CN114760048A - Method, equipment and system for establishing data secure connection between VNFM and VNF - Google Patents


Info

Publication number: CN114760048A
Authority: CN (China)
Prior art keywords: vnf, vnfm, key, ciphertext, content
Legal status: Pending
Application number: CN202011576431.4A
Other languages: Chinese (zh)
Inventor: 潘娟
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN202011576431.4A (published as CN114760048A)
Priority to PCT/CN2021/121787 (published as WO2022142555A1)
Publication of CN114760048A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822: Key transport or distribution using a key encryption key
    • H04L 9/088: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key or password length, or different strong and weak cryptographic algorithms
    • H04L 9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46: Interconnection of networks
    • H04L 12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: Network architectures or network communication protocols for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Network architectures or network communication protocols for providing a confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/06: Network architectures or network communication protocols for supporting key management in a packet data network
    • H04L 63/061: Network architectures or network communication protocols for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method, equipment and a system for establishing a data secure connection between a VNFM and a VNF, and relates to the technical field of virtualized resource orchestration and operation. The method comprises the following steps: when the VNF is deployed, sending first encryption configuration information to the VNF, wherein indication information in the first encryption configuration information is used for indicating whether the VNFM supports the encryption function; receiving second encryption configuration information sent by the VNF, wherein the second encryption configuration information is used for indicating whether the VNF supports the encryption function; if it is determined that both the VNFM and the VNF support the encryption function, the password is sent to the VNF in ciphertext form; if it is determined that at least one of the VNFM and the VNF does not support the encryption function, the password is sent to the VNF in plaintext. The invention realizes a smooth transition from no encryption to encryption between the VNFM and the VNF, so that the system has better compatibility.

Description

Method, equipment and system for establishing data security connection between VNFM and VNF
Technical Field
The invention relates to the technical field of virtualized resource orchestration and operation, in particular to a method, equipment and a system for establishing a data security connection between a VNFM and a VNF.
Background
The NFV (Network Function Virtualization) architecture aims to replace proprietary, dedicated and closed network elements in a communication network with an open architecture of a unified general-purpose hardware platform plus service logic software. The NFV architecture includes NFVI (Network Function Virtualization Infrastructure), MANO (Management and Orchestration), and a plurality of VNFs (Virtualized Network Functions). The NFVI provides the operating environment of the VNFs, including the required hardware and software resources; the VNFM (VNF Manager) in MANO controls the VNF lifecycle (instantiation, configuration, shutdown, etc.).
A data security connection needs to be established between the VNFM and the VNF, and a password must be transmitted when it is established. In the past, security requirements were not high and the VNFM could send the generated password to the VNF in plaintext. In recent years, as security requirements have increased, the VNFM is required to transmit the generated password to the VNF in ciphertext form. To meet this requirement, a secret key may be configured when the VNFM and all VNFs are upgraded at the same time; the upgraded VNFM then encrypts the password with the key configured during the upgrade and sends the resulting ciphertext to the VNF, and the VNF decrypts the ciphertext with the key configured during the upgrade to obtain the password.
Because the secret key becomes available only after the VNFM and all VNFs have been upgraded, the VNFM and all VNFs must be upgraded at the same time. Upgrading everything at once can leave the system unable to work normally for a short period, which affects the normal operation of the service; moreover, upgrading the VNFM and all VNFs together places high demands on operation and maintenance and is difficult to implement.
Disclosure of Invention
The invention provides a method, equipment and a system for establishing a data security connection between a VNFM (VNF Manager) and a VNF (Virtualized Network Function). Its technical purpose is to realize a smooth transition from a VNFM and VNF that do not support the encryption function to a VNFM and VNF that do, so that the system has better compatibility, and to solve the problems of a key remaining unchanged for a long time and of key loss.
The technical purpose of the invention is realized by the following technical scheme:
a method for a VNFM to establish a data security connection with a VNF, applied to the VNFM, the method comprising the following steps:
when a VNF is deployed, sending first encryption configuration information to the VNF, wherein the first encryption configuration information carries indication information, and the indication information is used for indicating whether the VNFM supports an encryption function;
receiving second encryption configuration information sent by the VNF, wherein the second encryption configuration information is used for indicating whether the VNF supports encryption functions or not;
if the VNFM and the VNF are determined to both support the encryption function, sending a password to the VNF in a ciphertext mode;
if it is determined that at least one of the VNFM and the VNF does not support cryptographic functions, a password is sent to the VNF in clear text.
Optionally, the sending the password to the VNF in ciphertext form includes:
when the first encryption configuration information further comprises a first key, acquiring the first key from the first encryption configuration information; or when the configuration file of the VNFM comprises a first key, acquiring the first key from the configuration file of the VNFM;
encrypting the password by adopting the first secret key to obtain a first ciphertext;
sending the first ciphertext to the VNF.
Optionally, after the receiving of the second encryption configuration information sent by the VNF, the method further includes:
storing the second encryption configuration information;
when a password needs to be transmitted, whether the VNFM and the VNF both support encryption functions is determined according to the first encryption configuration information and the stored second encryption configuration information.
Optionally, after the sending the password to the VNF in ciphertext form, the method further comprises:
receiving a key exchange request sent by the VNF, wherein the key exchange request carries a first key exchange number;
generating a second key exchange number according to the key exchange request, and sending the second key exchange number to the VNF, where the second key exchange number is used for the VNF to generate a second key, and the second key is used for updating the first key;
and generating the second key according to the first key exchange number.
Optionally, after the generating the second key according to the first key exchange number, the method further includes:
encrypting first content by using the second key to obtain a second ciphertext, wherein the first content is a password in request content in a first life cycle operation request, or the first content is the password and other information in the request content;
and carrying the second ciphertext in the first life cycle operation request and sending the second ciphertext to the VNF, wherein the second ciphertext is decrypted by the VNF by adopting the second key to obtain the first content.
Optionally, after the generating the second key according to the first key exchange number, the method further includes:
receiving a second lifecycle operation request sent by the VNF;
encrypting second content by using the second key to obtain a third ciphertext, wherein the second content is a password in response content in a response message, or the second content is the password and other information in the response content, and the response message is used for responding to the second lifecycle operation request;
and carrying the third ciphertext in the response message and sending the third ciphertext to the VNF, wherein the third ciphertext is decrypted by the VNF by using the second key to obtain the second content.
Optionally, after the generating the second key according to the first key exchange number, the method further includes:
receiving a third life cycle operation request sent by the VNF, where the third life cycle operation request carries a fourth ciphertext, where the fourth ciphertext is obtained by encrypting, by the VNF, a third content with the second key, where the third content is a password in request content in the third life cycle operation request, or the third content is a password and other information in the request content;
and decrypting the fourth ciphertext by using the second key to obtain the third content.
Optionally, before the receiving the key exchange request sent by the VNF, the method further includes: sending a notification message of deployment completion to the VNF, wherein the VNF is used for sending the key exchange request under the trigger of the notification message; or sending a fourth lifecycle operation request to the VNF, where the VNF is configured to send the key exchange request under a trigger of the fourth lifecycle operation request; alternatively, the key exchange request is sent after a predetermined lifecycle operation occurs in the VNF.
A method of a VNFM establishing a data security connection with a VNF, for use in the VNF, the method comprising:
when the VNF is deployed, receiving first encryption configuration information sent by a VNFM, wherein the first encryption configuration information carries indication information, and the indication information is used for indicating whether the VNFM supports an encryption function;
sending second encryption configuration information to the VNFM, wherein the second encryption configuration information is used for indicating whether the VNF supports encryption functions;
receiving a password sent by the VNFM in ciphertext form, wherein the password is sent by the VNFM in ciphertext form when the VNFM determines that both the VNFM and the VNF support the encryption function; or,
receiving a password sent by the VNFM in plaintext, the password being sent by the VNFM in plaintext when the VNFM determines that at least one of the VNFM and the VNF does not support cryptographic functionality.
Optionally, after the receiving the first encryption configuration information sent by the VNFM, the method further includes: storing the first encryption configuration information;
after the receiving the password sent by the VNFM in ciphertext, the method further comprises: determining whether the VNFM and the VNF both support the encryption function according to the second encryption configuration information and the stored first encryption configuration information;
if it is determined that both the VNFM and the VNF support the encryption function, acquiring a first key from the first encryption configuration information when the first encryption configuration information further includes the first key; or, when the configuration file of the VNF includes the first key, obtaining the first key from the configuration file of the VNF;
and decrypting the first ciphertext transmitted in a ciphertext form by using the first key to obtain the password.
Optionally, after the receiving the password sent by the VNFM in ciphertext, the method further includes:
sending a key exchange request to the VNFM, wherein the key exchange request carries a first key exchange number, the first key exchange number is used for the VNFM to generate a second key, and the second key is used for updating the first key;
receiving a second key exchange number sent by the VNFM, wherein the second key exchange number is generated by the VNFM according to the key exchange request;
and generating the second key according to the second key exchange number.
Optionally, after the generating the second key according to the second key exchange number, the method further includes:
receiving a first life cycle operation request sent by the VNFM, wherein the first life cycle operation request carries a second ciphertext, the second ciphertext is obtained by encrypting first content by the VNFM through a second key, and the first content is a password in request content in the first life cycle operation request, or the first content is a password and other information in the request content;
and decrypting the second ciphertext by using the second key to obtain the first content.
Optionally, after the generating the second key according to the second key exchange number, the method further includes:
sending a second lifecycle operation request to the VNFM;
receiving a response message sent by the VNFM, where the response message is used to respond to the second lifecycle operation request, and the response message carries a third ciphertext, where the third ciphertext is obtained by encrypting, by the VNFM, a second content with the second key, and the second content is a password in response content in the response message, or the second content is a password and other information in the response content;
and decrypting the third ciphertext by using the second key to obtain the second content.
Optionally, after the generating the second key according to the second key exchange number, the method further includes:
encrypting third content by using the second key to obtain a fourth ciphertext, wherein the third content is a password in request content in a third life cycle operation request, or the third content is the password and other information in the request content;
and carrying the fourth ciphertext in the third life cycle operation request and sending the fourth ciphertext to the VNFM, wherein the fourth ciphertext is decrypted by the VNFM by using the generated second key to obtain the third content.
Optionally, before the sending the key exchange request to the VNFM, the method further comprises:
receiving a notification message of deployment completion sent by the VNFM, and executing the step of sending a key exchange request to the VNFM under the trigger of the notification message; or,
receiving a fourth lifecycle operation request sent by the VNFM, and executing the step of sending a key exchange request to the VNFM under the trigger of the fourth lifecycle operation request; or,
executing the step of sending a key exchange request to the VNFM under the trigger of a predetermined lifecycle operation occurring in the VNF.
A VNFM, comprising:
a first sending unit, configured to send, when a VNF is deployed, first encryption configuration information to the VNF, where the first encryption configuration information carries indication information, and the indication information is used to indicate whether the VNFM supports an encryption function;
a first receiving unit, configured to receive second encryption configuration information sent by the VNF, where the second encryption configuration information is used to indicate whether the VNF supports an encryption function;
the first sending unit is further configured to send a password to the VNF in a ciphertext form if it is determined that both the VNFM and the VNF support an encryption function;
the first sending unit is further configured to send a password to the VNF in a plaintext form if it is determined that at least one of the VNFM and the VNF does not support an encryption function.
A VNF, comprising:
a second receiving unit, configured to receive first encryption configuration information sent by a VNFM when the VNF is deployed, where the first encryption configuration information carries indication information, and the indication information is used to indicate whether the VNFM supports an encryption function;
a second sending unit, configured to send second encryption configuration information to the VNFM, where the second encryption configuration information is used to indicate whether the VNF supports an encryption function;
the second receiving unit is further configured to receive a password sent by the VNFM in ciphertext form, where the password is sent in ciphertext form when the VNFM determines that both the VNFM and the VNF support the encryption function; or,
the second receiving unit is further configured to receive a password sent by the VNFM in a plaintext form, where the password is sent by the VNFM in the plaintext form when the VNFM determines that at least one of the VNFM and the VNF does not support an encryption function.
A system comprising a VNFM and a VNF;
the VNFM is the VNFM described above;
the VNF is a VNF as described above.
The invention has the beneficial effects that: in a process of deploying a VNF, sending first encryption configuration information to the VNF by the VNFM, wherein the first encryption configuration information carries indication information used for indicating whether the VNFM supports an encryption function, sending second encryption configuration information to the VNFM by the VNF, wherein the second encryption configuration information is used for indicating whether the VNF supports the encryption function, and sending a password to the VNF in a ciphertext form when the VNFM and the VNF both support the encryption function according to the first encryption configuration information and the second encryption configuration information; when it is determined that at least one of the VNFM and the VNF does not support the cryptographic function according to the first cryptographic configuration information and the second cryptographic configuration information, the password is transmitted to the VNF in a plaintext form. Therefore, the system may include a device supporting the encryption function (i.e., a device after upgrade) or a device not supporting the encryption function (i.e., a device before upgrade), and all devices in the system are not required to be upgraded at the same time, so that a smooth transition from the device not supporting the encryption function to the device supporting the encryption function can be realized, and the system has better compatibility.
The first key can be configured in the first encryption configuration information or in the configuration file, so that the acquisition mode of the first key is expanded.
After the VNF initiates the key exchange request, the VNF and the VNFM can generate the same second key after negotiation, and then update the first key by using the second key, so that the purpose of updating the key can be achieved, and the problem that the secure data connection is affected due to the fact that the key is unchanged for a long time or the key is lost can be solved.
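The key update negotiated through the key exchange request (the VNF contributes the first key exchange number, the VNFM answers with the second, and each side derives the same second key and replaces the first key with it) can be modelled as follows. This is an added example, not code from the patent or from ZTE; the patent does not fix how the second key is computed, so the derivation (HMAC-SHA256 keyed with the first key over both numbers), the 32-byte numbers, the `Peer` class and the key-confirmation tags are all assumptions made here. Binding the first key into the derivation means a party that never held the first key cannot compute the second, and the confirmation step ensures the first key is replaced only once both sides have proven they derived the same value.

```python
import hashlib
import hmac
import secrets

LABEL = b"vnfm-vnf key update"   # constructed domain-separation label (assumption)


def derive_second_key(first_key: bytes, first_number: bytes, second_number: bytes) -> bytes:
    # Assumed derivation: HMAC-SHA256 keyed with the first key over both key
    # exchange numbers in a fixed order (VNF's number first, then the VNFM's),
    # so both peers compute the same value and a party that never held the
    # first key cannot reproduce it.
    return hmac.new(first_key, LABEL + first_number + second_number, hashlib.sha256).digest()


def confirmation_tag(second_key: bytes, role: bytes) -> bytes:
    # Added key-confirmation step: proves the sender derived the same second key.
    return hmac.new(second_key, b"key-confirm/" + role, hashlib.sha256).digest()


class Peer:
    """Either endpoint; the VNF calls the request methods, the VNFM the handler."""

    def __init__(self, role: bytes, first_key: bytes):
        self.role = role
        self.key = first_key        # key in use (the first key until the update succeeds)
        self.candidate = None       # second key, pending confirmation
        self.my_number = None

    def key_exchange_request(self) -> bytes:                              # VNF side
        self.my_number = secrets.token_bytes(32)                          # first key exchange number
        return self.my_number

    def handle_key_exchange_request(self, first_number: bytes) -> bytes:  # VNFM side
        self.my_number = secrets.token_bytes(32)                          # second key exchange number
        self.candidate = derive_second_key(self.key, first_number, self.my_number)
        return self.my_number

    def receive_second_number(self, second_number: bytes) -> None:        # VNF side
        self.candidate = derive_second_key(self.key, self.my_number, second_number)

    def send_confirmation(self) -> bytes:
        return confirmation_tag(self.candidate, self.role)

    def verify_confirmation(self, tag: bytes, peer_role: bytes) -> bool:
        ok = hmac.compare_digest(tag, confirmation_tag(self.candidate, peer_role))
        if ok:
            self.key = self.candidate   # the second key now replaces the first key
        self.candidate = None
        return ok


def run_key_update(first_key: bytes, tamper: bool = False) -> dict:
    """One negotiation; `tamper` flips a bit of the second number in transit (constructed failure case)."""
    vnf, vnfm = Peer(b"vnf", first_key), Peer(b"vnfm", first_key)
    first_number = vnf.key_exchange_request()
    second_number = vnfm.handle_key_exchange_request(first_number)
    if tamper:
        second_number = bytes([second_number[0] ^ 0x01]) + second_number[1:]
    vnf.receive_second_number(second_number)
    tag_from_vnfm, tag_from_vnf = vnfm.send_confirmation(), vnf.send_confirmation()
    vnf_ok = vnf.verify_confirmation(tag_from_vnfm, b"vnfm")
    vnfm_ok = vnfm.verify_confirmation(tag_from_vnf, b"vnf")
    return {"vnf_confirmed": vnf_ok, "vnfm_confirmed": vnfm_ok,
            "keys_match": vnf.key == vnfm.key, "key_changed": vnf.key != first_key}
```

In the tampered run both confirmations fail and neither side discards its first key, so a corrupted or replayed exchange number cannot desynchronise the two peers.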
Drawings
Fig. 1 is a flowchart of a method for establishing a data secure connection between a VNFM and a VNF according to an embodiment of the present invention;
Fig. 2 is a flowchart of negotiating a key update between a VNFM and a VNF according to a second embodiment of the present invention;
Fig. 3 is a flowchart of the VNFM carrying a ciphertext in a lifecycle operation request and sending it to the VNF according to a third embodiment of the present invention;
Fig. 4 is a flowchart of the VNFM carrying a ciphertext in a response message and sending it to the VNF according to the third embodiment of the present invention;
Fig. 5 is a flowchart of the VNF carrying a ciphertext in a lifecycle operation request and sending it to the VNFM according to the third embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a VNFM provided by a fourth embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a VNF according to a fifth embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a system according to a sixth embodiment of the present invention.
Detailed Description
The technical solution of the present invention will be described in detail below with reference to the accompanying drawings. In the description of the present application, it is to be understood that the terms "first", "second", "third" and "fourth" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any number of technical features indicated, but merely as differentiating between different components.
Example one
As shown in fig. 1, the present embodiment provides a method for establishing a data security connection between a VNFM and a VNF, where the method may be applied to a system including the VNFM and the VNF, and the method includes the following steps:
step S101, when the VNF is deployed, the VNFM sends first encryption configuration information to the VNF, where the first encryption configuration information carries indication information, and the indication information is used to indicate whether the VNFM supports an encryption function.
The VNFM may create a VNF first and then deploy the VNF. When the VNF is deployed, the VNFM may determine whether the VNFM supports the encryption function according to its configuration, and if the VNFM supports the encryption function, generate indication information indicating that the VNFM supports the encryption function, and send the indication information to the VNF by being carried in the first encryption configuration information; if the VNFM does not support the encryption function, indication information used for indicating that the VNFM does not support the encryption function is generated and carried in the first encryption configuration information to be sent to the VNF.
In this embodiment, a key used for encrypting the password for the first time when the VNF is deployed is referred to as a first key, and the first key is usually configured in advance. In a first implementation manner, only the first key is configured in the VNFM, and then the VNFM needs to add the first key to the first encryption configuration information and send the first key to the VNF, where the first encryption configuration information at least includes the indication information and the first key. In a second implementation manner, the first key may be configured in a configuration file of the VNFM and a configuration file of the VNF, and then, the VNFM does not need to add the first key to the first encryption configuration information and send the first key to the VNF, where the first encryption configuration information at least includes the indication information.
In step S102, the VNF receives first encryption configuration information sent by the VNFM.
And the VNF receives first encryption configuration information sent by the VNFM and stores the first encryption configuration information. Optionally, the VNF may store the first encryption configuration information in a database.
In step S103, the VNF sends second encryption configuration information to the VNFM, where the second encryption configuration information is used to indicate whether the VNF supports the encryption function.
The VNF may determine whether the VNF supports the encryption function according to its own configuration, and if the VNF supports the encryption function, generate second encryption configuration information indicating that the VNF supports the encryption function, and send the second encryption configuration information to the VNFM; and if the VNF does not support the encryption function, generating second encryption configuration information for indicating that the VNF does not support the encryption function, and sending the second encryption configuration information to the VNFM.
Step S104, the VNFM receives the second encryption configuration information sent by the VNF.
And the VNFM receives second encryption configuration information sent by the VNF and stores the second encryption configuration information. Optionally, the VNFM may store the second encryption configuration information in a database.
The VNFM may continue to deploy the VNF, and when it is determined that the password needs to be sent to the VNF, the VNFM may determine whether both the VNFM and the VNF support the cryptographic function according to the first cryptographic configuration information and the stored second cryptographic configuration information; when both the VNFM and the VNF support the encryption function, step S105 is performed; step S107 is performed when the VNFM does not support the cryptographic function and the VNF supports the cryptographic function, or when the VNF does not support the cryptographic function and the VNFM supports the cryptographic function, or when neither the VNFM nor the VNF supports the cryptographic function.
In step S105, if it is determined that both the VNFM and the VNF support the encryption function, the VNFM sends the password to the VNF in a ciphertext form, and step S106 is executed.
Specifically, when the first encryption configuration information further includes a first key, the VNFM acquires the first key from the first encryption configuration information; or, when the configuration file of the VNFM includes the first key, the VNFM acquires the first key from its configuration file. The VNFM then encrypts the password with the first key to obtain a first ciphertext and sends the first ciphertext to the VNF. Many encryption algorithms can be used to encrypt the password with the first key, and this embodiment does not limit the specific algorithm.
Step S106, the VNF receives the password sent by the VNFM in the form of the ciphertext, and the process ends.
Since the VNF does not know whether the VNFM sends the password in ciphertext or in plaintext, the VNF may first determine, according to the stored first encryption configuration information and second encryption configuration information, whether both the VNFM and the VNF support the encryption function. In the current scenario both support it, so the VNF determines that the first ciphertext has been received and must be decrypted to obtain the password. Specifically, when the first encryption configuration information further includes a first key, the VNF acquires the first key from the first encryption configuration information; or, when the configuration file of the VNF includes the first key, the VNF acquires the first key from its configuration file. The VNF then decrypts the first ciphertext with the first key to obtain the password. The decryption algorithm used here corresponds to the encryption algorithm in step S105.
Step S107, if it is determined that at least one of the VNFM and the VNF does not support the encryption function, the VNFM sends the password to the VNF in a plaintext form, and step S108 is performed.
The VNFM may send the password directly to the VNF.
In step S108, the VNF receives the password sent by the VNFM in plaintext.
Since the VNF does not know whether the VNFM sends the password in ciphertext or in plaintext, the VNF may first determine, according to the stored first encryption configuration information and second encryption configuration information, whether both the VNFM and the VNF support the encryption function. In the current scenario, the VNFM does not support the encryption function and the VNF does, or the VNF does not support the encryption function and the VNFM does, or neither of them supports it; the VNF therefore determines that the password has been received in plaintext.
Here, step S101, step S104, step S105, and step S107 may be implemented separately as an embodiment on the VNFM side, and step S102, step S103, step S106, and step S108 may be implemented separately as an embodiment on the VNF side.
To sum up, in the method for establishing a data secure connection between a VNFM and a VNF according to the embodiments of the present invention, while deploying the VNF the VNFM sends first encryption configuration information to the VNF, which carries indication information indicating whether the VNFM supports an encryption function, and the VNF sends second encryption configuration information to the VNFM, which indicates whether the VNF supports the encryption function. When it is determined from the first and second encryption configuration information that both the VNFM and the VNF support the encryption function, the password is sent to the VNF in ciphertext; when it is determined that at least one of them does not support the encryption function, the password is sent to the VNF in plaintext. The system may therefore contain devices that support the encryption function (upgraded devices) alongside devices that do not (devices not yet upgraded), and not all devices in the system need to be upgraded at the same time, so that a smooth transition from devices not supporting the encryption function to devices supporting it can be achieved and the system has better compatibility.
Example two
After the first key is obtained, the VNFM and the VNF may negotiate a second key and replace the first key with it. This achieves key updating and addresses the risk to the data secure connection that arises when a key stays unchanged for a long time or is lost. As shown in fig. 2, the method may include:
Step S201, the VNF sends a key exchange request to the VNFM, where the key exchange request carries a first key exchange number.
The first key exchange number is generated by the VNF according to a predetermined algorithm. Optionally, the predetermined algorithm may be a Diffie-Hellman algorithm.
In this embodiment, the VNF may send the key exchange request to the VNFM in the following three cases, which are explained below.
1) After the VNF deployment is completed, the VNF sends a key exchange request to the VNFM.
After the VNF is deployed, the VNFM sends a notification message of completion of deployment to the VNF, and the VNF receives the notification message of completion of deployment sent by the VNFM and sends a key exchange request to the VNFM under the trigger of the notification message. Optionally, the notification message may be a post-instantiation extension request.
2) After receiving the lifecycle operation request sent by the VNFM, the VNF sends a key exchange request to the VNFM.
The lifecycle operation request is an operation request for controlling a lifecycle of the VNF, and may be sent to the VNF by the VNFM, for example, a lifecycle operation request for adding a virtual machine in the VNF, a lifecycle operation request for modifying a capacity of the VNF, and the like; it may also be sent by the VNF to the VNFM, for example, a lifecycle operation request requesting self-healing, a lifecycle operation request for system restart, etc.
In this embodiment, the VNF may be configured to send the key exchange request after receiving any lifecycle operation request, to send it only after receiving certain specific lifecycle operation requests, or not to send it after receiving any lifecycle operation request. To distinguish it from the lifecycle operation requests that appear hereinafter, the lifecycle operation request that triggers the VNF to send the key exchange request is referred to as a fourth lifecycle operation request in this embodiment.
In the current scenario, the VNFM sends a fourth lifecycle operation request to the VNF, and the VNF receives the fourth lifecycle operation request sent by the VNFM, and sends a key exchange request to the VNFM under the trigger of the fourth lifecycle operation request.
3) After a predetermined lifecycle operation occurs in the VNF, the VNF sends a key exchange request to the VNFM.
After a predetermined lifecycle operation occurs in the VNF, a key exchange request is sent to the VNFM triggered by the predetermined lifecycle operation. The predetermined lifecycle operation may be preset, for example, the predetermined lifecycle operation is set to be a system restart, and after the system restart, the VNF sends a key exchange request to the VNFM.
It should be noted that, after the system is restarted, the VNF further needs to send a lifecycle operation request for system restart to the VNFM, and in this embodiment, the sending order of the lifecycle operation request and the key exchange request is not limited.
Step S202, the VNFM receives a key exchange request sent by the VNF, where the key exchange request carries a first key exchange number.
In step S203, the VNFM generates a second key exchange number according to the key exchange request, and sends the second key exchange number to the VNF.
The VNFM may generate a second key exchange number according to a predetermined algorithm after receiving the key exchange request. Alternatively, the predetermined algorithm may be a Diffie-Hellman algorithm.
In step S204, the VNFM generates a second key according to the first key exchange number.
The VNFM may input the first key exchange number into a predetermined algorithm to obtain the second key. Alternatively, the predetermined algorithm may be a Diffie-Hellman algorithm.
The VNFM stores the generated second key in the database in encrypted form.
In step S205, the VNF receives the second key exchange number sent by the VNFM.
In this embodiment, the execution sequence of step S204 and step S205 is not limited.
In step S206, the VNF generates a second key according to the second key exchange number.
The VNF may input the second key exchange number into a predetermined algorithm to obtain the second key. Alternatively, the predetermined algorithm may be a Diffie-Hellman algorithm.
The VNF stores the generated second key in the database in an encrypted manner.
It should be noted that the predetermined algorithm produces the same output (the second key) on both sides even though the inputs differ: the VNFM inputs the first key exchange number and the VNF inputs the second key exchange number.
Step S202, step S203 and step S204 may be implemented separately as an embodiment on the VNFM side, and step S201, step S205 and step S206 may be implemented separately as an embodiment on the VNF side.
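The key negotiation of steps S201 to S206, as an added example that is not part of the patent, using finite-field Diffie-Hellman (the option the patent names) over the 1024-bit MODP group of RFC 2409 (group 2). The HKDF-style SHA-256 derivation of the second key from the shared secret, the `Party` class, the `run_key_exchange` helper and the range check on the received key exchange number are assumptions, since the patent fixes neither the group nor the derivation step.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (group 2): 1024-bit MODP safe prime, generator 2.
# Used here for illustration; a 2048-bit or larger group is advisable today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_LEN = 32


def validate_exchange_number(y: int) -> None:
    """Reject 0, 1 and p-1 (and anything out of range): with those values the
    peer could force a predictable shared secret regardless of our exponent.
    This check is an assumption; the patent does not describe it."""
    if not 1 < y < P - 1:
        raise ValueError("invalid key exchange number")


def derive_second_key(shared_secret: int) -> bytes:
    """HKDF-style derivation (RFC 5869 extract + one expand block) of the
    32-byte second key from the raw DH output. Assumed, not the patent's."""
    ikm = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"vnfm-vnf-key-update", ikm, hashlib.sha256).digest()   # salt, IKM
    return hmac.new(prk, b"second key" + b"\x01", hashlib.sha256).digest()  # info || 0x01


class Party:
    """One endpoint of the exchange (the VNF or the VNFM). The private exponent
    never leaves the object; only g^x mod p is put on the wire."""

    def __init__(self, name: str):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2   # 2 <= x <= p-2
        self.second_key = None

    def key_exchange_number(self) -> int:
        """The 'key exchange number' carried in the request (VNF, S201) or in
        the reply (VNFM, S203)."""
        return pow(G, self._priv, P)

    def generate_second_key(self, peer_number: int) -> bytes:
        """S204 (VNFM, input = first number) / S206 (VNF, input = second number):
        the same routine, fed different inputs, yields the same second key."""
        validate_exchange_number(peer_number)
        shared = pow(peer_number, self._priv, P)
        self.second_key = derive_second_key(shared)
        return self.second_key


def run_key_exchange() -> tuple:
    """Steps S201-S206 end to end; returns (vnf_key, vnfm_key)."""
    vnf, vnfm = Party("VNF"), Party("VNFM")
    first_number = vnf.key_exchange_number()           # S201/S202: request carries it
    second_number = vnfm.key_exchange_number()         # S203: VNFM answers with its own
    vnfm_key = vnfm.generate_second_key(first_number)  # S204
    vnf_key = vnf.generate_second_key(second_number)   # S205/S206
    return vnf_key, vnfm_key


if __name__ == "__main__":
    a, b = run_key_exchange()
    print("second keys match:", a == b, a.hex())
```

Each run draws fresh exponents, so repeating the exchange yields a different second key, which is what makes it usable for the key update the text describes.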
Example three
After generating the second key, the VNFM and VNF may perform ciphertext transmission using the second key, and three transmission scenarios are described below.
1) As shown in fig. 3, the VNFM sends the ciphertext to the VNF with the lifecycle operation request.
In step S301, the VNFM encrypts first content with the second key to obtain a second ciphertext, where the first content is the password in the request content of a first lifecycle operation request, or the first content is the password and other information in the request content.
When the VNFM determines that the first lifecycle operation request needs to be sent to the VNF, the VNFM reads the second key from the database, acquires the first content from the request content of the first lifecycle operation request, and encrypts the first content with the second key to obtain the second ciphertext.
When the request content includes the password and other information, the VNFM may determine only the password as the first content, in which case it encrypts only the password and leaves the other information in the request content unencrypted; alternatively, the VNFM may determine both the password and the other information as the first content, in which case it encrypts both. When the request content includes only the password and no other information, the VNFM determines the password as the first content and encrypts the password in the request content.
Step S302, the VNFM sends the second ciphertext to the VNF by carrying the second ciphertext in the first lifecycle operation request.
In step S303, the VNF receives the first lifecycle operation request sent by the VNFM, where the first lifecycle operation request carries the second ciphertext.
In step S304, the VNF decrypts the second ciphertext using the second key to obtain the first content.
The VNF may read the second ciphertext from the first lifecycle operation request, read the second key from the database, and decrypt the second ciphertext with the second key to obtain the first content. The decryption algorithm used here corresponds to the encryption algorithm in step S301.
Step S301 and step S302 may be implemented separately as an embodiment on the VNFM side, and step S303 and step S304 may be implemented separately as an embodiment on the VNF side.
2) As shown in fig. 4, the VNFM carries the ciphertext in a response message, and sends the response message to the VNF, where the response message is used to respond to the lifecycle operation request sent by the VNF.
In step S401, the VNF sends a second lifecycle operation request to the VNFM.
In step S402, the VNFM receives a second lifecycle operation request sent by the VNF.
Step S403, the VNFM encrypts the second content by using the second key to obtain a third ciphertext, where the second content is a password in the response content in the response message, or the second content is a password and other information in the response content, and the response message is used to respond to the second lifecycle operation request.
After receiving the second lifecycle operation request, the VNFM needs to send a response message to the VNF, and at this time, the VNFM reads the second key from the database, acquires the second content in the response message, and encrypts the second content with the second key to obtain a third ciphertext.
When the response content includes the password and other information, the VNFM may determine only the password as the second content, and at this time, the VNFM encrypts only the password in the response content, but not encrypts other information in the response content; alternatively, the VNFM may determine both the password and other information as the second content, in which case the VNFM encrypts both the password and other information in the response content. When the response content includes only the password and does not include other information, the VNFM may determine the password as the second content, at which point the VNFM encrypts the password in the response content.
Step S404, the VNFM sends the third ciphertext to the VNF in a response message.
Step S405, the VNF receives a response message sent by the VNFM, where the response message carries a third ciphertext.
In step S406, the VNF decrypts the third ciphertext with the second key, so as to obtain the second content.
The VNF may read the third ciphertext from the response message, read the second key from the database, and decrypt the third ciphertext with the second key to obtain the second content. The decryption algorithm for decrypting the third ciphertext by using the second key corresponds to the encryption algorithm in step S403.
Step S402, step S403 and step S404 may be implemented separately as an embodiment on the VNFM side, and step S401, step S405 and step S406 may be implemented separately as an embodiment on the VNF side.
3) As shown in fig. 5, the VNF sends the ciphertext to the VNFM with the lifecycle operation request.
In step S501, the VNF encrypts third content with the second key to obtain a fourth ciphertext, where the third content is the password in the request content of a third lifecycle operation request, or the third content is the password and other information in the request content.
When the VNF determines that the third lifecycle operation request needs to be sent to the VNFM, the VNF reads the second key from the database, acquires the third content from the request content of the third lifecycle operation request, and encrypts the third content with the second key to obtain the fourth ciphertext.
When the request content includes the password and other information, the VNF may determine only the password as the third content, in which case it encrypts only the password and leaves the other information in the request content unencrypted; alternatively, the VNF may determine both the password and the other information as the third content, in which case it encrypts both. When the request content includes only the password and no other information, the VNF determines the password as the third content and encrypts the password in the request content.
Step S502, the VNF sends the fourth ciphertext to the VNFM by carrying it in the third lifecycle operation request.
In step S503, the VNFM receives the third lifecycle operation request sent by the VNF, where the third lifecycle operation request carries the fourth ciphertext.
In step S504, the VNFM decrypts the fourth ciphertext with the second key to obtain the third content.
The VNFM may read the fourth ciphertext from the third lifecycle operation request, read the second key from the database, and decrypt the fourth ciphertext with the second key to obtain the third content. The decryption algorithm used here corresponds to the encryption algorithm in step S501.
Step S503 and step S504 may be implemented separately as an embodiment on the VNFM side, and step S501 and step S502 may be implemented separately as an embodiment on the VNF side.
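Examples one and three worked through together, as an added illustration that is not part of the patent: the capability negotiation of steps S101 to S108 (ciphertext under the first key only when both sides advertise the encryption function, otherwise plaintext) and the field-level protection of a lifecycle operation request under the second key in steps S301 to S304. The patent fixes no algorithm, so the cipher is a stand-in built from HMAC-SHA256; the dict-based messages, the `supports_encryption`, `first_key` and `encrypted_fields` field names, and all key bytes are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh random nonce; output is nonce || ct || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting anything."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- Example one (S101-S108): capability negotiation and the password --------

def both_support_encryption(first_cfg: dict, second_cfg: dict) -> bool:
    """Ciphertext is used only when the VNFM (first_cfg) *and* the VNF
    (second_cfg) advertise the encryption function; every other combination
    falls back to plaintext (S107). Field names are assumed."""
    return bool(first_cfg.get("supports_encryption")) and \
        bool(second_cfg.get("supports_encryption"))


def vnfm_send_password(first_cfg: dict, second_cfg: dict, password: bytes) -> bytes:
    """VNFM side, S105/S107: the wire field carries either the first ciphertext
    or the bare password; nothing in the field itself says which (cf. S106/S108).
    The first key is taken from the first config info here; the patent also
    allows reading it from the VNFM's configuration file."""
    if both_support_encryption(first_cfg, second_cfg):
        return encrypt(first_cfg["first_key"], password)   # S105
    return password                                        # S107: compatibility fallback


def vnf_receive_password(first_cfg: dict, second_cfg: dict, field: bytes) -> bytes:
    """VNF side, S106/S108: the form is inferred from the *stored* config infos.
    When they say ciphertext, a plaintext value fails the tag check rather than
    being silently accepted as the password."""
    if both_support_encryption(first_cfg, second_cfg):
        return decrypt(first_cfg["first_key"], field)
    return field


# --- Example three (S301-S304): only selected fields of a request are sealed --

def seal_request(second_key: bytes, request: dict, fields=("password",)) -> dict:
    """S301/S302: the 'first content' is the password alone (default) or the
    password plus other named fields; everything else stays readable."""
    sealed = dict(request)
    for name in fields:
        sealed[name] = encrypt(second_key, request[name])
    sealed["encrypted_fields"] = list(fields)   # assumed marker, not in the patent
    return sealed


def open_request(second_key: bytes, sealed: dict) -> dict:
    """S303/S304: the receiver decrypts exactly the fields marked as sealed."""
    request = dict(sealed)
    for name in request.pop("encrypted_fields"):
        request[name] = decrypt(second_key, sealed[name])
    return request
```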
Example four
As shown in fig. 6, the present embodiment provides a VNFM, which may include:
a first sending unit 601, configured to send first encryption configuration information to a VNF when the VNF is deployed, where the first encryption configuration information carries indication information, and the indication information is used to indicate whether a VNFM supports an encryption function;
a first receiving unit 602, configured to receive second encryption configuration information sent by the VNF, where the second encryption configuration information is used to indicate whether the VNF supports an encryption function;
the first sending unit 601 is further configured to send the password to the VNF in a ciphertext form if it is determined that both the VNFM and the VNF support the encryption function;
the first sending unit 601 is further configured to send the password to the VNF in plaintext if it is determined that at least one of the VNFM and the VNF does not support the encryption function.
Optionally, the VNFM may further include:
a first processing unit 603, configured to, when the first encryption configuration information further includes a first key, obtain the first key from the first encryption configuration information; or when the configuration file of the VNFM comprises the first key, acquiring the first key from the configuration file of the VNFM;
the first processing unit 603 is further configured to encrypt the password with the first key to obtain a first ciphertext;
the first sending unit 601 is further configured to send the first ciphertext to the VNF.
Optionally, the first processing unit 603 is further configured to:
after the first receiving unit 602 receives the second encryption configuration information sent by the VNF, the second encryption configuration information is stored;
when the password needs to be transmitted, whether the VNFM and the VNF both support the encryption function is determined according to the first encryption configuration information and the stored second encryption configuration information.
Optionally, the first receiving unit 602 is further configured to receive a key exchange request sent by the VNF after the first sending unit 601 sends the password to the VNF in a ciphertext manner, where the key exchange request carries a first key exchange number;
the first processing unit 603 is further configured to generate a second key exchange number according to the key exchange request;
the first sending unit 601 is further configured to send the second key exchange number to the VNF, where the second key exchange number is used by the VNF to generate a second key, and the second key is used to update the first key;
the first processing unit 603 is further configured to generate a second key according to the first key exchange number.
Optionally, the first processing unit 603 is further configured to, after generating the second key according to the first key exchange number, encrypt first content with the second key to obtain a second ciphertext, where the first content is a password in the request content of a first lifecycle operation request, or the first content is a password and other information in the request content;
the first sending unit 601 is further configured to send the second ciphertext to the VNF by carrying it in the first lifecycle operation request, where the second ciphertext is decrypted by the VNF using the second key to obtain the first content.
Optionally, the first receiving unit 602 is further configured to receive a second lifecycle operation request sent by the VNF after the first processing unit 603 generates the second key according to the first key exchange number;
the first processing unit 603 is further configured to encrypt the second content with the second key to obtain a third ciphertext, where the second content is a password in response content in the response message, or the second content is a password and other information in the response content, and the response message is used to respond to the second lifecycle operation request;
the first sending unit 601 is further configured to send a third ciphertext to the VNF in a response message, where the third ciphertext is decrypted by the VNF using the second key to obtain a second content.
Optionally, the first receiving unit 602 is further configured to receive, after the first processing unit 603 generates the second key according to the first key exchange number, a third lifecycle operation request sent by the VNF, where the third lifecycle operation request carries a fourth ciphertext obtained by the VNF encrypting third content with the second key, where the third content is a password in the request content of the third lifecycle operation request, or the third content is a password and other information in the request content;
the first processing unit 603 is further configured to decrypt the fourth ciphertext with the second key to obtain the third content.
Optionally, the first sending unit 601 is further configured to, before the first receiving unit 602 receives the key exchange request sent by the VNF, send a notification message of completion of deployment to the VNF, where the VNF is configured to send the key exchange request under the trigger of the notification message; or to send a fourth lifecycle operation request to the VNF, where the VNF is configured to send the key exchange request under the trigger of the fourth lifecycle operation request; or, alternatively,
the key exchange request is sent by the VNF after a predetermined lifecycle operation has occurred in the VNF.
Example five
As shown in fig. 7, the present embodiment provides a VNF, which may include:
a second receiving unit 701, configured to receive, when a VNF is deployed, first encryption configuration information sent by a VNFM, where the first encryption configuration information carries indication information, and the indication information is used to indicate whether the VNFM supports an encryption function;
a second sending unit 702, configured to send second encryption configuration information to the VNFM, where the second encryption configuration information is used to indicate whether the VNF supports an encryption function;
the second receiving unit 701 is further configured to receive a password sent by the VNFM in ciphertext form, where the password is sent in ciphertext form when the VNFM determines that both the VNFM and the VNF support the encryption function; or, alternatively,
the second receiving unit 701 is further configured to receive a password sent by the VNFM in plaintext, where the password is sent in plaintext when the VNFM determines that at least one of the VNFM and the VNF does not support the encryption function.
Optionally, the VNF may further include:
a second processing unit 703, configured to store the first encryption configuration information sent by the VNFM after the second receiving unit 701 receives the first encryption configuration information;
a second processing unit 703, further configured to, after the second receiving unit 701 receives the password transmitted by the VNFM in a ciphertext form, determine whether both the VNFM and the VNF support the encryption function according to the second encryption configuration information and the stored first encryption configuration information; if the VNFM and the VNF are determined to support the encryption function, acquiring a first key from the first encryption configuration information when the first encryption configuration information further comprises the first key; or when the configuration file of the VNF comprises the first key, acquiring the first key from the configuration file of the VNF; and decrypting the first ciphertext transmitted in the form of the ciphertext by using the first key to obtain the password.
Optionally, the second sending unit 702 is further configured to send, after the second receiving unit 701 receives the password sent by the VNFM in a ciphertext form, a key exchange request to the VNFM, where the key exchange request carries a first key exchange number, the first key exchange number is used for the VNFM to generate a second key, and the second key is used for updating the first key;
the second receiving unit 701 is further configured to receive a second key exchange number sent by the VNFM, where the second key exchange number is generated by the VNFM according to the key exchange request;
the second processing unit 703 is further configured to generate a second key according to the second key exchange number.
Optionally, the second receiving unit 701 is further configured to receive, after the second processing unit 703 generates the second key according to the second key exchange number, a first lifecycle operation request sent by the VNFM, where the first lifecycle operation request carries a second ciphertext obtained by the VNFM encrypting first content with the second key, where the first content is a password in the request content of the first lifecycle operation request, or the first content is a password and other information in the request content;
the second processing unit 703 is further configured to decrypt the second ciphertext with the second key to obtain the first content.
Optionally, the second sending unit 702 is further configured to send a second lifecycle operation request to the VNFM after the second processing unit 703 generates a second key according to the second key exchange number;
the second receiving unit 701 is further configured to receive a response message sent by the VNFM, where the response message is used to respond to the second lifecycle operation request, and the response message carries a third ciphertext, where the third ciphertext is obtained by encrypting, by the VNFM, a second content with a second key, where the second content is a password in response content in the response message, or the second content is a password and other information in the response content;
the second processing unit 703 is further configured to decrypt the third ciphertext with the second key to obtain the second content.
Optionally, the second processing unit 703 is further configured to, after generating the second key according to the second key exchange number, encrypt third content with the second key to obtain a fourth ciphertext, where the third content is a password in the request content of a third lifecycle operation request, or the third content is a password and other information in the request content;
the second sending unit 702 is further configured to send the fourth ciphertext to the VNFM by carrying it in the third lifecycle operation request, where the fourth ciphertext is decrypted by the VNFM using the generated second key to obtain the third content.
Optionally, before sending the key exchange request to the VNFM, the second receiving unit 701 is further configured to receive a notification message that deployment is completed and sent by the VNFM, and the second sending unit 702 is further configured to execute the step of sending the key exchange request to the VNFM under the trigger of the notification message; or, the second receiving unit 701 is further configured to receive a fourth lifecycle operation request sent by the VNFM, and the second sending unit 702 is further configured to execute the step of sending the key exchange request to the VNFM under the trigger of the fourth lifecycle operation request; alternatively, the second sending unit 702 is further configured to perform the step of sending the key exchange request to the VNFM under the trigger of the predetermined lifecycle operation after the predetermined lifecycle operation occurs in the VNF.
Example six
As shown in fig. 8, the present embodiment provides a system, which includes a VNFM 801 and a VNF 802, where the VNFM 801 may be the VNFM shown in fig. 6, and the VNF 802 may be the VNF shown in fig. 7.
One of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings, and are not to be construed as limiting the scope of the invention. Any modifications, equivalents and improvements which may occur to those skilled in the art without departing from the scope and spirit of the present invention are intended to be within the scope of the claims.

Claims (18)

1. A method for a VNFM to establish a data security connection with a VNF, wherein the method is used in the VNFM, and comprises the following steps:
when a VNF is deployed, sending first encryption configuration information to the VNF, wherein the first encryption configuration information carries indication information, and the indication information is used for indicating whether the VNFM supports an encryption function;
receiving second encryption configuration information sent by the VNF, wherein the second encryption configuration information is used for indicating whether the VNF supports encryption functions;
if it is determined that the VNFM and the VNF both support the encryption function, sending a password to the VNF in a ciphertext form;
if it is determined that at least one of the VNFM and the VNF does not support the encryption function, sending the password to the VNF in a plaintext form.
2. The method of claim 1, wherein sending the password to the VNF in ciphertext form comprises:
when the first encryption configuration information further comprises a first key, acquiring the first key from the first encryption configuration information; or when the configuration file of the VNFM comprises a first key, acquiring the first key from the configuration file of the VNFM;
encrypting the password by using the first key to obtain a first ciphertext;
sending the first ciphertext to the VNF.
3. The method of claim 1, wherein after the receiving the second encryption configuration information sent by the VNF, the method further comprises:
storing the second encryption configuration information;
when a password needs to be transmitted, whether the VNFM and the VNF both support encryption functions is determined according to the first encryption configuration information and the stored second encryption configuration information.
4. The method of any of claims 1 to 3, wherein after the sending of the password to the VNF in ciphertext form, the method further comprises:
receiving a key exchange request sent by the VNF, wherein the key exchange request carries a first key exchange number;
generating a second key exchange number according to the key exchange request, and sending the second key exchange number to the VNF, where the second key exchange number is used for the VNF to generate a second key, and the second key is used for updating the first key;
and generating the second key according to the first key exchange number.
5. The method of claim 4, wherein after the generating the second key based on the first key exchange number, the method further comprises:
encrypting first content by using the second key to obtain a second ciphertext, wherein the first content is a password in request content in a first life cycle operation request, or the first content is the password and other information in the request content;
and carrying the second ciphertext in the first life cycle operation request and sending the second ciphertext to the VNF, wherein the second ciphertext is decrypted by the VNF by adopting the second key to obtain the first content.
6. The method of claim 4, wherein after the generating the second key according to the first key exchange number, the method further comprises:
receiving a second lifecycle operation request sent by the VNF;
encrypting second content by using the second key to obtain a third ciphertext, wherein the second content is a password in response content in a response message, or the second content is the password and other information in the response content, and the response message is used for responding to the second life cycle operation request;
and carrying the third ciphertext in the response message and sending the third ciphertext to the VNF, wherein the third ciphertext is decrypted by the VNF by using the second key to obtain the second content.
7. The method of claim 4, wherein after the generating the second key according to the first key exchange number, the method further comprises:
receiving a third life cycle operation request sent by the VNF, where the third life cycle operation request carries a fourth ciphertext, where the fourth ciphertext is obtained by encrypting, by the VNF, a third content with the second key, where the third content is a password in request content in the third life cycle operation request, or the third content is a password and other information in the request content;
and decrypting the fourth ciphertext by using the second key to obtain the third content.
8. The method of claim 4,
wherein before the receiving the key exchange request sent by the VNF, the method further comprises: sending a notification message of deployment completion to the VNF, wherein the VNF is configured to send the key exchange request under the trigger of the notification message; or sending a fourth lifecycle operation request to the VNF, wherein the VNF is configured to send the key exchange request under the trigger of the fourth lifecycle operation request; or,
the key exchange request is sent after a predetermined lifecycle operation has occurred in the VNF.
9. A method for a VNFM to establish a data security connection with a VNF, wherein the method is used in the VNF and comprises the following steps:
when the VNF is deployed, receiving first encryption configuration information sent by a VNFM, wherein the first encryption configuration information carries indication information, and the indication information is used for indicating whether the VNFM supports an encryption function;
sending second encryption configuration information to the VNFM, wherein the second encryption configuration information is used for indicating whether the VNF supports encryption functions;
receiving a password sent by the VNFM in a ciphertext form, wherein the password is sent by the VNFM in the ciphertext form when the VNFM determines that the VNFM and the VNF both support the encryption function; or,
receiving a password sent by the VNFM in a plaintext form, wherein the password is sent by the VNFM in the plaintext form when the VNFM determines that at least one of the VNFM and the VNF does not support the encryption function.
10. The method of claim 9,
after the receiving the first encryption configuration information sent by the VNFM, the method further includes: storing the first encryption configuration information;
after the receiving the password sent by the VNFM in ciphertext, the method further comprises: determining whether the VNFM and the VNF both support a cryptographic function according to the second cryptographic configuration information and the stored first cryptographic configuration information;
if it is determined that both the VNFM and the VNF support the encryption function, acquiring a first key from the first encryption configuration information when the first encryption configuration information further includes the first key; or, when the configuration file of the VNF includes the first key, obtaining the first key from the configuration file of the VNF;
and decrypting the first ciphertext transmitted in a ciphertext form by using the first key to obtain the password.
11. The method of claim 9 or 10, wherein after the receiving the password that the VNFM sent in ciphertext, the method further comprises:
sending a key exchange request to the VNFM, wherein the key exchange request carries a first key exchange number, the first key exchange number is used for the VNFM to generate a second key, and the second key is used for updating the first key;
receiving a second key exchange number sent by the VNFM, wherein the second key exchange number is generated by the VNFM according to the key exchange request;
and generating the second key according to the second key exchange number.
12. The method of claim 11, wherein after the generating the second key according to the second key exchange number, the method further comprises:
receiving a first life cycle operation request sent by the VNFM, wherein the first life cycle operation request carries a second ciphertext, the second ciphertext is obtained by encrypting first content by the VNFM through a second key, and the first content is a password in request content in the first life cycle operation request, or the first content is a password and other information in the request content;
and decrypting the second ciphertext by using the second key to obtain the first content.
13. The method of claim 11, wherein after the generating the second key according to the second key exchange number, the method further comprises:
sending a second lifecycle operation request to the VNFM;
receiving a response message sent by the VNFM, wherein the response message is used for responding to the second lifecycle operation request and carries a third ciphertext, the third ciphertext is obtained by encrypting a second content by the VNFM through a second key, and the second content is a password in response content in the response message, or the second content is a password and other information in the response content;
and decrypting the third ciphertext by using the second key to obtain the second content.
14. The method of claim 11, wherein after the generating the second key according to the second key exchange number, the method further comprises:
encrypting third content by using the second key to obtain a fourth ciphertext, wherein the third content is a password in request content in a third life cycle operation request, or the third content is the password and other information in the request content;
and carrying the fourth ciphertext in the third life cycle operation request and sending the fourth ciphertext to the VNFM, wherein the fourth ciphertext is decrypted by the VNFM by using the generated second key to obtain the third content.
15. The method of claim 11, wherein prior to the sending a key exchange request to the VNFM, the method further comprises:
receiving a notification message sent by the VNFM that deployment is completed, and executing the step of sending a key exchange request to the VNFM under the trigger of the notification message; or,
receiving a fourth lifecycle operation request sent by the VNFM, and executing the step of sending a key exchange request to the VNFM under the trigger of the fourth lifecycle operation request; or,
the step of sending a key exchange request to the VNFM is performed triggered by a predetermined lifecycle operation occurring in the VNF.
16. A VNFM, comprising:
a first sending unit, configured to send, when a VNF is deployed, first encryption configuration information to the VNF, where the first encryption configuration information carries indication information, and the indication information is used to indicate whether the VNFM supports an encryption function;
a first receiving unit, configured to receive second encryption configuration information sent by the VNF, where the second encryption configuration information is used to indicate whether the VNF supports an encryption function;
the first sending unit is further configured to send a password to the VNF in a ciphertext form if it is determined that both the VNFM and the VNF support an encryption function;
the first sending unit is further configured to send a password to the VNF in a plaintext form if it is determined that at least one of the VNFM and the VNF does not support an encryption function.
17. A VNF, comprising:
a second receiving unit, configured to receive first encryption configuration information sent by a VNFM when the VNF is deployed, where the first encryption configuration information carries indication information, and the indication information is used to indicate whether the VNFM supports an encryption function;
a second sending unit, configured to send second encryption configuration information to the VNFM, where the second encryption configuration information is used to indicate whether the VNF supports an encryption function;
the second receiving unit is further configured to receive a password sent by the VNFM in a ciphertext form, where the password is sent in the ciphertext form when the VNFM determines that both the VNFM and the VNF support an encryption function; or,
the second receiving unit is further configured to receive a password sent by the VNFM in a plaintext form, where the password is sent by the VNFM in the plaintext form when the VNFM determines that at least one of the VNFM and the VNF does not support an encryption function.
18. A system, characterized in that the system comprises a VNFM and a VNF;
the VNFM is the VNFM of claim 16; and
the VNF is the VNF of claim 17.
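The claimed exchange, as an added Python model that is not code from the patent or from ZTE: the capability negotiation of claims 1 and 9, the ciphertext-or-plaintext decision for the password, the key exchange of claims 4 and 11 that yields the second key, and a lifecycle operation request of claims 5 and 12 whose password field is sealed under that key. It assumes an HMAC-SHA256 encrypt-then-MAC stand-in for whatever cipher an implementation would use and a nonce-mixing KDF for the second key (the claims fix neither; a Diffie-Hellman exchange would be the natural alternative), and it takes the first key from the first encryption configuration information rather than from a configuration file.

```python
import hashlib, hmac, secrets

NONCE, TAG = 16, 32  # nonce and HMAC-SHA256 tag sizes of the stand-in cipher (constructed)

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode, used as the PRF of the stand-in cipher
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag (assumed cipher; the claims fix none)."""
    nonce = secrets.token_bytes(NONCE)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def second_key(first_key, vnf_number, vnfm_number):
    """Assumed KDF: both key exchange numbers are mixed into the first key (no forward secrecy)."""
    return hmac.new(first_key, b"rekey" + vnf_number + vnfm_number, hashlib.sha256).digest()

class Vnfm:
    def __init__(self, supports_encryption, first_key):
        self.cfg1 = {"encryption_supported": supports_encryption, "first_key": first_key}
        self.cfg2 = self.key2 = None
    def deploy(self, vnf):                                 # claim 1: exchange configurations
        self.cfg2 = vnf.on_first_config(self.cfg1)         # claim 3: store the VNF's answer
    def password_message(self, password):                  # claims 1 and 2: choose the form
        if self.cfg1["encryption_supported"] and self.cfg2["encryption_supported"]:
            return "ciphertext", seal(self.cfg1["first_key"], password)
        return "plaintext", password                       # claimed fallback; a downgrade
    def on_key_exchange(self, n1):                         # claim 4: answer with n2, derive key 2
        n2 = secrets.token_bytes(32)
        self.key2 = second_key(self.cfg1["first_key"], n1, n2)
        return n2
    def lifecycle_request(self, operation, password):      # claim 5: only the password is sealed
        return {"operation": operation, "second_ciphertext": seal(self.key2, password)}

class Vnf:
    def __init__(self, supports_encryption):
        self.supports = supports_encryption
        self.cfg1 = self.key1 = self.key2 = self.n1 = None
    def on_first_config(self, cfg1):                       # claims 9 and 10: store, then answer
        self.cfg1 = cfg1
        return {"encryption_supported": self.supports}
    def on_password(self, form, payload):                  # claim 10: decrypt only if both support
        if form == "ciphertext" and self.supports and self.cfg1["encryption_supported"]:
            self.key1 = self.cfg1["first_key"]             # first key from the configuration info
            return unseal(self.key1, payload)
        return payload
    def key_exchange_request(self):                        # claim 11: first key exchange number
        self.n1 = secrets.token_bytes(32)
        return self.n1
    def on_key_exchange_reply(self, n2):
        self.key2 = second_key(self.key1, self.n1, n2)
    def on_lifecycle_request(self, request):               # claim 12
        return unseal(self.key2, request["second_ciphertext"])
```

The plaintext branch is the claimed fallback when either side lacks encryption support; an operator would want that branch logged, since it is a capability downgrade of a credential transfer.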
CN202011576431.4A 2020-12-28 2020-12-28 Method, equipment and system for establishing data secure connection between VNFM and VNF Pending CN114760048A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011576431.4A CN114760048A (en) 2020-12-28 2020-12-28 Method, equipment and system for establishing data secure connection between VNFM and VNF
PCT/CN2021/121787 WO2022142555A1 (en) 2020-12-28 2021-09-29 Method, device and system for establishing secure data connection between vnfm and vnf

Publications (1)

Publication Number Publication Date
CN114760048A true CN114760048A (en) 2022-07-15

Family

ID=82259047

Country Status (2)

Country Link
CN (1) CN114760048A (en)
WO (1) WO2022142555A1 (en)

Also Published As

Publication number Publication date
WO2022142555A1 (en) 2022-07-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination