF) network element, and charging function (CHF) network element.

Among them, the UPF network element is mainly responsible for user data processing (forwarding, receiving, accounting, etc.). For example, the UPF network element can receive user data from the data network (DN) and forward the user data to the terminal through the access network device. The UPF network element can also receive user data from the terminal through the access network equipment and forward the user data to the DN. DN network element refers to the operator network that provides data transmission services to users. For example, Internet protocol (IP), multimedia service (IP multi-media service, IMS), Internet, etc. The DN can be an operator's external network or a network controlled by the operator, used to provide business services to terminal devices.

The AUSF network element is mainly used to perform terminal security authentication.

AMF network elements are mainly used for mobility management in mobile networks. For example, user location update, user registration network, user switching, etc.

SMF network elements are mainly used for session management in mobile networks. For example, session establishment, modification, and release. Specific functions include assigning Internet Protocol (IP) addresses to users, selecting UPF that provides message forwarding functions, etc.

The PCF network element mainly supports providing a unified policy framework to control network behavior, provides policy rules to the control layer network functions, and is also responsible for obtaining user subscription information related to policy decisions. PCF network elements can provide policies to AMF network elements and SMF network elements, such as quality of service (QoS) policies, slice selection policies, etc.

NSSF network elements are mainly used to select network slices for terminals.

NEF network elements are mainly used to support the opening of capabilities and events.

UDM network elements are mainly used to store user data, such as contract data, authentication/authorization data, etc.

UDR network elements are mainly used to store structured data. The stored content includes contract data and policy data, externally exposed structured data and application-related data.

The AF network element mainly supports interaction with the CN to provide services, such as affecting data routing decisions, policy control functions, or providing some third-party services to the network side.

2. Remote attestation technology

In recent years, with the substantial increase in the number of embedded systems, cyber-physical systems, and IoT devices, these systems or devices have been involved in many scenarios of daily life, such as homes, offices, and factories. These systems or devices can be connected to the Internet to provide users with corresponding network services, but they also expand the attacker's attack surface. For example, attackers' malware can affect the security of these systems or devices or steal private data when their drivers are upgraded. Alternatively, the attacker's malware may turn these systems or devices into "zombie" devices, which are maliciously manipulated to become the source of distributed denial of service (DDoS) attacks. However, due to factors such as cost, size, and power, security is often not a priority for these systems or devices, making it difficult to prevent attacks on their own.

In this case, we can use remote attestation technology to verify the security of these systems or devices to determine whether they are under attack. Remote proof includes attester and verifier. The measurer and the verifier can be separated. For example, the measurer can be deployed on the side of these systems or devices, and the verifier can be deployed remotely. Verifiers can request measurers to measure these systems or devices to obtain evidence. Verifiers can use this evidence to verify the security of these systems or devices. Details are introduced below.

Figure 2 is a schematic diagram of the process of remote certification. As shown in Figure 2, the process of remote certification includes:

S201, the verifier sends a challenge message to the measurer. Accordingly, the measurer accepts the challenge message from the challenger.

Challenge messages can carry request information. The request information is used to request the measurer to perform measurement, for example, to request the measurer to measure the above-mentioned system or equipment. The challenge message can also carry a random number uniquely corresponding to this measurement. This random number is used by the measurer for measurement.

S202, the measurer performs measurement.

The measurer can measure based on the challenge message and obtain the evidence required for measurement from the above-mentioned system or device. For example, the measurer can obtain the programs or files inside these systems or devices, and calculate the hash values corresponding to these programs or files based on random numbers.

S203. The measurer sends a response message to the verifier. Correspondingly, the verifier receives the response message from the measurer.

Response messages can be used to indicate measurement completion. The response message can carry the above hash value.

S204, the verifier performs verification.

The verifier can compare the hash value in the response message to the preset hash value of the system or device mentioned above. If the hash value in the response message is the same as the preset hash value of the system or device, it means that the programs or software of these systems or devices have not been tampered with, so the verifier can determine that these systems or devices are trusted devices, that is Make sure the verification is passed. If the hash value in the response message is different from the preset hash value of the system or device, it means that the program or software of these systems or devices may have been tampered with, so the verifier can determine that these systems or devices are untrusted devices, that is, OK verification failed.

3. Network functions virtualization (NFV)

NFV refers to stripping the network functions of traditional types of communication equipment from their physical equipment, and then running them in the form of software on commercial off-the-shelf (COTS) hosts. It can also be said that NFV is a virtual entity (Virtual Instance) implemented by borrowing virtualization technology from Internet technology (IT), and deploys the communication technology (CT) services of traditional communication equipment to the virtual entity. The virtual entity can be a virtual machine (VM) or container (container), or any other possible virtualization function entity, and there is no specific limitation on this.

Figure 3 is a schematic diagram of the architecture of NFV. As shown in Figure 3, NFV includes: network functions virtualization infrastructure (NFVI), virtual network function (VNF), and element management system system, EMS), management, automation and network orchestration (management and orchestration, MANO).

Among them, NFVI can be used to provide virtual resources for VNF. NFVI includes hardware resources, such as hardware network, computing, storage and other devices. In addition, NFVI also includes software resources, such as a virtualization layer, which may include a hypervisor or a container management system. The virtualization layer can virtualize hardware resources into virtual resources, such as virtual network, computing, storage and other functions, for use by VNFs.

EMS and VNF usually have a one-to-one correspondence and are used to configure and manage VNF functions.

VNF is virtualized NF. VNF can be used to provide network services, such as data forwarding, file sharing, directory services, IP configuration, etc. The form of VNF can be application software, that is, it can be an application software that provides network services. VNFs can be deployed in VMs or containers. Taking VM as an example, a VNF can be deployed on one or more VMs, that is, one or more VMs can jointly provide this VNF. Since the operator network may not be aware of VNF, VNF can also be understood as NF in the operator network. In this case, if the VNF provides different network services, the form of the NF may also be different. For example, if the VNF provides data transmission services, the NF can be a UPF network element; if the VNF provides mobility management services, the NF can be an AMF network element; if the VNF provides session management services, the NF can be an SMF network element; if the VNF To provide policy management services, the NF can be a PCF network element, and so on. In this embodiment of the present application, the VNF may have an independent identifier (identifier), such as the identifier of the VNF, to directly identify the VNF. Alternatively, the VNF may not have an independent identity, and the VNF may be indirectly identified by other identities related to the VNF. For example, the identifier of one or more VMs can be used to indirectly identify the VNF provided by the one or more VMs, or the identifier of the NF can also be used to indirectly identify the corresponding VNF. It is understandable that since the business may not be aware of the VNF, for the business, the VNF is the NF.

MANO can provide a framework for managing NFVI and VNF. For example, MANO can include: Network Function virtualization orchestrator (network functions virtualization orchestrator, NFVO), virtualized infrastructure management (virtualized infrastructure management, VIM), and virtual network functions virtualization manager (VNFM).

NFVO is used for the deployment and management of network services and coordinates the deployment and management of VNFs based on network services. NFVO can interface with operations support system (OSS) or business support system (BSS) to obtain business descriptions of network services. NFVO can deploy and manage corresponding network services based on service descriptions. For example, create network services, manage the life cycle of network services, etc. NFVO can coordinate the deployment of VIM and VNFM or manage the corresponding VNF according to network services.

VNFM is used to deploy or manage the corresponding VNF. For example, VNFM can obtain a virtualized network function descriptor (VNFD) from NFVO to add VNF, delete VNF, search for VNF, or manage VNF according to VNFD, such as monitoring and adjusting the status of VNF.

VIM is used to control NFVI to provide corresponding virtual resources for VNF. For example, VIM can control NFVI to provide corresponding virtual resources for VNF deployment or management according to NFVO scheduling. VIM can be a cloud platform, such as an open source cloud platform such as OpenStack, or a commercial cloud platform such as VMWare.

4. VNF security solution based on remote attestation

Figure 4 is a schematic diagram of the architecture of NFV based on remote attestation. As shown in Figure 4, the verifier can be deployed in MANO and the measurer can be deployed in the virtualization layer of NFVI. NFV usually belongs to a service-based architecture (SBA) architecture. For example, network elements or functions within NFV can communicate based on the 3rd generation partnership project (3GPP) protocol, and the measurer and verifier Verifiers usually do not belong to the SBA architecture. For example, the communication between measurers and verifiers is usually based on the European Telecommunications Standards Institute (ETSI) protocol, so configuration files and attestation checking functions can also be deployed between VNFs and verifiers ( profile and attestation check function (PACF), used to implement communication between VNF and verifiers through protocol conversion. On this basis, 3GPP-Security Association (SA) 3#105e-213897 roughly defines the implementation process of the VNF security solution based on remote attestation, as follows.

The measurement process can be triggered by a certain business. For example, after NRF receives a registration request message from a certain customer (customer) NF, it can trigger PACF to start measuring traffic for the customer NF. PACF can send the measurement policy to the verifier, as well as a description of the network element being measured (such as an untrusted VNF). The verifier can request the measurer to measure various data of the untrusted VNF to obtain corresponding evidence. The verifier can verify the evidence to obtain measurement results (attestation results) and send the measurement results to PACF. PACF can convert the measurement conclusion from the ETSI protocol to the 3GPP protocol and send the converted measurement conclusion to the relying party (relying party) VNF. In this way, the relying party VNF may take subsequent actions based on the measurement conclusion. For example, if the relying party VNF is an NRF, the NRF may restrict untrusted NFs from registering to the network if the measurement conclusion is abnormal.

