WO2023187442A1 - Cloud native key management using physical network function - Google Patents


Info

Publication number
WO2023187442A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
pnf
software function
network
cloud network
Application number
PCT/IB2022/052909
Other languages
French (fr)
Inventor
James Donald Reno
Gunnar FORSSELL
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/10: Protocols in which an application is distributed across nodes in the network
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03: Protecting confidentiality, e.g. by encryption
    • H04W 12/033: Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic

Definitions

  • the present disclosure relates to systems and methods for managing keys to encrypt or decrypt data by a software function in a cloud network.
  • the keys may be provided by a Physical Network Function (PNF) in a non-cloud network, thus the key is not persistently stored in the software function in the cloud network.
  • a method performed by the software function in the cloud network comprises establishing a communication channel with a Physical Network Function (PNF) in a non-cloud network, receiving a key from the PNF.
  • the key is used to secure data associated with the PNF.
  • the method further comprises performing one or more actions related to securing data associated with the PNF using the key received from the PNF. In this way, highly proprietary or sensitive data is protected in the cloud from other entities using the cloud and from operators of the cloud.
  • the software function in the cloud network is (a) a Cloud Native Function (CNF), (b) a virtual machine, or (c) other virtualized software.
  • the PNF in the non-cloud network is (a) a hardware-based base station, (b) a Multi-Standard Radio Base Station (MSRBS), (c) a Radio Access Network (RAN) node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
  • the non-cloud network is a cellular network.
  • the key is not persistently stored by the software function in the cloud network.
  • the one or more actions using the key comprises (a) decrypting data received from the PNF, (b) decrypting stored data associated with the PNF, (c) encrypting data received from the PNF, (d) encrypting stored data associated with the PNF, or (e) transmitting the key or encrypted data to another software function.
  • the communication channel is a secured channel.
  • a method performed by a software function in a cloud network comprises establishing communication channels with a plurality of PNFs in a non-cloud network, receiving a part of a key, respectively, from each of the plurality of the PNFs, deriving a shared key at least based on some of the parts of the key.
  • the shared key is to be used to secure data associated with at least one of the plurality of the PNFs.
  • the method further comprises performing one or more actions related to securing data associated with the at least one of the plurality of the PNFs using the shared key.
  • the software function in the cloud network is (a) a CNF, (b) a virtual machine, or (c) other virtualized software.
  • the PNF in the non-cloud network is (a) a hardware-based base station, (b) a MSRBS, (c) a Radio Access Network (RAN) node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
  • the non-cloud network is a cellular network.
  • the shared key is not persistently stored by the software function in the cloud network.
  • the one or more actions using the shared key comprises (a) decrypting data received from the PNF, (b) decrypting stored data associated with the PNF, (c) encrypting data received from the PNF, (d) encrypting stored data associated with the PNF, or (e) transmitting the key or encrypted data to another software function.
  • the communication channels are secured channels.
  • a method performed by a PNF in a non-cloud network comprises establishing a communication channel with a software function in a cloud network, preparing a key for the software function.
  • the key is a key to be used by the software function to secure data associated with the physical network function in the non-cloud network.
  • the method further comprises transmitting the key to the software function.
  • the step of preparing the key for the software function comprises generating the key when a key for the software function is unavailable at the PNF.
  • the step of preparing the key for the software function comprises obtaining the key from a storage of the PNF.
  • the non-cloud network is a cellular network.
  • the software function in the cloud network is (a) a CNF, (b) a virtual machine, or (c) other virtualized software.
  • the PNF in the non-cloud network is (a) a hardware-based base station, (b) a MSRBS, (c) a RAN node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
  • a software function in the cloud network is adapted to establish a communication channel with a PNF in a non-cloud network, receive a key from the PNF.
  • the key is used to secure data associated with the PNF.
  • the software function is further adapted to perform one or more actions related to securing data associated with the PNF using the key received from the PNF.
  • the software function comprises processing circuitry configured to cause the software function to establish a communication channel with a PNF in a non-cloud network, receive a key from the PNF.
  • the key is used to secure data associated with the PNF.
  • the processing circuitry is further configured to cause the software function to perform one or more actions related to securing data associated with the PNF using the key received from the PNF.
  • a software function in a cloud network is adapted to establish communication channels with a plurality of PNFs in a non-cloud network, receive a part of a key, respectively, from each of the plurality of the PNFs, derive a shared key at least based on some of the parts of the key.
  • the shared key is to be used to secure data associated with at least one of the plurality of the PNFs.
  • the software function in the cloud network is further adapted to perform one or more actions related to securing data associated with the at least one of the plurality of the PNFs using the shared key.
  • a software function comprises processing circuitry configured to cause the software function to establish communication channels with a plurality of PNFs in a non-cloud network, receive a part of a key, respectively, from each of the plurality of the PNFs, derive a shared key at least based on some of the parts of the key.
  • the shared key is to be used to secure data associated with at least one of the plurality of the PNFs.
  • the processing circuitry is further configured to cause the software function to perform one or more actions related to securing data associated with the at least one of the plurality of the PNFs using the shared key.
  • a PNF in a non-cloud network is adapted to establish a communication channel with a software function in a cloud network, prepare a key for the software function.
  • the key is a key to be used by the software function to secure data associated with the physical network function in the non-cloud network.
  • the PNF is further adapted to transmit the key to the software function.
  • a PNF in a non-cloud network comprises processing circuitry configured to cause the PNF to establish a communication channel with a software function in a cloud network, prepare a key for the software function.
  • the key is a key to be used by the software function to secure data associated with the physical network function in the non-cloud network.
  • the processing circuitry is further configured to cause the PNF to transmit the key to the software function.
  • a method performed by a PNF in a non-cloud network comprises establishing a communication channel with a software function in a cloud network, receiving a data from the software function, preparing a key to be used for the data received from the software function, performing a cryptographic operation on the data with the key, and transmitting the cryptographically operated data to the software function.
  • a PNF in a non-cloud network is adapted to establish a communication channel with a software function in a cloud network, receive a data from the software function, prepare a key to be used for the data received from the software function, perform a cryptographic operation on the data with the key, and transmit the cryptographically operated data to the software function.
  • a PNF in a non-cloud network comprises processing circuitry configured to cause the PNF to establish a communication channel with a software function in a cloud network, receive a data from the software function, prepare a key to be used for the data received from the software function, perform a cryptographic operation on the data with the key, and transmit the cryptographically operated data to the software function.
  • FIG. 1 illustrates a system involving software functions (e.g., Cloud Network Functions (CNFs)) in a cloud network and Physical Network Functions (PNFs) (e.g., Multi-Standard (or Multi-System) Radio Base Stations (MSRBS)) in a non-cloud network in accordance with the present disclosure.
  • Figure 2 is a flow chart for a transmission of a key between the software function and the PNF.
  • Figure 3 is a flow chart for multiple transmissions of parts of a key among the software function and the PNF.
  • Figure 4 is a flow chart for a transmission of a cryptographically operated data between the software function and the PNF.
  • FIG. 5 is a schematic block diagram of the PNF according to some embodiments of the present disclosure.
  • Figure 6 is a schematic block diagram that illustrates the software function according to some embodiments of the present disclosure.
  • Figure 7 is a schematic block diagram of the PNF of Figure 5 according to some other embodiments of the present disclosure.
  • Detailed Description
  • Cloud Network: a cloud network is a network for the connectivity to and between all variations of on-premises, edge and cloud-based (e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)) services. That is, the cloud network is a type of infrastructure or network in which some or all of an organization's network capabilities and resources are hosted in a public or private cloud platform, managed in-house or by a service provider, and available on demand. Companies can either use on-premises cloud networking resources to build a private cloud network, use cloud-based networking resources in the public cloud, or use a hybrid cloud combination of both.
  • the "cloud” can include any processing of data remote from hardware components in a non-cloud network. Such processing could be located anywhere, including highly centralized public clouds such as Amazon Web Services (AWS) or Azure, or closer to the hardware components in the non-cloud network, such as in an edge cloud or on premise.
  • Software Function in a Cloud Network
  • A software function in a cloud network replaces specialized hardware operating in the cloud network. Examples of the software function include a Cloud Network Function (CNF), network routers, bridges, firewalls, or Virtual Private Network (VPN) gateway services.
  • the software function may be comprised in any core network nodes discussed above, e.g., a Mobility Management Entity (MME), a Packet Data Network Gateway (P-GW), a Service Capability Exposure Function (SCEF), a Home Subscriber Server (HSS), an Access & Mobility Management Function (AMF), a User Plane Function (UPF), a Session Management Function (SMF), an Authentication Server Function (AUSF), a Network Slice Selection Function (NSSF), a Network Exposure Function (NEF), a Network Repository Function (NRF), a Policy Control Function (PCF), a Unified Data Management (UDM), or the like.
  • Physical Network Function (PNF) in a Non-Cloud Network
  • A PNF in a non-cloud network refers to purpose-built hardware that provides specific networking functions.
  • Examples of the PNF are a hardware-based base station, a Multi-Standard Radio Base Station (MSRBS), a Radio Access Network (RAN) node, a router, a switch, a firewall, or other non-virtualized, physical hardware.
  • MSRBS may be an example of the PNF described above.
  • the MSRBS is a base station characterized by the ability of its receiver and transmitter to process two or more carriers in common active Radio Frequency (RF) components simultaneously in a declared RF bandwidth, where at least one carrier is of a different Radio Access Technology (RAT) than the other carrier(s).
  • the typical approach to protect cloud data is to encrypt the cloud data with keys. This approach changes the problem from one of protecting the data to one of protecting the keys used to encrypt the cloud data.
  • Common mechanisms for protecting the keys are Kubernetes secrets, key management systems (like Keycloak), and Hardware Security Modules (HSMs).
  • Hyperscale cloud providers like AWS provide services of these mechanisms.
  • When the software function (e.g., a CNF) in the cloud network and the PNF (e.g., an MSRBS) in the non-cloud network are connected to each other for the first time, the PNF generates an encryption key, optionally saves the encryption key in local flash storage, and gives the encryption key to the software function in the cloud network. Then, the software function uses that key to encrypt/decrypt all data stored in a storage connected to the software function. Optionally, the data stored in the storage comes from the PNF.
  • the key is never persistently stored in the cloud. If the software function in the cloud network crashes and restarts, the software function will retrieve the key when the software function connects to the PNF. Thus, only a software function with a connection to the PNF may access (e.g., receive) data for that PNF.
  • a (new) protocol between the software function and the PNF can take this key delivery into account. For existing functions, possibly even standardized ones, it may be possible to overload existing protocols to carry the key information.
  • key splitting/sharing techniques can be used to split the key across the parties, with the software function in the cloud network serving as an orchestrator. For example, a shared key may be split into 50 pieces for 50 PNFs, such that the shared key can be reconstituted from any 40 pieces.
  • the PNF is used as a key store.
  • the MSRBS is one example of the PNF. More generally, the key could be stored in any hardware device including other PNFs.
  • the present disclosure proposes solutions to use a hardware device, for example, the PNF, as a keystore for software functions.
  • the solutions of the present disclosure provide a number of advantages.
  • Second, IP that was previously protected by hardware boundaries can now be exposed more safely in cloud functions. That is, the IP can be exposed only to users who are properly authenticated for their legitimate identities.
  • No additional infrastructure, such as a key management system, is needed.
  • the system can be designed for zero touch operation, needing no management whatsoever.
  • Generation of keys in the hardware device (e.g., the PNF) can be entirely automatic and invisible. If key lifecycle features like expiration and rotation are desired, these features can be implemented in the PNF and executed automatically.
  • Fifth, once implemented in both functions the system will be entirely invisible to operators.
  • FIG. 1 illustrates a system 100 in which a hardware device is used as a keystore for software function(s) in the cloud in accordance with one embodiment of the present disclosure.
  • the system 100 includes a cloud network 102 and a non-cloud network 104.
  • the non-cloud network 104 is a cellular network.
  • one possible purpose of the system 100 is to run a radio network or a cellular network.
  • the cloud network 102 includes software functions 106-1, 106-2. Examples of the software functions 106-1 and 106-2 are a CNF, a virtual machine, or other virtualized software.
  • the software functions 106-1, 106-2 are associated to (e.g., communicatively coupled to) storages 108-1, 108-2, respectively.
  • the storages 108 could be any kinds of cloud storage, for example, (a) disks (Solid State Drives (SSDs) or hard drives) on the same hardware nodes as the processes, (b) network-attached storage like S3 or AWS block storage or (c) a database accessed through Structured Query Language (SQL) queries.
  • the storages 108-1, 108-2 store data received from external entities.
  • the software functions 106-1, 106-2 may connect to each other via a communication interface 110.
  • the cloud network 102 connects to the non-cloud network 104 via a communication channel 112 such as a public or non-public network.
  • the non-cloud network 104 includes PNFs 114-1, 114-2, 114-3.
  • Examples of the PNFs 114 are a hardware-based base station, a MSRBS, a RAN node, a router, a switch, a firewall, or other non-virtualized, physical hardware.
  • Some of the PNFs 114-1, 114-2 provide a keystore function whereby they store (and possibly generate) keys to be used by the software functions 106 in the cloud network 102 to encrypt and/or decrypt data, e.g., data stored in the storage 108-1, 108-2.
  • the PNF 114 upon request by the software function 106, transmits a key to the software function 106. After receiving the key from the PNF 114, the software function 106 uses the key to encrypt or decrypt data stored in the storage 108, where this data may be data associated to the PNF 114 (e.g., encrypted data previously provided to the software function 106 by the PNF 114).
  • the PNFs 114-1, 114-2, 114-3 each store a portion, or part, of a key, and some minimum number of these "key portions" are needed to recreate the actual key, which is a shared key that is used to encrypt/decrypt data associated to all of the PNFs 114-1, 114-2, and 114-3.
  • the software function 106 requests the key portions from the PNFs 114-1, 114-2, and 114-3.
  • Upon receiving the key portions from at least the minimum number of the PNFs 114-1, 114-2, and 114-3 needed to recreate the shared key, the software function 106 derives the shared key from the received key portions. The software function 106 then uses the shared key to, e.g., decrypt data stored in the associated storage 108 that is associated to at least one of the PNFs 114-1, 114-2, and 114-3, or to encrypt data received from at least one of the PNFs 114-1, 114-2, 114-3, e.g., before storing the encrypted data in the associated storage 108.
  • FIG. 2 illustrates a flow chart of operations between the PNF 114 and the software function 106 in accordance with one embodiment of the present disclosure.
  • Examples of the PNF 114 are a hardware-based base station, a MSRBS, a Radio Access Network (RAN) node, a router, a switch, a firewall, or other non-virtualized, physical hardware.
  • Examples of the software function 106 include a CNF, network routers, bridges, firewalls, or Virtual Private Network (VPN) gateway services.
  • the PNF 114 and the software function 106 establish a communication channel.
  • the communication channel is a secured communication channel. This step occurs using mechanisms already present in the system involving the non-cloud network and the cloud network, with security mechanisms such as mutual authentication and channel protection.
  • In step 201, the PNF 114 prepares a key to be used by the software function 106 to secure data associated with the PNF 114. That is, the PNF 114 determines whether it already has a key for the software function 106. If no key already exists, the PNF 114 generates a key and saves the key locally in a storage of the PNF 114.
  • In step 202, the PNF 114 sends the key to the software function 106. The key is not persistently stored by the software function 106 in the cloud network, because the software function 106 receives the key from the PNF 114 whenever it is needed.
  • the software function 106 performs one or more actions related to securing data associated with the PNF 114 using the key received from the PNF 114.
  • the software function 106 may receive data from the PNF 114 and store the data in the storage 108.
  • the one or more actions comprise (a) decrypting data received from the PNF 114, (b) decrypting stored data associated with the PNF 114, (c) encrypting data received from the PNF 114, (d) encrypting stored data associated with the PNF 114, or (e) transmitting the key or encrypted data from the software function 106-1 to another software function 106-2 (for example, via the communication interface 110).
  • the PNF 114 may perform one or more other services historically performed by HSMs.
  • HSM related services comprise securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services for a wide range of applications.
  • FIG. 3 illustrates a flow chart of operations among the first PNF 114-1, the second PNF 114-2, and the software function 106 in accordance with another embodiment of the present disclosure.
  • the software function 106 establishes a first communication channel with the first PNF 114-1.
  • the software function 106 establishes a second communication channel with the second PNF 114-2.
  • In step 302A, the software function 106 receives a first part of a shared key from the first PNF 114-1 via the first communication channel.
  • In step 302B, the software function 106 receives a second part of a shared key from the first PNF 114-1 via the second communication channel.
  • In step 304, the software function 106 derives a shared key at least based on some parts of the keys (e.g., the received first part and second part of the shared key). The shared key is not persistently stored by the software function 106 in the cloud network.
  • the software function 106 performs one or more actions related to securing data associated with at least one of the PNFs using the shared key.
  • the one or more actions comprise (a) decrypting data received from the PNF 114, (b) decrypting stored data associated with the PNF 114, (c) encrypting data received from the PNF 114, (d) encrypting stored data associated with the PNF 114, or (e) transmitting the shared key from the software function 106-1 to another software function 106-2 (for example, via the communication interface 110).
  • the PNF 114 rather than sending a key to the software function 106, instead performs a cryptographic operation on behalf of the software function 106.
  • the software function 106 transmits a data to the PNF 114.
  • the PNF 114 performs a cryptographic operation on the received data (e.g., an encryption of the received data) using a key and sends the cryptographically operated (e.g., encrypted) data back to the software function 106.
  • FIG. 4 illustrates the above-described steps performed by the PNF 114.
  • the PNF 114 establishes a (secured) communication channel with the software function 106.
  • the PNF 114 receives a data from the software function 106.
  • the PNF 114 prepares a key to be used for the data received from the software function 106.
  • the PNF 114 performs a cryptographic operation on the data (e.g., encryption of the data) with the key.
  • the PNF 114 transmits the cryptographically operated data (e.g., encrypted data) to the software function 106.
  • FIG. 5 is a schematic block diagram of the PNF 114 according to some embodiments of the present disclosure.
  • Examples of the PNF 114 are a hardware-based base station, a MSRBS, a RAN node, a router, a switch, a firewall, or other non-virtualized, physical hardware.
  • the PNF 114 includes a control system 502 that includes one or more processors 504 (e.g., Central Processing Units (CPUs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), and/or the like), memory 506, and a network interface 508.
  • the one or more processors 504 are also referred to herein as processing circuitry.
  • the PNF 114 may include one or more radio units 510 that each includes one or more transmitters 512 and one or more receivers 514 coupled to one or more antennas 516.
  • the radio units 510 may be referred to or be part of radio interface circuitry.
  • the radio unit(s) 510 is external to the control system 502 and connected to the control system 502 via, e.g., a wired connection (e.g., an optical cable).
  • the radio unit(s) 510 and potentially the antenna(s) 516 are integrated together with the control system 502.
  • the one or more processors 504 operate to provide one or more functions of the PNF 114 as described herein.
  • the function(s) are implemented in software that is stored, e.g., in the memory 506 and executed by the one or more processors 504.
  • Figure 6 is a schematic block diagram that illustrates the software function 106 included in the cloud network 102 according to some embodiments of the present disclosure. Again, optional features are represented by dashed boxes.
  • the cloud network 102 includes one or more processing nodes 600. If present, the PNF 114 is connected to the processing node(s) 600 via the communication channel 112. Each processing node 600 includes one or more processors 604 (e.g., CPUs, ASICs, FPGAs, and/or the like), memory 606, and a network interface 608.
  • the software functions 106 described herein are implemented at the one or more processing nodes 600 or distributed across the one or more processing nodes 600.
  • some or all of the software functions 106 described herein are implemented as virtual components executed by one or more virtual machines implemented in a virtual environment(s) hosted by the processing node(s) 600.
  • additional signaling or communication between the processing node(s) 600 and the PNF 114 is used in order to carry out at least some of features performed by the software functions 106.
  • a computer program including instructions which, when executed by at least one processor, causes the at least one processor to carry out the functionality of a processing node 600 implementing one or more of the software functions 106 in a virtual environment according to any of the embodiments described herein is provided.
  • a carrier comprising the aforementioned computer program product is provided.
  • the carrier is one of an electronic signal, an optical signal, a radio signal, or a computer readable storage medium (e.g., a non-transitory computer readable medium such as memory).
  • FIG. 7 is a schematic block diagram of the PNF 114 according to some other embodiments of the present disclosure.
  • the PNF 114 includes one or more modules 700, each of which is implemented in software.
  • the module(s) 700 provide the functionality of the PNF 114 described herein. This discussion is equally applicable to the processing node 600 of Figure 6 where the modules 700 may be implemented at one of the processing nodes 600 or distributed across multiple processing nodes 600 and/or distributed across the processing node(s) 600.
  • any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses.
  • Each virtual apparatus may comprise a number of these functional units.
  • These functional units may be implemented via processing circuitry, which may include one or more microprocessor or microcontrollers, as well as other digital hardware, which may include Digital Signal Processors (DSPs), special-purpose digital logic, and the like.
  • the processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as Read Only Memory (ROM), Random Access Memory (RAM), cache memory, flash memory devices, optical storage devices, etc.
  • Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein.
  • the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according to one or more embodiments of the present disclosure.
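
The FIG. 2 flow (steps 201 and 202 above, and the crash-and-restart behaviour described under "the key is never persistently stored in the cloud"), as an added example that is not code from the application: a simulated PNF that prepares a key on first contact and a cloud software function that only ever holds the key in memory. The class names `PNF` and `SoftwareFunction`, the `seal`/`open_` helpers, and the use of HMAC-SHA256 in counter mode as a stdlib-only stand-in for an AEAD such as AES-GCM are all assumptions of this example; the secured channel between the two is assumed to be established already.

```python
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as the PRF for key derivation, keystream and tags."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: block i = PRF(enc_key, nonce || i); stand-in for a real AEAD.
    blocks = (_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce: nonce || ciphertext || tag."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PNF:
    """Non-cloud hardware acting as the keystore (FIG. 2, steps 201 and 202)."""

    def __init__(self, pnf_id: str):
        self.pnf_id = pnf_id
        self._flash = {}   # key storage local to the PNF, one key per software function

    def prepare_key(self, function_id: str) -> bytes:
        # Step 201: reuse the stored key; generate one only when none exists.
        if function_id not in self._flash:
            self._flash[function_id] = secrets.token_bytes(32)
        return self._flash[function_id]   # step 202: hand it over the channel


class SoftwareFunction:
    """Cloud-side function: the key is held in memory only, never written out."""

    def __init__(self, function_id: str):
        self.function_id = function_id
        self.storage = {}   # storage 108: survives restarts, holds ciphertext only
        self._key = None    # present only while connected; lost on crash

    def connect(self, pnf: PNF) -> None:
        # The channel is assumed mutually authenticated and protected already.
        self._key = pnf.prepare_key(self.function_id)

    def crash_and_restart(self) -> None:
        self._key = None    # storage persists, the key does not

    def store(self, name: str, data: bytes) -> None:
        if self._key is None:
            raise RuntimeError("no key in memory: connect to the PNF first")
        self.storage[name] = seal(self._key, data)

    def load(self, name: str) -> bytes:
        if self._key is None:
            raise RuntimeError("no key in memory: connect to the PNF first")
        return open_(self._key, self.storage[name])


def demo() -> bool:
    """Restart scenario: stored data is readable again only after re-fetching the key."""
    sample = b"constructed sample data received from the PNF"
    pnf, fn = PNF("msrbs-1"), SoftwareFunction("cnf-a")
    fn.connect(pnf)
    fn.store("pnf-data", sample)
    fn.crash_and_restart()
    try:
        fn.load("pnf-data")              # nothing left in the cloud can decrypt this
        return False
    except RuntimeError:
        pass
    fn.connect(pnf)                      # same key, prepared again by the PNF
    return fn.load("pnf-data") == sample


if __name__ == "__main__":
    print("data recoverable after restart via PNF key:", demo())
```

Because the only copy of the key outside the PNF is the one in the running process, a snapshot of the cloud storage alone yields ciphertext only, which is the property the description claims for this embodiment.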

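The key-splitting embodiment (the "50 pieces for 50 PNFs, reconstituted from any 40" example and the FIG. 3 flow, steps 302A/302B/304), as an added example that is not code from the application: each PNF holds one portion and the software function, acting as orchestrator, derives the shared key only once at least the threshold number of portions has arrived. Shamir's secret sharing over a prime field is an assumed choice of key-splitting technique (the text names none), and the function names are this example's own.

```python
import secrets

# Field modulus: 2^521 - 1 is prime and larger than any 256-bit key,
# so a key encoded as an integer is a valid field element.
P = 2**521 - 1


def split_key(key: bytes, n_pnfs: int, threshold: int) -> list:
    """Split `key` into one portion per PNF; any `threshold` portions recover it.

    Shamir's scheme: the key is the constant term of a random polynomial of
    degree threshold-1, and PNF i receives the point (i, f(i)).
    """
    secret = int.from_bytes(key, "big")
    if not 1 <= threshold <= n_pnfs or secret >= P:
        raise ValueError("bad threshold/PNF count or key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    portions = []
    for x in range(1, n_pnfs + 1):         # x = 0 would hand out the key itself
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        portions.append((x, y))
    return portions


def recover_secret(portions: list) -> int:
    """Lagrange interpolation of f(0) from the received portions."""
    xs = [x for x, _ in portions]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate portion from the same PNF")
    secret = 0
    for xi, yi in portions:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def derive_shared_key(portions: list, key_len: int) -> bytes:
    """Orchestrator step 304: derive the shared key from the received portions.

    With fewer than `threshold` portions the interpolated value is a random
    field element, not a truncated key, so it almost surely fails the size check.
    """
    secret = recover_secret(portions)
    if secret.bit_length() > 8 * key_len:
        raise ValueError("too few portions: interpolated value is not a key")
    return secret.to_bytes(key_len, "big")


def demo(n_pnfs: int = 50, threshold: int = 40) -> bool:
    """The 50-PNF, any-40 case from the description, with a constructed key."""
    shared_key = secrets.token_bytes(32)
    portions = split_key(shared_key, n_pnfs, threshold)
    # Only 40 PNFs answered; any 40 of the 50, in any order, will do.
    answered = portions[7:7 + threshold][::-1]
    if derive_shared_key(answered, 32) != shared_key:
        return False
    # 39 portions reveal nothing about the key.
    return recover_secret(portions[:threshold - 1]) != int.from_bytes(shared_key, "big")


if __name__ == "__main__":
    print("shared key reconstituted from 40 of 50 portions:", demo())
```

As in the single-PNF flow, the derived key exists only in the orchestrator's memory, and compromising any 39 PNFs or the cloud storage alone yields nothing usable.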
Abstract

Systems and methods for managing keys to encrypt or decrypt data by a software function in a cloud network are disclosed. In one embodiment, a method performed by the software function in the cloud network comprises establishing a communication channel with a Physical Network Function (PNF) in a non-cloud network, receiving a key from the PNF. The key is used to secure data associated with the PNF. The method further comprises performing one or more actions related to securing data associated with the PNF using the key received from the PNF.

Description

CLOUD NATIVE KEY MANAGEMENT USING PHYSICAL NETWORK FUNCTION
Technical Field
[0001] The present disclosure relates to systems and methods for managing keys to encrypt or decrypt data by a software function in a cloud network. The keys may be provided by a Physical Network Function (PNF) in a non-cloud network, thus the key is not persistently stored in the software function in the cloud network.
Background
[0002] The trend towards the cloud and, in particular, cloud native systems has created security challenges. In the past, data was processed in proprietary systems or closed hardware systems like a Multi-Standard (or Multi-System) Radio Base Station (MSRBS). At present, data has moved to cloud environments that may be shared by many users. Such data can be sensitive data of customers or subscribers. When data is stored in the cloud environment, there is a risk that the data may be exposed to third parties like hackers. As processing functions previously executed in the proprietary systems or the closed hardware systems move to the cloud, a company's intellectual property is also put at risk. The physical perimeter of the proprietary systems or the closed hardware systems is no longer present to protect the company's intellectual property.
Summary
[0003] Systems and methods for managing keys to encrypt or decrypt data by a software function in a cloud network are disclosed. In one embodiment, a method performed by the software function in the cloud network comprises establishing a communication channel with a Physical Network Function (PNF) in a non-cloud network, receiving a key from the PNF. The key is used to secure data associated with the PNF. The method further comprises performing one or more actions related to securing data associated with the PNF using the key received from the PNF. In this way, highly proprietary or sensitive data is protected in the cloud from other entities using the cloud and from operators of the cloud.
[0004] In one embodiment, the software function in the cloud network is (a) a Cloud Native Function (CNF), (b) a virtual machine, or (c) other virtualized software.
[0005] In one embodiment, the PNF in the non-cloud network is (a) a hardware-based base station, (b) a Multi-Standard Radio Base Station (MSRBS), (c) a Radio Access Network (RAN) node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
[0006] In one embodiment, the non-cloud network is a cellular network.
[0007] In one embodiment, the key is not persistently stored by the software function in the cloud network.
[0008] In one embodiment, the one or more actions using the key comprises (a) decrypting data received from the PNF, (b) decrypting stored data associated with the PNF, (c) encrypting data received from the PNF, (d) encrypting stored data associated with the PNF, or (e) transmitting the key or encrypted data to another software function.
[0009] In one embodiment, the communication channel is a secured channel.
[0010] In one embodiment, a method performed by a software function in a cloud network, comprises establishing communication channels with a plurality of PNFs in a non-cloud network, receiving a part of a key, respectively, from each of the plurality of the PNFs, deriving a shared key at least based on some of the parts of the key. The shared key is to be used to secure data associated with at least one of the plurality of the PNFs. The method further comprises performing one or more actions related to securing data associated with the at least one of the plurality of the PNFs using the shared key.
[0011] In one embodiment, the software function in the cloud network is (a) a CNF, (b) a virtual machine, or (c) other virtualized software.
[0012] In one embodiment, the PNF in the non-cloud network is (a) a hardware-based base station, (b) a MSRBS, (c) a Radio Access Network (RAN) node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
[0013] In one embodiment, the non-cloud network is a cellular network.
[0014] In one embodiment, the shared key is not persistently stored by the software function in the cloud network.
[0015] In one embodiment, the one or more actions using the shared key comprises (a) decrypting data received from the PNF, (b) decrypting stored data associated with the PNF, (c) encrypting data received from the PNF, (d) encrypting stored data associated with the PNF, or (e) transmitting the key or encrypted data to another software function.
[0016] In one embodiment, the communication channels are secured channels.
[0017] In one embodiment, a method performed by a PNF in a non-cloud network comprises establishing a communication channel with a software function in a cloud network, preparing a key for the software function. The key is a key to be used by the software function to secure data associated with the physical network function in the non-cloud network. The method further comprises transmitting the key to the software function.
[0018] In one embodiment, the step of preparing the key for the software function comprises generating the key when a key for the software function is unavailable at the PNF.
[0019] In one embodiment, the step of preparing the key for the software function comprises obtaining the key from a storage of the PNF.
[0020] In one embodiment, the non-cloud network is a cellular network.
[0021] In one embodiment, the software function in the cloud network is (a) a CNF, (b) a virtual machine, or (c) other virtualized software.
[0022] In one embodiment, the PNF in the non-cloud network is (a) a hardware-based base station, (b) a MSRBS, (c) a RAN node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
[0023] Corresponding embodiments of the software function and the PNF are also disclosed.
[0024] In one embodiment, a software function in the cloud network is adapted to establish a communication channel with a PNF in a non-cloud network, receive a key from the PNF. The key is used to secure data associated with the PNF. The software function is further adapted to perform one or more actions related to securing data associated with the PNF using the key received from the PNF.
[0025] In one embodiment, the software function comprises processing circuitry configured to cause the software function to establish a communication channel with a PNF in a non-cloud network, receive a key from the PNF. The key is used to secure data associated with the PNF. The processing circuitry is further configured to cause the software function to perform one or more actions related to securing data associated with the PNF using the key received from the PNF.
[0026] In one embodiment, a software function in a cloud network is adapted to establish communication channels with a plurality of PNFs in a non-cloud network, receive a part of a key, respectively, from each of the plurality of the PNFs, derive a shared key at least based on some of the parts of the key. The shared key is to be used to secure data associated with at least one of the plurality of the PNFs. The software function in the cloud network is further adapted to perform one or more actions related to securing data associated with the at least one of the plurality of the PNFs using the shared key.
[0027] In one embodiment, a software function comprises processing circuitry configured to cause the software function to establish communication channels with a plurality of PNFs in a non-cloud network, receive a part of a key, respectively, from each of the plurality of the PNFs, derive a shared key at least based on some of the parts of the key. The shared key is to be used to secure data associated with at least one of the plurality of the PNFs. The processing circuitry is further configured to cause the software function to perform one or more actions related to securing data associated with the at least one of the plurality of the PNFs using the shared key.
[0028] In one embodiment, a PNF in a non-cloud network is adapted to establish a communication channel with a software function in a cloud network, prepare a key for the software function. The key is a key to be used by the software function to secure data associated with the physical network function in the non-cloud network. The PNF is further adapted to transmit the key to the software function.
[0029] In one embodiment, a PNF in a non-cloud network comprises processing circuitry configured to cause the PNF to establish a communication channel with a software function in a cloud network, prepare a key for the software function. The key is a key to be used by the software function to secure data associated with the physical network function in the non-cloud network. The processing circuitry is further configured to cause the PNF to transmit the key to the software function.
[0030] In one embodiment, a method performed by a PNF in a non-cloud network comprises establishing a communication channel with a software function in a cloud network, receiving a data from the software function, preparing a key to be used for the data received from the software function, performing a cryptographic operation on the data with the key, and transmitting the cryptographically operated data to the software function.
[0031] Corresponding embodiments of the PNF are also disclosed.
[0032] A PNF in a non-cloud network is adapted to establish a communication channel with a software function in a cloud network, receive a data from the software function, prepare a key to be used for the data received from the software function, perform a cryptographic operation on the data with the key, and transmit the cryptographically operated data to the software function.
[0033] A PNF in a non-cloud network comprises processing circuitry configured to cause the PNF to establish a communication channel with a software function in a cloud network, receive a data from the software function, prepare a key to be used for the data received from the software function, perform a cryptographic operation on the data with the key, and transmit the cryptographically operated data to the software function.
Brief Description of the Drawings
[0034] The accompanying drawing figures incorporated in and forming a part of this specification illustrate several aspects of the disclosure, and together with the description serve to explain the principles of the disclosure.
[0035] Figure 1 illustrates a system involving software functions (e.g., Cloud Network Functions (CNFs)) in a cloud network and Physical Network Functions (PNFs) (e.g., Multi-Standard (or Multi-System) Radio Base Stations (MSRBS)) in a non-cloud network in accordance with the present disclosure.
[0036] Figure 2 is a flow chart for a transmission of a key between the software function and the PNF.
[0037] Figure 3 is a flow chart for multiple transmissions of parts of a key among the software function and the PNF.
[0038] Figure 4 is a flow chart for a transmission of a cryptographically operated data between the software function and the PNF.
[0039] Figure 5 is a schematic block diagram of the PNF according to some embodiments of the present disclosure.
[0040] Figure 6 is a schematic block diagram that illustrates the software function according to some embodiments of the present disclosure.
[0041] Figure 7 is a schematic block diagram of the PNF of Figure 5 according to some other embodiments of the present disclosure.
Detailed Description
[0042] The embodiments set forth below represent information to enable those skilled in the art to practice the embodiments and illustrate the best mode of practicing the embodiments. Upon reading the following description in light of the accompanying drawing figures, those skilled in the art will understand the concepts of the disclosure and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the disclosure.
[0043] Cloud Network (alternatively, cloud environment or cloud): A "cloud network" is a network for the connectivity to and between all variations of on-premises, edge and cloud-based (e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)) services. That is, the cloud network is a type of infrastructure or network in which some or all of an organization's network capabilities and resources are hosted in a public or private cloud platform, managed in-house or by a service provider, and available on demand. Companies can either use on-premises cloud networking resources to build a private cloud network or use cloud-based networking resources in the public cloud, or a hybrid cloud combination of both. These network resources can include virtual routers, firewalls, and bandwidth and network management software, with other tools and functions available as required. The solutions of the present disclosure fundamentally apply to cloud functions. In the present disclosure, the "cloud" (including public and private clouds) can include any processing of data remote from hardware components in a non-cloud network. Such processing could be located anywhere, including highly centralized public clouds such as Amazon Web Services (AWS) or Azure, or closer to the hardware components in the non-cloud network, such as in an edge cloud or on premise.
[0044] Software Function in a Cloud Network: A software function in a cloud network replaces specialized hardware operating in the cloud network. Examples of the software function include Cloud Network Function (CNF), network routers, bridges, firewalls, or Virtual Private Network (VPN) gateway services. The software function may be comprised in any core network nodes discussed above, e.g., a Mobility Management Entity (MME), a Packet Data Network Gateway (P-GW), a Service Capability Exposure Function (SCEF), a Home Subscriber Server (HSS), an Access & Mobility Management Function (AMF), a User Plane Function (UPF), a Session Management Function (SMF), an Authentication Server Function (AUSF), a Network Slice Selection Function (NSSF), a Network Exposure Function (NEF), a Network Repository Function (NRF), a Policy Control Function (PCF), a Unified Data Management (UDM), or the like. The software function in the cloud network may replace Physical Network Functions (PNFs) that are purpose-built hardware devices (with embedded software or systems) which provide essential network services.
[0045] Physical Network Function (PNF) in a Non-Cloud Network: A PNF in a non-cloud network refers to purpose-built hardware that provides specific networking functions. Examples of the PNF are a hardware-based base station, a Multi-Standard Radio Base Station (MSRBS), a Radio Access Network (RAN) node, a router, a switch, a firewall, or other non-virtualized, physical hardware.
[0046] MSRBS: A MSRBS may be an example of the PNF described above. In particular, the MSRBS is a base station characterized by the ability of its receiver and transmitter to process two or more carriers in common active Radio Frequency (RF) components simultaneously in a declared RF bandwidth, where at least one carrier is of a different Radio Access Technology (RAT) than the other carrier(s).
[0047] The typical approach to protect cloud data is to encrypt the cloud data with keys. This approach changes the problem from one of protecting the data to one of protecting the keys used to encrypt the cloud data. Common mechanisms for protecting the keys are Kubernetes secrets, key management systems (like Keycloak), and Hardware Security Modules (HSMs). Hyperscale cloud providers like AWS provide services of these mechanisms.
[0048] These common mechanisms have limitations. The mechanisms add cost and complexity to the management of the cloud system. Also, the mechanisms imply some level of trust of the cloud operator. For example, using key management services on AWS requires trusting AWS, which may not be desirable for a client using clouds and cloud services provided by the cloud operator (like AWS) when highly sensitive data, such as Intellectual Property (IP) owned by the client, is stored in a cloud storage provided by the cloud operator. Similarly, running on a private cloud owned by the cloud operator may be undesirable for the client of the private cloud especially if operation of the private cloud has been contracted to a competitor of the client because there is a risk that the IP owned by the client may be exposed to the competitor of the client, who is operating the private cloud (storing the IP) of the client.
[0049] As an example, there are proposals for systems that centralize Machine Learning (ML) functions outside of base stations. Data streamed from the base station to a cloud function can be used for Artificial Intelligence (AI)/ML learning or inference to improve the base station's operation. Such data can be highly proprietary, going well beyond data that previously was possible to extract. If the cloud function stores this highly proprietary data, ideally it would be protected in a way that other entities in the cloud, and cloud operators, cannot read or extract the highly proprietary data. However, if the existing common mechanisms to protect the keys as a cloud function are used, there is no assurance that other entities and cloud operators cannot read or extract the highly proprietary data.
[0050] Systems and methods that address the aforementioned and/or other problems are disclosed herein. In one embodiment of the present disclosure, a PNF (e.g., MSRBS) is used as a key store to generate and save the key used by a software function (e.g., CNF) in the cloud to protect data, such as data associated with the PNF or any data stored by the software function associated with the PNF.
[0051] In one embodiment, when the software function in the cloud network and the PNF in the non-cloud network are connected with each other for the first time, the PNF generates an encryption key, optionally, saves the encryption key in local flash storage, and gives the encryption key to the software function in the cloud network. Then, the software function uses that key to encrypt/decrypt all data stored in a storage connected to the software function. Optionally, the data stored in the storage comes from the PNF.
[0052] In one embodiment, the key is never persistently stored in the cloud. If the software function in the cloud network crashes and restarts, the software function will retrieve the key when the software function connects to the PNF. Thus, only a software function with a connection to the PNF may access (e.g., receive) data for that PNF.
[0053] For new cloud functions (like the above ML example), a (new) protocol between the software function and the PNF can take this key delivery into account. For existing functions, possibly even standardized ones, it may be possible to overload existing protocols to carry the key information.
[0054] If data must be shared by multiple PNFs, key splitting/sharing techniques (well known in cryptography) can be used to split the key across the parties, with the software function in the cloud network serving as an orchestrator. For example, a shared key may be split into 50 pieces for 50 PNFs, such that the shared key can be reconstituted from any 40 pieces.
[0055] In the present disclosure, it is proposed that the PNF is used as a key store. The MSRBS is one example of the PNF. More generally, the key could be stored in any hardware device including other PNFs.
[0056] The present disclosure proposes solutions to use a hardware device, for example, the PNF, as a keystore for software functions. The solutions of the present disclosure provide a number of advantages. First, highly proprietary or sensitive data is protected in the cloud from other entities using the cloud and from operators of the cloud. Second, IP that was previously protected by hardware boundaries can now be exposed more safely in cloud functions. That is, the IP can be exposed only to users who are properly authenticated for their legitimate identities. Third, no additional infrastructure (like key management systems) is needed in the cloud. Fourth, according to the solutions of the present disclosure, the system can be designed for zero touch operation, needing no management whatsoever. Generation of keys in the hardware device (e.g., PNF) can be entirely automatic and invisible. If key lifecycle features like expiration and rotation are desired, these features can be implemented in the PNF and be executed automatically. Fifth, once implemented in both functions the system will be entirely invisible to operators. Sixth, the approach should scale easily to large networks and to PNF groups.
[0057] Figure 1 illustrates a system 100 in which a hardware device is used as a keystore for software function(s) in the cloud in accordance with one embodiment of the present disclosure. As illustrated, the system 100 includes a cloud network 102 and a non-cloud network 104. For example, the non-cloud network 104 is a cellular network. For example, one possible purpose of the system 100 is to run a radio network or a cellular network. The cloud network 102 includes software functions 106-1, 106-2. Examples of the software functions 106-1 and 106-2 are a CNF, a virtual machine, or other virtualized software. The software functions 106-1, 106-2 are associated to (e.g., communicatively coupled to) storages 108-1, 108-2, respectively. The storages 108 could be any kinds of cloud storage, for example, (a) disks (Solid State Drives (SSDs) or hard drives) on the same hardware nodes as the processes, (b) network-attached storage like S3 or AWS block storage or (c) a database accessed through Structured Query Language (SQL) queries. The storages 108-1, 108-2 store data received from external entities. The software functions 106-1, 106-2 may connect to each other via a communication interface 110.
[0058] The cloud network 102 connects to the non-cloud network 104 via a communication channel 112 such as a public or non-public network. The non-cloud network 104 includes PNFs 114-1, 114-2, 114-3. Examples of the PNFs are a hardware-based base station, a MSRBS, a RAN node, a router, a switch, a firewall, or other non-virtualized, physical hardware. Some of the PNFs 114-1, 114-2 provide a keystore function whereby they store (and possibly generate) keys to be used by the software functions 106 in the cloud network 102 to encrypt and/or decrypt data, e.g., data stored in the storage 108-1, 108-2. In one embodiment, upon request by the software function 106, the PNF 114 transmits a key to the software function 106. After receiving the key from the PNF 114, the software function 106 uses the key to encrypt or decrypt data stored in the storage 108, where this data may be data associated to the PNF 114 (e.g., encrypted data previously provided to the software function 106 by the PNF 114).
[0059] In another embodiment, the PNFs 114-1, 114-2, 114-3 each store a portion, or part, of a key, and some minimum number of these "key portions" are needed to recreate the actual key, which is a shared key that is used to encrypt/decrypt data associated to all of the PNFs 114-1, 114-2, and 114-3. Note that while only three PNFs 114 are shown in the example of Figure 1, there may be any number (N) PNFs 114 that share the shared key, where M<N key portions are needed to recreate the shared key. In this embodiment, the software function 106 requests the key portions from the PNFs 114-1, 114-2, and 114-3. Upon receiving the key portions from at least a minimum number of the PNFs 114-1, 114-2, and 114-3 needed to recreate the shared key, the software function 106 derives the shared key from the received key portions. The software function 106 then uses the shared key to, e.g., decrypt data stored in the associated storage 108 that is associated to at least one of the PNFs 114-1, 114-2, and 114-3 or to encrypt data received from at least one of the PNFs 114-1, 114-2, 114-3, e.g., before storing the encrypted data in the associated storage 108.
[0060] Figure 2 illustrates a flow chart of operations between the PNF 114 and the software function 106 in accordance with one embodiment of the present disclosure. As stated above, examples of the PNF 114 are a hardware-based base station, a MSRBS, a Radio Access Network (RAN) node, a router, a switch, a firewall, or other non-virtualized, physical hardware. Also, examples of the software function include CNF, network routers, bridges, firewalls, or Virtual Private Network (VPN) gateway services.
[0061] In step 200, the PNF 114 and the software function 106 establish a communication channel. For example, the communication channel is a secured communication channel. This step occurs using mechanisms already present in the system involving the non-cloud network and the cloud network, with security mechanisms such as mutual authentication and channel protection.
[0062] In step 201, the PNF 114 prepares a key to be used by the software function 106 to secure data associated with the PNF 114. That is, the PNF 114 determines whether it already has a key for the software function 106. If no key already exists, the PNF 114 generates a key and saves the key locally in a storage of the PNF 114.
[0063] In step 202, the PNF 114 sends the key to the software function 106. That is, the key is not persistently stored by the software function 106 in the cloud network because the software function 106 receives the key from the PNF 114 when necessary.
[0064] In step 204, the software function 106 performs one or more actions related to securing data associated with the PNF 114 using the key received from the PNF 114. The software function 106 may receive data from the PNF 114 and store the data in the storage 108. For example, the one or more actions comprise (a) decrypting data received from the PNF 114, (b) decrypting stored data associated with the PNF 114, (c) encrypting data received from the PNF 114, (d) encrypting stored data associated with the PNF 114, or (e) transmitting the key or encrypted data from the software function 106-1 to another software function 106-2 (for example, via the communication interface 110).
[0065] In one embodiment, in addition to storing the key, the PNF 114 may perform one or more other services historically performed by HSMs. For example, HSM-related services comprise securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services for a wide range of applications.
[0066] Figure 3 illustrates a flow chart of operations among the first PNF 114-1, the second PNF 114-2, and the software function 106 in accordance with another embodiment of the present disclosure. In step 300A, the software function 106 establishes a first communication channel with the first PNF 114-1. In step 300B, the software function 106 establishes a second communication channel with the second PNF 114-2.
[0067] In step 302A, the software function 106 receives a first part of a shared key from the first PNF 114-1 via the first communication channel. In step 302B, the software function 106 receives a second part of a shared key from the first PNF 114-1 via the second communication channel.
[0068] In step 304, the software function 106 derives a shared key at least based on some parts of the keys (e.g., the received first part and second part of the shared key). That is, the shared key is not persistently stored by the software function 106 in the cloud network.
[0069] In step 306, the software function 106 performs one or more actions related to securing data associated with at least one of the PNFs using the shared key. For example, the one or more actions comprise (a) decrypting data received from the PNF 114, (b) decrypting stored data associated with the PNF 114, (c) encrypting data received from the PNF 114, (d) encrypting stored data associated with the PNF 114, or (e) transmitting the shared key from the software function 106-1 to another software function 106-2 (for example, via the communication interface 110).
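The following is an added example, not code from the patent or from Ericsson: it models the single-PNF keystore of steps 201-202 and paragraphs [0051]-[0052] (generate once, hand out on every connection, hold only in memory on the cloud side) together with the M-of-N key splitting of paragraph [0054] and steps 300-306. It assumes Shamir secret sharing over a prime field as the "well known" splitting technique and assumes the orchestrating software function generates and splits the shared key at first contact; class and function names are hypothetical.

```python
"""PNF-as-keystore model (added example; names and the Shamir choice are assumptions)."""
import secrets

# Mersenne prime 2^521 - 1: every 256-bit key is a field element, so no key is ever "too big".
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the share polynomial at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, n: int, m: int):
    """Split key into n shares (x, y) such that any m of them reconstruct it (Shamir)."""
    if not 1 < m <= n < P:
        raise ValueError("need 1 < m <= n")
    secret = int.from_bytes(key, "big")
    # Constant term is the secret; the other m-1 coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares, key_len: int = 32) -> bytes:
    """Lagrange interpolation at x = 0 over GF(P). Fewer than m shares yield garbage, not an error."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    # A wrong reconstruction is usually wider than key_len; keep it so callers see the mismatch.
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


class PNF:
    """Physical network function acting as keystore: keys live in its local storage only."""

    def __init__(self, name: str):
        self.name = name
        self._flash = {}   # constructed stand-in for the PNF's local flash storage

    def prepare_key(self, sf_id: str) -> bytes:
        """Step 201: generate a key only if none exists yet for this software function."""
        if sf_id not in self._flash:
            self._flash[sf_id] = secrets.token_bytes(32)
        return self._flash[sf_id]                       # step 202: hand it over

    def store_share(self, sf_id: str, share):
        self._flash[("share", sf_id)] = share

    def key_share(self, sf_id: str):
        """Steps 302A/302B: return this PNF's part of the shared key, or None if it has none."""
        return self._flash.get(("share", sf_id))


class SoftwareFunction:
    """Cloud-side function: the key is held in process memory only and is lost on restart."""

    def __init__(self, sf_id: str):
        self.sf_id = sf_id
        self._key = None

    def key_in_memory(self):
        return self._key

    def restart(self):
        self._key = None          # paragraph [0052]: nothing persisted in the cloud

    def fetch_key(self, pnf: PNF) -> bytes:
        """Single-PNF case: key is re-fetched over the (assumed secured) channel on every connect."""
        self._key = pnf.prepare_key(self.sf_id)
        return self._key

    def connect(self, pnfs, threshold: int) -> bytes:
        """Step 304: collect parts from reachable PNFs until `threshold` are in hand, then derive."""
        shares = []
        for pnf in pnfs:
            share = pnf.key_share(self.sf_id)
            if share is not None:
                shares.append(share)
            if len(shares) == threshold:
                break
        if len(shares) < threshold:
            raise RuntimeError(f"only {len(shares)} of {threshold} key parts reachable")
        self._key = combine_shares(shares)
        return self._key


def provision_shared_key(sf: SoftwareFunction, pnfs, threshold: int) -> bytes:
    """First contact (assumption): the orchestrating software function splits a fresh key
    across all PNFs and keeps only the in-memory copy; the shares never leave the PNFs."""
    key = secrets.token_bytes(32)
    for pnf, share in zip(pnfs, split_key(key, len(pnfs), threshold)):
        pnf.store_share(sf.sf_id, share)
    sf._key = key
    return key
```

With 50 PNFs and a threshold of 40, as in paragraph [0054], any 40 reachable PNFs let a restarted function recover the key, while 39 do not.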
Additional Description
[0070] In one embodiment, the PNF 114, rather than sending a key to the software function 106, instead performs a cryptographic operation on behalf of the software function 106. For example, the software function 106 transmits a data to the PNF 114. Then, the PNF 114 performs a cryptographic operation on the received data (e.g., an encryption of the received data) using a key and sends the cryptographically operated (e.g., encrypted) data back to the software function 106.
[0071] Figure 4 illustrates the above-described steps performed by the PNF 114. In step 400, the PNF 114 establishes a (secured) communication channel with the software function 106. In step 402, the PNF 114 receives a data from the software function 106. In step 404, the PNF 114 prepares a key to be used for the data received from the software function 106. In step 406, the PNF 114 performs a cryptographic operation on the data (e.g., encryption of the data) with the key. In step 408, the PNF 114 transmits the cryptographically operated data (e.g., encrypted data) to the software function 106.
[0072] Figure 5 is a schematic block diagram of the PNF 114 according to some embodiments of the present disclosure. Optional features are represented by dashed boxes. Examples of the PNF 114 are a hardware-based base station, a MSRBS, a RAN node, a router, a switch, a firewall, or other non-virtualized, physical hardware. As illustrated, the PNF 114 includes a control system 502 that includes one or more processors 504 (e.g., Central Processing Units (CPUs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), and/or the like), memory 506, and a network interface 508. The one or more processors 504 are also referred to herein as processing circuitry. In addition, the PNF 114 may include one or more radio units 510 that each includes one or more transmitters 512 and one or more receivers 514 coupled to one or more antennas 516. The radio units 510 may be referred to or be part of radio interface circuitry. In some embodiments, the radio unit(s) 510 is external to the control system 502 and connected to the control system 502 via, e.g., a wired connection (e.g., an optical cable). However, in some other embodiments, the radio unit(s) 510 and potentially the antenna(s) 516 are integrated together with the control system 502. The one or more processors 504 operate to provide one or more functions of the PNF 114 as described herein. In some embodiments, the function(s) are implemented in software that is stored, e.g., in the memory 506 and executed by the one or more processors 504.
[0073] Figure 6 is a schematic block diagram that illustrates the software function 106 included in the cloud network 102 according to some embodiments of the present disclosure. Again, optional features are represented by dashed boxes.
[0074] As illustrated, the cloud network 102 includes one or more processing nodes 600. If present, the PNF 114 is connected to the processing node(s) 600 via the communication channel 112. Each processing node 600 includes one or more processors 604 (e.g., CPUs, ASICs, FPGAs, and/or the like), memory 606, and a network interface 608.
[0075] In particular, the software functions 106 described herein are implemented at the one or more processing nodes 600 or distributed across the one or more processing nodes 600. In some particular embodiments, some or all of the software functions 106 described herein are implemented as virtual components executed by one or more virtual machines implemented in a virtual environment(s) hosted by the processing node(s) 600. As will be appreciated by one of ordinary skill in the art, additional signaling or communication between the processing node(s) 600 and the PNF 114 is used in order to carry out at least some of features performed by the software functions 106.
[0076] In some embodiments, a computer program including instructions which, when executed by at least one processor, causes the at least one processor to carry out the functionality of a processing node 600 implementing one or more of the software functions 106 in a virtual environment according to any of the embodiments described herein is provided. In some embodiments, a carrier comprising the aforementioned computer program product is provided. The carrier is one of an electronic signal, an optical signal, a radio signal, or a computer readable storage medium (e.g., a non- transitory computer readable medium such as memory).
[0077] Figure 7 is a schematic block diagram of the PNF 114 according to some other embodiments of the present disclosure. The PNF 114 includes one or more modules 700, each of which is implemented in software. The module(s) 700 provide the functionality of the PNF 114 described herein. This discussion is equally applicable to the processing node 600 of Figure 6 where the modules 700 may be implemented at one of the processing nodes 600 or distributed across multiple processing nodes 600 and/or distributed across the processing node(s) 600.
[0078] Any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses. Each virtual apparatus may comprise a number of these functional units. These functional units may be implemented via processing circuitry, which may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include Digital Signal Processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as Read Only Memory (ROM), Random Access Memory (RAM), cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein. In some implementations, the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according to one or more embodiments of the present disclosure.
[0079] While processes in the figures may show a particular order of operations performed by certain embodiments of the present disclosure, it should be understood that such order is exemplary (e.g., alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, etc.).
[0080] At least some of the following abbreviations may be used in this disclosure. If there is an inconsistency between abbreviations, preference should be given to how it is used above. If listed multiple times below, the first listing should be preferred over any subsequent listing(s).
• AI Artificial Intelligence
• AMF Access & Mobility Management Function
• AN Access Network
• ASIC Application Specific Integrated Circuit
• AUSF Authentication Server Function
• AWS Amazon Web Services
• CNF Cloud Native Function
• CPU Central Processing Unit
• DSP Digital Signal Processor
• eNB Enhanced or Evolved Node B
• EPS Evolved Packet System
• E-UTRA Evolved Universal Terrestrial Radio Access
• FPGA Field Programmable Gate Array
• gNB New Radio Base Station
• gNB-DU New Radio Base Station Distributed Unit
• HSM Hardware Security Module
• HSS Home Subscriber Server
• IaaS Infrastructure as a Service
• IP Intellectual Property
• LTE Long Term Evolution
• ML Machine Learning
• MME Mobility Management Entity
• MSRBS Multi-Standard (or Multi-System) Radio Base Station
• NEF Network Exposure Function
• NF Network Function
• NR New Radio
• NRF Network Repository Function
• NSSF Network Slice Selection Function
• PaaS Platform as a Service
• PC Personal Computer
• PCF Policy Control Function
• P-GW Packet Data Network Gateway
• PNF Physical Network Function
• QoS Quality of Service
• RAM Random Access Memory
• RAN Radio Access Network
• RAT Radio Access Technology
• RF Radio Frequency
• ROM Read Only Memory
• SaaS Software as a Service
• SCEF Service Capability Exposure Function
• SMF Session Management Function
• SSD Solid State Drive
• SQL Structured Query Language
• UE User Equipment
• UDM Unified Data Management
• UPF User Plane Function
• VNF Virtualized Network Function
• VPN Virtual Private Network
[0081] Those skilled in the art will recognize improvements and modifications to the embodiments of the present disclosure. All such improvements and modifications are considered within the scope of the concepts disclosed herein.

Claims

1. A method performed by a software function (106) in a cloud network, the method comprising: establishing (200) a communication channel with a Physical Network Function, PNF, (104) in a non-cloud network; receiving (202) a key from the PNF (104), the key being a key to be used to secure data associated with the PNF (104); and performing (204) one or more actions related to securing data associated with the PNF (104) using the key received from the PNF (104).
2. The method of claim 1, wherein the software function (106) in the cloud network is (a) a Cloud Native Function, CNF, (b) a virtual machine, or (c) other virtualized software.
3. The method of claim 1 or 2, wherein the PNF (104) in the non-cloud network is (a) a hardware-based base station, (b) a Multi-Standard Radio Base Station, MSRBS, (c) a Radio Access Network, RAN, node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
4. The method of any of claims 1 to 3, wherein the non-cloud network is a cellular network.
5. The method of any of claims 1 to 3, wherein the key is not persistently stored by the software function (106) in the cloud network.
6. The method of any of claims 1 to 5, wherein the one or more actions using the key comprises (a) decrypting data received from the PNF (104), (b) decrypting stored data associated with the PNF (104), (c) encrypting data received from the PNF (104), (d) encrypting stored data associated with the PNF (104), or (e) transmitting the key or encrypted data to another software function (106).
7. The method of claims 1 to 6, wherein the communication channel is a secured channel.
8. A method performed by a software function (106), in a cloud network, the method comprising: establishing (300A, 300B) communication channels with a plurality of Physical Network Functions, PNFs, (104) in a non-cloud network; receiving (302A, 302B) a part of a key, respectively, from each of the plurality of the PNFs (104); deriving (304) a shared key at least based on some of the parts of the key, the shared key to be used to secure data associated with at least one of the plurality of the PNFs (104); and performing (306) one or more actions related to securing data associated with the at least one of the plurality of the PNFs (104) using the shared key.
9. The method of claim 8, wherein the software function (106) in the cloud network is (a) a Cloud Native Function, CNF, (b) a virtual machine, or (c) other virtualized software.
10. The method of claim 8 or 9, wherein the PNFs (104) in the non-cloud network are one or more of (a) a hardware-based base station, (b) a Multi-Standard Radio Base Station, MSRBS, (c) a Radio Access Network, RAN, node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
11. The method of any of claims 8 to 10, wherein the non-cloud network is a cellular network.
12. The method of any of claims 8 to 11, wherein the shared key is not persistently stored by the software function (106) in the cloud network.
13. The method of any of claims 8 to 12, wherein the one or more actions using the shared key comprises (a) decrypting data received from the at least one of the plurality of the PNFs (104), (b) decrypting stored data associated with the at least one of the plurality of the PNFs (104), (c) encrypting data received from the at least one of the plurality of the PNFs (104), (d) encrypting stored data associated with the at least one of the plurality of the PNFs (104), or (e) transmitting the shared key to another software function (106-2).
14. The method of claims 8 to 13, wherein the communication channels are secured channels.
15. A method performed by a Physical Network Function, PNF, (104) in a non-cloud network, the method comprising: establishing (200) a communication channel with a software function (106) in a cloud network; preparing (201) a key for the software function (106), the key being a key to be used by the software function (106) to secure data associated with the physical network function in the non-cloud network; and transmitting (202) the key to the software function (106).
16. The method of claim 15, wherein preparing (201) the key for the software function (106) comprises generating the key when a key for the software function (106) is unavailable at the PNF (104).
17. The method of claim 15, wherein preparing (201) the key for the software function (106) comprises obtaining the key from a storage of the PNF.
18. The method of any of claims 15 to 17 wherein the non-cloud network is a cellular network.
19. The method of any of claims 15 to 18, wherein the software function (106) in the cloud network is (a) a Cloud Native Function, CNF, (b) a virtual machine, or (c) other virtualized software.
20. The method of any of claims 15 to 19, wherein the PNF (104) in the non-cloud network is (a) a hardware-based base station, (b) a Multi-Standard Radio Base Station, MSRBS, (c) a Radio Access Network, RAN, node, (d) a router, (e) a switch, (f) a firewall, or (g) other non-virtualized, physical hardware.
21. The method of any of claims 15 to 20, wherein the PNF (104) is further configured to provide one or more additional Hardware Security Module, HSM, related services.
22. A software function (106) in a cloud network, the software function (106) adapted to: establish (200) a communication channel with a Physical Network Function, PNF, (104) in a non-cloud network; receive (202) a key from the PNF (104), the key being a key to be used to secure data associated with the PNF (104); and perform (204) one or more actions related to securing data associated with the PNF (104) using the key received from the PNF (104).
23. The software function (106) of claim 22, wherein the software function (106) is further adapted to perform the method of any of claims 2 to 7.
24. A software function (106) in a cloud network, the software function (106) comprising processing circuitry configured to cause the software function (106) to: establish (200) a communication channel with a Physical Network Function, PNF, (106) in a non-cloud network; receive (202) a key from the PNF (106), the key being a key to be used to secure data associated with the PNF (106); and perform (204) one or more actions related to securing data associated with the PNF (106) using the key received from the PNF (106).
25. The software function (106) of claim 24 wherein the processing circuitry is further configured to cause the software function (106) to perform the method of any of claims 2 to 7.
26. A software function (106) in a cloud network, the software function (106) adapted to: establish (300A, 300B) communication channels with a plurality of Physical Network Functions, PNFs, (104) in a non-cloud network; receive (302A, 302B) a part of a key, respectively, from each of the plurality of the PNFs (104); derive (304) a shared key at least based on some of the parts of the key, the shared key to be used to secure data associated with at least one of the plurality of the PNFs (104); and perform (306) one or more actions related to securing data associated with the at least one of the plurality of the PNFs (104) using the shared key.
27. The software function (106) of claim 26, wherein the software function (106) is further adapted to perform the method of any of claims 9 to 14.
28. A software function (106) in a cloud network, the software function (106) comprising processing circuitry configured to cause the software function (106) to: establish (300A, 300B) communication channels with a plurality of Physical Network Functions, PNFs, (104) in a non-cloud network; receive (302A, 302B) a part of a key, respectively, from each of the plurality of the PNFs (104); derive (304) a shared key at least based on some of the parts of the key, the shared key to be used to secure data associated with at least one of the plurality of the PNFs (104); and perform (306) one or more actions related to securing data associated with the at least one of the plurality of the PNFs (104) using the shared key.
29. The software function (106) of claim 28 wherein the processing circuitry is further configured to cause the software function (106) to perform the method of any of claims 9 to 14.
30. A Physical Network Function, PNF, (104) in a non-cloud network, the PNF (104) adapted to: establish (200) a communication channel with a software function (106) in a cloud network; prepare (201) a key for the software function (106), the key being a key to be used by the software function (106) to secure data associated with the PNF in the non-cloud network; and transmit (202) the key to the software function (106).
31. The PNF (104) of claim 30, wherein the software function (106) is further adapted to perform the method of any of claims 16 to 21.
32. A Physical Network Function, PNF, (104) in a non-cloud network, the PNF (104) comprising processing circuitry configured to cause the PNF (104) to: establish (200) a communication channel with a software function (106) in a cloud network; prepare (201) a key for the software function (106), the key being a key to be used by the software function (106) to secure data associated with the PNF (104) in the non-cloud network; and transmit (202) the key to the software function (106).
33. The PNF (104) of claim 32 wherein the processing circuitry is further configured to cause the PNF (104) to perform the method of any of claims 16 to 21.
34. A method performed by a Physical Network Function, PNF, (104) in a non-cloud network, the method comprising: establishing (400) a communication channel with a software function (106) in a cloud network; receiving (402) a data from the software function (106); preparing (404) a key to be used for the data received from the software function (106); performing (406) a cryptographic operation on the data with the key; and transmitting (408) the cryptographically operated data to the software function (106).
35. A Physical Network Function, PNF, (104) in a non-cloud network, the PNF (104) adapted to: establish (400) a communication channel with a software function (106) in a cloud network; receive (402) a data from the software function (106); prepare (404) a key to be used for the data received from the software function (106); perform (406) a cryptographic operation on the data with the key; and transmit (408) the cryptographically operated data to the software function (106).
36. A Physical Network Function, PNF, (104) in a non-cloud network, the PNF (104) comprising processing circuitry configured to cause the PNF (104) to: establish (400) a communication channel with a software function (106) in a cloud network; receive (402) a data from the software function (106); prepare (404) a key to be used for the data received from the software function (106); perform (406) a cryptographic operation on the data with the key; and transmit (408) the cryptographically operated data to the software function (106).
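Claims 8, 26 and 28 have the cloud software function receive a part of a key from each of several PNFs (steps 302A, 302B) and derive a shared key from those parts (step 304), holding it in memory only (claim 12). The following is an added example of one way to carry out that derivation; it is not code from the disclosure. It combines every received part through HKDF over HMAC-SHA256 (written out with the Go standard library), sorts the parts by PNF identity so the key does not depend on arrival order, and refuses to derive anything until a minimum number of parts is present. The type names, the labels used as HKDF salt and info, and the "all received parts contribute" design are assumptions for this example; a threshold scheme in which any subset of parts suffices would be a different construction.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// KeyPart is what each PNF sends over its own channel (steps 302A/302B):
// the PNF's identity and its share of the key material. Type and field
// names are assumptions for this example.
type KeyPart struct {
	PNFID string
	Part  []byte
}

// hkdfSHA256 is HKDF (RFC 5869) extract-then-expand over HMAC-SHA256,
// written with the standard library so the example has no dependencies.
func hkdfSHA256(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// DeriveSharedKey is step 304: combine the parts received from the PNFs into
// one 256-bit shared key. Parts are sorted by PNF identity so the key does
// not depend on arrival order, and every field is length-prefixed so two
// different part sets cannot serialise to the same HKDF input. The caller
// keeps the result in memory only; nothing here writes it anywhere.
func DeriveSharedKey(parts []KeyPart, minParts int, context string) ([]byte, error) {
	if len(parts) < minParts {
		return nil, fmt.Errorf("need %d key parts, have %d", minParts, len(parts))
	}
	sorted := append([]KeyPart(nil), parts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].PNFID < sorted[j].PNFID })
	var ikm []byte
	lenBuf := make([]byte, 4)
	for i, p := range sorted {
		if len(p.Part) == 0 {
			return nil, errors.New("empty key part from " + p.PNFID)
		}
		if i > 0 && sorted[i-1].PNFID == p.PNFID {
			return nil, errors.New("duplicate key part from " + p.PNFID)
		}
		for _, field := range [][]byte{[]byte(p.PNFID), p.Part} {
			binary.BigEndian.PutUint32(lenBuf, uint32(len(field)))
			ikm = append(ikm, lenBuf...)
			ikm = append(ikm, field...)
		}
	}
	// salt and info labels are constructed for this example
	return hkdfSHA256([]byte("pnf-shared-key-v1"), ikm, []byte(context), 32), nil
}

func main() {
	// constructed parts, as if received from two base stations
	parts := []KeyPart{
		{PNFID: "gnb-2", Part: []byte("constructed part from gnb-2")},
		{PNFID: "gnb-1", Part: []byte("constructed part from gnb-1")},
	}
	key, err := DeriveSharedKey(parts, 2, "example-context")
	fmt.Printf("shared key %x err=%v\n", key, err)
}
```

The context string is fed in as HKDF info, so the same set of parts yields unrelated keys for different purposes, and a duplicated PNF identity is rejected rather than counted twice toward the minimum.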
PCT/IB2022/052909 2022-03-29 2022-03-29 Cloud native key management using physical network function WO2023187442A1 (en)


Publications (1)

Publication Number Publication Date
WO2023187442A1 true WO2023187442A1 (en) 2023-10-05

Family

ID=81307438
