CN116528234B - Virtual machine security and credibility verification method and device - Google Patents
Virtual machine security and credibility verification method and device Download PDFInfo
- Publication number
- CN116528234B CN116528234B CN202310781692.7A CN202310781692A CN116528234B CN 116528234 B CN116528234 B CN 116528234B CN 202310781692 A CN202310781692 A CN 202310781692A CN 116528234 B CN116528234 B CN 116528234B
- Authority
- CN
- China
- Prior art keywords
- nas
- authentication
- key
- eap
- aka
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 50
- 238000012795 verification Methods 0.000 title claims abstract description 48
- 230000004044 response Effects 0.000 claims abstract description 112
- 230000015654 memory Effects 0.000 claims description 34
- 238000012545 processing Methods 0.000 claims description 15
- 238000004891 communication Methods 0.000 abstract description 36
- 230000006870 function Effects 0.000 description 52
- 238000013461 design Methods 0.000 description 13
- 230000005540 biological transmission Effects 0.000 description 11
- 238000007726 management method Methods 0.000 description 9
- 238000004590 computer program Methods 0.000 description 8
- 238000009795 derivation Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 8
- 230000000694 effects Effects 0.000 description 7
- 230000003287 optical effect Effects 0.000 description 5
- 230000008878 coupling Effects 0.000 description 4
- 238000010168 coupling process Methods 0.000 description 4
- 238000005859 coupling reaction Methods 0.000 description 4
- 238000010295 mobile communication Methods 0.000 description 4
- 230000001360 synchronised effect Effects 0.000 description 4
- 230000003993 interaction Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000003068 static effect Effects 0.000 description 3
- 238000003491 array Methods 0.000 description 2
- 230000003190 augmentative effect Effects 0.000 description 2
- 238000004422 calculation algorithm Methods 0.000 description 2
- 230000001413 cellular effect Effects 0.000 description 2
- 238000013523 data management Methods 0.000 description 2
- 238000013500 data storage Methods 0.000 description 2
- 235000019800 disodium phosphate Nutrition 0.000 description 2
- 230000007774 longterm Effects 0.000 description 2
- 238000005259 measurement Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 101150119040 Nsmf gene Proteins 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 239000000470 constituent Substances 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 229920001690 polydopamine Polymers 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application provides a method and a device for verifying security and credibility of a virtual machine, which are used for guaranteeing communication security in a virtualization scene. The method comprises the following steps: when a VM of the UE is to establish NAS secure connection with a core network, the AUSF receives a UE authentication request message from an SEAF, wherein the UE authentication request message is used for requesting to perform trusted verification on the VM, and the UE authentication request message carries an EAP-AKA' authentication response of the VM; the AUSF performs trusted verification on the EAP-AKA' authentication response of the VM; if the trusted verification of the VM passes, the AUSF sends a UE authentication response message to the SEAF, wherein the UE authentication response message is used for indicating that the VM is allowed to establish NAS secure connection with the core network.
Description
Technical Field
The present application relates to the field of communications, and in particular, to a method and apparatus for verifying security and trust of a virtual machine.
Background
The third generation partnership project (3rd generation partnership project,3GPP) defines an authentication procedure for a User Equipment (UE). For example, the main authentication procedure, i.e. during the UE accessing the network, the network authenticates the UE and allows the UE to access the network only if the UE is confirmed to be authentic. For another example, the second authentication procedure, i.e. during the session establishment of the UE, the network authenticates the UE again and confirms again that the UE is trusted to allow the UE to establish the session.
In future networks, the network may provide a virtualization service for the UE, that is, provide a service for a Virtual Machine (VM) deployed on the UE, in which case, how to guarantee the communication security is a problem to be solved.
Disclosure of Invention
The embodiment of the application provides a method and a device for verifying security and credibility of a virtual machine, which are used for guaranteeing communication security in a virtualization scene.
In order to achieve the above purpose, the application adopts the following technical scheme:
in a first aspect, a method for verifying security and trust of a virtual machine is provided, and the method is applied to an AUSF, and includes: when a VM of the UE is to establish NAS secure connection with a core network, the AUSF receives a UE authentication request message from an SEAF, wherein the UE authentication request message is used for requesting to perform trusted verification on the VM, and the UE authentication request message carries an EAP-AKA' authentication response of the VM; the AUSF performs trusted verification on the EAP-AKA' authentication response of the VM; if the trusted verification of the VM passes, the AUSF sends a UE authentication response message to the SEAF, wherein the UE authentication response message is used for indicating that the VM is allowed to establish NAS secure connection with the core network.
It can be seen that, in the case that the UE has accessed the network, if the network needs to provide services for the VM of the UE, a network element in the network, such as AUSF, can perform trusted verification, such as EAP-AKA' authentication, on the VM. Therefore, only if authentication is passed, namely the VM is trusted, the network allows NAS secure connection to be established for the VM, and the communication security in a virtualization scene is ensured.
In one possible design, the EAP-AKA' authentication response is derived by the UE using RAND, NAS key of the UE, hardware information of the deployment environment of the VM, and software information of the VM as input parameters. Compared with software information, the hardware information is more private information and is more difficult to steal by an attacker, so that the verification reliability can be further improved by taking the hardware information as an input parameter.
Optionally, RAND is a parameter that the core network sends to the UE in advance; the NAS key of the UE is a key required by the UE to establish NAS secure connection with network elements except the AMF in the core network; the hardware information of the deployment environment of the VM is one of the following indications in the hardware information of the UE: the firmware information of the memory, the firmware information of the main board, or the processed firmware information, such as the version number of the firmware, the original code of the trusted boot program of the firmware, and the like.
In one possible design, the AUSF performs trusted verification on the EAP-AKA' authentication response of the VM, including: the AUSF compares the EAP-AKA 'authentication response of the VM with the EAP-AKA' expected authentication response of the VM, wherein if the EAP-AKA 'authentication response of the VM is consistent with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM passes, otherwise, if the EAP-AKA 'authentication response of the VM is not identical with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM fails.
Optionally, the method further comprises: when a VM is to establish NAS secure connection with a core network, an AUSF sends a UE authentication acquisition request message to a UDM, wherein the UE authentication acquisition request message carries an identification of the UE and an identification of the VM corresponding to the identification of the UE and is used for requesting to generate an expected authentication response of EAP-AKA' for the VM deployed on the UE; the AUSF receives a UE authentication acquisition response message from the UDM, wherein the UE authentication acquisition response message carries an EAP-AKA 'expected authentication response of the VM, and the EAP-AKA' expected authentication response of the VM is deduced by taking RAND, NAS keys of the UE, hardware information of a deployment environment of the VM and software information of the VM as input parameters. That is, the existing parameters of the authentication flow of the UE, such as the NAS key of the UE, are multiplexed, so as to reduce implementation difficulty and avoid excessive protocol modification.
Optionally, if the VM is to establish the NAS security connection with the core network, that is, the VM is to establish the NAS security connection with the first network element in the core network, the NAS key of the UE is a first NAS key, the first network element is a network element other than the AMF in the core network, and the first NAS key is a key required for the UE to establish the NAS security connection with the first network element. Or if the VM is to establish NAS security connection with the core network, that is, the VM is to establish NAS security connection with a first network element and a second network element in the core network respectively, the NAS key of the UE is a first NAS key and a second NAS key of the UE, the first network element and the second network element are different and are all network elements except AMF in the core network, the first NAS key is a key required for the UE to establish NAS security connection with the first network element, and the second NAS key is a key required for the UE to establish NAS security connection with the second network element. That is, in the process of accessing the network, the UE can determine NAS keys of the UE and each network element in advance, so that the NAS keys can be directly reused when the VM of the UE has service requirements, no deduction is needed, and the time delay is smaller.
Furthermore, the NAS key of the UE is deduced based on the AS key of the UE, namely, the coupling between the AS and the NAS is realized, the key deduction mode is more complex, and the security is better.
Further, the NAS key of the UE is derived by the core network based on an intermediate key, where the intermediate key is a key derived by the gNB where the UE resides using the latest NCC of the UE, the AS key of the UE, and the NAS message sent by the UE to the core network AS input parameters.
In a possible design, in the case that the VM is allowed to establish a NAS security connection with the core network, the VM and the core network can derive the NAS key of the VM based on the NAS key of the UE, and the NAS key of the VM can be used for the VM to establish the NAS security connection with the core network.
In a second aspect, a secure trust verification apparatus for a virtual machine is provided, where the secure trust verification apparatus is applied to an AUSF, and the apparatus includes: the receiving and transmitting module is used for receiving a UE authentication request message from the SEAF when the VM of the UE is to establish NAS secure connection with a core network, wherein the UE authentication request message is used for requesting the trusted verification of the VM, and the UE authentication request message carries an EAP-AKA' authentication response of the VM; the processing module is used for carrying out trusted verification on the EAP-AKA' authentication response of the VM by the AUSF; and the transceiver module is used for sending a UE authentication response message to the SEAF by the AUSF if the trusted verification of the VM is passed, wherein the UE authentication response message is used for indicating that the VM is allowed to establish NAS secure connection with the core network.
In one possible design, the EAP-AKA' authentication response is derived by the UE using RAND, NAS key of the UE, hardware information of the deployment environment of the VM, and software information of the VM as input parameters.
Optionally, RAND is a parameter that the core network sends to the UE in advance; the NAS key of the UE is a key required by the UE to establish NAS secure connection with network elements except the AMF in the core network; the hardware information of the deployment environment of the VM is one of the following indications in the hardware information of the UE: firmware information of a memory, firmware information of a main board, or processed firmware information.
In one possible design, the AUSF performs trusted verification on the EAP-AKA' authentication response of the VM, including: the AUSF compares the EAP-AKA 'authentication response of the VM with the EAP-AKA' expected authentication response of the VM, wherein if the EAP-AKA 'authentication response of the VM is consistent with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM passes, otherwise, if the EAP-AKA 'authentication response of the VM is not identical with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM fails.
Optionally, the transceiver module is further configured to, when the VM is to establish NAS secure connection with the core network, send a UE authentication obtaining request message to the UDM, where the UE authentication obtaining request message carries an identifier of the UE and an identifier of the VM corresponding to the identifier of the UE, and is configured to request generation of an expected authentication response of EAP-AKA' for the VM deployed on the UE; the AUSF receives a UE authentication acquisition response message from the UDM, wherein the UE authentication acquisition response message carries an EAP-AKA 'expected authentication response of the VM, and the EAP-AKA' expected authentication response of the VM is deduced by taking RAND, NAS keys of the UE, hardware information of a deployment environment of the VM and software information of the VM as input parameters.
Optionally, if the VM is to establish the NAS security connection with the core network, that is, the VM is to establish the NAS security connection with the first network element in the core network, the NAS key of the UE is a first NAS key, the first network element is a network element other than the AMF in the core network, and the first NAS key is a key required for the UE to establish the NAS security connection with the first network element. Or if the VM is to establish NAS security connection with the core network, that is, the VM is to establish NAS security connection with a first network element and a second network element in the core network respectively, the NAS key of the UE is a first NAS key and a second NAS key of the UE, the first network element and the second network element are different and are all network elements except AMF in the core network, the first NAS key is a key required for the UE to establish NAS security connection with the first network element, and the second NAS key is a key required for the UE to establish NAS security connection with the second network element.
Further, the NAS key of the UE is derived based on the AS key of the UE.
Further, the NAS key of the UE is derived by the core network based on an intermediate key, where the intermediate key is a key derived by the gNB where the UE resides using the latest NCC of the UE, the AS key of the UE, and the NAS message sent by the UE to the core network AS input parameters.
In a possible design, in the case that the VM is allowed to establish a NAS security connection with the core network, the VM and the core network can derive the NAS key of the VM based on the NAS key of the UE, and the NAS key of the VM can be used for the VM to establish the NAS security connection with the core network.
In a third aspect, an electronic device is provided, comprising: a processor and a memory; the memory is for storing a computer program which, when executed by the processor, causes the electronic device to perform the method of the first aspect.
In one possible design, the electronic device according to the third aspect may further include a transceiver. The transceiver may be a transceiver circuit or an interface circuit. The transceiver may be for use in the electronic device of the third aspect to communicate with other electronic devices.
In an embodiment of the present application, the electronic device according to the third aspect may be the terminal according to the first aspect, or a chip (system) or other parts or components that may be disposed in the terminal, or a device including the terminal.
In addition, the technical effects of the electronic device described in the third aspect may refer to the technical effects of the method described in the first aspect, which are not described herein.
In a fourth aspect, there is provided a computer-readable storage medium comprising: computer programs or instructions; the computer program or instructions, when run on a computer, cause the computer to perform the method of the first aspect.
Drawings
FIG. 1 is a schematic diagram of a 5G system architecture;
Fig. 2 is a schematic diagram of a communication system according to an embodiment of the present application;
FIG. 3 is a flow chart of a method for verifying security and trust of a virtual machine according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a security trust verification device for a virtual machine according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For convenience of understanding, technical terms related to the embodiments of the present application are first described below.
1. Fifth generation (5th generation,5G) mobile communication systems (5G systems, 5gs for short):
fig. 1 is a schematic diagram of a 5GS non-roaming architecture. As shown in fig. 1, 5GS includes: access Networks (ANs) and Core Networks (CNs), may further include: and (5) a terminal.
The terminal may be a terminal having a transceiver function, or a chip system that may be provided in the terminal. The terminal may also be referred to as a User Equipment (UE), an access terminal, a subscriber unit (subscriber unit), a subscriber station, a Mobile Station (MS), a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user device. The terminals in embodiments of the present application may be mobile phones (mobile phones), cellular phones (cellular phones), smart phones (smart phones), tablet computers (pads), wireless data cards, personal digital assistants (personal digital assistant, PDAs), wireless modems (modems), handheld devices (handsets), laptop computers (lap computers), machine type communication (machine type communication, MTC) terminals, computers with wireless transceiving functions, virtual Reality (VR) terminals, augmented reality (augmented reality, AR) terminals, wireless terminals in industrial control (industrial control), wireless terminals in unmanned aerial vehicle (self driving), wireless terminals in smart grid (smart grid), wireless terminals in transportation security (transportation safety), wireless terminals in smart city (smart city), wireless terminals in smart home (smart home), roadside units with functions, RSU, etc. The terminal of the present application may also be an in-vehicle module, an in-vehicle part, an in-vehicle chip, or an in-vehicle unit built in a vehicle as one or more parts or units.