It is understandable that the physical locations of NFVI and VNF are usually together, such as being deployed in a computer room. In this case, if the VNF is attacked, the NFVI may also be attacked, causing the metric deployed on the NFVI to be equally untrustworthy. At this time, the verifier still cannot prove whether the untrusted VNF is trustworthy based on the evidence provided by the measurer, and cannot complete the measurement.

In summary, in response to the above technical problems, the embodiments of this application propose the following technical solutions to avoid the problem that the evidence provided by the measurer still cannot prove whether the untrusted VNF is trustworthy. The technical solutions in this application will be described below with reference to the accompanying drawings.

The technical solutions of the embodiments of this application can be applied to various communication systems, such as wireless fidelity (WiFi) systems, vehicle to everything (V2X) communication systems, device-to-device (D2D) Communication systems, Internet of Vehicles communication systems, fourth generation (4G) mobile communication systems, such as long term evolution (LTE) systems, global interoperability for microwave access (WiMAX) communication systems, 5G, such as new radio (NR) system, and future communication systems.

This application will present various aspects, embodiments, or features in terms of systems, which may include multiple devices, components, modules, etc. It should be understood and appreciated that various systems may include additional devices, components, modules, etc., and/or may not include all devices, components, modules, etc. discussed in connection with the figures. Additionally, a combination of these scenarios can be used.

In addition, in the embodiments of this application, words such as "exemplary" and "for example" are used to represent examples, illustrations or explanations. Any embodiment or design described herein as "example" is not intended to be construed as preferred or advantageous over other embodiments or designs. Rather, the use of the word example is intended to present a concept in a concrete way.

In the embodiments of this application, "information", "signal", "message", "channel" and "signaling" can sometimes be used interchangeably. It should be noted that, When the difference is not emphasized, the meanings they convey are consistent. "Of", "corresponding, relevant" and "corresponding" can sometimes be used interchangeably. It should be noted that when the difference is not emphasized, the meanings they convey are consistent. In addition, the "/" mentioned in this application may be used to express an "or" relationship.

The network architecture and business scenarios described in the embodiments of this application are for the purpose of explaining the technical solutions of the embodiments of this application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of this application. Those of ordinary skill in the art will know that with the network With the evolution of architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.

In order to facilitate understanding of the embodiments of the present application, the communication system applicable to the embodiments of the present application is first described in detail, taking the communication system shown in FIG. 5 as an example. Exemplarily, FIG. 5 is an architectural schematic diagram of a communication system to which the communication method provided by the embodiment of the present application is applicable.

As shown in Figure 5, the communication system can be applied to the above-mentioned 5G system, and mainly includes at least one of the following: VNF, VNF verifier (virtual network function-verifier, V-verifier), VNF measurer (virtual network function-attester, V-attester), hardware measurer (hardware-attester, H-attester), hardware verifier (hardware-verifier, H-Verifier).

For the specific implementation of VNF, please refer to the relevant introduction above and will not be described again. There can be one or more VNFs, such as VNF1, VNF2,...VNFn, where n is an integer greater than or equal to 1.

The VNF measurer is mainly used to measure the VNF to obtain corresponding evidence for verifying whether the VNF is trustworthy. The VNF measurer can be one or more, such as VNF measurer 1, VNF measurer 2, ... VNF measurer m, where m is an integer greater than or equal to 1. A VNF measurer can measure one or more The trustworthiness of VNF is measured.

The VNF verifier is mainly used to verify whether the VNF is trustworthy based on the evidence provided by the VNF measurer. The VNF verifier can verify the VNF locally, or request the remote server to verify the VNF, with no restrictions. The VNF verifier can be a functional network element or network manager, without limitation.

Hardware measurers can be used to measure or endorse VNF measurers. Measurement may refer to: the hardware measurer measures the VNF measurer to obtain corresponding evidence and provide the evidence to the hardware verifier. Endorsement can mean: after obtaining the corresponding evidence, the hardware measurer can verify whether the VNF measurer is trustworthy based on the evidence, thereby providing the hardware verifier with measurement results on whether the VNF measurer is trustworthy. The hardware measurer can be one or more, such as hardware measurer 1, hardware measurer 2,...hardware measurer x, where x is an integer greater than or equal to 1. A hardware measurer can measure or endorse the trustworthiness of one or more VNF measurers.

The hardware verifier can be used to provide the VNF verifier with measurement results of whether the VNF measurer is trustworthy. For example, the hardware verifier can verify whether the VNF measurer is trustworthy based on the evidence provided by the hardware measurer, thereby providing the VNF verifier with the measurement result of whether the VNF measurer is trustworthy. Alternatively, the hardware verifier can provide the VNF verifier with the measurement results of whether the VNF measurer is trustworthy based on the endorsement of the hardware measurer.

In the embodiment of the present application, the VNF measurer is usually deployed in an environment capable of measuring VNF to implement measurement of the VNF. It can be understood that if the VNF measurer is deployed within the VNF, the VNF measurer may not have the authority to measure the VNF. Therefore, a VNF measurer deployed in an environment capable of measuring the VNF usually means that the VNF measurer is deployed outside the VNF. The VNF measurer needs to be deployed in layers or in separate domains with the hardware measurer. That is, the VNF measurer and the hardware measurer need to be deployed in different layers or in different domains so that they can be isolated from each other in the deployment environment to ensure the security of the measurement. Hardware scalers can be deployed within a more secure layer or domain than VNF scalers.

Different domains may refer to networks with different functions. For example, the management network and the service network are different domains. The management network may also be called a management domain, and the service network may also be called a service domain. A domain may include different layers, and there may be a bearer relationship between layers. For example, a domain can include: hardware layer, system layer, and application layer. In order of security from high to low, they are hardware layer, system layer, and application layer. At this time, the system layer can be hosted on the hardware layer, and the application layer can be hosted on the system layer.

The VNF verifier is usually deployed in an environment that can communicate with the VNF so that the VNF verifier can manage the VNF, such as initiating measurements of the VNF. The VNF measurer needs to be deployed in layers or in separate domains with the hardware measurer. That is, the VNF measurer and the hardware measurer need to be deployed in different layers or in different domains so that they can be isolated from each other in the deployment environment to ensure the security of the measurement.

To facilitate understanding, the communication system is introduced below based on specific scenarios.

As shown in (a) in Figure 6, the deployment environment of the communication system includes a business domain and a management domain. VNF1, VNF2,...VNFn are deployed in the virtual machine layer, or VNF layer, in the business domain. One or more VNFs among VNF1, VNF2,...VNFn can serve as VNF verifiers, that is, there can be multiple VNF verifiers to achieve flexible deployment. The VNF metric can be application 1, deployed in the system layer in the business domain, also called the virtualization layer, such as Hypervisor or Host OS. The hardware measurer can be a chip, which is deployed at the hardware layer in the business domain, such as system hardware, firmware, basic input output system (BIOS), operating system (OS), etc. The hardware verifier can be application 2, deployed in the management domain, such as the MANO software of the management domain.

Or, as shown in (b) of Figure 6, the deployment environment of the communication system includes a business domain and a management domain. VNF1, VNF2,...VNFn are deployed in the virtual machine layer in the business domain. The VNF measurer and VNF verifier can be deployed together, such as application 1, at the system layer within the business domain, such as the Hypervisor or Host OS. Hardware measurers and hardware verifiers can be deployed together, such as chips, in the hardware of the management domain.

Or, as shown in (c) in Figure 6, the deployment environment of the communication system includes a business domain and a management domain. VNF1, VNF2,...VNFi are deployed in virtual machine layer 1 in the business domain, VNFi+1, VNF i+2,...VNF n are deployed in virtual machine layer 2 in the business domain, i is any integer between 1 and n. Virtual machine layer 1 and virtual machine layer 2 are different application layers, that is, VNF1, VNF2,...VNFi and VNFi+1, VNF i+2,...VNFn can be isolated from each other to ensure security. One or more VNFs among VNF1, VNF2,...VNFi can serve as VNF verifiers. Similarly, one or more VNFs among VNFi+1, VNF i+2,...VNFn can also serve as VNF verifiers. On this basis, the VNF measurer may include VNF measurer 1 and VNF measurer 2. VNF measurer 1 can be application 1, which is deployed in system layer 1 of the business domain, such as Hypervisor1 or Host OS1, and is used to measure the VNF in virtual machine layer 1. VNF measurer 2 can be application 2, which is deployed in system layer 2 of the business domain, such as Hypervisor2 or Host OS2, and is used to measure the VNF in virtual machine layer 2. System layer 1 and system layer 2 are different system layers, that is, VNF metric 1 and VNF metric 2 can be isolated from each other to ensure security. Hardware measurers and hardware verifiers can be deployed together, such as in application 3. Application 3 may be a software with high trust execution capabilities, such as a software-implemented trusted module (virtual TPM, vTPM), anti-virus software, Or a program with biometric functions, etc., deployed in the operating system of the remote device in the management domain.

In the embodiment of this application, before the VNF verifier triggers the VNF measurer to measure an untrusted VNF, the VNF verifier can request the hardware verifier to measure the VNF measurer. At this time, the hardware verifier can trigger the higher-security hardware measurer to measure or endorse the relatively low-security VNF measurer, so as to provide the VNF verifier with measurement results on whether the VNF measurer is trustworthy. At this time, if the measurement result indicates that the VNF measurer is trustworthy, the VNF verifier can trigger the VNF measurer to measure an untrusted VNF to verify whether the VNF is trustworthy. Otherwise, if the measurement result indicates that the VNF measurer is not trustworthy, the VNF verifier aborts the process. That is to say, the VNF verifier uses the VNF measurer to verify an untrusted VNF only after determining that the VNF measurer is trustworthy to ensure that the evidence provided by the VNF measurer can prove whether the untrusted VNF is trustworthy. letter.

It can be understood that a trustworthy VNF measurer may mean that the VNF measurer may not present security risks. For example, the VNF measurer is a VNF measurer that has performed a secure boot, that is, the VNF measurer's running program and startup sequence are executed according to the predetermined plan, the VNF measurer's program has not been tampered with, or the VNF measurer's program running indicators Within the expected range and so on. In the same way, a VNF that is trustworthy can mean that the VNF may not present security risks. For example, a VNF is a VNF metric that performs safe startup, that is, the VNF running program and startup sequence are executed according to the predetermined plan, the VNF program has not been tampered with, or the VNF program running indicators are within the expected range, etc.

In addition, the VNF verifier and VNF measurer are usually deployed in the operator network to facilitate the operator network to manage and maintain the VNF, but this is not a limitation. For example, the VNF verifier can be deployed in the operator network, and the VNF measurer is deployed in the third-party network, or in the NFVI domain of the public cloud platform. In addition, the hardware verifier and hardware measurer can be deployed in the operator network or in a third-party network, such as an application network, without limitation.

It can be understood that VNF measurer, VNF verifier, hardware measurer, and hardware verifier are exemplary names for convenience in describing the embodiments of the present application, and they can also be replaced by any other possible names. For example, a VNF measurer may also be called a virtual root of trust (VRoT), first measurer or first measure function, and a VNF verifier may also be called a first verifier or first verification Function, the hardware measurer can also be called the root of trust (RoT), the second measurer or the second measure function, and the hardware verifier can also be called the second verifier or the second measure function, without limitation. .

To facilitate understanding, the interaction process between each network element/function in the above communication system will be introduced in detail through method embodiments in conjunction with Figures 7-8 below.

The communication method provided by the embodiment of the present application can be applied to the above-mentioned communication system, and is specifically applied to various scenarios mentioned in the above-mentioned communication system, which will be introduced in detail below.

Exemplarily, FIG. 7 is a schematic flowchart of a communication method provided by an embodiment of the present application. This communication method can be applied to the above communication system, and is mainly suitable for communication between VNF measurers, VNF verifiers, hardware measurers, and hardware verifiers. Among them, the VNF measurer can be one or more, such as VNF measurer 1, VNF2,...VNFn, where n is an integer greater than or equal to 1, and are respectively deployed in one or more system layers. The VNF verifier, hardware metric, and hardware verifier can be one to reduce solution complexity. For the deployment methods of VNF measurer, VNF verifier, hardware measurer, and hardware verifier, please refer to the relevant introduction in the above communication system and will not be described again.

Specifically, as shown in Figure 7, the flow of this communication method is as follows:

S700, the customer function (CF) triggers the VNF verifier to measure the VNF.

Among them, CF may be various forms of network functions/network elements/devices. In a possible way, the CF may be a network manager within the operator's network, such as a resource monitor. CF can periodically trigger the VNF verifier to measure the VNF according to the pre-configured policy of the operator network. Alternatively, CF can monitor the status of the VNF to trigger the VNF verifier to measure the VNF based on the status of the VNF, such as the VNF being in a high-load state for a long time. In another possible way, the CF can be a functional network element within the operator's network, and the CF can trigger measurement of the VNF based on the execution of the business process. For example, CF is an SMF network element and VNF is a PCF network element. If the SMF network element attempts to subscribe to the PCF network element multiple times but fails, the SMF network element can trigger the VNF verifier to measure the PCF network element.

The CF may send a first message to the VNF verifier, and the first message may be used to trigger the VNF verifier to initiate measurement of the VNF. For example, the first message can be any possible message without limitation. The first message may include identification information of the VNF. The first message can trigger the VNF verifier to initiate measurement of the VNF through the message type or the identification information of the VNF it carries. Alternatively, the first message may also carry additional information elements to trigger the VNF verifier to initiate measurement of the VNF through the information elements.

The identification information of the VNF can be used to directly identify the VNF. For example, the identification information of the VNF can include the identifier (identifier, ID) of the VNF. Alternatively, the identification information of the VNF may be used to indirectly identify the VNF. For example, the identification information of the VNF may include the identification of the NF corresponding to the VNF. It can be understood that whether the identification information of the VNF is specifically the identification of the VNF or the identification of the NF may depend on the CF capability. For example, if the capability of CF can support the function of CF being aware of the virtual machine layer, that is, CF pre-configures the identity of the VNF, then the CF provides the identity of the VNF. If CF's capability supports CF to perceive the functions of the business layer but cannot perceive the functions of the virtual machine layer, that is, CF pre-configures the identifier of the NF corresponding to the VNF but does not configure the identifier of the VNF, then CF provides the identifier of the NF. logo. In addition, the VNF may not have an identity. In this case, the CF may also provide the VNF verifier with the identity of the NF corresponding to the VNF. For example, in 5GC, the identifier of the UDM network element at the service layer, that is, the identifier of the UDM network element is 00111. However, UDM network elements are deployed through virtualization, and the corresponding VNF identifier in NFVI is ab247a8cb. At this time, CF is a functional network element, and CF can pre-configure the VNF identifier to provide the VNF authenticator with the VNF identifier, that is, ab247a8cb. Alternatively, if the CF does not pre-configure the identity of the VNF, the CF may provide the VNF verifier with the identity of the UDM network element, that is, 00111.

Optionally, the identification information of the VNF may also include at least one of the following: the computer room number of the VNF, the host number of the VNF, or the operating system number on the host of the VNF, etc., used to locate the VNF, such as locating the VNF. The deployment location can also be called VNF description information or VNF positioning information. In other words, since the VNF and the VNF metric corresponding to the VNF may be deployed in the same physical location, such as in the same computer room or on the same host, the VNF verifier can also address the VNF based on the identification information of the VNF. The corresponding VNF metric.

It can be understood that CF can trigger the measurement of multiple VNFs at the same time. In this case, CF's execution logic for each VNF is similar. You can refer to the above understanding and will not go into details.

In addition, S700 is an optional step. For example, CF and VNF verifiers can be combined and set up, that is, the VNF verifier can include the functions of CF, and the VNF verifier can trigger the measurement of VNF by itself.

S701. The VNF verifier determines that the VNF measurer is a trusted VNF measurer, or the VNF measurer is a trustworthy and questionable VNF measurer.

Among them, a trusted VNF measurer refers to: the VNF measurer is a trusted VNF measurer who has been measured, or the VNF measurer is a trusted VNF measurer who has been measured and whose measurement credentials have not expired, that is, , the VNF verifier determines that the VNF measurer is trustworthy. A VNF measurer whose trustworthiness is doubtful means: the VNF measurer is a measurer who has not been measured, or the VNF measurer is a VNF measurer who has been measured and whose measurement certificate is invalid, that is, the VNF verifier is not sure about the measurer. Whether the VNF measurer is trustworthy.

Specifically, the VNF verifier can determine the VNF measurer corresponding to the VNF based on the identification information of the VNF.

Among them, the VNF verifier can locate the VNF based on the identification information of the VNF and find the VNF measurer at the deployment location of the VNF. For example, the identification information of the VNF includes host number 1. The VNF verifier can use host number 1 to find that VNF metric 1 is deployed on the host corresponding to host number 1. Alternatively, the VNF verifier is pre-configured with a corresponding relationship between the identification information of the VNF and the identification information of the VNF measurer. Among them, the identification information of the VNF measurer can be used to identify the VNF measurer, and can be used by subsequent hardware verifiers to find the hardware measurer corresponding to the VNF measurer based on the identification information of the VNF measurer. For details, please refer to S702, which will not be described again. The identification information of the VNF measurer may include an identification of the VNF measurer. The identifier of the VNF measurer may be an identifier assigned to the VNF measurer by the operator network, which is used by the operator network to distinguish different VNF measurers. Description of the VNF measurer. Optionally, the identification information of the VNF measurer may also include at least one of the following: the computer room number of the VNF measurer, the host number of the VNF measurer, the operating system number on the host of the VNF measurer, and the number of the VNF corresponding to the VNF measurer. The identifier, the identifier of the NF corresponding to the VNF, etc., is used to locate the VNF measurer, such as locating the deployment location of the VNF measurer, which can also be called the description information of the VNF measurer or the positioning information of the VNF measurer. The VNF verifier can traverse the corresponding relationship based on the VNF information to find the VNF measurer corresponding to the VNF.

For example, an example of the above correspondence relationship can be shown in Table 1 below.

Table 1

It can be understood that the above methods are only some examples and are used as limitations. For example, the VNF verifier can also combine positioning and traversing the corresponding relationship to determine the VNF measurer. For example, the identification information of the VNF includes host number 2. The VNF verifier can use host number 2 to find that VNF measurer 2 is deployed on the host corresponding to host number 2. And, the VNF verifier can also traverse the corresponding relationship according to the identification information of the VNF to determine VNF measurer 2 and VNF measurer 3. In this way, the VNF verifier finally determines that the VNF measurer that needs to be verified is VNF measurer 2.

