WO2018120042A1 - Credential distribution method and apparatus - Google Patents
- Publication number: WO2018120042A1 (PCT/CN2016/113557)
- Authority: WO (WIPO, PCT)
- Prior art keywords: vtpm, instance, credential, credentials, vnf
- Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
Definitions
- the present invention relates to the field of communications, and in particular, to a method and an apparatus for credential distribution.
- NFV Network Function Virtualization
- NFV technology can implement some network functions in software on general-purpose hardware.
- For example, in a telecommunication network, NFV technology can be used to implement part of the telecommunication network functions on general-purpose cloud servers, switches and storage, enabling rapid and efficient deployment of network services.
- the NFV technology implements the telecommunication network function through a virtualized network function (VNF).
- VNF virtualized network function
- to prevent impersonators from attacking the network, the VNF needs to communicate with other network elements in the network by means of security credentials (or credentials) after initialization.
- security credentials or credentials
- in the prior art, after a credential is generated it passes through multiple network elements before reaching the VNF, so the likelihood that the credential is stolen or fraudulently used is relatively high.
- the embodiments of the present invention provide a method and a device for credential distribution, which can reduce the risk that a credential is stolen or fraudulently used.
- an embodiment of the present invention provides a method for credential distribution, the method comprising: a virtual trusted platform module (vTPM) instance created in a network function virtualization infrastructure (NFVI) generates a credential or obtains a credential; the vTPM instance provides the credential to the virtualized network function (VNF) instance created by the NFVI.
- the credential distribution method applies vTPM technology to the NFV instantiation process: a vTPM instance is created in the NFVI, the vTPM instance generates or obtains the credential, and the credential is provided to the VNF instance created on the NFVI. This ensures that the credential does not leave the trusted environment, which improves the security of credential distribution.
- the method further includes: the vTPM instance registering the created credential into a certificate authority CA. After the vTPM instance generates the credentials, it registers with the CA, so that the VNF instance can use the obtained credentials to perform a certificate request to the CA.
- the vTPM instance registering the credential with the certificate authority CA specifically includes: the vTPM instance registering the credential with the CA via the vTPM O&M agent and the vTPM O&M through a secure channel, where the secure channel uses an interaction protocol conforming to the TLS, IPsec or SSH standard. Registering through a dedicated secure channel makes the registration and distribution of credentials more secure.
- the obtaining, by the vTPM instance, the credential specifically includes: obtaining, by the vTPM instance, a credential generated by a certificate issuing center CA.
- before the vTPM instance and the VNF instance are instantiated, management and orchestration (MANO) registers the VNF with the CA, and the CA generates a corresponding credential for the VNF registered by the MANO.
- the vTPM instance on the NFVI obtaining the credential generated by the CA specifically includes: the CA generates the credential and distributes it through the vTPM O&M to the vTPM O&M agent located in the NFVI; the vTPM O&M agent in the NFVI creates a vTPM instance and writes the credential into the created vTPM instance.
- the credential is a one-time credential.
- One-time credentials are only used in one registration request, making the use of credentials and the application for certificates more secure.
- the VNF instance uses the credential to perform a certificate request.
- the VNF can also use the obtained credentials as a PSK.
- an embodiment of the present invention provides a method for credential distribution, the method comprising: a network function virtualization infrastructure NFVI creates a virtualized network function VNF instance according to a VNF initialization command; the VNF instance obtains a credential from a virtual trusted platform module vTPM instance in the NFVI.
- the method further includes: the VNF instance using the credential to request a certificate from the CA, or using the credential as a PSK.
- an embodiment of the present invention provides a network function virtualization infrastructure NFVI, which includes a virtual trusted platform module vTPM instance, where the vTPM instance is used to create credentials or obtain credentials, and provide the credentials.
- the embodiment of the present invention provides a virtual network function VNF instance, which is characterized in that it comprises: a credential obtaining unit, and the credential obtaining unit is configured to obtain a credential from a virtual trusted platform module vTPM instance in the NFVI.
- the VNF instance further includes a certificate application unit, where the certificate application unit is configured to use the credential to request a certificate from the CA.
- the present application also provides a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the methods described in the various aspects above.
- the present application also provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the various aspects above.
- FIG. 1 is a schematic diagram of a possible NFV network architecture to which an embodiment of the present invention is applied;
- FIG. 2 is a schematic structural diagram of a system for implementing credential distribution by using vTPM according to an embodiment of the present invention
- FIG. 3 is a schematic diagram of a credential distribution method according to an embodiment of the present invention.
- FIG. 4 is a schematic diagram of a credential distribution method according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram of a credential distribution method according to an embodiment of the present invention.
- FIG. 6 is a schematic structural diagram of a NFVI according to an embodiment of the present invention.
- FIG. 7 is a schematic structural diagram of a VNF provided by an embodiment of the present invention.
- FIG. 8 is a schematic structural diagram of a credential distribution system according to an embodiment of the present invention.
- FIG. 9 is a schematic structural diagram of hardware of a computer device according to an embodiment of the present invention.
- the network architecture and the service scenario described in the embodiments of the present invention are intended to illustrate the technical solutions of the embodiments more clearly, and do not limit the technical solutions provided by the embodiments of the present invention.
- the technical solutions provided by the embodiments of the present invention are equally applicable to similar technical problems.
- FIG. 1 is a schematic diagram of an NFV-based network architecture according to an embodiment of the present invention.
- the network architecture includes: a Network Function Virtualization Orchestrator (NFVO), a Virtualized Network Function Manager (VNFM), a Virtualized Infrastructure Manager (VIM), a Network Function Virtualization Infrastructure (NFVI), a Virtual Machine (VM), a Virtualized Network Function (VNF) and an Element Manager System (EMS), where NFVO, VNFM and VIM form the Management and Orchestration (MANO) of the NFV system; the MANO-related functions can be implemented in hardware or in software.
- NFVO Network Function Virtualization Orchestrator
- VNFM Virtualized Network Function Manager
- VIM Virtualized Infrastructure Manager
- NFVI Network Function Virtualization Infrastructure
- VM Virtual Machine
- VNF Virtualized Network Function
- EMS Element Manager System
- a virtualisation container is part of a compute node that provides an isolated virtualized computing environment.
- An example of a typical virtualization container is a VM.
- a VM is a virtual device that is simulated on a physical device by virtual machine software. For applications running in virtual machines, these virtual machines work just like real physical devices, which can have operating systems and applications installed on them, and virtual machines can access network resources.
- VNF also known as virtualized network elements
- VNF corresponds to physical network functions in traditional non-virtualized networks.
- the functional behavior and state of the network function is independent of the virtualization of the network function.
- the VNF can be composed of multiple lower-level components.
- one VNF can be deployed on multiple VMs, and each VM hosts a Virtualized Network Function Component (VNFC).
- VNFC Virtualized Network Function Component
- a VNF can also be deployed on a VM.
- the VNFM is mainly used to implement the lifecycle management of the VNF instance, including the initialization of the VNF instance, the expansion or contraction of the VNF instance, and the termination of the VNF instance.
- the EMS is mainly used to perform traditional FCAPS (Fault Management, Configuration Management, Accounting Management, Performance Management and Security Management) functions for the VNF.
- FCAPS Fault Management, Configuration Management, Accounting Management, Performance Management and Security Management
- the EMS can exist alone or as a VNF with EMS functionality.
- VIM is mainly responsible for: management, monitoring, and fault reporting of infrastructure layer hardware resources and virtualized resources, and providing virtualized resource pools for upper-layer applications.
- NFVI is mainly used to provide hardware and virtual resources for the entire system. It consists of hardware resources (computing, network and storage), a virtualization layer (which virtualizes the hardware resources into resource pools), and virtual resources (likewise divided into computing, network and storage). From the perspective of the VNF, the virtualization layer and the hardware resources appear as one entity that provides the required virtual resources.
- NFVO is mainly responsible for managing the Network Service Descriptor (NSD), the Virtualized Network Function Descriptor (VNFD) and the Virtualized Network Function Forwarding Graph (VNFFG), for Network Service (NS) lifecycle management, and for the global view of resources.
- NSD Network Service Descriptor
- VNFD Virtualized Network Function Descriptor
- VNFFG Virtualized Network Function Forwarding Graph
- NS Network Service
- TE (Trusted Environment): used to protect the operating system and software running on a host (for example, a VM).
- the TE can be implemented in hardware or in software. Regardless of the implementation, from the point of view of the VNF both are modules that provide trusted computing capabilities and interface calls.
- CA (Certificate Authority): the authority that issues certificates and manages the certificates it has issued.
- the registration authority (RA) verifies the information provided by the applicant, and the CA issues the certificate after the verification passes.
- the CA is responsible for developing policies and specific steps to verify, identify and sign user credentials, ensuring the identity of the certificate holder and the ownership of the public key.
- the CA is an entity that performs full lifecycle management of digital certificates: a functional organization trusted by one or more users to create and distribute certificates.
- the certification authority can also create a user key.
- RA Registration Authority
- the RA is an entity in the PKI system mainly used to review the identity of applicants.
- the RA and the CA are usually deployed as a single entity.
- the RA function is performed during the certificate issuance process.
- the embodiments of the present invention collectively refer to the functions of the foregoing CA and/or RA by CA.
- Credential (also called a security credential): used for initial identity authentication to prove the legitimacy of an entity's identity.
- the credentials can be one-time passwords, tokens, keys, and so on.
- the virtualization system supports the TE, and the TE may be implemented in hardware or in software.
- the TE is a module that can provide a trusted computing function and an interface call. If the TE is implemented by software, the TE is part of the VM.
- the NFVI creates the TE while creating the VM that carries the VNF instance.
- the TE accessed by the VNF instance is the TE assigned by the NFVI to that VNF instance. As with a hardware TE, the NFVI can neither access the data stored by the software TE nor use the functions of the software TE.
- FIG. 2 is a schematic diagram of a system architecture for implementing credential distribution by using the vTPM technology according to an embodiment of the present invention.
- vTPM is one of the TPM virtualization solutions; it enables each virtual machine to obtain complete trusted computing functions in a virtualized environment. Through the virtual trusted platform module, the secure storage and encryption functions of the TPM can be used inside the VM.
- a vTPM instance is the TPM of a VM. Each VM that requires TPM functions is associated with a unique vTPM instance throughout its lifetime, that is, in a one-to-one correspondence.
- NFVI supports deploying a vTPM for each VNF.
- the credentials are generated by a trusted environment or trusted module constructed by vTPM technology, and the credentials are not known to any non-owners.
- the vTPM O&M (management module) in FIG. 2 is used to manage the creation and deletion of vTPM instances. It is a centralized control point and can be located in the VIM, VNFM or NFVO of the MANO. Generally the vTPM O&M is located in the VIM; if located in the NFVO or VNFM, it can be combined with security orchestration.
- the vTPM O&M agent is a proxy process on each hypervisor (also called a VMM, virtual machine monitor) that performs vTPM instance creation and deletion, including allocating vTPM AIK/EK information; the vTPM O&M agent is controlled by the vTPM O&M.
- the vTPM O&M agent is located in the NFVI and can be understood as a TPM proxy process at the infrastructure layer.
- FIG. 3 is a schematic diagram of a method for distributing a credential according to an embodiment of the present invention.
- the method is performed on the system architecture of FIG. 2 that supports the vTPM technology, and includes:
- the virtual trusted platform module vTPM instance generates a credential or obtains a credential, and the vTPM instance is created on the NFVI;
- the VNF instance obtains credentials from the vTPM instance.
- after the VNF instance obtains the credential, the credential can be used to apply for a certificate from the CA, or can be used as a pre-shared key (PSK); this is not limited in the embodiment of the present invention.
- PSK pre-shared key
- before the VNF instance obtains the credential, the vTPM instance may pass the created credential to the vTPM O&M agent and then to the vTPM O&M, which finally registers it with the CA. Because the credential is already registered with the CA before the VNF instance obtains it, the CA can authenticate the VNF, and it is more secure for the VNF instance to use the credential to apply for a certificate from the CA.
- alternatively, the credential may be generated by the CA and written into the vTPM instance by the vTPM O&M and the vTPM O&M agent during the instantiation of the vTPM.
- the CA may generate a credential corresponding to the VNF after receiving the request for registering the VNF sent by the MANO, and send the credential to the corresponding vTPM instance.
- in this way the vTPM technology is applied to the NFV instantiation process: a vTPM instance is created in the NFVI, the vTPM instance generates or obtains a credential, and the credential is provided to the VNF instance created on the NFVI. This ensures that the credential does not leave the trusted environment, which increases the security of credential distribution.
- FIG. 4 is a schematic diagram of a method for distributing a credential according to an embodiment of the present invention.
- a vTPM instance is used to generate a credential for a VNF instance, and is registered with a CA center.
- the specific process is as follows:
- at least one vTPM instance created by the vTPM O&M and the vTPM O&M agent already exists in the NFVI, and at least one VNF instance created by the NFVI already exists in the system;
- the vTPM instance generates a credential under the control of the vTPM O&M, where the credential is generally a one-time credential, such as a one-time password;
- the vTPM instance forwards the credential to the vTPM O&M agent;
- the vTPM O&M agent forwards the credential to the vTPM O&M;
- the vTPM O&M registers the credential with the CA, generally through a secure channel such as TLS, IPsec or SSH;
- the VNF instance reads the credential from the vTPM instance;
- the VNF instance uses the credential to apply for a certificate from the CA;
- because the credential was registered with the CA in step S404, the credential is trusted by the CA, and after obtaining the credential the VNF can apply for a certificate from the CA.
- a vTPM instance located in the NFVI generates a credential
- the VNF instance created by the NFVI obtains the credential from the vTPM instance to ensure secure distribution of the credential
- the vTPM instance generates the credential and further registers with the CA.
- the VNF instance can be further used to perform certificate application to the CA by using the obtained credentials, and the credential is generated by the vTPM instance, instead of being generated by the CA and then sent to the vTPM, which can reduce the burden of the CA.
- FIG. 5 is a schematic diagram of communication of a credential distribution method according to an embodiment of the present invention.
- a CA allocates credentials to a VNF, and the method includes:
- the MANO registers the VNF identity information with the CA, the identity information including a VNF ID;
- the MANO registers the VNF identity information, including the VNF ID, with the vTPM O&M;
- the CA generates a credential, generally a one-time credential such as a one-time password; the credential generated by the CA corresponds to the VNF ID registered by the MANO;
- the CA distributes the credential to the vTPM O&M, generally through a secure channel such as TLS, IPsec or SSH; the message sent by the CA to the vTPM O&M generally carries the correspondence between the VNF ID and the credential, so that the vTPM O&M can identify the VNF to which the credential belongs;
- the vTPM O&M sends a vTPM instantiation indication to the vTPM O&M agent and distributes the credential to it;
- the vTPM O&M agent creates a vTPM instance and writes the credential into it;
- the vTPM instance obtained after instantiation thus holds the credential corresponding to the VNF;
- S509: the VNF instance obtains the credential from the vTPM instance;
- the credential obtained by the VNF at this point is the credential generated by the CA for the VNF ID;
- S510: the VNF instance uses the credential to apply for a certificate;
- the credential is generated by the CA, written into the vTPM instance during the vTPM instantiation process, and provided to the VNF, which ensures that the credential does not leave the trusted environment.
- the security of credential distribution is thereby improved.
- because the CA both generates the credential and verifies it itself, this is more secure.
- the MANO may be any of NFVO, VNFM, and VIM.
- the VNF instantiation/initialization command may be sent to the NFVI through the VIM.
- the manner in which the NFVI creates a VNF instance according to the VNF initialization command is a well-known technology in the art, and details are not described herein.
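The two distribution flows of FIG. 4 (credential generated inside the vTPM instance and registered with the CA by the vTPM O&M) and FIG. 5 (credential generated by the CA for a registered VNF ID and written into the vTPM instance by the O&M agent), followed by the VNF's certificate request in steps S509/S510, as one runnable simulation. This is an added example and not code from the patent or from any product: the class and function names (CertificateAuthority, VTpmInstance, provision_fig4, provision_fig5, vnf_bootstrap), the message layout and the HMAC-tagged record that stands in for a real CA-signed certificate are all assumptions, and the secure channels (TLS/IPsec/SSH) between the CA and the vTPM O&M are not modelled. Beyond what the text states, it shows the two properties a practitioner would want to check: the credential is readable only by the VNF its vTPM instance is bound to, and because the credential is one-time, any second presentation (including a replay by whoever copied it) is refused.

```python
"""Simulation of the two credential-distribution flows above (FIG. 4: vTPM-generated credential
registered with the CA; FIG. 5: CA-generated credential written into the vTPM at creation) and
the VNF's use of it. Added example, not code from the patent: every name and message format is
an assumption, and the "certificate" is an HMAC-tagged record standing in for a CA signature."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class CertificateAuthority:
    """CA and RA combined, as the page does. Every credential is one-time."""
    def __init__(self) -> None:
        self._mac_key = secrets.token_bytes(32)    # stand-in for the CA signing key
        self._pending: Dict[bytes, str] = {}       # credential -> VNF ID it was issued for

    def register_credential(self, credential: bytes, vnf_id: str) -> None:
        """FIG. 4 (step S404): the vTPM O&M registers a credential the vTPM generated."""
        if credential in self._pending:
            raise ValueError("credential already registered")
        self._pending[credential] = vnf_id

    def register_vnf(self, vnf_id: str) -> bytes:
        """FIG. 5: the MANO registers the VNF ID and the CA mints the matching credential."""
        credential = secrets.token_bytes(32)
        self._pending[credential] = vnf_id
        return credential                          # to the vTPM O&M over a secure channel (not modelled)

    def request_certificate(self, vnf_id: str, credential: bytes,
                            public_key: bytes) -> Optional[bytes]:
        """Any presentation consumes the credential, so a stolen copy used first makes
        the legitimate VNF's request fail loudly instead of silently succeeding."""
        owner = self._pending.pop(credential, None)
        if owner is None or not hmac.compare_digest(owner.encode(), vnf_id.encode()):
            return None                            # unknown, already used once, or wrong VNF
        body = b"|".join([b"cert", vnf_id.encode(), public_key.hex().encode()])
        return body + b"|" + hmac.new(self._mac_key, body, hashlib.sha256).hexdigest().encode()

    def verify_certificate(self, cert: bytes) -> bool:
        body, tag = cert.rsplit(b"|", 1)
        expected = hmac.new(self._mac_key, body, hashlib.sha256).hexdigest().encode()
        return hmac.compare_digest(tag, expected)


class VTpmInstance:
    """One vTPM instance per VNF for the VM's whole lifetime; the secret stays inside."""
    def __init__(self, vnf_id: str) -> None:
        self.vnf_id = vnf_id
        self._credential: Optional[bytes] = None

    def generate_credential(self) -> bytes:        # FIG. 4: generated inside the vTPM
        self._credential = secrets.token_bytes(32)
        return self._credential

    def write_credential(self, credential: bytes) -> None:   # FIG. 5: written by the O&M agent
        self._credential = credential

    def read_credential(self, caller_vnf_id: str) -> bytes:
        """Only the bound VNF may read it (assumption: NFVI and other VNFs cannot touch TE data)."""
        if caller_vnf_id != self.vnf_id:
            raise PermissionError("vTPM instance is bound to another VNF")
        if self._credential is None:
            raise LookupError("no credential provisioned")
        return self._credential


def provision_fig4(ca: CertificateAuthority, vnf_id: str) -> VTpmInstance:
    """vTPM O&M plus agent, FIG. 4: the vTPM generates, the O&M registers with the CA."""
    inst = VTpmInstance(vnf_id)
    ca.register_credential(inst.generate_credential(), vnf_id)
    return inst


def provision_fig5(ca: CertificateAuthority, vnf_id: str) -> VTpmInstance:
    """vTPM O&M plus agent, FIG. 5: the CA generates, the agent writes into the new vTPM."""
    inst = VTpmInstance(vnf_id)
    inst.write_credential(ca.register_vnf(vnf_id))
    return inst


def vnf_bootstrap(vtpm: VTpmInstance, vnf_id: str, ca: CertificateAuthority) -> Optional[bytes]:
    """Steps S509/S510: the VNF reads its credential and presents it in a certificate request."""
    public_key = b"pk-" + vnf_id.encode()          # placeholder for the VNF's real public key
    return ca.request_certificate(vnf_id, vtpm.read_credential(vnf_id), public_key)


def run_demo() -> Dict[str, bool]:
    ca = CertificateAuthority()
    vtpm_a, vtpm_b = provision_fig4(ca, "vnf-a"), provision_fig5(ca, "vnf-b")
    cert_a, cert_b = vnf_bootstrap(vtpm_a, "vnf-a", ca), vnf_bootstrap(vtpm_b, "vnf-b", ca)
    out = {"fig4_issued": cert_a is not None and ca.verify_certificate(cert_a),
           "fig5_issued": cert_b is not None and ca.verify_certificate(cert_b),
           "replay_rejected": vnf_bootstrap(vtpm_a, "vnf-a", ca) is None,      # one-time credential
           "forged_rejected": ca.request_certificate("vnf-c", secrets.token_bytes(32), b"pk") is None}
    try:                                           # a different VNF cannot read vnf-b's vTPM
        vtpm_b.read_credential("vnf-c")
        out["isolated"] = False
    except PermissionError:
        out["isolated"] = True
    return out
```

The design choice worth noting is in request_certificate: the credential is removed from the CA's pending table on any presentation, matching or not. A mismatched VNF ID therefore burns the credential, so a copy used by a thief causes the legitimate VNF's later request to fail and be noticed, rather than both succeeding. In a real deployment the stand-in HMAC record would be an X.509 certificate issued over the VNF's actual public key.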
- each network element such as an NFVI, a vTPM instance, and a VNF instance, in order to implement the above functions, includes corresponding hardware structures and/or software modules for performing various functions.
- the present invention can be implemented in a combination of hardware or hardware and computer software in combination with the elements and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods for implementing the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present invention.
- the embodiments of the present invention may perform functional unit division on the NFVI, the vTPM instance, and the VNF instance according to the foregoing method example.
- each functional unit may be divided according to each function, or two or more functions may be integrated into one processing.
- the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present invention is schematic, and is only a logical function division, and the actual implementation may have another division manner.
- FIG. 6 shows a possible structural diagram of the NFVI involved in the above embodiment.
- NFVI 600 includes a vTPM instance;
- the vTPM instance is configured to generate credentials or obtain credentials and provide the credentials to the VNF instance created by the NFVI.
- in addition to the features of the present invention, the NFVI complies with the relevant provisions of the European Telecommunications Standards Institute (ETSI).
- ETSI European Telecommunications Standards Institute
- the NFVI for generating security credentials provided by the embodiment of the present invention conforms to the definition of NFVI in the following documents [1] and [2]:
- [1] ETSI GS NFV 002, Network Functions Virtualisation (NFV); Architectural Framework.
- [2] ETSI GS NFV 003, Network Functions Virtualisation (NFV); Terminology for main concepts in NFV.
- the NFVI provided by the embodiment of the present invention reduces the risk of security credential leakage by using the vTPM instance to generate or obtain the security credential and provide it to the VNF instance.
- FIG. 7 shows a possible structural diagram of the VNF instance involved in the above embodiment.
- the VNF instance 700 includes a credential obtaining unit that is configured to obtain credentials from a virtual trusted platform module vTPM instance in the NFVI.
- the VNF instance further includes a certificate requesting unit, where the certificate requesting unit is configured to apply for a certificate to the CA by using the credential.
- by obtaining the credential from the vTPM instance in the NFVI, the VNF instance provided by the embodiment of the present invention reduces the number of network elements the credential passes through after generation, and thus the risk of the credential being compromised; the credential can further be used to request a certificate from the CA.
- the embodiment of the present invention further provides a credential distribution system.
- the credential distribution system 800 includes an NFVI and a VNF instance.
- the NFVI is configured to generate a credential or obtain a credential through a virtual trusted platform module vTPM instance created on it, and to provide the credential to the VNF instance created by the NFVI;
- the VNF instance is configured to obtain the credential from the virtual trusted platform module vTPM instance in the NFVI.
- the system may further include a CA, configured to receive the certificate request that the VNF instance sends using the credential and, after the credential is verified, to send the certificate to the VNF instance.
- FIG. 9 is a schematic diagram showing the hardware structure of a computer device 900 according to an embodiment of the present application.
- computer device 900 includes a processor 902, a memory 904, a communication interface 906, and a bus 908.
- the processor 902, the memory 904, and the communication interface 906 implement a communication connection with each other through the bus 908.
- the processor 902 can be a general-purpose central processing unit (CPU), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits for executing related programs.
- CPU central processing unit
- ASIC application specific integrated circuit
- the memory 904 may be a read only memory (ROM), a static storage device, a dynamic storage device, or a random access memory (RAM).
- Memory 904 can store operating system 9041 and other applications 9042.
- the program code for implementing the technical solution provided by the embodiment of the present application is saved in the memory 904 and executed by the processor 902.
- the communication interface 906 implements communication with other devices or communication networks using a transceiver device such as, but not limited to, a transceiver.
- Bus 908 can include a path for communicating information between various components (e.g., processor 902, memory 904, communication interface 906).
- the processor 902 is configured to: configure a virtual trusted platform module vTPM instance on the NFVI, where the vTPM instance generates credentials or obtains credentials;
- the vTPM instance provides the credential to the VNF instance created by the NFVI;
- the processor 902 is configured to: obtain credentials from the virtual trusted platform module vTPM instance in the NFVI, and further utilize the credentials to request a certificate from the CA.
- the embodiment of the present application further provides a computer storage medium, which can store program instructions for indicating any of the above methods.
- the disclosed systems, devices, and methods may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
- the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
- the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- when implemented in software, they may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions.
- when the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the present invention are produced in whole or in part.
- the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
- the computer instructions can be stored in or transmitted by a computer readable storage medium.
- the computer instructions can be transmitted from one website, computer, server or data center to another website, computer, server or data center by wire (for example, coaxial cable, optical fiber or digital subscriber line (DSL)) or wirelessly (for example, infrared, radio or microwave).
- the computer readable storage medium can be any available media that can be accessed by a computer.
- the computer readable storage medium can be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a Solid State Disk (SSD)).
- SSD Solid State Disk
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention relates to the field of communications, and in particular, to a method and an apparatus for credential distribution.
Network Function Virtualization (NFV) technology can implement some network functions in software on general-purpose hardware. For example, in a telecommunication network, NFV technology can be used to implement part of the telecommunication network functions on general-purpose cloud servers, switches and storage, enabling rapid and efficient deployment of network services.
NFV technology implements telecommunication network functions through virtualized network functions (VNFs). To prevent impersonators from attacking the network, a VNF needs to communicate with other network elements in the network by means of security credentials (or credentials) after initialization. In the prior art, however, a credential passes through multiple network elements after it is generated before reaching the VNF, so the likelihood that the credential is stolen or fraudulently used is relatively high.
Summary of the invention
In view of this, embodiments of the present invention provide a method and a device for credential distribution, which can reduce the risk that a credential is stolen or fraudulently used.
In one aspect, an embodiment of the present invention provides a method for credential distribution, the method comprising: a virtual trusted platform module (vTPM) instance created in a network function virtualization infrastructure (NFVI) generates a credential or obtains a credential; the vTPM instance provides the credential to a virtualized network function (VNF) instance created by the NFVI.
The credential distribution method provided by the embodiment of the present invention applies vTPM technology to the NFV instantiation process: a vTPM instance is created in the NFVI, the vTPM instance generates or obtains the credential, and the credential is provided to the VNF instance created on the NFVI. This ensures that the credential does not leave the trusted environment, which improves the security of credential distribution.
Optionally, before the vTPM instance provides the credential to the VNF instance created by the NFVI, the method further includes: the vTPM instance registering the created credential with a certificate authority (CA). After generating the credential, the vTPM instance registers it with the CA, so that the VNF instance can use the obtained credential to request a certificate from the CA.
Optionally, the vTPM instance registering the credential with the CA specifically includes: the vTPM instance registering the credential with the CA via the vTPM O&M agent and the vTPM O&M through a secure channel, where the secure channel uses an interaction protocol conforming to the TLS, IPsec or SSH standard. Registering through a dedicated secure channel makes the registration and distribution of credentials more secure.
Optionally, the vTPM instance obtaining the credential specifically includes: the vTPM instance obtaining a credential generated by the certificate authority (CA).
Optionally, before the vTPM instance and the VNF instance are instantiated, management and orchestration (MANO) registers the VNF with the CA, and the CA generates a corresponding credential for the VNF registered by the MANO.
可选地,所述NFVI上的vTPM实例获取CA生成的凭据,具体包括:CA生成凭据并通过vTPM O&M将所述凭据分发到位于NFVI中的vTPM O&M agent;所述vTPM O&M agent在所述NFVI中创建vTPM实例,并将所述凭据分发到所述创建的vTPM实例中。Optionally, the vTPM instance on the NFVI obtains the credential generated by the CA, specifically: the CA generates the credential and distributes the credential to the vTPM O&M agent located in the NFVI through the vTPM O&M; the vTPM O&M agent in the NFVI Create a vTPM instance and distribute the credentials to the created vTPM instance.
可选地,所述凭据为一次性凭据。一次性凭据只在一次注册申请中使用,使得凭据的使用和证书的申请更加安全。Optionally, the credential is a one-time credential. One-time credentials are only used in one registration request, making the use of credentials and the application for certificates more secure.
可选地,所述vTPM实例将所述凭据提供给所述VNF实例后,所述VNF实例利用所述凭据进行证书申请。在一种可能的实施方式中,VNF还可以将获得的凭据作为PSK使用。Optionally, after the vTPM instance provides the credential to the VNF instance, the VNF instance uses the credential to perform a certificate request. In a possible implementation, the VNF can also use the obtained credentials as a PSK.
另一方面,本发明实施例提供了一种凭据分发的方法,该方法包括,网络功能虚拟化基础设施NFVI根据VNF初始化命令创建虚拟化网络功能VNF实例;所述VNF实例从所述NFVI中的虚拟可信平台模块vTPM实例中获取凭据。In another aspect, an embodiment of the present invention provides a method for credential distribution, the method comprising: a network function virtualization infrastructure NFVI creates a virtualized network function VNF instance according to a VNF initialization command; the VNF instance from the NFVI Obtain credentials in the virtual trusted platform module vTPM instance.
可选的,所述方法还包括,所述VNF实例利用所述凭据,向CA申请证书或者作为PSK使用。Optionally, the method further includes: using the credential, the VNF instance requests a certificate from the CA or is used as a PSK.
再一方面,本发明实施例提供一种网络功能虚拟化基础设施NFVI,其特征在于,包括虚拟可信平台模块vTPM实例,所述vTPM实例用于创建凭据或者获取凭据,并将所述凭据提供给所述NFVI创建的VNF实例。In still another aspect, an embodiment of the present invention provides a network function virtualization infrastructure NFVI, which includes a virtual trusted platform module vTPM instance, where the vTPM instance is used to create credentials or obtain credentials, and provide the credentials. A VNF instance created for the NFVI.
再一方面,本发明实施例提供一种虚拟网络功能VNF实例,其特征在于,包括:凭据获取单元,所述凭据获取单元用于从NFVI中的虚拟可信平台模块vTPM实例中获取凭据。In a further aspect, the embodiment of the present invention provides a virtual network function VNF instance, which is characterized in that it comprises: a credential obtaining unit, and the credential obtaining unit is configured to obtain a credential from a virtual trusted platform module vTPM instance in the NFVI.
可选的,该VNF实例还包括证书申请单元,所述证书申请单元用于利 用所述凭据,向CA申请证书。Optionally, the VNF instance further includes a certificate application unit, where the certificate application unit is used for Use the credentials to request a certificate from the CA.
本申请还提了供一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当其在计算机上运行时,使得计算机执行上述各方面所述的方法。The present application also provides a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the methods described in the various aspects above.
本申请还提供了一种包含指令的计算机程序产品,当其在计算机上运行时,使得计算机执行上述各方面所述的方法。The present application also provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the various aspects above.
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a possible NFV network architecture to which embodiments of the present invention apply;
FIG. 2 is a schematic diagram of a system architecture that uses a vTPM to implement credential distribution according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a credential distribution method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a credential distribution method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a credential distribution method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a possible structure of an NFVI according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a possible structure of a VNF according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the structure of a credential distribution system according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present invention.
To make the objectives, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments of the present invention are described below with reference to the accompanying drawings.
The network architecture and service scenarios described in the embodiments are intended to illustrate the technical solutions more clearly and do not limit the technical solutions provided by the embodiments. Those of ordinary skill in the art will appreciate that, as the network architecture evolves and new service scenarios emerge, the technical solutions provided by the embodiments are equally applicable to similar technical problems.
FIG. 1 is a schematic diagram of an NFV-based network architecture according to an embodiment of the present invention. As shown in FIG. 1, the network architecture includes: a Network Function Virtualization Orchestrator (NFVO), a Virtualized Network Function Manager (VNFM), a Virtualized Infrastructure Manager (VIM), a Network Function Virtualization Infrastructure (NFVI), Virtual Machines (VMs), Virtualized Network Functions (VNFs) and an Element Management System (EMS). The NFVO, VNFM and VIM belong to the Management and Orchestration (MANO) of the NFV system; the MANO functions can be implemented in hardware or in software.
To facilitate understanding of the embodiments, the above network elements and the elements related to the present invention are briefly introduced below.
A virtualisation container is part of a compute node and provides an isolated virtualized computing environment; a typical example of a virtualisation container is a VM. A VM is a virtual device emulated on a physical device by virtual machine software. To applications running in a VM, the VM behaves like a real physical device: an operating system and applications can be installed on it, and it can access network resources.
A VNF, also called a virtualized network element, corresponds to a physical network function in a traditional non-virtualized network. The functional behaviour and state of a network function are independent of whether it is virtualized. A VNF may consist of multiple lower-level components; optionally, one VNF may be deployed on multiple VMs, each VM hosting one Virtualized Network Function Component (VNFC). Optionally, one VNF may also be deployed on a single VM.
The VNFM is mainly used to implement lifecycle management of VNF instances, including initialization, scale-out or scale-in, and termination of VNF instances.
The EMS is mainly used to perform the traditional FCAPS (Fault Management, Configuration Management, Accounting Management, Performance Management and Security Management) functions for a VNF. The EMS can exist on its own, or be a VNF that has EMS functionality.
The VIM is mainly responsible for managing, monitoring and fault reporting of the hardware resources and virtualized resources of the infrastructure layer, and for providing virtualized resource pools to upper-layer applications.
The NFVI is mainly used to provide the hardware and virtual resources on which the whole system runs. It consists of hardware resources (computing, network and storage), a virtualization layer (which virtualizes the hardware resources into resource pools) and virtual resources (likewise divided into computing, network and storage). From the VNF's perspective, the virtualization layer and the hardware resources look like a single entity that provides the required virtual resources.
The NFVO is used to implement management of Network Service Descriptors (NSDs), Virtualized Network Function Descriptors (VNFDs) and Virtualized Network Function Forwarding Graphs (VNFFGs), lifecycle management of Network Services (NSs), and a global view of resources.
A Trusted Environment (TE) is used to protect the operating system and software running on a host (for example, a VM). A TE can be implemented in hardware or in software; in either case, to the VNF it is a module that provides trusted computing functions and interface calls.
CA (Certificate Authority): the network body that issues certificates, authenticates certificates and manages issued certificates. The registration authority (RA) verifies the digital certificate application submitted by the applicant, and the CA issues the certificate after verification. The CA is responsible for defining the policies and concrete procedures used to verify and identify users and for signing user certificates, so as to guarantee the identity of the certificate holder and the ownership of the public key. It is the entity that manages digital certificates across their whole lifecycle: a functional body trusted by one or more users that is responsible for creating and distributing certificates. A certification authority may also create user keys.
RA (Registration Authority): an entity in the PKI system, mainly used to vet the identity of applicants. The RA and CA are usually deployed on the same entity; in the simplified protocol, the RA function is already performed within the certificate issuance process. In the embodiments of the present invention, "CA" refers collectively to the functions of the above CA and/or RA.
Credential: also called a voucher; used for initial identity authentication, to prove the legitimacy of an entity's identity. A credential may be a one-time password, a token, a key, and so on.
In the embodiments of the present invention, the virtualization system supports a TE, which may be implemented in hardware or in software; to the VNF instance, the TE is a module that provides trusted computing functions and interface calls. If the TE is implemented in software, the TE is part of the VM: the NFVI creates the TE at the same time as it creates the VM that hosts the VNF instance, so that when the VNF instance starts, the TE it accesses is the TE the NFVI assigned to that VNF instance. As with a hardware TE, the NFVI can neither access the data stored in the software TE nor use the functions of the software TE.
When a VNF establishes a management channel with the EMS or the VNFM, both sides need to authenticate each other to prevent impersonators from attacking the network; for example, Transport Layer Security (TLS) or Secure Shell (SSH) can be used for authentication. After initialization, however, a VNF is in fact a trust island: it has no trust relationship with any other network element. Therefore, after the VNF is instantiated, a trust credential has to be generated for the VNF instance, for example for requesting a digital certificate. The embodiments of the present invention are described in detail below with reference to the drawings.
The present invention uses vTPM (Virtual Trusted Platform Module) technology to complete credential distribution to the VNF securely within a trusted environment. FIG. 2 is a schematic diagram of a system architecture that uses vTPM technology to implement credential distribution according to an embodiment of the present invention.
vTPM is one of the TPM virtualization solutions. It allows every virtual machine in a virtualized environment to obtain full trusted computing functionality: through the virtual trusted platform module, the secure storage and cryptographic functions of the TPM can be used inside the VM. A vTPM instance is the TPM of one VM; every VM that needs TPM functions is associated with a unique vTPM instance throughout its lifetime, that is, a one-to-one correspondence.
In the embodiments of the present invention, the NFVI supports deploying a vTPM for each VNF. The credential is generated by the trusted environment or trusted module built with vTPM technology, and the credential is not disclosed to any party other than its owner.
The vTPM O&M (management module) in FIG. 2 manages the creation, deletion and so on of vTPM instances. It is a centralized control point and can be located in the VIM, VNFM, NFVO or elsewhere in the MANO; generally, the vTPM O&M is located in the VIM. If it is located in the NFVO/VNFM, it can be combined with security orchestration.
The vTPM O&M agent (agent process) creates and deletes vTPM instances on each hypervisor (also called a VMM, virtual machine monitor), including allocating the vTPM AIK/EK and similar information; the vTPM O&M agent is controlled by the vTPM O&M. The vTPM O&M agent is located in the NFVI and can be understood as a TPM agent process on the infrastructure layer.
FIG. 3 is a schematic diagram of a credential distribution method according to an embodiment of the present invention. The method runs on the vTPM-capable system architecture of FIG. 2 and includes:
S310: a virtual trusted platform module (vTPM) instance generates a credential or obtains a credential, the vTPM instance having been created on the NFVI;
S320: the VNF instance obtains the credential from the vTPM instance.
After obtaining the credential, the VNF instance may use it to request a certificate from the CA, or use it as a pre-shared key (PSK); this is not limited in the embodiments of the present invention.
Further, where the credential is created/generated by the vTPM instance, the vTPM instance may, before the VNF instance obtains the credential, pass the created credential through the vTPM O&M agent and the vTPM O&M so that it is finally registered with the CA. Because the credential has already been registered with the CA before the VNF instance obtains it, the CA's authentication of the VNF is complete, and it is more secure for the VNF instance to then use the credential to request a certificate from the CA.
Where the credential is not generated by the vTPM instance but obtained by it, the credential may be generated by the CA and written into the vTPM instance via the vTPM O&M and the vTPM O&M agent during vTPM instantiation. The CA may generate the credential corresponding to a VNF after receiving the request from the MANO to register that VNF, and send it to the corresponding vTPM instance.
In an NFV system, the MANO triggers the NFVI to create a VNF instance. Once created, the new VNF instance needs to obtain a credential securely for interactions that require proof of identity, such as a certificate request. The embodiments of the present invention apply vTPM technology to the NFV instantiation process: a vTPM instance is created in the NFVI, and this vTPM instance generates or obtains the credential and provides it to the VNF instance created on the basis of the NFVI. This ensures that the credential never leaves the trusted environment and thus improves the security of credential distribution.
Based on the common aspects of the invention described above, the embodiments are described in further detail below.
FIG. 4 is a schematic diagram of a credential distribution method according to an embodiment of the present invention. In this embodiment, using the system architecture of FIG. 2, the vTPM instance generates the credential for the VNF instance and registers it with the CA. The specific procedure is as follows:
Before the method starts, at least one vTPM instance created by the vTPM O&M and the vTPM O&M agent already exists in the NFVI, and at least one VNF instance created by the NFVI already exists in the system.
S401: the vTPM instance generates a credential;
Under the control of the vTPM O&M, the vTPM instance generates a credential, which is generally a one-time credential such as a one-time password;
S402: the vTPM instance forwards the credential to the vTPM O&M agent;
S403: the vTPM O&M agent forwards the credential to the vTPM O&M;
S404: the vTPM O&M registers the credential with the CA, generally over a secure channel such as TLS, IPsec or SSH;
S405: the VNF instance reads the credential from the vTPM;
S406: the VNF instance uses the credential to request a certificate from the CA;
Because the credential was registered with the CA in step S404, the CA trusts it, and once the VNF has obtained the credential it can request a certificate from the CA.
In the credential distribution method of this embodiment, the credential is generated by the vTPM instance located in the NFVI, and the VNF instance created by that NFVI obtains the credential from the vTPM instance, which guarantees secure distribution of the credential. After generating the credential, the vTPM instance additionally registers it with the CA, so that the VNF instance can go on to use the obtained credential to request a certificate from the CA. Because the credential is generated by the vTPM instance rather than generated by the CA and then delivered to the vTPM, the load on the CA is reduced.
FIG. 5 is a communication diagram of a credential distribution method according to an embodiment of the present invention. In this embodiment the CA allocates the credential to the VNF, and the method includes:
S501: the MANO registers the VNF identity information, including the VNF ID, with the CA;
S502: the MANO registers the VNF identity information, including the VNF ID, with the vTPM O&M;
S503: the CA generates a credential, generally a one-time credential such as a one-time password; the credential generated by the CA corresponds to the VNF ID registered by the MANO;
S504: the CA distributes the credential to the vTPM O&M, generally sending it over a secure channel such as TLS, IPsec or SSH; the message the CA sends to the vTPM O&M generally also carries the mapping between the VNF ID and the credential, so that the vTPM O&M can confirm which VNF the credential belongs to;
S505: the vTPM O&M sends the vTPM O&M agent an instruction to create a vTPM instance, and distributes the credential;
S506: the vTPM O&M agent creates the vTPM and writes the credential into it;
Because the MANO has already registered the VNF with the vTPM O&M, and the vTPM O&M has obtained the credential corresponding to that VNF, the vTPM instance obtained after instantiation will also hold the credential corresponding to that VNF;
S507: the MANO instantiates the VNF;
S508: the NFVI instantiates the VNF;
S509: the VNF instance obtains the credential from the vTPM instance;
The credential the VNF obtains at this point is the CA-generated credential corresponding to its VNF ID;
S510: the VNF instance uses the credential to request a certificate;
In the credential distribution method of this embodiment, the CA generates the credential, which is written into the vTPM instance during vTPM instantiation and provided to the VNF. This ensures that the credential never leaves the trusted environment and improves the security of credential distribution; with the CA acting as the security centre that generates and verifies the credential itself, security is higher still.
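The two procedures above (FIG. 4, where the vTPM instance generates the credential and registers it with the CA before the VNF reads it; FIG. 5, where the CA generates the credential and it is written into the vTPM instance at creation), as an added Python model that is not code from the application. Class and function names are assumptions, the TLS/IPsec/SSH channel is modelled as a direct call, and the CA enforces the one-time property and the VNF ID binding that the text describes.

```python
# Added example, not code from the patent: toy model of the FIG. 4 and FIG. 5 flows.
# Class/function names are assumptions; the TLS/IPsec/SSH channel is a direct call.
import hashlib
import secrets


class CA:
    """Holds registered one-time credentials (as hashes) and issues certificates."""

    def __init__(self):
        self._registered = {}  # sha256(credential) -> bound VNF ID, or None if unbound
        self._used = set()     # digests of credentials already consumed
        self.issued = []       # (vnf_id, serial) for every certificate issued

    @staticmethod
    def _digest(cred):
        return hashlib.sha256(cred).hexdigest()  # store hashes only, not raw credentials

    def register_credential(self, cred):       # S404: registered by vTPM O&M, no ID bound
        self._registered[self._digest(cred)] = None

    def generate_credential(self, vnf_id):     # S501/S503: one-time credential bound to ID
        cred = secrets.token_bytes(32)
        self._registered[self._digest(cred)] = vnf_id
        return cred

    def request_certificate(self, vnf_id, cred):  # S406 / S510
        d = self._digest(cred)
        if d in self._used or d not in self._registered:
            return None  # replay of a consumed credential, or never registered
        if self._registered[d] not in (None, vnf_id):
            return None  # credential was issued for a different VNF
        self._used.add(d)  # one-time: any later use of this value is refused
        self.issued.append((vnf_id, len(self.issued) + 1))
        return {"subject": vnf_id, "serial": len(self.issued)}


class VTPMInstance:
    """vTPM instance in the NFVI; only the VNF it belongs to reads the credential."""

    def __init__(self, cred=None):
        self._cred = cred                      # S506: pre-filled when created by the agent

    def generate_credential(self):             # S401
        self._cred = secrets.token_bytes(32)
        return self._cred

    def read_credential(self):                 # S405 / S509
        return self._cred


class VTPMOM:
    """vTPM O&M (central control point); the hypervisor-side agent step is folded in."""

    def __init__(self, ca):
        self.ca = ca
        self.registered_vnfs = set()           # VNF IDs MANO registered in S502
        self.pending = {}                      # vnf_id -> CA credential awaiting S506

    def register_vnf(self, vnf_id):            # S502
        self.registered_vnfs.add(vnf_id)

    def receive_from_ca(self, vnf_id, cred):   # S504: refuse IDs MANO never registered
        if vnf_id not in self.registered_vnfs:
            raise ValueError("credential for unregistered VNF")
        self.pending[vnf_id] = cred

    def create_vtpm(self, vnf_id):             # S505 -> agent -> S506
        return VTPMInstance(self.pending.pop(vnf_id, None))

    def register_credential(self, cred):       # S402 -> S403 -> S404
        self.ca.register_credential(cred)


def run_fig4_flow(vnf_id="vnf-A"):
    """FIG. 4: vTPM generates the credential; CA registration precedes the VNF read."""
    ca = CA()
    om = VTPMOM(ca)
    vtpm = om.create_vtpm(vnf_id)              # pre-existing vTPM instance, no credential yet
    om.register_credential(vtpm.generate_credential())                # S401-S404
    first = ca.request_certificate(vnf_id, vtpm.read_credential())   # S405-S406: issued
    replay = ca.request_certificate(vnf_id, vtpm.read_credential())  # second use: refused
    return first, replay


def run_fig5_flow(vnf_id="vnf-B"):
    """FIG. 5: CA generates the credential, written into the vTPM at creation time."""
    ca = CA()
    om = VTPMOM(ca)
    om.register_vnf(vnf_id)                    # S502 (S501 registers the same ID at the CA)
    cred = ca.generate_credential(vnf_id)      # S503
    om.receive_from_ca(vnf_id, cred)           # S504
    vtpm = om.create_vtpm(vnf_id)              # S505-S506
    wrong_id = ca.request_certificate("vnf-X", cred)  # same value, wrong VNF ID: refused
    ok = ca.request_certificate(vnf_id, vtpm.read_credential())  # S507-S510: issued
    return ok, wrong_id
```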
在本发明前述所有实施例中,MANO可以是NFVO、VNFM和VIM中的任一个,可选地,VNF实例化/初始化命令可以通过VIM发送给NFVI。其中,NFVI如何根据VNF初始化命令创建VNF实例是本领域的公知技术,在此不再赘述。In all of the foregoing embodiments of the present invention, the MANO may be any of NFVO, VNFM, and VIM. Alternatively, the VNF instantiation/initialization command may be sent to the NFVI through the VIM. The manner in which the NFVI creates a VNF instance according to the VNF initialization command is a well-known technology in the art, and details are not described herein.
上述实施例主要从各个网元之间交互的角度对本发明实施例的方案进行了介绍。可以理解的是,各个网元,例如NFVI、vTPM实例和VNF实例为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本发明能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。The foregoing embodiment mainly introduces the solution of the embodiment of the present invention from the perspective of interaction between the network elements. It can be understood that each network element, such as an NFVI, a vTPM instance, and a VNF instance, in order to implement the above functions, includes corresponding hardware structures and/or software modules for performing various functions. Those skilled in the art will readily appreciate that the present invention can be implemented in a combination of hardware or hardware and computer software in combination with the elements and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods for implementing the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present invention.
The embodiments of the present invention may divide the NFVI, the vTPM instance and the VNF instance into functional units according to the foregoing method examples. For example, each functional unit may correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in hardware or as a software functional unit. It should be noted that the division into units in the embodiments of the present invention is schematic and is only a division by logical function; an actual implementation may divide them differently.
Where an integrated unit is used, FIG. 6 shows a possible structure of the NFVI involved in the foregoing embodiments. The NFVI 600 includes a vTPM instance.
The vTPM instance is configured to generate a credential or obtain a credential and to provide the credential to the VNF instance created by the NFVI.
A person skilled in the art will understand that, for convenience and brevity of description, the specific working process of the apparatus and unit described above can be found in the corresponding process of the NFVI in the embodiments described with reference to FIG. 2 to FIG. 5, and is not repeated here.
The foregoing embodiments are examples only and the embodiments of the present invention are not limited to them. Apart from the features described in the present invention, the other features of the NFVI provided by the embodiments comply with the relevant specifications of the European Telecommunications Standards Institute (ETSI). For example, the NFVI that generates the security credential in the embodiments conforms to the definition of NFVI in documents [1] and [2] below:
[1] ETSI GS NFV 002: "Network Functions Virtualisation (NFV); Architectural Framework".
[2] ETSI GS NFV 003: "Network Functions Virtualisation (NFV); Terminology for main concepts in NFV".
Therefore, the NFVI provided by the embodiments of the present invention uses the vTPM instance to generate or obtain the security credential and provides it to the VNF instance, which reduces the number of network elements the credential passes through after it is generated and lowers the risk that the security credential is leaked.
Where an integrated unit is used, FIG. 7 shows a possible structure of the VNF instance involved in the foregoing embodiments. The VNF instance 700 includes a credential acquisition unit, configured to obtain the credential from the virtual trusted platform module (vTPM) instance in the NFVI.
Optionally, the VNF instance further includes a certificate application unit, configured to use the credential to apply to a CA for a certificate.
A person skilled in the art will understand that, for convenience and brevity of description, the specific working process of the apparatus and unit described above can be found in the corresponding process of the VNF instance in the embodiments described with reference to FIG. 2 to FIG. 5, and is not repeated here.
The foregoing embodiments are examples only and the embodiments of the present invention are not limited to them. The VNF instance provided by the embodiments obtains the credential from the vTPM instance in the NFVI, which reduces the number of network elements the security credential passes through after it is generated and lowers the risk that the credential is leaked; the VNF instance may further use the credential to apply to a CA for a certificate.
The embodiments of the present invention further provide a credential distribution system. As shown in FIG. 8, the credential distribution system 800 includes an NFVI and a VNF instance.
The NFVI is configured to generate a credential or obtain a credential through the virtual trusted platform module (vTPM) instance created on it, and to provide the credential to the VNF instance created by the NFVI.
The VNF instance is configured to obtain the credential from the vTPM instance in the NFVI.
The system may further include a CA center, configured to receive the certificate application request that the VNF instance sends on the basis of the credential and, after the credential has been verified, to send the certificate to the VNF instance.
All of the content relating to the steps of the foregoing method embodiments applies to the functional modules of this system and is not repeated here.
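The flow that the system description above lays out (the vTPM instance generates the credential inside the NFVI and hands it only to its own VNF instance; the VNF instance uses the credential to apply for a certificate; the CA verifies the credential before issuing), written out as an added Python model. This is example code and not code from the patent. Three things the page does not specify are assumed here: the credential is 32 random bytes, the CA receives a copy of it from the NFVI over a trusted channel so that it can check the VNF's HMAC proof of possession, and the bootstrap credential is single-use, so a copy stolen after the certificate is issued is worthless. The class and function names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def _canonical(body: dict) -> bytes:
    """Stable byte encoding of a request body so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True).encode()


class VTPMInstance:
    """vTPM instance that the NFVI creates for one VNF instance.

    It is the only place the credential is generated (or obtained), and it hands
    the credential directly to its own VNF instance, so no orchestrator or other
    network element handles it.  The credential format (32 random bytes) is an
    assumption; the page does not fix it.
    """

    def __init__(self, vnf_id: str) -> None:
        self.vnf_id = vnf_id
        self._credential: bytes | None = None

    def generate_credential(self) -> None:
        self._credential = secrets.token_bytes(32)

    def obtain_credential(self, credential: bytes) -> None:
        # The page also allows the vTPM to obtain a credential instead of
        # generating one; where it comes from is out of scope here.
        if len(credential) < 16:
            raise ValueError("credential too short")
        self._credential = credential

    def provide_credential(self, vnf_id: str) -> bytes:
        # Only the VNF instance this vTPM belongs to may receive the credential.
        if vnf_id != self.vnf_id:
            raise PermissionError(f"vTPM of {self.vnf_id} will not serve {vnf_id}")
        if self._credential is None:
            raise RuntimeError("no credential generated or obtained yet")
        return self._credential


class VNFInstance:
    """VNF instance: credential acquisition unit plus certificate application unit."""

    def __init__(self, vnf_id: str, vtpm: VTPMInstance) -> None:
        self.vnf_id = vnf_id
        self._credential = vtpm.provide_credential(vnf_id)  # acquisition unit

    def request_certificate(self, public_key: str) -> dict:
        # Application unit: the request carries an HMAC proof of credential
        # possession rather than the credential itself (assumption).
        body = {"vnf_id": self.vnf_id, "public_key": public_key,
                "nonce": secrets.token_hex(16)}
        proof = hmac.new(self._credential, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "proof": proof}


class CA:
    """CA center: verifies the credential, issues the certificate once, then
    retires the credential so a stolen copy cannot be replayed."""

    def __init__(self) -> None:
        self._pending: dict[str, bytes] = {}

    def register(self, vnf_id: str, credential: bytes) -> None:
        # Assumed trusted NFVI -> CA channel; the page does not describe it.
        self._pending[vnf_id] = credential

    def issue_certificate(self, request: dict) -> dict | None:
        body, proof = request["body"], request["proof"]
        credential = self._pending.get(body["vnf_id"])
        if credential is None:
            return None  # unknown VNF, or its bootstrap credential is already spent
        expected = hmac.new(credential, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return None  # proof was not made with the credential the vTPM issued
        del self._pending[body["vnf_id"]]  # single use
        return {"subject": body["vnf_id"], "public_key": body["public_key"],
                "serial": secrets.token_hex(8)}


class NFVI:
    """NFVI: creates the VNF instance together with its vTPM instance."""

    def __init__(self, ca: CA) -> None:
        self.ca = ca

    def create_vnf(self, vnf_id: str) -> VNFInstance:
        vtpm = VTPMInstance(vnf_id)
        vtpm.generate_credential()
        self.ca.register(vnf_id, vtpm.provide_credential(vnf_id))
        return VNFInstance(vnf_id, vtpm)


def demo() -> tuple[dict | None, dict | None, dict | None]:
    """Forged request, legitimate request, replay: returns (forged, good, replay)."""
    ca = CA()
    vnf = NFVI(ca).create_vnf("vnf-0001")
    # An element that never received the credential has to guess one: rejected.
    body = {"vnf_id": "vnf-0001", "public_key": "ATTACKER-KEY", "nonce": "00"}
    bad_proof = hmac.new(secrets.token_bytes(32), _canonical(body), hashlib.sha256).hexdigest()
    forged = ca.issue_certificate({"body": body, "proof": bad_proof})
    good = ca.issue_certificate(vnf.request_certificate("PUBKEY-OF-VNF-0001"))
    replay = ca.issue_certificate(vnf.request_certificate("PUBKEY-OF-VNF-0001"))
    return forged, good, replay


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the one the description argues: the only holders of the credential are the vTPM instance, its VNF instance and the CA that verifies it, so the attack surface for theft is the in-host vTPM to VNF hand-over rather than an orchestration chain. The single-use rule in `CA.issue_certificate` is the practical caveat a deployment should add on top of that: once the certificate exists, the bootstrap credential should be spent, so a later leak of it cannot be used to obtain a second certificate for the same VNF identity.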
The NFVI and the VNF instance in all the foregoing embodiments of the present invention may be implemented as a computer device. FIG. 9 is a schematic diagram of the hardware structure of a computer device 900 according to an embodiment of the present application. As shown in FIG. 9, the computer device 900 includes a processor 902, a memory 904, a communication interface 906 and a bus 908; the processor 902, the memory 904 and the communication interface 906 are communicatively connected to one another through the bus 908. The processor 902 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, and executes the relevant programs to implement the technical solutions provided by the embodiments of the present application. The memory 904 may be a read-only memory (ROM), a static storage device, a dynamic storage device or a random access memory (RAM). The memory 904 may store an operating system 9041 and other application programs 9042. When the technical solutions provided by the embodiments of the present application are implemented in software or firmware, the program code implementing them is stored in the memory 904 and executed by the processor 902. The communication interface 906 uses a transceiver apparatus, such as but not limited to a transceiver, to communicate with other devices or communication networks. The bus 908 may include a path that carries information between the components (for example the processor 902, the memory 904 and the communication interface 906).
When the computer device 900 is the NFVI, the processor 902 is configured to: configure a virtual trusted platform module (vTPM) instance on the NFVI, the vTPM instance generating a credential or obtaining a credential; and
cause the vTPM instance to provide the credential to the VNF instance created by the NFVI.
When the computer device 900 is a VNF instance, the processor 902 is configured to obtain the credential from the virtual trusted platform module (vTPM) instance in the NFVI and further use the credential to apply to a CA for a certificate.
The embodiments of the present application further provide a computer storage medium, which may store program instructions for performing any of the foregoing methods.
In the several embodiments provided by the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and an actual implementation may divide them differently; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware or any combination of them. When implemented in software, they may be implemented in whole or in part as a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted through a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, for example a magnetic medium (a floppy disk, hard disk or magnetic tape), an optical medium (a DVD) or a semiconductor medium (for example a solid state disk (SSD)) used to store or transmit the computer instructions.
The foregoing is only a specific implementation of the present invention, but the scope of protection of the present invention is not limited to it; any modification or replacement that a person skilled in the art can easily conceive within the technical scope disclosed by the present invention falls within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be that of the claims.
Claims (14)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201680091967.2A CN110121857B (en) | 2016-12-30 | 2016-12-30 | Credential distribution method and device |
| PCT/CN2016/113557 WO2018120042A1 (en) | 2016-12-30 | 2016-12-30 | Credential distribution method and apparatus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2016/113557 WO2018120042A1 (en) | 2016-12-30 | 2016-12-30 | Credential distribution method and apparatus |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018120042A1 true WO2018120042A1 (en) | 2018-07-05 |
Family
ID=62707799
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2016/113557 Ceased WO2018120042A1 (en) | 2016-12-30 | 2016-12-30 | Credential distribution method and apparatus |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN110121857B (en) |
| WO (1) | WO2018120042A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020233205A1 (en) * | 2019-05-22 | 2020-11-26 | 华为技术有限公司 | Container service management method and device |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111212071B (en) * | 2019-12-31 | 2022-04-01 | 奇安信科技集团股份有限公司 | Information processing method and device, electronic device and medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105264818A (en) * | 2014-05-08 | 2016-01-20 | 华为技术有限公司 | Certificate acquisition method and device |
| CN105284091A (en) * | 2014-05-08 | 2016-01-27 | 华为技术有限公司 | Certificate acquisition method and device |
| WO2016026129A1 (en) * | 2014-08-22 | 2016-02-25 | Nokia Technologies Oy | A security and trust framework for virtualized networks |
| US9294282B1 (en) * | 2013-07-01 | 2016-03-22 | Amazon Technologies, Inc. | Cryptographically verified repeatable virtualized computing |
| CN105718760A (en) * | 2014-12-23 | 2016-06-29 | 英特尔公司 | Licensing in the cloud |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101047440A (en) * | 2006-05-10 | 2007-10-03 | 华为技术有限公司 | Method of service route return |
| CN104113574B (en) * | 2013-04-19 | 2017-04-12 | 中国科学院计算技术研究所 | Safe transfer method and system of wide area network trusted virtual machine |
| US9652631B2 (en) * | 2014-05-05 | 2017-05-16 | Microsoft Technology Licensing, Llc | Secure transport of encrypted virtual machines with continuous owner access |
- 2016
  - 2016-12-30 CN CN201680091967.2A patent/CN110121857B/en active Active
  - 2016-12-30 WO PCT/CN2016/113557 patent/WO2018120042A1/en not_active Ceased
Non-Patent Citations (2)
| Title |
|---|
| ETSI: "Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance", ETSI GR NFV-SEC 003 V1.2.1, 31 August 2016 (2016-08-31), XP055509690 * |
| SU , JIAN ET AL.: "VNF Lifecycle Security Management Measures in NFV", TELECOMMUNICATIONS SCIENCE, 20 November 2016 (2016-11-20) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110121857A (en) | 2019-08-13 |
| CN110121857B (en) | 2021-02-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11695757B2 (en) | Fast smart card login | |
| US10523658B2 (en) | Securing a data connection for communicating between two end-points | |
| CN107548499B (en) | Techniques for Secure Bootstrapping of Virtual Network Functions | |
| US10841316B2 (en) | Dynamic access control to network resources using federated full domain logon | |
| KR102036758B1 (en) | Fast smart card logon and federated full domain logon | |
| US10826905B2 (en) | Secure access to on-premises web services from multi-tenant cloud services | |
| US10397778B2 (en) | Computer network providing secure mobile device enrollment features and related methods | |
| US10331882B2 (en) | Tracking and managing virtual desktops using signed tokens | |
| US9509692B2 (en) | Secured access to resources using a proxy | |
| AU2024278515A1 (en) | Ophthalmic delivery device | |
| US9935937B1 (en) | Implementing network security policies using TPM-based credentials | |
| JP7758735B2 (en) | Remote Management of Hardware Security Modules | |
| US11522847B2 (en) | Local mapped accounts in virtual desktops | |
| WO2015143651A1 (en) | Network function virtualization-based certificate configuration method, apparatus and system | |
| US20240380610A1 (en) | Secure communications between edge clusters and cluster management system | |
| US11366883B2 (en) | Reflection based endpoint security test framework | |
| CN116208501A (en) | TEE resource orchestration method, system, device and storage medium in NFV | |
| CN110121857B (en) | Credential distribution method and device | |
| CN110115012B (en) | Secret information distribution method and device | |
| WO2018040095A1 (en) | Method and device for generating security credential | |
| WO2019015563A1 (en) | Initialization credentials generating method and device for virtual network function (vnf) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16925913; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16925913; Country of ref document: EP; Kind code of ref document: A1 |