The AN is used for realizing the function related to access, providing the network access function for authorized users in a specific area, and determining transmission links with different qualities according to the level of the users, the service requirements and the like so as to transmit user data. The AN forwards control signals and user data between the terminal and the CN. The AN may include: an access network device, which may also be referred to as a radio access network device (radio access network, RAN) device. The CN is mainly responsible for maintaining subscription data of the mobile network and providing session management, mobility management, policy management, security authentication and other functions for the terminal. The CN mainly comprises the following network elements: user plane function (user plane function, UPF) network elements, authentication service function (authentication server function, AUSF) network elements, access and mobility management function (access and mobility management function, AMF) network elements, session management function (session management function, SMF) network elements, network slice selection function (network slice selection function, NSSF) network elements, network opening function (network exposure function, NEF) network elements, network function warehousing function (NF repository function, NRF) network elements, policy control function (policy control function, PCF) network elements, unified data management (unified data management, UDM) network elements, unified data storage (unified data repository, UDR), and application function (application function, AF).
The UE accesses a 5G network through RAN equipment, and communicates with an AMF network element through an N1 interface (N1 for short); the RAN network element communicates with the AMF network element through an N2 interface (N2 for short); the RAN network element communicates with the UPF network element through an N3 interface, namely N3; the SMF communicates with a UPF network element through an N4 interface (abbreviated as N4), and the UPF network element accesses a Data Network (DN) through an N6 interface (abbreviated as N6). In addition, control plane functions such as an AUSF network element, an AMF network element, an SMF network element, an NSSF network element, a NEF network element, an NRF network element, a PCF network element, a UDM network element, a UDR network element, or an AF shown in (a) in fig. 1 use a service interface to interact. For example, the server interface provided by the AUSF network element is Nausf; the AMF network element provides a service interface as Namf; the SMF network element provides a serving interface as Nsmf; the NSSF provides a service interface for the outside as Nnssf; the network element of NEF provides a service interface for the outside as Nnef; the service interface externally provided by the NRF network element is Nnrf; the service interface externally provided by the PCF network element is an Npcf; the service interface externally provided by the UDM network element is Nudm; the server interface externally provided by the UDR network element is Nudr; the service interface provided by the AF is Naf.
The RAN device may be a device that provides access to the terminal. For example, the RAN device may include: the next generation mobile communication system, such as a 6G access network device, such as a 6G base station, or in the next generation mobile communication system, the network device may have other naming manners, which are covered by the protection scope of the embodiments of the present application, which is not limited in any way. Alternatively, the RAN apparatus may also include a 5G, such as a next generation node B (gNB) in a New Radio (NR) system, or one or a group (including a plurality of antenna panels) of base stations in the 5G, or may also be a network node, such as a baseband unit (building base band unit, BBU), or a Centralized Unit (CU) or a Distributed Unit (DU), an RSU with a base station function, or a wired access gateway, or a core network element of the 5G, constituting the gNB, a transmission point (transmission and reception point, TRP or transmission point, TP), or a transmission measurement function (transmission measurement function, TMF). Alternatively, the RAN device may also include an Access Point (AP) in a wireless fidelity (wireless fidelity, wiFi) system, a wireless relay node, a wireless backhaul node, various forms of macro base stations, micro base stations (also referred to as small stations), relay stations, access points, wearable devices, vehicle devices, and so on.
The UPF network element is mainly responsible for user data processing (forwarding, receiving, charging, etc.). For example, the UPF network element may receive user data from a Data Network (DN), which is forwarded to the terminal through the access network device. The UPF network element may also receive user data from the terminal through the access network device and forward the user data to the DN. DN network elements refer to the operator network that provides data transmission services for subscribers. Such as the internet protocol (internet protocol, IP) Multimedia Services (IMS), the internet, etc. The DN may be an external network of the operator or a network controlled by the operator, and is configured to provide service to the terminal device.
The AUSF network element is mainly used for executing security authentication of the terminal.
The AMF network element is mainly used for mobility management in a mobile network. Such as user location updates, user registration networks, user handoffs, etc.
The SMF network element is mainly used for session management in a mobile network. Such as session establishment, modification, release. Specific functions are for example assigning internet protocol (internet protocol, IP) addresses to users, selecting UPF network elements providing packet forwarding functions, etc.
The PCF network element mainly supports providing a unified policy framework to control network behavior, provides policy rules for a control layer network function, and is responsible for acquiring user subscription information related to policy decision. The PCF network element may provide policies, such as quality of service (quality of service, qoS) policies, slice selection policies, etc., to the AMF network element, SMF network element.
The NSSF network element is mainly used to select network slices for the terminal.
The NEF network element is mainly used for supporting the opening of capabilities and events.
The UDM network element is mainly used for storing subscriber data, such as subscription data, authentication/authorization data, etc.
The UDR network element is mainly used for storing structured data, and the stored content includes subscription data and policy data, externally exposed structured data and application related data.
AF mainly supports interactions with CN to provide services, such as influencing data routing decisions, policy control functions or providing some services of third parties to the network side. In the embodiment of the application, AF is a network element in 5 GC.
2. And (3) key deduction:
all key derivation in 5GS is performed using the key derivation function (key derivation function, KDF) specified in third generation partnership project protocol (3rd Generation Partnership Project,3GPP) TS 33.220 v17.4, appendix b.2.0. The inputs to the KDF function include: the Key Key and the input parameter are the character string S; the Key is a Key used for deriving the Key, and if the Key #1 is derived from the Key #2, the Key #2 is the Key of the Key # 1. That is, the Key derivation may be HMAC-SHA-256 (Key, S), where HMAC-SHA-256 is a specific function of the KDF functions, and the specific principle of HMAC-SHA-256 may refer to the principle in the prior art, which is not described herein.
The string S is constructed from n+1 input parameters, and its expression is as follows:
S=FC||P0||L0||P1||L1||P2||L2||P3||L3||...||Pn||Ln
where FC is used to distinguish between different instances of the algorithm. P0..pn is the n+1 input parameter code, L0, …, ln is the corresponding input parameter code P0.
For example, in KAMF derivation, key is KSEAF, and each input parameter of the string S is: fc=0x D, P0 = IMSI or NAI or GCI or GLI, l0=p0length-number of octets in P0, p1=abba parameter, and l1=p1length-number of octets in P1, where P0 is the identity of the terminal and P1 is the custom parameter sent to the terminal by the security anchor function (Security Anchor Function, SEAF).
The technical scheme of the application will be described below with reference to the accompanying drawings.
The technical solution of the embodiment of the present application may be applied to various communication systems, such as a wireless network (Wi-Fi) system, a vehicle-to-arbitrary object (vehicle to everything, V2X) communication system, an inter-device (D2D) communication system, a car networking communication system, a fourth generation (4th generation,4G) mobile communication system, such as a long term evolution (long term evolution, LTE) system, a worldwide interoperability for microwave access (worldwide interoperability for microwave access, wiMAX) communication system, a fifth generation (5th generation,5G) system, such as a new radio, NR) system, and a future communication system.
In the embodiment of the application, the indication can comprise direct indication and indirect indication, and can also comprise explicit indication and implicit indication. In the specific implementation process, the manner of indicating the information to be indicated is various, for example, but not limited to, the information to be indicated may be directly indicated, such as the information to be indicated itself or an index of the information to be indicated. The information to be indicated can also be indicated indirectly by indicating other information, wherein the other information and the information to be indicated have an association relation. It is also possible to indicate only a part of the information to be indicated, while other parts of the information to be indicated are known or agreed in advance. For example, the indication of the specific information may also be achieved by means of a pre-agreed (e.g., protocol-specified) arrangement sequence of the respective information, thereby reducing the indication overhead to some extent. And meanwhile, the universal part of each information can be identified and indicated uniformly, so that the indication cost caused by independently indicating the same information is reduced.
The specific indication means may be any of various existing indication means, such as, but not limited to, the above indication means, various combinations thereof, and the like. Specific details of various indications may be referred to the prior art and are not described herein. As can be seen from the above, for example, when multiple pieces of information of the same type need to be indicated, different manners of indication of different pieces of information may occur. In a specific implementation process, a required indication mode can be selected according to specific needs, and the selected indication mode is not limited in the embodiment of the present application, so that the indication mode according to the embodiment of the present application is understood to cover various methods that can enable a party to be indicated to learn information to be indicated.
It should be understood that the information to be indicated may be sent together as a whole or may be sent separately in a plurality of sub-information, and the sending periods and/or sending timings of these sub-information may be the same or different. Specific transmission method the embodiment of the present application is not limited. The transmission period and/or the transmission timing of the sub-information may be predefined, for example, predefined according to a protocol, or may be configured by the transmitting end device by transmitting configuration information to the receiving end device.
The "pre-defining" or "pre-configuring" may be implemented by pre-storing corresponding codes, tables, or other manners that may be used to indicate relevant information in the device, and the embodiments of the present application are not limited to the specific implementation manner. Where "save" may refer to saving in one or more memories. The one or more memories may be provided separately or may be integrated in an encoder or decoder, processor, or electronic device. The one or more memories may also be provided separately as part of a decoder, processor, or electronic device. The type of memory may be any form of storage medium, and embodiments of the application are not limited in this regard.
The "protocol" referred to in the embodiments of the present application may refer to a protocol family in the communication field, a standard protocol similar to a frame structure of the protocol family, or a related protocol applied to a future communication system, which is not specifically limited in the embodiments of the present application.
In the embodiment of the application, the descriptions of "when … …", "in the case of … …", "if" and "if" all refer to that the device will perform corresponding processing under some objective condition, and are not limited in time, nor do the descriptions require that the device must have a judging action when implementing, nor do the descriptions mean that other limitations exist.
In the description of the embodiments of the present application, unless otherwise indicated, "/" means that the objects associated in tandem are in a "or" relationship, e.g., A/B may represent A or B; the "and/or" in the embodiment of the present application is merely an association relationship describing the association object, and indicates that three relationships may exist, for example, a and/or B may indicate: a alone, a and B together, and B alone, wherein A, B may be singular or plural. Also, in the description of the embodiments of the present application, unless otherwise indicated, "plurality" means two or more than two. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural. In addition, in order to facilitate the clear description of the technical solution of the embodiments of the present application, in the embodiments of the present application, the words "first", "second", etc. are used to distinguish the same item or similar items having substantially the same function and effect. It will be appreciated by those of skill in the art that the words "first," "second," and the like do not limit the amount and order of execution, and that the words "first," "second," and the like do not necessarily differ. Meanwhile, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion that may be readily understood.
The network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided by the embodiments of the present application, and those skilled in the art can know that, with the evolution of the network architecture and the appearance of the new service scenario, the technical solution provided by the embodiments of the present application is applicable to similar technical problems.
To facilitate understanding of the embodiments of the present application, a communication system suitable for use in the embodiments of the present application will be described in detail with reference to the communication system shown in fig. 3. Fig. 3 is a schematic diagram of a communication system to which the security and trust verification method of a virtual machine according to an embodiment of the present application is applicable.
As shown in fig. 2, the communication system may be adapted for the above 5GS, including: UE and AUSF. The following describes the interaction flow between each network element/device in the above communication system in detail through an embodiment of the method in conjunction with fig. 3. The method for verifying the security and the credibility of the virtual machine provided by the embodiment of the application can be applied to the communication system, and is specifically applied to various scenes mentioned in the communication system, and is specifically described below.
Fig. 3 is a schematic flow chart of a method according to an embodiment of the present application. The security and credibility verification method of the virtual machine is applicable to the communication system and relates to interaction between the UE and the AUSF. Specifically, the trusted authentication of the AUSF to the VM of the UE may be implemented by multiplexing the primary authentication or the secondary authentication of the UE, or, in other words, it is similar to the primary authentication or the secondary authentication of the UE, and the same selective extension authentication protocol (extensible authentication protocol, EAP) -authentication and key agreement protocol (Authentication and Key Agreement, AKA) 'mechanism is adopted, where the AUSF adopts the EAP-AKA' mechanism, and the trusted authentication is performed to the VM of the UE by the SEAF, and the specific procedure is as follows:
S301, when a VM of the UE is to establish a Non-Access-Stratum (NAS) secure connection with a core network, the AUSF receives a UE authentication request message from the SEAF.
The UE authentication request message may be used to request a trusted verification of the VM, where the UE authentication request message carries an EAP-AKA' authentication response, i.e. Response (RES), of the VM. The S301 may be implemented by multiplexing an EAP-AKA 'flow, that is, when the VM of the UE has a service requirement with the network, for example, when the NAS security connection with the core network is to be established, the UE may send information (such as an identifier) of the VM to the SEAF through an N1 message, and trigger the SEAF to initiate the EAP-AKA' flow for authenticating the VM. For example, the SEAF may resend the information of the VM to the UDM, and the information required for authenticating the VM may be generated, which is specifically described with reference to the following description S302, and will not be repeated herein. Then, the SEAF requests the UE to authenticate the network (i.e. authenticate RES) through the authentication request message, and in the case that the authentication network passes, the UE may send an authentication response message to the SEAF to request the network to authenticate the VM. The SEAF may encapsulate the information in the authentication response message into the UE authentication request message described above and then send it to the AUSF.
In one possible implementation, the EAP-AKA' authentication response may be derived by the UE using a random number (RAND), a NAS key of the UE, and hardware information of a deployment environment of the VM and software information of the VM as input parameters. Compared with software information, the hardware information is more private information and is more difficult to steal by an attacker, so that the verification reliability can be further improved by taking the hardware information as an input parameter.
Alternatively, the RAND may be a parameter that the core network sends to the UE in advance (i.e., a parameter carried in the authentication request message described above).