After determining the VNF measurer corresponding to the VNF, the VNF verifier can determine whether the VNF measurer is a trusted VNF measurer or a trustworthy and questionable VNF through security credentials or measurement records, or any other possible method. The measurer is introduced in detail below.

In one possible way, the VNF verifier can determine whether the VNF measurer is a trusted VNF measurer or a doubtful VNF measurer based on the security credentials. The security certificate can be a security certificate issued by a VNF verifier or a hardware verifier for a trusted VNF measurer, that is, a measurement certificate. For example, after the VNF verifier triggers the hardware verifier to initiate measurement of a certain VNF measurer, if it is determined that the VNF measurer is trustworthy, the hardware verifier or VNF verifier will issue a security certificate to the VNF measurer. Otherwise, it will not Issue security credentials. Security certificates do not have to be time-sensitive. That is, if a security certificate is issued to a trusted VNF measurer, it means that the VNF measurer will be trusted in the future. That is, if the VNF measurer has security credentials, it means that the VNF measurer is a trusted VNF measurer who has been measured. If the VNF measurer does not have a security certificate, it means that the VNF measurer is an unmeasured VNF measurer, that is, a VNF measurer who is trustworthy and questionable. Alternatively, the security certificate can also be time-sensitive. For example, the duration can be 1 day, 1 week, or 1 month, etc., to indicate that the VNF metric corresponding to the security certificate is trustworthy within this period of time, that is, the VNF A measurer is a trusted VNF measurer who has been measured and whose measurement credentials have not expired. If this period of time is exceeded, the VNF measurer is not trustworthy and needs to be measured again. That is, the VNF measurer is a VNF measurer that has been measured and whose measurement certificate is invalid. In addition, security credentials can be stored on the VNF verifier or hardware verifier, associated with the VNF metric information. Whether the CF that was previously triggered to measure the VNF measurer is credible may be different from the CF triggered this time. In the case where the security credentials are stored on the VNF verifier by default, the VNF verifier can determine whether the VNF measurer has security credentials, such as determining whether the VNF measurer's information is associated with the security credentials. If the VNF measurer's information is not associated with a security credential, it means that the VNF measurer does not have a security certificate. The VNF verifier can trigger the hardware verifier to initiate measurement of the VNF measurer, and perform S702-S706. If the VNF measurer's information is associated with security credentials, it means that the VNF measurer has security credentials. In this case, if the security certificate is not timely, there is no need to measure the VNF measurer, and S707-S711 are performed. Or, if the security credentials are time-sensitive, then The VNF measurer can also determine whether the security credentials are valid. If the security credentials are valid, there is no need to measure the VNF measurer and perform S707-S711. If the security credentials are invalid, the VNF measurer needs to be measured again, and S702-S706 are executed.

In the case where the security credentials are stored on the hardware verifier by default, the VNF verifier can request the hardware verifier to determine whether the VNF measurer is a trusted VNF measurer or a trustworthy and questionable VNF measurer based on the security credentials. Among them, the VNF verifier can provide the identification information of the VNF measurer to the hardware verifier. The hardware verifier can perform similar judgments to the VNF verifier based on the identification information of the VNF measurer. For details, please refer to the above related introduction and will not be repeated. . Thereafter, the hardware verifier may indicate to the VNF verifier whether the VNF measurer is a trusted VNF measurer or a questionable VNF measurer. Of course, the hardware verifier can also provide the VNF verifier with the security credentials of the VNF measurer, so that the VNF verifier can determine by itself whether the VNF measurer is a trusted VNF measurer or a trustworthy and questionable VNF measurer. The specific implementation can be Please refer to the relevant introduction above and will not go into details again. In this case, if the VNF verifier times out and still does not obtain the security credentials of the VNF measurer provided by the hardware verifier, the VNF verifier determines that the VNF measurer is a trustworthy and questionable VNF measurer.

Of course, in the case where either the VNF verifier or the hardware verifier may store security credentials, if the VNF verifier determines that the VNF measurer does not have security credentials, the VNF verifier can also request the hardware verifier to determine whether the VNF measurer is trustworthy. For specific implementation, please refer to the above relevant introductions and will not be described again.

In another possible way, the VNF verifier can determine whether the VNF measurer is a trusted VNF measurer or a doubtful VNF measurer based on the measurement record of the VNF measurer. For example, a VNF measurer's measurement record may be stored on a VNF verifier or hardware verifier and associated with the VNF measurer's information.

In the case where the measurement records are stored on the VNF verifier by default, the VNF verifier can determine whether the VNF measurer has a measurement record, for example, determine whether the VNF measurer's information is associated with the measurement record. If the VNF measurer's information is not associated with the measurement record, it means that the VNF measurer has not performed excessive measurements, that is, the VNF measurer is a trustworthy and questionable VNF measurer. In this case, the VNF verifier can trigger the hardware verifier to initiate measurement of the VNF measurer, and perform S702-S711. If the VNF measurer's information is associated with the measurement record, it means that the VNF measurer is a trusted VNF measurer, and there is no need to measure again. S707-S711 are performed.

In the case where the measurement records are stored on the hardware verifier by default, the VNF verifier can request the hardware verifier to determine whether the VNF measurer is a trusted VNF measurer or a trustworthy and questionable VNF measurer based on the measurement records. Among them, the VNF verifier can provide the identification information of the VNF measurer to the hardware verifier. The hardware verifier can perform similar judgments to the VNF verifier based on the identification information of the VNF measurer. For details, please refer to the above related introduction and will not be repeated. .

Of course, in the case where either the VNF verifier or the hardware verifier may store metric records, if the VNF verifier determines that the VNF metric has no metric record, the VNF verifier can also request the hardware verifier to determine the VNF metric based on the metric record. Whether it is a credible VNF measurer or a VNF measurer whose credibility is doubtful, please refer to the above related introduction for specific implementation and will not be repeated again.

It should be pointed out that if the VNF verifier is a network element with network management rights, such as a functional network manager, the VNF verifier can obtain all the information in the identification information of the above-mentioned VNF measurer. In this case, the VNF verifier can use any one or more pieces of the identification information of the VNF measurer to characterize the VNF measurer, that is, use this information to perform the above processing logic on the VNF measurer. If the VNF validator is out of network For network elements with management permissions, such as functional network elements, since the VNF measurer is usually located at the virtualization layer, the VNF verifier may not be able to obtain relevant information about the virtualization layer because it is unable to perceive the existence of the virtualization layer, such as the VNF measurer. The identification information of the VNF measurer. In this case, the VNF verifier can use the identification information of the VNF measurer other than the identification of the VNF measurer to characterize the VNF measurer, such as the identification of the NF, that is, use this information to perform the above-mentioned VNF measurement. the processor’s processing logic.

It can be understood that S701 is an optional step. For example, the VNF verifier triggers the measurement of the VNF measurer by default. In this case, S701 is not executed.

S702: The VNF verifier requests the hardware verifier to initiate measurement of the VNF measurer.

Among them, the VNF verifier can send the second message to the hardware verifier. The second message may be used to request the hardware verifier to initiate measurement of the VNF measurer. For example, the second message can be any possible message without limitation. The second message may include identification information of the VNF measurer. The second message may request the hardware verifier to initiate measurement of the VNF measurer through the message type or the identification information of the VNF measurer it carries. Alternatively, the first message may also carry an additional information element to request the hardware verifier to initiate measurement of the VNF measurer through the information element.

For the VNF verifier, if the VNF verifier is a network element with network management rights, such as a functional network manager, the VNF verifier can choose to carry any one or more of the identification information of the VNF metric in the second message. , without limitation. If the VNF verifier is a network element without network management authority, such as a functional network element, the VNF verifier carries the identification information of the VNF measurer, such as the NF identifier, in the second message by default.

For the hardware verifier, after receiving the second message, the hardware verifier can determine the hardware measurer corresponding to the VNF measurer based on the identification information of the VNF measurer.

Specifically, the hardware verifier can locate the VNF measurer based on the identification information of the VNF measurer and find the hardware measurer at the deployment location of the VNF measurer. For example, the identification information of the VNF measurer includes host number 1. The hardware verifier can use host number 1 to find that hardware verifier 1 is deployed on the host corresponding to host number 1. Alternatively, the hardware verifier is pre-configured with a corresponding relationship between the identification information of the hardware measurer and the identification information of the VNF measurer. The hardware verifier can traverse the corresponding relationship based on the identification information of the VNF measurer to find the hardware measurer corresponding to the VNF measurer. For example, an example of the corresponding relationship can be shown in Table 2 below.

Table 2

It can be understood that the above methods are only some examples and are used as limitations. For example, the hardware verifier can also determine the hardware measurer by combining positioning and traversing the corresponding relationship. For specific implementation, please refer to the above introduction to the VNF verifier, which will not be described again.

It should be noted that since hardware verifiers are usually deployed on third-party networks, hardware verifiers may not be able to identify identifiers within the operator's network, such as the identifier of the VNF metric. In this case, the hardware verifier can determine the hardware metric corresponding to the VNF metric based on other information in the identification information of the VNF metric, such as computer room number, host number, etc. In addition, if the hardware metric is one, the hardware verifier defaults to Execute S703.

S703. The hardware verifier requests the hardware measurer to measure or endorse the VNF measurer.

Wherein, the hardware verifier may send a third message to the hardware measurer. The third message can be used to request the hardware verifier to measure or endorse the VNF measurer. For example, the third message can be any possible message without limitation. The third message may include the identification of the VNF measurer. The third message may request the hardware measurer to measure or endorse the VNF measurer through the message type or the identification of the VNF measurer it carries. Alternatively, the third message may also carry an additional information element to request the hardware measurer to measure or endorse the VNF measurer through the information element.

Optionally, the third message may also include a policy indicated by the hardware verifier, which policy may be a metric or an endorsement. That is, the hardware measurer can determine whether to measure or endorse the VNF measurer according to the instructions of the policy. Among them, whether the policy indicated by the hardware verifier is measurement or endorsement may depend on the capabilities of the hardware verifier. For example, if the hardware measurer is relatively powerful, the hardware verifier can instruct the policy to endorse. If the hardware measurer's computing power is relatively poor, the hardware verifier can instruct the policy to measure. Alternatively, whether the policy indicated by the hardware certifier is measurement or endorsement may also depend on the management policy of the management domain or the security level set by the management domain to the business domain. For example, in cases where the security level is high, metrics are used. In cases where the security level is lower, endorsement is used. Of course, if the third message does not include the policy indicated by the hardware verifier, the hardware verifier may measure or endorse the VNF measurer by default.

S704: The hardware measurer measures or endorses the VNF measurer.

Among them, the hardware measurer can check the relevant processes, files, memory, etc. of the VNF measurer and obtain corresponding evidence. For example, the evidence may include the running data of the VNF measurer, which may include at least one of the following: the layer-by-layer startup data of the VNF measurer, the memory data list of the VNF measurer, the system resource change sequence when the VNF measurer is running, or other Any possible data, etc., without limitation. Among them, the layer-by-layer startup data of the VNF measurer can be a sequence of hash values. For example, each layer startup of the VNF measurer will record a corresponding hash value. When multiple layers are started in sequence, such as starting from the BIOS to the application layer, the hash value sequence can be obtained to represent the VNF measurer. Layer-by-layer startup sequence. The memory data list of the VNF measurer may be: the memory location of each program of the VNF measurer. The sequence of system resource changes when the VNF measurer is running can be: the memory and/or central processing unit (CPU) occupancy of the VNF measurer.

If the policy is a measurement, the hardware measurer can provide these evidences to the hardware verifier, that is, perform S705. If the policy is endorsement, the hardware measurer determines the endorsement result based on these evidences, and the endorsement result can be used to instruct the hardware measurer to determine whether the VNF measurer is trustworthy. For example, the hardware metric can determine whether at least one of the following matches: whether the layer-by-layer startup sequence of the VNF metric matches a preset layer-by-layer startup sequence, and whether the locations of each program in the VNF metric's memory match the preset location. , or whether the memory and/or CPU usage of the VNF measurer matches the preset usage. If any of the above at least one item does not match, the hardware measurer may determine that the VNF measurer is not trustworthy, and execute S705. Alternatively, if at least one of the above items matches, the hardware measurer may determine that the VNF measurer is trustworthy, and perform S705.

It can be understood that the above judgment methods are only some examples and are not intended to be limiting. For example, if at least one of the above items does not match, the hardware measurer may determine that the VNF measurer is not trustworthy. Alternatively, if any of the above at least one item does not match, the hardware measurer may determine that the VNF measurer is trustworthy.

S705, the hardware measurer provides evidence or endorsement results to the hardware verifier.

Wherein, the hardware measurer may send a fourth message to the hardware verifier. The fourth message can be used to provide evidence or endorsement results to the hardware verifier. For example, the fourth message can be any possible message without limitation. The fourth message may include evidence of the VNF measurer, or measurement evidence of the VNF measurer, and the measurement evidence of the VNF measurer may be used to indicate whether the VNF measurer is trustworthy. That is, if the policy is a metric, the hardware metric can encapsulate the VNF metric's evidence into the fourth message. If the policy is endorsement, the hardware measurer can generate the corresponding endorsement result based on whether the VNF measurer is trustworthy, sign the endorsement result, and then encapsulate the endorsement result into the fourth message.

For the hardware verifier, if the fourth message includes the evidence of the VNF measurer, the hardware verifier can further determine the measurement result of the VNF measurer based on the evidence of the VNF measurer, and the measurement result can be used to indicate hardware verification. The user determines whether the VNF metric is trustworthy. The specific principles are similar to those of the hardware metric and can be understood by reference without going into details. If the fourth message includes the VNF measurer's endorsement result, the hardware verifier can verify whether the signature of the endorsement result is valid. At this time, if the signature of the endorsement result is valid, the hardware verifier can determine the measurement result of the VNF measurer, and the measurement result can be used to instruct the hardware verifier to determine that the VNF measurer is trustworthy. If the signature of the endorsement result is invalid, such as being tampered with, the hardware verifier can determine the measurement result of the VNF measurer, and the measurement result can be used to indicate to the hardware verifier that the VNF measurer is not trustworthy.

S706: The hardware verifier provides the measurement results to the VNF verifier.

Among them, the hardware verifier can send the fifth message to the VNF verifier. The fifth message can be used to indicate whether the VNF measurer is trustworthy. For example, the fifth message can be any possible message without limitation. The fifth message may include: the measurement result of the VNF measurer, and the identification information of the VNF measurement, such as the identification of the VNF measurement. In this way, after receiving the fifth message, the VNF verifier can determine whether the VNF measurer is trustworthy based on the measurement results of the VNF measurer and the identification information of the VNF measure. If the VNF measurer is trustworthy, the VNF verifier triggers execution of S707-S711 to measure the VNF corresponding to the VNF measurer. If the VNF measurer is not trustworthy, the process ends.

S707. The VNF verifier requests the VNF measurer to initiate measurement of the VNF.

Wherein, the VNF verifier may send a sixth message to the VNF measurer. The sixth message may be used to request the VNF measurer to measure the VNF. For example, the sixth message can be any possible message without limitation. The sixth message may include identification information of the VNF. The sixth message may request the VNF measurer to initiate measurement of the VNF through the message type or the identification information of the VNF carried by the message type. Alternatively, the sixth message may also carry an additional information element to request the VNF measurer to initiate measurement of the VNF through the information element.

S708: The VNF measurer initiates measurement of the VNF.

Among them, the VNF measurer can obtain the corresponding operating data from the VM where the VNF is located, or the system layer where the VNF is located, such as the Host OS, which can also be called the VNF operating data, recorded as the first evidence. For example, the first evidence may include at least one of the following: network traffic data, memory and/or CPU usage, or any other possible data, etc., without limitation.

Optionally, the VNF measurer can also obtain the interaction data within the SBA architecture from the VNF, such as from the business module within the VNF, which can also be called the internal interaction data of the VNF, and record it as the second evidence. For example, the second evidence may include at least one of the following: key derivation, storage and update records, signatures of key files, signatures of key codes, or any other possible data, etc., without limitation.

Optionally, the VNF metric can also obtain the VNF metric from the network side of the VNF, such as the access side network management. The interaction data with the network, which can also be called the external interaction data of the VNF, is recorded as the third evidence. For example, the third evidence may include at least one of the following: the number of abnormal situations during transmission, the number of business alarms, or any other possible data, etc., without limitation.

Among them, the external interaction data of VNF and the internal interaction data of VNF can also be understood as the interaction data of VNF, or the communication data of VNF, and there is no specific limitation on this. In addition, the above-mentioned first evidence, second evidence and third evidence can also be understood as static evidence and dynamic evidence. For example, static evidence may include at least one of the following: signatures of key files, signatures of key codes, or any other possible static data, without limitation. Dynamic evidence can include at least one of the following: network traffic data, memory and/or CPU usage, key deduction, storage and update records, the number of abnormal situations during transmission, the number of business alarms, any other possible dynamic data, etc. No restrictions.

S709, the VNF measurer provides evidence to the VNF verifier.

The VNF measurer may send a seventh message to the VNF verifier. The seventh message can be used to provide evidence to the VNF verifier. For example, the seventh message may be any possible message, such as an attestation response (nattester_attestation_response) message or an attestation notification (nattester_attestation_notify) message, which is not specifically limited. The seventh message may include: the identification of the VNF, and the evidence obtained by the VNF measurer, such as at least one of the following: first evidence, second evidence, or third evidence, that is, static evidence and dynamic evidence.

S710, the VNF verifier determines whether the VNF is trustworthy.

Among them, after receiving the seventh message, the VNF verifier can determine whether the VNF is trustworthy based on the evidence obtained by the VNF measurer. For example, the VNF verifier can determine whether at least one of the following matches: whether the signature of the key file matches the preset file signature, whether the signature of the key code matches the preset code signature, whether the network traffic data matches the preset traffic data, whether the memory And/or whether the CPU occupancy matches the preset occupancy, whether the key derivation, storage and update records match the preset records, whether the number of abnormal situations during transmission matches the preset number, or whether the number of business alarms matches the preset number. Let the times match. If the above number of unmatched data is greater than or equal to the preset number, the VNF verifier may determine that the VNF is not trustworthy. If the number of the above unmatched data is less than the preset number, the VNF verifier can determine that the VNF is trustworthy. The preset number can be set according to actual needs and is not limited.

S711, VNF verifier execution alarm.

If the VNF verifier determines that the VNF is not trustworthy, the VNF verifier may issue an alert. For example, the VNF verifier can perform at least one of the following operations: notify the operator manager or computer room network manager, issue an alarm for the NFVI infrastructure, and record in the detection record or log, such as MANO's detection record or the log of the remote attestation system. The VNF is untrustworthy, or any other possible operations are not limited.

It can be understood that S711 is an optional step. For example, if the VNF verifier determines that the VNF is trustworthy, S711 will not be executed.

In summary, the technical solutions provided by the embodiments of this application have the following technical effects:

1) By measuring or endorsing a relatively low-security VNF metric by a relatively high-security hardware metric, it can be determined whether the VNF metric is trustworthy. In this way, when the VNF measurer is trustworthy, the VNF verifier uses the VNF measurer to verify an untrusted VNF to ensure that the evidence provided by the VNF measurer can prove whether the untrusted VNF is trustworthy.

2) Since the VNF measurer and VNF verifier can be deployed in the operator network, it is convenient for the operator network to manage and maintain the VNF measurer and VNF verifier, such as configuring/updating the VNF measurer's policy, configuring/ Update the preset parameters used to verify whether the VNF is trustworthy, etc.

3) For trusted VNF measurers, the VNF verifier can no longer trigger the measurement of the VNF measurer to avoid executing redundant processes, reduce equipment overhead, and improve operating efficiency.

4) CF can initiate measurement of multiple VNFs at the same time, which can improve measurement efficiency and achieve efficient measurement.

The above describes in detail the flow of the communication method provided by the embodiment of the present application in a specific scenario with reference to FIG. 7 . The overall process of this communication method is introduced below with reference to Figure 8.

Among them, FIG. 8 is a schematic flow chart 2 of the communication method provided by the embodiment of the present application. This communication method is suitable for communication between the first verifier, the first measurer, the second verifier and the second measurer. Among them, the first verifier can be the above-mentioned VNF verifier, the first measurer can be the above-mentioned VNF measurer, the second verifier can be the above-mentioned hardware verifier, and the second measurer can be the above-mentioned hardware measurer. .

As shown in Figure 8, the flow of this communication method is as follows:

S801. The first verifier sends the first request to the second verifier. The second verifier receives the first request from the first verifier.

The first verifier may report to the second verifier when determining whether it is trustworthy to measure the first network element (the above-mentioned VNF) using the first measurer (or the first measurer associated with the first verifier). or sends the first request.

The security of the second verifier can be higher than the security of the first metric. For example, the first measurer is deployed in the business domain and the second verifier is deployed in the management domain. That is to say, the second validator can be deployed in a more secure network environment than the first metric to ensure that the security of the second validator is higher than the security of the first metric.

The first request (the above-mentioned second message) may be used to request the second verifier to initiate measurement of the first measurer. For example, the first request may include addressing information of the first measurer (identification information of the VNF measurer described above). Among them, the first verifier obtains the addressing information of the first measurer, and sends a first request containing the addressing information to the second verifier, so that the second verifier can find the first measurer and perform verification on it. measure.

Optionally, when the first verifier is a functional network element, such as a network data analytics function (NWDAF) network element, the first verifier obtains the identification information of the first network element. For example, the first measurer is usually located in the virtualization layer, and the functional network element may not be aware of the existence of the virtualization layer, and therefore cannot obtain the identification information of the first measurer. In this case, the functional network element can provide service layer information, such as identification information of the first network element related to the first measurer, so that the second verifier can find the first measurer through the first network element. Or, in the case where the first certifier is a functional network manager, such as element management (EM) or operation administration and maintenance (OAM) in NFV, the first certifier obtains at least one of the following: The identification information of the first measurer or the identification information of the first network element. That is, the functional network element can not only obtain virtualization layer information, such as the identification information of the first measurer, but also obtain service layer information, such as the identification information of the first network element. In this way, functional network elements can selectively provide relevant information without limitation. On this basis, when the first verifier is a functional network element, the identification information of the first network element includes the identification of the network function NF. It can be understood that since the functional network element may not be aware of the existence of the virtualization layer, the first network element is the function of the business layer for the functional network element, that is, NF, so the identification of NF can be obtained. Or, in the case where the first authenticator is the functional network management, the identification information of the first network element includes the identification of the virtual network function VNF. It can be understood that since the functional network management can sense the existence of the virtualization layer, the first network element is the function of the virtualization layer for the functional network element, that is, the VNF, and therefore the identification of the VNF can be obtained.

In addition, the specific implementation of S801 can also refer to the relevant introduction in S702 above, and will not be described again.

S802: The second verifier determines the second measurer associated with the first measurer according to the first request.

The second verifier can determine the first measurer based on the addressing information of the first measurer, so that the second verifier determines the second measurer based on the first measurer. The security of the second metric is higher than the security of the first metric. The first measurer is deployed at the software layer, and the second measurer is deployed at the hardware layer. That is, the second measurer can be deployed in a more secure hardware environment than the first measurer to ensure that the security of the second measurer is higher than the security of the first measurer.

In addition, the specific implementation of S802 can also refer to the relevant introduction in S702 above, and will not be described again.

S803. The second verifier measures the first measurer through the second measurer and determines that the first measurer is credible.

In one possible design solution, the second verifier sends a third request (the above-mentioned third message) to the second measurer, and receives a third response (the above-mentioned fourth message) returned by the second measurer in response to the third request. The third request is used to request the second measurer to measure the first measurer, and the third response includes the measurement evidence of the first measurer. In this way, the second verifier determines that the first measurer is credible based on the measurement evidence of the first measurer. It can be seen that the second measurer is mainly used to collect measurement evidence, and the second verifier is mainly used to verify the measurement evidence. This can evenly share the load of the second measurer and the second verifier to improve the overall operating efficiency.

Optionally, the measurement evidence of the first measurer includes the operating data of the first measurer, such as the startup data of the first measurer, the operating data in the memory of the first measurer, etc., without limitation. For example, the operating data of the first measurer may include at least one of the following: load occupancy of the processor, storage order of the internal memory, storage occupancy of the storage space, and other information. The second verifier can verify whether these operating data are within the preset baseline value range. If these operating data are not within the baseline range, it means that these operating data are abnormal and may have been tampered with, which means that the work of the first measurer The state may be abnormal and the first measurer cannot be trusted. On the contrary, if these operating data are within the baseline range, it means that these operating data are normal, which means that the first measurer's working status is normal and the first measurer is trustworthy. Optionally, the third request is used to instruct the second measurer to provide measurement evidence, or the second verifier can also provide measurement evidence by default without limitation.

Or, in another possible design solution, the second verifier can send a third request (the above-mentioned third message) to the second measurer, and receive the third response (the above-mentioned fourth message) returned by the second measurer in response to the third request. information). Wherein, the third request is used to request the second measurer to measure the first measurer, and the third response includes the endorsement result of the first measurer, and the endorsement result is used to indicate that the second measurer determines that the first measurer can letter. In this way, the second verifier confirms that the first measurer is trustworthy by verifying the endorsement result. That is to say, in the case where the second measurer endorses the first measurer, such as providing the second measurer with an endorsement result that determines the trustworthiness of the first measurer, the second verifier only verifies the endorsement result, such as verifying Whether the endorsement has been tampered with can determine the credibility of the first measurer, which can reduce the computational load of the second verifier and improve operating efficiency.

In addition, for the specific implementation of S803, you can also refer to the relevant introductions in S703-S705 mentioned above, which will not be described again.

S804. The second verifier sends the first response to the first verifier. The first verifier receives a first response returned by the second verifier in response to the first request.

Among them, the first response (the above-mentioned fifth message) can be used to indicate that the first verifier is trustworthy. For specific implementation, you can also refer to the relevant introduction in the above-mentioned S706, which will not be described again.

S805: The first verifier uses the first measurer to measure whether the first network element is trustworthy.

Wherein, the first verifier may send a second request (the above-mentioned sixth message) to the first measurer; the second request is used to request the first measurer to measure the first network element; the first verifier receives the first The second response (the above-mentioned seventh message) returned by the measurer in response to the second request; the second response includes the measurement evidence of the first network element; the first verifier determines whether the first network element is based on the measurement evidence of the first network element Believable. It can be seen that the first measurer is mainly used to collect measurement evidence, and the first verifier is mainly used to verify the measurement evidence. This can evenly share the load of the first measurer and the first verifier to improve the overall operating efficiency.

Optionally, the measurement evidence of the first network element includes at least one of the following: operating data of the first network element, or communication data of the first network element. It can be seen that the operation data and communication data of the first network element are data in different dimensions, so as to measure the first network element through multiple dimensions and ensure the accuracy of the measurement. For example, taking the operating data of the first network element as an example, the operating data may include at least one of the following: load occupancy of the processor, storage order of the internal memory, storage occupancy of the storage space, and other information. The first verifier can verify whether these operating data are within the preset baseline value range. If these operating data are not within the baseline range, it means that these operating data are abnormal and may have been tampered with, which means that the working status of the first network element It may be abnormal and the first network element cannot be trusted. On the contrary, if these operating data are within the baseline range, it means that these operating data are normal, which means that the working status of the first network element is normal and the first network element is trustworthy.

In addition, the specific implementation of S805 can also refer to the relevant introductions in S707-S711 mentioned above, and will not be described again.

In summary, when the first verifier cannot determine whether the first measurer is trustworthy, the first verifier can request a second verifier with higher security to measure the first measurer to determine the first degree. Those who measure can be trusted. In this way, the first verifier can determine whether the first network element is trustworthy by measuring the first network element, such as the VNF, through the trusted first measurer.

In conjunction with the above embodiment, a possible design solution is that before S801, the first verifier can also determine that the first measurer is a trustworthy and questionable measurer. In other words, the first verifier only triggers the measurement of the first measurer when it is unable to determine whether the first measurer is trustworthy. On the contrary, if the first verifier determines that the first measurer is trustworthy, it can directly use the first measurer to measure the first network element without triggering the measurement of the first measurer to avoid executing an invalid measurement process. Save communication overhead.

In addition, the specific implementation of this design solution can also refer to the relevant introduction in S701 above, and will not be described again.

In conjunction with the above embodiment, a possible design solution is that before S801, the first verifier can receive indication information from the second network element (the above-mentioned CF). The second network element is associated with the first network element, and the instruction information is used to instruct the first verifier to initiate measurement of the first network element; the first verifier determines to use the first measurer to measure the first network element according to the instruction information. That is to say, the measurement of the first network element can be triggered by other network elements, such as the second network element. For example, if the second network element determines that communication with the first network element is abnormal, the measurement of the first network element can be triggered. In this way, measurement can be triggered on demand to avoid executing invalid measurement processes and save communication overhead.

Optionally, the indication information includes the identification information of the first network element. The first verifier stores the corresponding relationship between the identification information of each measurer and the identification information of the network element associated with the measurer. The first verifier performs the verification according to the indication information. , determining to use the first measurer to measure the first network element includes: the first verifier based on the identification information of the first network element and the According to the relationship, the first metric corresponding to the first network element is determined. That is to say, even if the second network element initiates measurement of multiple network elements at the same time, the first measurer can still find the corresponding measurer of each network element based on the identification information and corresponding relationship of the network element, thereby realizing the measurement. Synchronous measurement of multiple network elements improves measurement efficiency.

In addition, the specific implementation of this design solution can also refer to the relevant introduction in S710 mentioned above, which will not be described again.

Combined with the above embodiment, a possible design solution is that after S804, the first verifier uses the first measurer to measure whether the third network element is trustworthy. That is to say, if the first measurer is trustworthy, the first verifier can directly use the first measurer to measure other network elements without triggering the measurement of the first measurer again to avoid performing invalid tasks. Measure processes and save communication overhead.

The communication method provided by the embodiment of the present application is described in detail above with reference to Figures 7-8. The communication device used to perform the communication method provided by the embodiment of the present application will be described in detail below with reference to FIGS. 9 and 10 .

For example, FIG. 9 is a schematic structural diagram of a communication device provided by an embodiment of the present application. As shown in Figure 9, the communication device 900 includes: a transceiver module 901 and a processing module 902. For ease of explanation, FIG. 9 shows only the main components of the communication device.

In some embodiments, the communication device 900 may be adapted to the communication system shown in FIG. 5 to perform the above-mentioned functions of the VNF verifier or the first verifier.

Among them, the transceiver module 901 can be used to perform the function of the VNF verifier or the first verifier to transmit and receive messages in the above-mentioned communication method, such as the functions in the above-mentioned S702, S705 and other steps. The processing module 902 may perform other functions of the above-mentioned VNF verifier or first verifier other than sending and receiving messages, such as the functions in the above-mentioned S701 and other steps.

For example, the processing module 902 is configured to control the transceiver module 901 to send the first request to the second verifier and receive the second verification when determining whether the first network element is measured using the first measurer. or the first response returned for the first request. Among them, the first request is used to request the second verifier to initiate measurement of the first measurer. The security of the second verifier is higher than the security of the first measurer. The first response is used to indicate the first measurer. Believable. In this way, the processing module 902 is also configured to use the first measurer to measure whether the first network element is trustworthy.

Optionally, the transceiver module 901 may include a sending module (not shown in Figure 9) and a receiving module (not shown in Figure 9). The sending module is used to realize the sending function of the communication device 900 , and the receiving module is used to realize the receiving function of the communication device 900 .

Optionally, the communication device 900 may also include a storage module (not shown in FIG. 9), which stores programs or instructions. When the processing module 902 executes the program or instruction, the communication device 900 can execute the communication method shown in FIG. 7 or FIG. 8 .

It should be noted that the communication device 900 may be a network device, a chip (system) or other components or components that can be disposed in the network device, or a device including a network device, which is not limited in this application.

In addition, the technical effects of the communication device 900 can be referred to the technical effects of the communication method shown in Figures 7-8, which will not be described again here.

In other embodiments, the communication device 900 may be adapted to the communication system shown in FIG. 5 to perform the functions of the above-mentioned hardware verifier or the second verifier.

Among them, the transceiver module 901 can be used to perform the function of the hardware verifier or the second verifier to transmit and receive messages in the above-mentioned communication method, such as the functions in the above-mentioned S702, S705 and other steps. The processing module 902 can perform other functions of the above-mentioned hardware verifier or the second verifier other than sending and receiving messages, such as the functions in the above-mentioned steps S703, S704, etc. able.

For example, the transceiving module 901 is used to receive the first request from the first verifier; the processing module 902 is used to determine the second measurer associated with the first measurer according to the first request; the first request is used to request the first measurer. The second verifier initiates the measurement of the first measurer. The first measurer is the measurer associated with the first verifier. The security of the second measurer is higher than the security of the first measurer. In this way, the processing module 902 is also configured to measure the first measurer through the second measurer, determine that the first measurer is trustworthy, and thereby control the transceiver module 901 to send the first response to the first verifier. The first response applies Indicates that the first verifier is trustworthy.

Exemplarily, FIG. 10 is a second structural schematic diagram of a communication device provided by an embodiment of the present application. The communication device may be a terminal, or a chip (system) or other components or components that can be installed in the terminal. As shown in FIG. 10 , the communication device 1000 may include a processor 1001 . Optionally, the communication device 1000 may also include a memory 1002 and/or a transceiver 1003. The processor 1001 is coupled to the memory 1002 and the transceiver 1003, for example, through a communication bus.

The following is a detailed introduction to each component of the communication device 1000 with reference to Figure 10:

Among them, the processor 1001 is the control center of the communication device 1000, and may be a processor or a collective name for multiple processing elements. For example, the processor 1001 is one or more central processing units (CPUs), may also be an application specific integrated circuit (ASIC), or may be configured to implement one or more embodiments of the present application. An integrated circuit, such as one or more microprocessors (digital signal processor, DSP), or one or more field programmable gate arrays (field programmable gate array, FPGA).

Optionally, the processor 1001 can perform various functions of the communication device 1000 by running or executing software programs stored in the memory 1002 and calling data stored in the memory 1002, for example, performing the functions shown in FIGS. 8-10 above. communication method.

In a specific implementation, as an embodiment, the processor 1001 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 10 .

In specific implementation, as an embodiment, the communication device 1000 may also include multiple processors, such as the processor 1001 and the processor 1004 shown in FIG. 10 . Each of these processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).

The memory 1002 is used to store the software program for executing the solution of the present application, and is controlled by the processor 1001 for execution. For specific implementation methods, please refer to the above method embodiments, which will not be described again here.

Alternatively, the memory 1002 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory (RAM)) or a random access memory (RAM) that can store information and instructions. Other types of dynamic storage devices for instructions can also be electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical discs Storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or can be used to carry or store desired program code in the form of instructions or data structures and any other media capable of being accessed by a computer, without limitation. The memory 1002 may be integrated with the processor 1001, or may exist independently and be coupled to the processor 1001 through the interface circuit (not shown in Figure 10) of the communication device 1000. This is not specifically limited in the embodiment of the present application.

Transceiver 1003, used for communication with other communication devices. For example, the communication device 1000 is a terminal, and the transceiver 1003 can be used to communicate with a network device or with another terminal device. For another example, the communication device 1000 is a network device, and the transceiver 1003 can be used to communicate with a terminal or another network device.

Optionally, the transceiver 1003 may include a receiver and a transmitter (not shown separately in Figure 10). Among them, the receiver is used to implement the receiving function, and the transmitter is used to implement the sending function.

Alternatively, the transceiver 1003 can be integrated with the processor 1001, or can exist independently and be coupled to the processor 1001 through the interface circuit (not shown in Figure 10) of the communication device 1000. This is not the case in the embodiment of this application. Specific limitations.

It should be noted that the structure of the communication device 1000 shown in FIG. 10 does not constitute a limitation on the communication device. The actual communication device may include more or less components than shown in the figure, or some components may be combined, or Different component arrangements.

In addition, the technical effects of the communication device 1000 can be referred to the technical effects of the communication method described in the above method embodiments, which will not be described again here.

An embodiment of the present application provides a communication system. The communication system includes: one or more terminals shown in Figures 8-10.

It should be understood that the processor in the embodiment of the present application can be a central processing unit (CPU). The processor can also be other general-purpose processors, digital signal processors (DSP), special-purpose integrated processors, etc. Circuit (application specific integrated circuit, ASIC), off-the-shelf programmable gate array (field programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.

It should also be understood that the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. Among them, the non-volatile memory can be read-only memory (ROM), programmable ROM (PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically removable memory. Erase programmable read-only memory (electrically EPROM, EEPROM) or flash memory. Volatile memory may be random access memory (RAM), which is used as an external cache. By way of illustration but not limitation Note that many forms of random access memory (RAM) are available, such as static random access memory (static RAM, SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (synchlink DRAM, SLDRAM) ) and direct memory bus random access memory (direct rambus RAM, DR RAM).

The above embodiments may be implemented in whole or in part by software, hardware (such as circuits), firmware, or any other combination. When implemented using software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on the computer, the processes or functions described in the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another, e.g., the computer instructions may be transferred from a website, computer, server, or data center Transmit to another website, computer, server or data center through wired (such as infrared, wireless, microwave, etc.) means. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or a data center that contains one or more sets of available media. The usable media may be magnetic media (eg, floppy disk, hard disk, tape), optical media (eg, DVD), or semiconductor media. The semiconductor medium may be a solid state drive.

It should be understood that the term "and/or" in this article is only an association relationship describing related objects, indicating that there can be three relationships, for example, A and/or B, which can mean: A alone exists, and A and B exist simultaneously. , there are three cases of B alone, where A and B can be singular or plural. In addition, the character "/" in this article generally indicates that the related objects are an "or" relationship, but it may also indicate an "and/or" relationship. For details, please refer to the previous and later contexts for understanding.

In this application, "at least one" refers to one or more, and "plurality" refers to two or more. "At least one of the following" or similar expressions thereof refers to any combination of these items, including any combination of a single item (items) or a plurality of items (items). For example, at least one of a, b, or c can mean: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c can be single or multiple .

It should be understood that in the various embodiments of the present application, the size of the sequence numbers of the above-mentioned processes does not mean the order of execution. The execution order of each process should be determined by its functions and internal logic, and should not be used in the embodiments of the present application. The implementation process constitutes any limitation.

Those of ordinary skill in the art will appreciate that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented with electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each specific application, but such implementations should not be considered beyond the scope of this application.

Those skilled in the art can clearly understand that for the convenience and simplicity of description, the specific working processes of the systems, devices and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be described again here.

In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods can be implemented in other ways. For example, the device embodiments described above are only illustrative. The division of units described above is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. On the other hand, the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.

If the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in various embodiments of this application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk and other media that can store program code. .

The above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any person familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the present application. should be covered by the protection scope of this application. Therefore, the protection scope of this application should be subject to the protection scope of the claims.

Claims

A communication method, characterized in that the method includes:

When the first verifier determines whether the first network element measured by the first measurer is trustworthy, the first verifier sends a first request to the second verifier; the first request is used to request the A second verifier initiates a measurement of the first measurer, and the security of the second verifier is higher than the security of the first measurer;

The first verifier receives a first response returned by the second verifier in response to the first request; the first response is used to indicate that the first measurer is trustworthy;

The first verifier uses the first measurer to measure whether the first network element is trustworthy.
The method according to claim 1, characterized in that the first verifier sends a first request to the second verifier, including:

The first verifier obtains the addressing information of the first measurer;

The first verifier sends the first request containing the addressing information to the second verifier.
The method of claim 2, wherein the first verifier obtains the addressing information of the first measurer, including:

When the first verifier is a functional network element, the first verifier obtains the identity of the first network element; or, when the first verifier is a functional network manager, the first verifier obtains the identity of the first network element. A verifier obtains at least one of the following: identification information of the first measurer or identification information of the first network element.
The method according to claim 3, characterized in that, when the first verifier is a functional network element, the identification information of the first network element includes an identification of a network function NF; or, when the first verifier is a functional network element, When a verifier is a functional network manager, the identification information of the first network element includes the identification of the virtual network function VNF.
The method according to any one of claims 1-4, characterized in that the first measurer is deployed in the business domain, and the second verifier is deployed in the management domain.
The method according to any one of claims 1-5, characterized in that, before the first verifier sends the first request to the second verifier, the method further includes:

The first verifier determines that the first measurer is a trustworthy measurer.
The method of claim 6, wherein the first measurer is a measurer whose credibility is doubtful means: the first measurer is a measurer who has not been measured, or the first measurer is a measurer who has not been measured. A measurer is a measurer who has been measured and whose measurement certificate is invalid.
The method according to any one of claims 1-7, characterized in that the first verifier determines whether the first network element is trusted using the first measurer, including:

The first verifier receives instruction information from a second network element; the second network element is associated with the first network element, and the instruction information is used to instruct the first verifier to initiate verification of the first network element. Measurement of network elements;

The first verifier determines to use the first measurer to measure the first network element according to the instruction information.
The method according to claim 8, characterized in that the indication information includes identification information of the first network element, and the first verifier saves the identification information of each measurer and the network associated with the measurer. The first verifier determines to use the first measurer to measure the first network element based on the indication information, including:

The first verifier determines the first measurer corresponding to the first network element based on the identification information of the first network element and the corresponding relationship.
The method according to any one of claims 1 to 9, characterized in that the first verifier uses the first measurer to measure whether the first network element is trustworthy, including:

The first verifier sends a second request to the first measurer; the second request is used to request the first measurer to measure the first network element;

The first verifier receives a second response returned by the first measurer in response to the second request; the second response includes measurement evidence of the first network element;

The first verifier determines whether the first network element is trustworthy based on the metric evidence of the first network element.
The method according to claim 10, characterized in that the measurement evidence of the first network element includes at least one of the following: operating data of the first network element or communication data of the first network element.
The method according to any one of claims 1-11, characterized in that after the first verifier receives the first response returned by the second verifier in response to the first request, the method further include:

The first verifier uses the first measurer to measure whether the third network element is trustworthy.
A communication method, characterized in that the method includes:

The second verifier receives the first request from the first verifier; the first request is used to request the second verifier to initiate measurement of the first measurer, and the first measurer is the third measurer. A measurer associated with a validator;

The second verifier determines the second measurer associated with the first measurer according to the first request; the security of the second measurer is higher than the security of the first measurer;

The second verifier measures the first measurer through the second measurer and determines that the first measurer is credible;

The second verifier sends a first response to the first verifier; the first response is used to indicate that the first verifier is trustworthy.
The method of claim 13, wherein the second verifier measures the first measurer through the second measurer and determines that the first measurer is credible, including:

The second verifier sends a third request to the second measurer; the third request is used to request the second measurer to measure the first measurer;

The second verifier receives a third response returned by the second measurer in response to the third request; the third response includes measurement evidence of the first measurer;

The second verifier determines that the first measurer is credible based on the measurement evidence of the first measurer.
The method of claim 14, wherein the measurement evidence of the first measurer includes operating data of the first measurer.
The method according to claim 14 or 15, characterized in that the third request is used to instruct the second measurer to provide measurement evidence.
The method of claim 13, wherein the second verifier measures the first measurer through the second measurer and determines that the first measurer is credible, including:

The second verifier sends a third request to the second measurer; the third request is used to request the second measurer to measure the first measurer;

The second verifier receives a third response returned by the second measurer in response to the third request; the third response includes an endorsement result of the first measurer, and the endorsement result is used to indicate that the the second measurer determines that the first measurer is credible;

The second verifier determines that the first measurer is trustworthy by verifying the endorsement result.
The method of claim 17, wherein the third request is used to instruct the second measurer to provide an endorsement result.
The method according to any one of claims 13-18, characterized in that the first request includes addressing information of the first measurer, and the second verifier according to the first request, Determining a second measurer associated with the first measurer includes:

The second verifier determines the first measurer based on the addressing information of the first measurer;

The second verifier determines the second measurer based on the first measurer.
The method of claim 19, wherein the addressing information of the first measurer includes at least one of the following: identification information of the first measurer, or association of the first measurer The identification information of the first network element.
The method according to claim 20, characterized in that the identification information of the first network element includes the identification of the network function NF, or the identification information of the first network element includes the identification of the virtual network function VNF.
The method according to any one of claims 13-21, characterized in that the first measurer is deployed on the software layer, and the second measurer is deployed on the hardware layer.
A communication device, characterized in that the device includes: a module for executing the method according to any one of claims 1-22.
A communication device, characterized in that the communication device includes a processor; the processor is used to execute instructions stored in a memory, so that the communication device executes the method described in any one of claims 1-22 Communication methods.
A computer-readable storage medium, characterized in that the computer-readable storage medium includes a computer program or instructions, and when the computer program or instructions are run on a computer, the computer is caused to execute as claimed in claims 1-22 The communication method described in any one of the above.
A communication method, characterized in that the method includes:

When the first verifier determines whether the first network element measured by the first measurer is trustworthy, the first verifier sends a first request to the second verifier; the first request is used to request the A second verifier initiates a measurement of the first measurer, and the security of the second verifier is higher than the security of the first measurer;

The second verifier receives the first request from the first verifier, and determines the second measurer associated with the first measurer according to the first request; the security of the second measurer Security greater than said first metric;

The second verifier measures the first measurer through the second measurer and determines that the first measurer is credible;

The second verifier sends a first response to the first verifier; the first response is used to indicate that the first measurer is trustworthy;

The first verifier receives the first response returned by the second verifier in response to the first request;

The first verifier uses the first measurer to measure whether the first network element is trustworthy.
A communication system, characterized in that the communication system includes: a first verifier and a second verifier, wherein the first verifier is used to perform the method according to any one of claims 1-12, and The second verifier is used to perform the method according to any one of claims 13-22.