Alternatively, the NAS key of the UE may be a key required for the UE to establish a NAS secure connection with a network element other than the AMF in the core network. For example, if the VM is to establish a NAS security connection with the core network, the VM is to establish a NAS security connection with a first network element in the core network, and the NAS key of the UE is a first NAS key, where the first network element is a network element other than the AMF in the core network, and the first NAS key is a key required for the UE to establish the NAS security connection with the first network element. Or if the VM is to establish NAS security connection with the core network, that is, the VM is to establish NAS security connection with a first network element and a second network element in the core network respectively, the NAS key of the UE is a first NAS key and a second NAS key of the UE, the first network element and the second network element are different and are all network elements except AMF in the core network, the first NAS key is a key required for the UE to establish NAS security connection with the first network element, and the second NAS key is a key required for the UE to establish NAS security connection with the second network element. That is, in the process of accessing the network, the UE can determine NAS keys of the UE and each network element in advance, so that the NAS keys can be directly reused when the VM of the UE has service requirements, no deduction is needed, and the time delay is smaller.
The NAS key of the UE is deduced based on an Access-Stratum (AS) key of the UE, namely, the AS and the NAS are coupled, the key deduction mode is more complex, and the security is better. For example, the NAS key of the UE is derived by the core network based on an intermediate key, where the gcb where the UE resides derives the UE's latest next-hop chain calculation parameters (next-hop chaining count, NCC), the UE's AS key, and the NAS message the UE sends to the core network AS input parameters.
For example, the UE and the SMF can establish NAS security connection through NAS key #1 (including confidentiality and integrity), that is, NAS encryption communication is directly performed between the UE and the SMF by using NAS key #1, without participation of the AMF in NAS protection, and the AMF directly performs transparent transmission. Similarly, the UE and the UDM may also establish a NAS secure connection with NAS key # 2. Similarly, the UE and PCF may also establish a NAS secure connection via NAS key # 3. Similarly, the UE and the AF (AF belonging to the operator network) may also establish NAS security connection through NAS key # 4. In this case, if the VM of the UE has a service requirement (or a service requirement) with the UDM, the NAS key #2 may be directly used as an input parameter to derive the NAS key #a (including confidentiality and integrity) required for NAS communication between the VM of the UE and the UDM. Similarly, if the VM and the AF of the UE have service requirements (or service requirements), the NAS key #4 may be directly used as an input parameter to derive the NAS key #b required for NAS communication between the VM and the AF of the UE.
Of course, the above implementation is only an example, for example, NAS keys of each other may also be cross-multiplexed to further enhance security, for example, UE and SMF may be preconfigured, and UE and UDM may be used as a service pair, if VM of UE and UDM have service requirements, NAS key #1 may be directly used as an input parameter, NAS key #a required for NAS communication between VM of UE and UDM may be deduced, and if VM of UE and SMF have service requirements, NAS key #1 may be directly used as an input parameter, NAS key #c required for NAS communication between VM of UE and UDM may be deduced.
Optionally, the hardware information of the deployment environment of the VM is one of the following indications in the hardware information of the UE: the firmware information of the memory, the firmware information of the main board, or the processed firmware information, such as the version number of the firmware, the original code of the trusted boot program of the firmware, and the like.
It can be understood that the input parameters of the key derivation are not limited to the above parameters, but may also include other parameters, and specific reference may be made to the description of "2" and "key derivation" above, which are not described herein.
S302, the AUSF performs trusted verification on the EAP-AKA' authentication response of the VM.
The AUSF compares the EAP-AKA 'authentication response of the VM with the EAP-AKA' expected authentication response of the VM, wherein if the EAP-AKA 'authentication response of the VM is consistent with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM passes, otherwise, if the EAP-AKA 'authentication response of the VM is not identical with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM fails.
When a VM is to establish NAS secure connection with a core network, an AUSF sends a UE authentication acquisition request message to a UDM, wherein the UE authentication acquisition request message carries an identification of the UE and an identification of the VM corresponding to the identification of the UE and is used for requesting to generate an expected authentication response of EAP-AKA' for the VM deployed on the UE; the AUSF receives a UE authentication acquisition response message from the UDM, wherein the UE authentication acquisition response message carries an EAP-AKA 'expected authentication response of the VM, and the EAP-AKA' expected authentication response of the VM is deduced by taking RAND, NAS keys of the UE, hardware information of a deployment environment of the VM and software information of the VM as input parameters. That is, the existing parameters of the authentication flow of the UE, such as the NAS key of the UE, are multiplexed, so as to reduce implementation difficulty and avoid excessive protocol modification.
The embodiment of the application does not limit how the UDM acquires the hardware information of the deployment environment of the VM and the software information of the VM as input parameters, and the hardware information and the software information of the VM can be preconfigured, or acquired from AF or UE in advance.
S303, if the trusted verification of the VM is passed, the AUSF sends a UE authentication response message to the SEAF, wherein the UE authentication response message is used for indicating that the VM is allowed to establish NAS secure connection with the core network.
Under the condition that the NAS secure connection with the core network is allowed to be established by the VM, the NAS key of the VM can be deduced by the VM and the core network based on the NAS key of the UE, and the NAS secure connection with the core network is established by the VM. For example, the NAS key of the UE may be used as an input parameter, and of course, other input parameters may also be used, and specific reference may be made to the description of "2 and key derivation" above, which is not described herein. In order to further improve security, the VM and the core network can use a confidentiality key in the NAS key of the UE as an input parameter, deduce an integrity protection key of the NAS key of the VM, and can also use an integrity key in the NAS key of the UE as an input parameter, deduce a confidentiality key of the NAS key of the VM.
In summary, if the network needs to provide services for the VM of the UE in the case that the UE has access to the network, a network element in the network, such as AUSF, may perform trusted verification, such as EAP-AKA' authentication, on the VM. Therefore, only if authentication is passed, namely the VM is trusted, the network allows NAS secure connection to be established for the VM, and the communication security in a virtualization scene is ensured.
The method for verifying the security and the trust of the virtual machine provided by the embodiment of the application is described in detail above with reference to fig. 3. The following describes in detail a secure trust verification apparatus for executing a virtual machine provided by an embodiment of the present application with reference to fig. 4 and 5.
Fig. 4 is a schematic structural diagram of a security trust verification device for a virtual machine according to an embodiment of the present application. Illustratively, as shown in fig. 4, the secure trust verification apparatus 400 of a virtual machine includes: a transceiver module 401 and a processing module 402. For ease of illustration, fig. 4 shows only the main components of the secure trust verification apparatus of the virtual machine.
In some embodiments, the security trust verification apparatus 400 of the virtual machine may be suitable for use in the communication system shown in fig. 2, and perform the functions of the AUSF in the method shown in fig. 3.
A transceiver module 401, configured to, when a VM of a UE is to establish a NAS security connection with a core network, receive, by an AUSF, a UE authentication request message from a SEAF, where the UE authentication request message is used to request trusted verification of the VM, and the UE authentication request message carries an EAP-AKA' authentication response of the VM; a processing module 402, configured to perform trusted verification on the EAP-AKA' authentication response of the VM by using the AUSF; the transceiver module 401 is configured to send, if the trusted verification of the VM passes, a UE authentication response message to the SEAF, where the UE authentication response message is used to indicate that the VM is allowed to establish NAS security connection with the core network.
In one possible design, the EAP-AKA' authentication response is derived by the UE using RAND, NAS key of the UE, hardware information of the deployment environment of the VM, and software information of the VM as input parameters.
Optionally, RAND is a parameter that the core network sends to the UE in advance; the NAS key of the UE is a key required by the UE to establish NAS secure connection with network elements except the AMF in the core network; the hardware information of the deployment environment of the VM is one of the following indications in the hardware information of the UE: firmware information of a memory, firmware information of a main board, or processed firmware information.
In one possible design, the AUSF performs trusted verification on the EAP-AKA' authentication response of the VM, including: the AUSF compares the EAP-AKA 'authentication response of the VM with the EAP-AKA' expected authentication response of the VM, wherein if the EAP-AKA 'authentication response of the VM is consistent with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM passes, otherwise, if the EAP-AKA 'authentication response of the VM is not identical with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM fails.
Optionally, the transceiver module 401 is further configured to, when the VM is to establish a NAS secure connection with the core network, send a UE authentication obtaining request message to the UDM by using the AUSF, where the UE authentication obtaining request message carries an identifier of the UE and an identifier of the VM corresponding to the identifier of the UE, and is configured to request generation of an expected authentication response of EAP-AKA' for the VM deployed on the UE; the AUSF receives a UE authentication acquisition response message from the UDM, wherein the UE authentication acquisition response message carries an EAP-AKA 'expected authentication response of the VM, and the EAP-AKA' expected authentication response of the VM is deduced by taking RAND, NAS keys of the UE, hardware information of a deployment environment of the VM and software information of the VM as input parameters.
Optionally, if the VM is to establish the NAS security connection with the core network, that is, the VM is to establish the NAS security connection with the first network element in the core network, the NAS key of the UE is a first NAS key, the first network element is a network element other than the AMF in the core network, and the first NAS key is a key required for the UE to establish the NAS security connection with the first network element. Or if the VM is to establish NAS security connection with the core network, that is, the VM is to establish NAS security connection with a first network element and a second network element in the core network respectively, the NAS key of the UE is a first NAS key and a second NAS key of the UE, the first network element and the second network element are different and are all network elements except AMF in the core network, the first NAS key is a key required for the UE to establish NAS security connection with the first network element, and the second NAS key is a key required for the UE to establish NAS security connection with the second network element.
Further, the NAS key of the UE is derived based on the AS key of the UE.
Further, the NAS key of the UE is derived by the core network based on an intermediate key, where the intermediate key is a key derived by the gNB where the UE resides using the latest NCC of the UE, the AS key of the UE, and the NAS message sent by the UE to the core network AS input parameters.
In a possible design, in the case that the VM is allowed to establish a NAS security connection with the core network, the VM and the core network can derive the NAS key of the VM based on the NAS key of the UE, and the NAS key of the VM can be used for the VM to establish the NAS security connection with the core network.
Alternatively, the transceiver module 401401 may include a transmitting module (not shown in fig. 4) and a receiving module (not shown in fig. 4). The sending module is used for realizing the sending function of the security and trust verification device 400 of the virtual machine, and the receiving module is used for realizing the receiving function of the security and trust verification device 400 of the virtual machine.
Optionally, the secure trust verification apparatus 400 of the virtual machine may further include a storage module (not shown in fig. 4) storing a program or instructions. The processing module 402502, when executing the program or instructions, enables the security trust verification apparatus 400 of the virtual machine to perform the functions of the AMF in the method shown in fig. 3 in the above method.
In addition, the technical effects of the security trust verification apparatus 400 of the virtual machine may refer to the technical effects of the method shown in fig. 3, and will not be described herein.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device may be a network device, such as an AUSF, for example, or may be a chip (system) or other part or component that may be provided on the network device. As shown in fig. 5, the electronic device 500 may include a processor 501. Optionally, the electronic device 500 may also include memory 502 and/or a transceiver 503. Wherein the processor 501 is coupled to the memory 502 and the transceiver 503, such as may be connected by a communication bus.
The following describes the various constituent elements of the electronic device 500 in detail with reference to fig. 5:
the processor 501 is a control center of the electronic device 500, and may be one processor or a collective term of a plurality of processing elements. For example, processor 501 is one or more central processing units (central processing unit, CPU), but may also be an integrated circuit (application specific integrated circuit, ASIC), or one or more integrated circuits configured to implement embodiments of the present application, such as: one or more microprocessors (digital signal processor, DSPs), or one or more field programmable gate arrays (field programmable gate array, FPGAs).
Alternatively, the processor 501 may perform various functions of the electronic device 500, such as performing the secure trust verification method of the virtual machine shown in fig. 4 described above, by running or executing a software program stored in the memory 502 and invoking data stored in the memory 502.
In a particular implementation, processor 501 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 5, as an embodiment.
In a particular implementation, as one embodiment, the electronic device 500 may also include multiple processors. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The memory 502 is configured to store a software program for executing the solution of the present application, and the processor 501 controls the execution of the software program, and the specific implementation may refer to the above method embodiment, which is not described herein again.
Alternatively, memory 502 may be, but is not limited to, read-only memory (ROM) or other type of static storage device that may store static information and instructions, random access memory (random access memory, RAM) or other type of dynamic storage device that may store information and instructions, but may also be electrically erasable programmable read-only memory (electrically erasable programmable read-only memory, EEPROM), compact disc read-only memory (compact disc read-only memory) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 502 may be integrated with the processor 501 or may exist separately and be coupled to the processor 501 through an interface circuit (not shown in fig. 5) of the electronic device 500, which is not specifically limited by the embodiment of the present application.
A transceiver 503 for communication with other electronic devices. For example, the electronic device 500 is a terminal and the transceiver 503 may be used to communicate with a network device or with another terminal device. As another example, the electronic device 500 is a network device and the transceiver 503 may be used to communicate with a terminal or with another network device.
Alternatively, the transceiver 503 may include a receiver and a transmitter (not separately shown in fig. 5). The receiver is used for realizing the receiving function, and the transmitter is used for realizing the transmitting function.
Alternatively, transceiver 503 may be integrated with processor 501 or may exist separately and be coupled to processor 501 via interface circuitry (not shown in fig. 5) of electronic device 500, as embodiments of the application are not specifically limited in this regard.
It will be appreciated that the configuration of the electronic device 500 shown in fig. 5 is not limiting of the electronic device, and that an actual electronic device may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
In addition, the technical effects of the electronic device 500 may refer to the technical effects of the method described in the above method embodiments, which are not described herein.
It should be appreciated that the processor in embodiments of the application may be a central processing unit (central processing unit, CPU), which may also be other general purpose processors, digital signal processors (digital signal processor, DSP), application specific integrated circuits (application specific integrated circuit, ASIC), off-the-shelf programmable gate arrays (field programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It should also be appreciated that the memory in embodiments of the present application may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable EPROM (EEPROM), or a flash memory. The volatile memory may be random access memory (random access memory, RAM) which acts as an external cache. By way of example but not limitation, many forms of random access memory (random access memory, RAM) are available, such as Static RAM (SRAM), dynamic Random Access Memory (DRAM), synchronous Dynamic Random Access Memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced Synchronous Dynamic Random Access Memory (ESDRAM), synchronous Link DRAM (SLDRAM), and direct memory bus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware (e.g., circuitry), firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more sets of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" is merely an association relationship describing the associated object, and means that three relationships may exist, for example, a and/or B may mean: there are three cases, a alone, a and B together, and B alone, wherein a, B may be singular or plural. In addition, the character "/" herein generally indicates that the associated object is an "or" relationship, but may also indicate an "and/or" relationship, and may be understood by referring to the context.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (4)
1. A method for verifying security and trust of a virtual machine, applied to an AUSF, the method comprising:
when a VM of a UE is to establish NAS secure connection with a core network, the AUSF receives a UE authentication request message from an SEAF, wherein the UE authentication request message is used for requesting to perform trusted verification on the VM, and the UE authentication request message carries an EAP-AKA' authentication response of the VM;
the UE sends the information of the VM to the SEAF through the N1 message, and triggers the SEAF to initiate an EAP-AKA' flow for authenticating the VM; the SEAF sends the information of the VM to the UDM to generate information required by authenticating the VM; the SEAF requests the UE to authenticate the network through the authentication request message, and the UE sends an authentication response message to the SEAF under the condition that the authentication network passes, so as to request the network to authenticate the VM; the SEAF encapsulates the information in the authentication response message into a UE authentication request message and sends the UE authentication request message to the AUSF;
The AUSF performs trusted verification on the EAP-AKA' authentication response of the VM;
if the trusted verification of the VM passes, the AUSF sends a UE authentication response message to the SEAF, wherein the UE authentication response message is used for indicating that the VM is allowed to establish NAS secure connection with the core network;
the EAP-AKA' authentication response is obtained by deducting the RAND, the NAS key of the UE, the hardware information of the deployment environment of the VM and the software information of the VM as input parameters by the UE;
the RAND is a parameter that the core network previously transmits to the UE; the NAS key of the UE is a key required by the UE to establish NAS secure connection with network elements except an AMF in the core network; the hardware information of the deployment environment of the VM is one of the following indications in the hardware information of the UE: firmware information of a memory, firmware information of a main board or processed firmware information;
the AUSF performs trusted verification on the EAP-AKA' authentication response of the VM, including: the AUSF compares the EAP-AKA 'authentication response of the VM with the EAP-AKA' expected authentication response of the VM, wherein if the EAP-AKA 'authentication response of the VM is consistent with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM passes, otherwise, if the EAP-AKA 'authentication response of the VM is not identical with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM fails;
When the VM is to establish NAS secure connection with the core network, the AUSF sends a UE authentication acquisition request message to a UDM, wherein the UE authentication acquisition request message carries an identifier of the UE and an identifier of the VM corresponding to the identifier of the UE, and is used for requesting to generate an expected authentication response of EAP-AKA' for the VM deployed on the UE; the AUSF receives a UE authentication acquisition response message from the UDM, wherein the UE authentication acquisition response message carries an EAP-AKA 'expected authentication response of the VM, and the EAP-AKA' expected authentication response of the VM is deduced by using the RAND, the NAS key of the UE, hardware information of a deployment environment of the VM and software information of the VM as input parameters;
if the VM is to establish NAS security connection with the core network, that is, the VM is to establish NAS security connection with a first network element in the core network, the NAS key of the UE is a first NAS key, the first network element is a network element except for the AMF in the core network, and the first NAS key is a key required for the UE to establish NAS security connection with the first network element; or if the VM is to establish NAS security connection with the core network, that is, the VM is to establish NAS security connection with a first network element and a second network element in the core network respectively, the NAS key of the UE is a first NAS key and a second NAS key of the UE, where the first network element and the second network element are different and are network elements except for the AMF in the core network, the first NAS key is a key required for the UE to establish NAS security connection with the first network element, and the second NAS key is a key required for the UE to establish NAS security connection with the second network element; the NAS key of the UE is derived based on the AS key of the UE.
2. The method according to claim 1, wherein the NAS key of the UE is derived by the core network based on an intermediate key, the intermediate key being a key derived by the gNB where the UE resides from the NCC latest by the UE, the AS key of the UE, and NAS messages sent by the UE to the core network AS input parameters.
3. The method according to any of claims 1-2, wherein in case the VM is allowed to establish a NAS secure connection with the core network, the VM and the core network can deduce the NAS key of the VM based on the NAS key of the UE, the NAS key of the VM can be used for the VM to establish a NAS secure connection with the core network.
4. A security trust verification apparatus for a virtual machine, the apparatus comprising:
the receiving and transmitting module is used for receiving a UE authentication request message from SEAF when a VM of the UE is to establish NAS secure connection with a core network, wherein the UE authentication request message is used for requesting to perform trusted verification on the VM, and the UE authentication request message carries an EAP-AKA' authentication response of the VM;
the UE sends the information of the VM to the SEAF through the N1 message, and triggers the SEAF to initiate an EAP-AKA' flow for authenticating the VM; the SEAF sends the information of the VM to the UDM to generate information required by authenticating the VM; the SEAF requests the UE to authenticate the network through the authentication request message, and the UE sends an authentication response message to the SEAF under the condition that the authentication network passes, so as to request the network to authenticate the VM; the SEAF encapsulates the information in the authentication response message into a UE authentication request message and sends the UE authentication request message to the AUSF;
When a VM is to establish NAS secure connection with a core network, an AUSF sends a UE authentication acquisition request message to a UDM, wherein the UE authentication acquisition request message carries an identification of the UE and an identification of the VM corresponding to the identification of the UE and is used for requesting to generate an expected authentication response of EAP-AKA' for the VM deployed on the UE; the AUSF receives a UE authentication acquisition response message from the UDM, wherein the UE authentication acquisition response message carries an EAP-AKA 'expected authentication response of the VM, and the EAP-AKA' expected authentication response of the VM is deduced by taking RAND, NAS keys of the UE, hardware information of a deployment environment of the VM and software information of the VM as input parameters;
the RAND is a parameter that the core network previously transmits to the UE; the NAS key of the UE is a key required by the UE to establish NAS secure connection with network elements except an AMF in the core network; the hardware information of the deployment environment of the VM is one of the following indications in the hardware information of the UE: firmware information of a memory, firmware information of a main board or processed firmware information;
the transceiver module is further configured to send, if the trusted verification of the VM passes, a UE authentication response message to the SEAF by the AUSF, where the UE authentication response message is used to indicate that the VM is allowed to establish NAS secure connection with the core network;
Under the condition that the VM is allowed to establish NAS secure connection with the core network, the VM and the core network can deduce the NAS key of the VM based on the NAS key of the UE, and the NAS key is used for the VM to establish NAS secure connection with the core network;
the processing module is used for performing trusted verification on the EAP-AKA' authentication response of the VM by the AUSF;
the AUSF compares the EAP-AKA 'authentication response of the VM with the EAP-AKA' expected authentication response of the VM, if the EAP-AKA 'authentication response of the VM is consistent with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM passes, otherwise, if the EAP-AKA 'authentication response of the VM is not identical with the EAP-AKA' expected authentication response of the VM, the trusted authentication of the VM fails.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310781692.7A CN116528234B (en) | 2023-06-29 | 2023-06-29 | Virtual machine security and credibility verification method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310781692.7A CN116528234B (en) | 2023-06-29 | 2023-06-29 | Virtual machine security and credibility verification method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116528234A CN116528234A (en) | 2023-08-01 |
| CN116528234B true CN116528234B (en) | 2023-09-19 |
Family
ID=87390525
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310781692.7A Active CN116528234B (en) | 2023-06-29 | 2023-06-29 | Virtual machine security and credibility verification method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116528234B (en) |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110121196A (en) * | 2018-02-05 | 2019-08-13 | 电信科学技术研究院有限公司 | A kind of security identifier management method and device |
| CN110291803A (en) * | 2017-05-09 | 2019-09-27 | 英特尔Ip公司 | Privacy protection and extensible authentication protocol authentication and authorization in cellular networks |
| CN110431867A (en) * | 2017-03-18 | 2019-11-08 | 华为技术有限公司 | A kind of networking authentication method based on non-3 GPP network, relevant device and system |
| WO2020094475A1 (en) * | 2018-11-05 | 2020-05-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Authentication and key agreement for a terminal device |
| CN111669276A (en) * | 2019-03-07 | 2020-09-15 | 华为技术有限公司 | Network verification method, device and system |
| CN112087753A (en) * | 2019-06-14 | 2020-12-15 | 华为技术有限公司 | Authentication method, device and system |
| CN112788598A (en) * | 2019-11-01 | 2021-05-11 | 华为技术有限公司 | Method and device for protecting parameters in authentication process |
| CN113615124A (en) * | 2019-03-29 | 2021-11-05 | 瑞典爱立信有限公司 | Methods and apparatus related to authentication of wireless devices |
| CN114025352A (en) * | 2020-07-17 | 2022-02-08 | 华为技术有限公司 | Authentication method and device for terminal equipment |
| WO2022037998A1 (en) * | 2020-08-17 | 2022-02-24 | Telefonaktiebolaget Lm Ericsson (Publ) | Security establishment for non‐public networks |
| WO2022071779A1 (en) * | 2020-09-30 | 2022-04-07 | Samsung Electronics Co., Ltd. | Method, ue, and network entity for handling synchronization of security key in wireless network |
| WO2022253899A1 (en) * | 2021-06-04 | 2022-12-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Serving network authentication of a communication device |
| CN116235462A (en) * | 2020-09-30 | 2023-06-06 | 中兴通讯股份有限公司 | Method for protecting encrypted user identity from replay attacks |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020099148A1 (en) * | 2018-11-12 | 2020-05-22 | Telefonaktiebolaget Lm Ericsson (Publ) | Authentication of a communications device |
-
2023
- 2023-06-29 CN CN202310781692.7A patent/CN116528234B/en active Active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110431867A (en) * | 2017-03-18 | 2019-11-08 | 华为技术有限公司 | A kind of networking authentication method based on non-3 GPP network, relevant device and system |
| CN110291803A (en) * | 2017-05-09 | 2019-09-27 | 英特尔Ip公司 | Privacy protection and extensible authentication protocol authentication and authorization in cellular networks |
| CN110121196A (en) * | 2018-02-05 | 2019-08-13 | 电信科学技术研究院有限公司 | A kind of security identifier management method and device |
| WO2020094475A1 (en) * | 2018-11-05 | 2020-05-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Authentication and key agreement for a terminal device |
| CN111669276A (en) * | 2019-03-07 | 2020-09-15 | 华为技术有限公司 | Network verification method, device and system |
| CN113615124A (en) * | 2019-03-29 | 2021-11-05 | 瑞典爱立信有限公司 | Methods and apparatus related to authentication of wireless devices |
| CN112087753A (en) * | 2019-06-14 | 2020-12-15 | 华为技术有限公司 | Authentication method, device and system |
| CN112788598A (en) * | 2019-11-01 | 2021-05-11 | 华为技术有限公司 | Method and device for protecting parameters in authentication process |
| CN114025352A (en) * | 2020-07-17 | 2022-02-08 | 华为技术有限公司 | Authentication method and device for terminal equipment |
| WO2022037998A1 (en) * | 2020-08-17 | 2022-02-24 | Telefonaktiebolaget Lm Ericsson (Publ) | Security establishment for non‐public networks |
| WO2022071779A1 (en) * | 2020-09-30 | 2022-04-07 | Samsung Electronics Co., Ltd. | Method, ue, and network entity for handling synchronization of security key in wireless network |
| CN116235462A (en) * | 2020-09-30 | 2023-06-06 | 中兴通讯股份有限公司 | Method for protecting encrypted user identity from replay attacks |
| WO2022253899A1 (en) * | 2021-06-04 | 2022-12-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Serving network authentication of a communication device |
Non-Patent Citations (6)
| Title |
|---|
| "5G_Americas_5G_Security_White_Paper_Final".3GPP pcg\pcg_42.2019,全文. * |
| 3GPP Organizational Partners.3rd Generation Partnership Project * |
| 5G移动通信系统的安全研究;毕晓宇;;信息安全研究(第01期);全文 * |
| ngKSI in EAP-Request/AKA-Challenge;Intel Corporation;3GPP TSG CT WG1 Meeting #111bis C1-184350;全文 * |
| Study on the security aspects of the next generation system (Release 14).3GPP TR 33.899 V1.3.0.2017,全文. * |
| Technical Specification Group Services and System Aspects * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116528234A (en) | 2023-08-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR102147446B1 (en) | Systems, methods, and apparatus for authentication during fast initial link setup | |
| CN116723507B (en) | Terminal security method and device for edge network | |
| CN113132334B (en) | Authorization result determination method and device | |
| CN113055879B (en) | User identification access method and communication device | |
| US20210045050A1 (en) | Communications method and apparatus | |
| WO2023011630A1 (en) | Authorization verification method and apparatus | |
| CN113709736A (en) | Network authentication method, device and system | |
| CN114584969B (en) | Information processing method and device based on associated encryption | |
| US20240305983A1 (en) | Communication method and apparatus | |
| CN116528234B (en) | Virtual machine security and credibility verification method and device | |
| CN117320002A (en) | Communication method and device | |
| CN116561810B (en) | Storage management big data processing method and device based on hybrid cloud platform | |
| CN114640988B (en) | Information processing method and device based on implicit indication encryption | |
| CN117295138B (en) | Control method and device for hydraulic equipment cluster | |
| CN117221884B (en) | Base station system information management method and system | |
| CN117062173B (en) | Secure communication method and device under edge network | |
| CN115320428B (en) | Charging control method and device for electric automobile charging pile | |
| US20240284174A1 (en) | Communication method, apparatus, and system | |
| CN117202287B (en) | Order distribution management method and device based on big data analysis | |
| CN116996985A (en) | Communication method and device based on edge network | |
| CN116980218A (en) | Building equipment life cycle control SaaS system and method | |
| CN118317302A (en) | Authentication method and communication device | |
| CN118200930A (en) | Data security transmission method for cloud computing | |
| CN118102330A (en) | Control method and system for VOC waste gas pollution treatment equipment | |
| CN117336167A (en) | Network distribution method and system for Internet of things equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |