[go: up one dir, main page]

WO2020000428A1 - Methods, devices and computer readable medium for key management - Google Patents

Methods, devices and computer readable medium for key management Download PDF

Info

Publication number
WO2020000428A1
WO2020000428A1 PCT/CN2018/093830 CN2018093830W WO2020000428A1 WO 2020000428 A1 WO2020000428 A1 WO 2020000428A1 CN 2018093830 W CN2018093830 W CN 2018093830W WO 2020000428 A1 WO2020000428 A1 WO 2020000428A1
Authority
WO
WIPO (PCT)
Prior art keywords
keys
pair
encrypted
virtual machine
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2018/093830
Other languages
French (fr)
Inventor
Yulong Zhang
Ning Xu
Peijun FU
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Original Assignee
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Shanghai Bell Co Ltd, Nokia Solutions and Networks Oy filed Critical Nokia Shanghai Bell Co Ltd
Priority to CN201880095153.5A priority Critical patent/CN112368989B/en
Priority to PCT/CN2018/093830 priority patent/WO2020000428A1/en
Publication of WO2020000428A1 publication Critical patent/WO2020000428A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/131Protocols for games, networked simulations or virtual reality

Definitions

  • Embodiments of the present disclosure generally relate to communication techniques, and more particularly, to methods, devices and computer readable medium for key management.
  • LTE Long Term Evolved
  • 5G 5 th generation wireless systems
  • All of the key management used by applications for example, Transport Layer Security (TLS) , Internet Protocol Security (IPSec) , and CertMan
  • TLS Transport Layer Security
  • IPSec Internet Protocol Security
  • CertMan CertMan
  • embodiments of the present disclosure relate to a method for a key management and the corresponding devices.
  • embodiments of the present disclosure provide a communication method implemented at a first device.
  • the method comprises: establishing a secured connection between the first device and a second device.
  • the method also comprises generating, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device.
  • the method further comprises transmitting the first request to the second device via the secured connection.
  • the method comprises transmitting, to the second device, a second pair of keys generated by the virtual machine.
  • the method also comprises receiving, from the second device, an encrypted second pair of keys for data transmission. The encrypted second pair of keys encrypted at the second device with the first pair of keys.
  • embodiments of the present disclosure provide a communication method implemented at a second device.
  • the method comprises: establishing a secured connection between the first device and the second device.
  • the method also comprises in response to receiving, from a virtual machine on the first device, a first request for generating a first pair of keys via the secured connection, generating the first pair of keys.
  • the method further comprises receiving, from the first device, a second pair of keys for encrypting.
  • the method comprises encrypting the second pair of keys with the first pair of keys.
  • the method also comprises transmitting, to the first device, an encrypted second pair of keys for data transmission.
  • inventions of the disclosure provide a first device.
  • the first device comprises: at least on processor; and a memory coupled to the at least one processor, the memory storing instructions therein, the instructions, when executed by the at least one processor, causing the first device to at least perform: establish a secured connection between the first device and a second device.
  • the first device is also caused to generate, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device.
  • the first device is caused to transmit the first request to the second device via the secured connection.
  • the first device is caused to transmit, to the second device, a second pair of keys generated by the virtual machine.
  • the first device is also caused to receive, from the second device, an encrypted second pair of keys for data transmission.
  • the encrypted second pair of keys is encrypted at the second device with the first pair of keys.
  • inventions of the disclosure provide a second device.
  • the second device comprises: at least on processor; and a memory coupled to the at least one processor, the memory storing instructions therein, the instructions, when executed by the at least one processor, causing the second device to at least perform establish a secured connection between the first device and the second device.
  • the second device is also caused to in response to receive, from a virtual machine on the first device, a first request for generate a first pair of keys via the secured connection, generating the first pair of keys.
  • the second device is further caused to receive, from the first device, a second pair of keys for encrypting.
  • the second device is caused to encrypt the second pair of keys with the first pair of keys.
  • the second device is also caused transmit, to the first device, an encrypted second pair of keys for data transmission.
  • inventions of the disclosure provide an apparatus for communication.
  • the apparatus comprises means for performing the method according to the first aspect.
  • inventions of the disclosure provide an apparatus for communication.
  • the apparatus comprises means for performing the method according to the second aspect.
  • embodiments of the disclosure provide a computer readable medium.
  • the computer readable medium stores instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to implement the method according to the first aspect.
  • embodiments of the disclosure provide a computer readable medium.
  • the computer readable medium stores instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to implement the method according to the second aspect.
  • Fig. 1 illustrates a schematic diagram of a system for key management according to conventional technologies
  • Fig. 2 illustrates a schematic diagram of a system according to embodiments of the present disclosure
  • FIG. 3 illustrates a flow chart of a method implemented at a first device according to embodiments of the present disclosure
  • Fig. 4 illustrates a flow chart of a method implemented a second device according to embodiments of the present disclosure
  • Fig. 5 illustrates an interaction operation between a first device and a second device according to embodiments of the present disclosure
  • Fig. 6 illustrates an interaction operation between a first device and a second device according to embodiments of the present disclosure
  • Fig. 7 illustrates a schematic diagram of keys according to embodiments of the present disclosure
  • Fig. 8 illustrates an interaction operation between virtual machines according to embodiments of the present disclosure.
  • Fig. 9 illustrates a schematic diagram of a device according to embodiments of the present disclosure.
  • the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE) , LTE-Advanced (LTE-A) , Wideband Code Division Multiple Access (WCDMA) , High-Speed Packet Access (HSPA) , and so on.
  • LTE Long Term Evolution
  • LTE-A LTE-Advanced
  • WCDMA Wideband Code Division Multiple Access
  • HSPA High-Speed Packet Access
  • the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G) , the second generation (2G) , 2.5G, 2.75G, the third generation (3G) , the fourth generation (4G) , 4.5G, the future fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
  • Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system. For the purpose of illustrations, embodiments of the present disclosure will be described with reference to E-UTRAN New Radio-Dual Connectivity (EN-DC) network in 5G communication system.
  • EN-DC E-UTRAN New Radio-Dual Connectivity
  • the term “communication device” may refer to a network device and/or a terminal device.
  • the term “network device” includes, but not limited to, a base station (BS) , a gateway, a management entity, and other suitable device in a communication system.
  • base station or “BS” represents a node B (NodeB or NB) , an evolved NodeB (eNodeB or eNB) , a Remote Radio Unit (RRU) , a radio header (RH) , a remote radio head (RRH) , a relay, a low power node such as a femto, a pico, and so forth.
  • NodeB or NB node B
  • eNodeB or eNB evolved NodeB
  • RRU Remote Radio Unit
  • RH radio header
  • RRH remote radio head
  • relay a low power node such as a femto, a pico, and so forth.
  • terminal device includes, but not limited to, “user equipment (UE) ” and other suitable end device capable of communicating with the network device.
  • the “terminal device” may refer to a terminal, a Mobile Terminal (MT) , a Subscriber Station (SS) , a Portable Subscriber Station, a Mobile Station (MS) , or an Access Terminal (AT) .
  • MT Mobile Terminal
  • SS Subscriber Station
  • MS Mobile Station
  • AT Access Terminal
  • VNF virtual network function
  • VM virtual machine
  • circuitry used herein may refer to one or more or all of the following:
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
  • the conventional key management is software based.
  • a software based system is deployed in virtualized network function (VNF) level. All the data/keys may be protected by software only.
  • the hardware for example, trusted platform module (TPM) , hardware security module (HSM)
  • TPM trusted platform module
  • HSM hardware security module
  • the pre-installed certificate inside a virtual machine may be used for TLS and/or hypertext transfer protocol secure (HTTPS) authentication to enable the secure connection between virtual machine clients and server.
  • Fig. 1 illustrates a system 100 for key management according to conventional technologies. All the VNF instances share the same certificate instance. The conventional technologies do not involve the hardware (for example TPM) in key management since the communication between the hardware and the VNF cannot be secured and trust.
  • embodiments of the present disclosure provide solutions for key management.
  • a secured communication between the VNF and the hardware is established and the key in the virtual machine can be protected with the hardware.
  • Fig. 2 illustrates a schematic diagram of a system 200 for key management according to embodiments of the present disclosure.
  • the system 200 may comprise a device 210 (referred to as “the first device 210” hereinafter) , a device 230 (referred to as “the second device 230” hereinafter) .
  • the first device 210 and the second device 230 can be any suitable devices.
  • the first device 210 may be regarded as a compute node and the second device 230 may be regarded as a controller/storage node.
  • a virtual machine 220 may be implemented on the first device 210.
  • the first device 210 may also comprise other modules, for example middleware. It should be noted that the numbers of devices and modules shown in Fig. 1 are only for the purpose of illustrations.
  • the first device 210, the second device 230 and the virtual machine 220 may comprise cloud key management solution (CKMS) modules.
  • the virtual machine 220 may comprise a CKMS server 2210 and a CKMS agent 2220.
  • the first device 210 may also comprise a CKMS broker 2110.
  • the second device 230 may comprise a CKMS broker 2310 and a privacy Certificate Authority (CA) 2320.
  • the device may also comprise hardware components, for example, TPM 2330.
  • the CKMS server 2210 may securely store data and ensure a key management service is minimally disruptive.
  • the CKMS 2210 may connect to the TPM via the CKMS brokers 2110 and 2310.
  • the CKMS agent may provide a secure way for applications (for example, TLS, IPSec, CertMan) to access the data from the CKMS server 2210.
  • the CKMS brokers 2110 and 2310 may be bridge for establishing a secure communication between the CKMS server 2210 and the hardware TPM 2330 to protect the keys.
  • the privacy CA 2320 may ensure the secured communication among the CKMS modules.
  • modules for example the CKMS server 2210, the CKMS agent 2220, the CKMS broker 2110, the CKMS broker 2310, the privacy CA 2320, and the TPM 2330 shown in Fig. 1 are only for the purpose of illustrations not limitation.
  • the system 200 may comprise any suitable modules for implementing embodiments of the present disclosure.
  • Communications in the system 200 may be implemented according to any proper communication protocol (s) , including, but not limited to, cellular communication protocols of the first generation (1G) , the second generation (2G) , the third generation (3G) , the fourth generation (4G) and the fifth generation (5G) and on the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
  • s including, but not limited to, cellular communication protocols of the first generation (1G) , the second generation (2G) , the third generation (3G) , the fourth generation (4G) and the fifth generation (5G) and on the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
  • IEEE Institute for Electrical and Electronics Engineers
  • the communication may utilize any proper wireless communication technology, including but not limited to: Code Divided Multiple Address (CDMA) , Frequency Divided Multiple Address (FDMA) , Time Divided Multiple Address (TDMA) , Frequency Divided Duplexer (FDD) , Time Divided Duplexer (TDD) , Multiple-Input Multiple-Output (MIMO) , Orthogonal Frequency Divided Multiple Access (OFDMA) and/or any other technologies currently known or to be developed in the future.
  • CDMA Code Divided Multiple Address
  • FDMA Frequency Divided Multiple Address
  • TDMA Time Divided Multiple Address
  • FDD Frequency Divided Duplexer
  • TDD Time Divided Duplexer
  • MIMO Multiple-Input Multiple-Output
  • OFDMA Orthogonal Frequency Divided Multiple Access
  • Fig. 3 illustrates a flow chart of a method 300 according to embodiments of the present disclosure.
  • the method 300 may be implemented at the first device 210.
  • the first device 210 may establish a secured connection between the first device 210 and the second device 230.
  • the secured connection may be established based on predetermined configurations.
  • the first device 210 may transmit a request for singing certificate to the second device 230.
  • the first device 210 may receive a certificate response from the second device 230.
  • the first device 210 may initialize the virtual machine 220 based at least in parts on the certificate.
  • the VM instantiation parameters may comprise the certificate.
  • Fig. 5 illustrates an example interaction operation 500 which may be used to establish the secured connection according to embodiments of the present disclosure.
  • Fig. 3 is described with the reference to Fig. 5.
  • the CKMS broker 2310 in the second device 230 may generate 502 own private keys and certificate singing request (CSR) .
  • the CKMS broker 2310 may transmit 504 the CSR for certificate signing to the privacy CA 2320.
  • the privacy CA 2320 may transmit 506 the certificate response to the CKMS broker 2310. In this way, the secured communication between the CKMS broker 2310 and the privacy CA 2320 is built.
  • the CKMS broker 2110 in the first device 210 may generate 508 its own private key and CSR.
  • the CKMS broker 2110 may transmit 510 the CSR for certificate signing to the second device 230.
  • the CKMS broker 2310 may forward 512 the CSR to the privacy CA 2320.
  • the privacy CA 2320 may transmit 514 certificate responses to the CKMS broker 2310.
  • the CKMS broker 2310 may forward 514 the certificate response to the CKMS broker 2110. In this way, the secured communication among the CKMSA broker 2110, the CKMS broker 2310 and the privacy CA 2320 is built.
  • the nova 2120 in the first device 210 may be used to load and trigger virtual machines.
  • the nova 2120 may measure and verify 518 the VM image of the virtual machine 220.
  • the nova 2120 may transmit 520 a request for a certificate for the virtual machine 220 to the CKMS broker 2110.
  • the CKMS broker 2110 may generate 522 private key and CSR for the virtual machine 220.
  • the CKMS broker 2110 may transmit 524 the CSR for certificate signing for the virtual machine 220 to the CKMS broker 2310.
  • the CKMS broker 2310 may forward 526 the request to the privacy CA 2320.
  • the privacy CA 2320 may transmit 528 certificate responses to the CKMS broker 2310.
  • the CKMS broker 2310 may forward 530 the certificate response to the CKMS broker 2110.
  • the CKMS broker 2110 may inject the certificate and key pair into the virtual machine 210 in VM instance creation.
  • the certificate and its key may be propagated via VM instantiation parameters to the CKMS agent in the virtual machine 220.
  • the CKMS agent may encode and install the certificate and key pairs to temporary location with proper access control. In this way, the secured communication among the CKMS modules has been established.
  • the first device 210 and the second device 230 are connected securely.
  • the certificate and key pair may be only bound with the specific VM instance, if the virtual machine 220 needs to be recreated via the Nova 2120, the Nova 2120 needs to request a new certificate. In other embodiments, if another virtual machine needs to be created, the interaction operation 500 may be repeated.
  • the virtual machine 220 on the first device 210 generates a first request for generating a first pair of keys at the second device 230 at block 320.
  • the first pair of keys may be the root key and only bound to the specific CKMS modules.
  • Fig. 7 illustrates a schematic diagram of keys according to embodiments of the present disclosure. In the example embodiment shown in Fig. 7, the first pair of keys may be the CKMS root key 710 and the second pair of keys may be the CKMS master key 720.
  • the first device 210 transmits the first request to the second device 230 via the secured connection.
  • the virtual machine 220 may generate a second pair of keys.
  • the second pair of keys may be generated in the first start-up.
  • the first device 210 transmits the second pair of keys to the second device 230.
  • the first device 210 may also transmit a request for encrypting the second pair of keys with the first pair of keys.
  • the first device 210 receives an encrypted second pair of keys from the second device 230 at block 350.
  • the second pair of keys is encrypted with the first pair of keys and may be stored in a local storage.
  • Fig. 6 illustrates an interaction operation 600 between the first device 210 and the second device 230 according to embodiments of the present disclosure. An example embodiment is to be described with the reference to Fig. 6 below. It should be noted that the interaction operation 600 shown in Fig. 6 is only for the purpose of illustrations not limitations.
  • the first device 210 and the second device 230 are connected securely.
  • the CKMS server 2210 generates 602 the first request for generating the first pair of keys 710 at the second device 230.
  • the CKMS server 2210 may transmit 604 the first request to the second device 230.
  • the CKMS server 2210 may transmit the first request to the CKMS broker 2210 and the CKMS broker 2210 may forward 606 the request to the CKMS 2310 in the second device 230.
  • the CKMS broker may further forward 608 the first request to the TPM 2330.
  • the TPM 2330 generates 610 the first pair of keys 710.
  • the CKMS server 2210 may generate the second pair of keys 720.
  • the CKMS server 2210 transmits 614 the second pair of keys to the second device 230.
  • the CKMS server 2210 may transmit the second pair of keys 720 to the CKMS broker 2110 and the CKMS broker 2110 may forward 616 the second pair of keys 720 to the CKMS broker 2310 which further forward the second pair of keys 720 to the TPMS 2330.
  • the TPM 2330 encrypts 618 the second pair of keys 720 with the first pair of keys 710.
  • the TPM 2330 transmits 620 the encrypted second pair of keys to the first device 210.
  • the TPM 2330 may transmit the encrypted second pair of keys to the CKMS broker 2310 and forward 622 the encrypted second pair of keys to the CKMS broker 2110 which further forwards 624 the encrypted second pair of keys to the CKMS server 2210.
  • the CKMS server 2210 may store 626 the encrypted second pair of keys.
  • the CKMS server 2210 may synchronize the encrypted second pair of keys to other virtual machines which have a standby CKMS server thereon.
  • the CKMS server 2210 may have one or more standby CKMS servers to improve the reliability. If the CKMS server 2210 fails, the standby CKMS server may come into use. In this way, the second pair of keys 720 is protected with the first pair of keys 710 which are generated and stored in hardware.
  • the first device 210 may reload the second pair of keys 720. For example, if the first device 210 needs to encrypt data to be stored, it needs to reload the second pair of keys 720. In some embodiments, the first device 210 may start up and the encrypted second pair of keys is existing.
  • the CKMS server 2210 may transmit 630 the encrypted second pair of keys to the second device 230. In some embodiments, the CKMS server 2210 may transmit the encrypted second pair of keys to the CKMS broker 2110 and the CKMS broker 2110 may forward 632 the encrypted second pair of keys to the CKMS broker 2310 which may further forward 634 the encrypted second pair of keys to the TPM 2330.
  • the TPM 2330 may decrypt 636 the encrypted second pair of keys to obtain the second pair of keys 720.
  • the TPM may transmit 638 the second pair of keys 720 to the CKMS broker 2310 and the CKMS broker 2310 may forward 640 the second pair of keys 720 to the CKMS broker 2110 which may further forward the second pair of keys 720 to the CKMS server 2210.
  • the CKMS server 2210 may load 642 the second pair of keys 720 which are in plaintext form.
  • applications may use the CKMS modules to protect data.
  • the first device 210 may derive the third keys 730 from the second pair of keys 720 for different applications to protect the data.
  • the third keys 730 may be CKMS encryption keys.
  • Fig. 8 illustrates an interaction operation 800 between virtual machines for protecting data according to embodiments of the present disclosure. It should be noted that the interaction shown in Fig. 8 is only an example. Fig. 8 shows two virtual machines 210-1 and 210-2. The virtual machine 210-1 may be regarded as the master virtual machine.
  • the CKMS server 2210-1 on the virtual machine 210-1 may generate 802 the third pair of keys. If the application on the virtual machine 210-2needs to protect data, the application may transmit 804 the data to be stored to the CKMS agent 2220-1. The CKMS agent 2220-1 transmit 806 the data to the CKMS server 2210-1. The CKMS server 2210-1 may decrypt 808 the third pair of keys with the second pair of keys 720. The CKMS server 2210-1 may encrypt the data with the decrypted third pair of keys and store 812 the encrypted data.
  • the applications may need to read the data.
  • the application may transmit 814 the request for reading the encrypted data to the CKMS agent 2220-1.
  • the CKMS agent 2220-1 may transmit 816 the request to the CKMS server 2210-1.
  • the CKMS server 2210-1 may decrypt 818 the third pair of keys and decrypt 820 the encrypted data with the decrypted third pair of keys.
  • the CKMS server 2210-1 may transmit 822 the decrypted data to the CKMS agent 2220-1 which may further transmit 824 the decrypted data to the applications.
  • Fig. 4 illustrates a flow chart of a method 400 according to embodiments of the present disclosure.
  • the method 400 may be implemented at the second device 230.
  • the second device 230 establishes a secured connection between the first device 210 and the second device 230.
  • the secured connection may be established based on predetermined configurations.
  • the second device 230 may receive a request for singing certificate from the first device 210.
  • the second device 230 may transmit a certificate response to the first device 210.
  • An example embodiment of establishing the secured connection has been described above with the reference to Fig. 5.
  • the second device 230 generates the first pair of keys if they receive the first request for generating the first pair of keys from the first device 210.
  • the second device 230 receives the second pair of keys which are generated by the first device 210. In some embodiments, the second device 230 may also receive a request for encrypting the second pair of keys with the first pair of keys. In some embodiments, the second device 230 may encrypt the second pair of keys based on a predefined rule.
  • the second device 230 encrypts the second pair of keys with the first pair of keys.
  • the second device 230 transmits the encrypted second pair of keys to the first device 210.
  • an apparatus for performing the method 300 may comprise respective means for performing the corresponding steps in the method 300.
  • These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
  • the apparatus comprises: means for establishing a secured connection between the first device and a second device; means for generating, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device; means for transmitting the first request to the second device via the secured connection; means for transmitting, to the second device, a second pair of keys generated by the virtual machine; and means for receiving, from the second device, an encrypted second pair of keys for data transmission, the encrypted second pair of keys encrypted at the second device with the first pair of keys.
  • the means for establishing the secured connection comprises: means for transmitting, to the second device, a request for signing a certificate; means for receiving a certificate response from the second device; and means for initializing the virtual machine based at least in part on the certificate.
  • the means for transmitting the second pair of keys comprises: means for transmitting a request for encrypting the second pair of keys with the first pair of keys.
  • the apparatus further comprises: means for storing the encrypted second pair of keys; and means for synchronizing the encrypted second pair of keys to a further virtual machine on the first device.
  • the apparatus further comprises: means for in response to a determination that the second pair of keys is to be used, transmitting, to the second device, the encrypted second pair of keys for decrypting with the first pair of keys; means for receiving, from the second device, the second pair of keys.
  • the apparatus further comprises: means for generating a third pair of keys by the virtual machine for storing data; means for in response to receiving data to be stored, decrypting the third pair of keys with the second pair of keys; means for encrypting the data with the decrypted third pair of keys; and means for storing the encrypted data.
  • the apparatus further comprises: means for generating a third pair of keys by the virtual machine for storing data; means for in response to receiving a request for encrypted data stored at the virtual machine, decrypting the third pair of keys with the second pair of keys; means for decrypting the encrypted data with the decrypted third pair of keys; and means for transmitting the decrypted data.
  • an apparatus for performing the method 400 may comprise respective means for performing the corresponding steps in the method 400
  • These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
  • the apparatus comprises: means for establishing a secured connection between a first device and the second device; means for in response to receiving, from a virtual machine on the first device, a first request for generating a first pair of keys via the secured connection, generating the first pair of keys; means for receiving, from the first device, a second pair of keys for encrypting; means for encrypting the second pair of keys with the first pairof keys; and means for transmitting, to the first device, an encrypted second pair of keys for data transmission.
  • the means for establishing the secured connection comprises: means for in response to receiving, from the first device, a request for signing a certificate, transmitting a certificate response to the first device.
  • the means for receiving the second pair of keys comprises: means for receiving a request for encrypting the second pair of keys with the first pair of keys.
  • the apparatus further comprises: means for in response to receiving, from the first device, the encrypted second pair of keys; means for decrypting the encrypted second pair of keys with the first pair of keys to obtain the second pair of keys; and means for transmitting, to the first device, the second pair of keys.
  • Fig. 9 is a simplified block diagram of a device 900 that is suitable for implementing embodiments of the present disclosure.
  • the device 900 may be implemented at the first device 210.
  • the device 900 may also be implemented at the second device 230.
  • the device 900 includes one or more processors 910, one or more memories 920 coupled to the processor (s) 910, one or more transmitters and/or receivers (TX/RX) 940 coupled to the processor 910.
  • the processor 910 may be of any type suitable to the local technical network, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
  • the device 900 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
  • the memory 920 may be of any type suitable to the local technical network and may be implemented using any suitable data storage technology, such as a non-transitory computer readable storage medium, semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory, as non-limiting examples.
  • the memory 920 stores at least a part of a program 930.
  • the TX/RX 940 is for bidirectional communications.
  • the TX/RX 940 has at least one antenna to facilitate communication, though in practice an Access Node mentioned in this application may have several ones.
  • the communication interface may represent any interface that is necessary for communication with other network elements.
  • the program 930 is assumed to include program instructions that, when executed by the associated processor 910, enable the device 900 to operate in accordance with the embodiments of the present disclosure, as discussed herein with reference to Figs. 3 and 8. That is, embodiments of the present disclosure can be implemented by computer software executable by the processor 910 of the device 900, or by hardware, or by a combination of software and hardware.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the disclosure provide a method, device and computer readable medium for key managements. According to embodiments of the present disclosure, a secured communication between the VNF and the hardware is established and the key in the virtual machine can be protected with the hardware.

Description

METHODS, DEVICES AND COMPUTER READABLE MEDIUM FOR KEY MANAGEMENT FIELD
Embodiments of the present disclosure generally relate to communication techniques, and more particularly, to methods, devices and computer readable medium for key management.
BACKGROUND
In communication systems, such as Long Term Evolved (LTE) communication systems or the 5 th generation wireless systems (5G) , there is no unified key management service. All of the key management used by applications (for example, Transport Layer Security (TLS) , Internet Protocol Security (IPSec) , and CertMan) is software based. Thus, further research on key management is needed.
SUMMARY
Generally, embodiments of the present disclosure relate to a method for a key management and the corresponding devices.
In a first aspect, embodiments of the present disclosure provide a communication method implemented at a first device. The method comprises: establishing a secured connection between the first device and a second device. The method also comprises generating, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device. The method further comprises transmitting the first request to the second device via the secured connection. The method comprises transmitting, to the second device, a second pair of keys generated by the virtual machine. The method also comprises receiving, from the second device, an encrypted second pair of keys for data transmission. The encrypted second pair of keys encrypted at the second device with the first pair of keys.
In a second aspect, embodiments of the present disclosure provide a communication method implemented at a second device. The method comprises: establishing a secured connection between the first device and the second device. The  method also comprises in response to receiving, from a virtual machine on the first device, a first request for generating a first pair of keys via the secured connection, generating the first pair of keys. The method further comprises receiving, from the first device, a second pair of keys for encrypting. The method comprises encrypting the second pair of keys with the first pair of keys. The method also comprises transmitting, to the first device, an encrypted second pair of keys for data transmission.
In a third aspect, embodiments of the disclosure provide a first device. The first device comprises: at least on processor; and a memory coupled to the at least one processor, the memory storing instructions therein, the instructions, when executed by the at least one processor, causing the first device to at least perform: establish a secured connection between the first device and a second device. The first device is also caused to generate, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device. The first device is caused to transmit the first request to the second device via the secured connection. The first device is caused to transmit, to the second device, a second pair of keys generated by the virtual machine. The first device is also caused to receive, from the second device, an encrypted second pair of keys for data transmission. The encrypted second pair of keys is encrypted at the second device with the first pair of keys.
In the fourth aspect, embodiments of the disclosure provide a second device. The second device comprises: at least on processor; and a memory coupled to the at least one processor, the memory storing instructions therein, the instructions, when executed by the at least one processor, causing the second device to at least perform establish a secured connection between the first device and the second device. The second device is also caused to in response to receive, from a virtual machine on the first device, a first request for generate a first pair of keys via the secured connection, generating the first pair of keys. The second device is further caused to receive, from the first device, a second pair of keys for encrypting. The second device is caused to encrypt the second pair of keys with the first pair of keys. The second device is also caused transmit, to the first device, an encrypted second pair of keys for data transmission.
In a fifth aspect, embodiments of the disclosure provide an apparatus for  communication. The apparatus comprises means for performing the method according to the first aspect.
In a sixth aspect, embodiments of the disclosure provide an apparatus for communication. The apparatus comprises means for performing the method according to the second aspect.
In a seventh aspect, embodiments of the disclosure provide a computer readable medium. The computer readable medium stores instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to implement the method according to the first aspect.
In an eighth aspect, embodiments of the disclosure provide a computer readable medium. The computer readable medium stores instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to implement the method according to the second aspect.
Other features and advantages of the embodiments of the present disclosure will also be apparent from the following description of specific embodiments when read in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of embodiments of the disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the disclosure are presented in the sense of examples and their advantages are explained in greater detail below, with reference to the accompanying drawings, where
Fig. 1 illustrates a schematic diagram of a system for key management according to conventional technologies;
Fig. 2 illustrates a schematic diagram of a system according to embodiments of the present disclosure;
Fig. 3 illustrates a flow chart of a method implemented at a first device according to embodiments of the present disclosure; Fig. 4 illustrates a flow chart of a method implemented a second device according to embodiments of the present disclosure;
Fig. 5 illustrates an interaction operation between a first device and a second device according to embodiments of the present disclosure;
Fig. 6 illustrates an interaction operation between a first device and a second device according to embodiments of the present disclosure;
Fig. 7 illustrates a schematic diagram of keys according to embodiments of the present disclosure;
Fig. 8 illustrates an interaction operation between virtual machines according to embodiments of the present disclosure; and
Fig. 9 illustrates a schematic diagram of a device according to embodiments of the present disclosure.
Throughout the figures, same or similar reference numbers indicate same or similar elements.
DETAILED DESCRIPTION OF EMBODIMENTS
The subject matter described herein will now be discussed with reference to several example embodiments. It should be understood these embodiments are discussed only for the purpose of enabling those skilled persons in the art to better understand and thus implement the subject matter described herein, rather than suggesting any limitations on the scope of the subject matter.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a, ” “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises, ” “comprising, ” “includes” and/or “including, ” when used herein, specify the presence of stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
It should also be noted that in some alternative implementations, the functions/acts noted may occur out of the order noted in the figures. For example, two  functions or acts shown in succession may in fact be executed concurrently or may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
As used herein, the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE) , LTE-Advanced (LTE-A) , Wideband Code Division Multiple Access (WCDMA) , High-Speed Packet Access (HSPA) , and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G) , the second generation (2G) , 2.5G, 2.75G, the third generation (3G) , the fourth generation (4G) , 4.5G, the future fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system. For the purpose of illustrations, embodiments of the present disclosure will be described with reference to E-UTRAN New Radio-Dual Connectivity (EN-DC) network in 5G communication system.
The term “communication device” may refer to a network device and/or a terminal device. The term “network device” includes, but not limited to, a base station (BS) , a gateway, a management entity, and other suitable device in a communication system. The term “base station” or “BS” represents a node B (NodeB or NB) , an evolved NodeB (eNodeB or eNB) , a Remote Radio Unit (RRU) , a radio header (RH) , a remote radio head (RRH) , a relay, a low power node such as a femto, a pico, and so forth.
The term “terminal device” includes, but not limited to, “user equipment (UE) ” and other suitable end device capable of communicating with the network device. By way of example, the “terminal device” may refer to a terminal, a Mobile Terminal (MT) , a Subscriber Station (SS) , a Portable Subscriber Station, a Mobile Station (MS) , or an  Access Terminal (AT) .
The term “virtual network function (VNF) ” used herein refers to virtualized tasks formerly carrier out by proprietary, dedicated hardware. The term “virtual machine (VM) ” used herein refers to an emulation of a computer system which is based on computer architectures and provides functionality of a physical computer. The implementation of a virtual machine may involve specialized hardware, software, a combination thereof.
The term “circuitry” used herein may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable) :
(i) a combination of analog and/or digital hardware circuit (s) with
software/firmware and
(ii) any portions of hardware processor (s) with software (including digital signal processor (s) ) , software, and memory (ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) and
(c) hardware circuit (s) and or processor (s) , such as a microprocessor (s) or a portion of a microprocessor (s) , that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation. ”
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
As described, the conventional key management is software based. In  particular, in conventional technologies, a software based system is deployed in virtualized network function (VNF) level. All the data/keys may be protected by software only. The hardware (for example, trusted platform module (TPM) , hardware security module (HSM) ) from infrastructure layer may not be used as the root of trust for secure key storage because there is no trust connection between the VNF and the infrastructure. The pre-installed certificate inside a virtual machine may be used for TLS and/or hypertext transfer protocol secure (HTTPS) authentication to enable the secure connection between virtual machine clients and server. Fig. 1 illustrates a system 100 for key management according to conventional technologies. All the VNF instances share the same certificate instance. The conventional technologies do not involve the hardware (for example TPM) in key management since the communication between the hardware and the VNF cannot be secured and trust.
In order to at least in part solve above and other potential problems, embodiments of the present disclosure provide solutions for key management. According to embodiments of the present disclosure, a secured communication between the VNF and the hardware is established and the key in the virtual machine can be protected with the hardware.
Fig. 2 illustrates a schematic diagram of a system 200 for key management according to embodiments of the present disclosure. The system 200 may comprise a device 210 (referred to as “the first device 210” hereinafter) , a device 230 (referred to as “the second device 230” hereinafter) . The first device 210 and the second device 230 can be any suitable devices. In some embodiments, the first device 210 may be regarded as a compute node and the second device 230 may be regarded as a controller/storage node. A virtual machine 220 may be implemented on the first device 210. The first device 210 may also comprise other modules, for example middleware. It should be noted that the numbers of devices and modules shown in Fig. 1 are only for the purpose of illustrations.
In some embodiments, the first device 210, the second device 230 and the virtual machine 220 may comprise cloud key management solution (CKMS) modules. For example, the virtual machine 220 may comprise a CKMS server 2210 and a CKMS agent 2220. The first device 210 may also comprise a CKMS broker 2110. The  second device 230 may comprise a CKMS broker 2310 and a privacy Certificate Authority (CA) 2320. The device may also comprise hardware components, for example, TPM 2330.
In an example embodiment, the CKMS server 2210 may securely store data and ensure a key management service is minimally disruptive. The CKMS 2210 may connect to the TPM via the  CKMS brokers  2110 and 2310. The CKMS agent may provide a secure way for applications (for example, TLS, IPSec, CertMan) to access the data from the CKMS server 2210. The  CKMS brokers  2110 and 2310 may be bridge for establishing a secure communication between the CKMS server 2210 and the hardware TPM 2330 to protect the keys. The privacy CA 2320 may ensure the secured communication among the CKMS modules.
It should be noted that the modules, for example the CKMS server 2210, the CKMS agent 2220, the CKMS broker 2110, the CKMS broker 2310, the privacy CA 2320, and the TPM 2330 shown in Fig. 1 are only for the purpose of illustrations not limitation. The system 200 may comprise any suitable modules for implementing embodiments of the present disclosure.
Only for the purpose of illustrations, embodiments of the present disclosure are described with reference to the system 200 shown in Fig. 2. It should be noted that embodiments of the present disclosure may also be implemented in other suitable systems. The present disclosure is not limited in the aspect.
Communications in the system 200 may be implemented according to any proper communication protocol (s) , including, but not limited to, cellular communication protocols of the first generation (1G) , the second generation (2G) , the third generation (3G) , the fourth generation (4G) and the fifth generation (5G) and on the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future. Moreover, the communication may utilize any proper wireless communication technology, including but not limited to: Code Divided Multiple Address (CDMA) , Frequency Divided Multiple Address (FDMA) , Time Divided Multiple Address (TDMA) , Frequency Divided Duplexer (FDD) , Time Divided Duplexer (TDD) , Multiple-Input Multiple-Output (MIMO) , Orthogonal Frequency  Divided Multiple Access (OFDMA) and/or any other technologies currently known or to be developed in the future.
Fig. 3 illustrates a flow chart of a method 300 according to embodiments of the present disclosure. The method 300 may be implemented at the first device 210.
At block 310, the first device 210 may establish a secured connection between the first device 210 and the second device 230. The secured connection may be established based on predetermined configurations. In an example embodiment, the first device 210 may transmit a request for singing certificate to the second device 230. The first device 210 may receive a certificate response from the second device 230. In a further embodiment, the first device 210 may initialize the virtual machine 220 based at least in parts on the certificate. For example, the VM instantiation parameters may comprise the certificate.
Fig. 5 illustrates an example interaction operation 500 which may be used to establish the secured connection according to embodiments of the present disclosure. Fig. 3 is described with the reference to Fig. 5.
The CKMS broker 2310 in the second device 230 may generate 502 own private keys and certificate singing request (CSR) . The CKMS broker 2310 may transmit 504 the CSR for certificate signing to the privacy CA 2320. The privacy CA 2320 may transmit 506 the certificate response to the CKMS broker 2310. In this way, the secured communication between the CKMS broker 2310 and the privacy CA 2320 is built.
The CKMS broker 2110 in the first device 210 may generate 508 its own private key and CSR. The CKMS broker 2110 may transmit 510 the CSR for certificate signing to the second device 230. The CKMS broker 2310 may forward 512 the CSR to the privacy CA 2320. The privacy CA 2320 may transmit 514 certificate responses to the CKMS broker 2310. The CKMS broker 2310 may forward 514 the certificate response to the CKMS broker 2110. In this way, the secured communication among the CKMSA broker 2110, the CKMS broker 2310 and the privacy CA 2320 is built.
The nova 2120 in the first device 210 may be used to load and trigger virtual machines. The nova 2120 may measure and verify 518 the VM image of the virtual machine 220. The nova 2120 may transmit 520 a request for a certificate for the  virtual machine 220 to the CKMS broker 2110. The CKMS broker 2110 may generate 522 private key and CSR for the virtual machine 220.
The CKMS broker 2110 may transmit 524 the CSR for certificate signing for the virtual machine 220 to the CKMS broker 2310. The CKMS broker 2310 may forward 526 the request to the privacy CA 2320. The privacy CA 2320 may transmit 528 certificate responses to the CKMS broker 2310. The CKMS broker 2310 may forward 530 the certificate response to the CKMS broker 2110. The CKMS broker 2110 may inject the certificate and key pair into the virtual machine 210 in VM instance creation. For example, the certificate and its key may be propagated via VM instantiation parameters to the CKMS agent in the virtual machine 220. The CKMS agent may encode and install the certificate and key pairs to temporary location with proper access control. In this way, the secured communication among the CKMS modules has been established. The first device 210 and the second device 230 are connected securely.
In some embodiments, the certificate and key pair may be only bound with the specific VM instance, if the virtual machine 220 needs to be recreated via the Nova 2120, the Nova 2120 needs to request a new certificate. In other embodiments, if another virtual machine needs to be created, the interaction operation 500 may be repeated.
Referring back to Fig. 3, the virtual machine 220 on the first device 210 generates a first request for generating a first pair of keys at the second device 230 at block 320. The first pair of keys may be the root key and only bound to the specific CKMS modules. Fig. 7 illustrates a schematic diagram of keys according to embodiments of the present disclosure. In the example embodiment shown in Fig. 7, the first pair of keys may be the CKMS root key 710 and the second pair of keys may be the CKMS master key 720.
At block 330, the first device 210 transmits the first request to the second device 230 via the secured connection. The virtual machine 220 may generate a second pair of keys. The second pair of keys may be generated in the first start-up.
At block 340, the first device 210 transmits the second pair of keys to the second device 230. In some embodiment, the first device 210 may also transmit a request for encrypting the second pair of keys with the first pair of keys.
The first device 210 receives an encrypted second pair of keys from the second device 230 at block 350. The second pair of keys is encrypted with the first pair of keys and may be stored in a local storage. Fig. 6 illustrates an interaction operation 600 between the first device 210 and the second device 230 according to embodiments of the present disclosure. An example embodiment is to be described with the reference to Fig. 6 below. It should be noted that the interaction operation 600 shown in Fig. 6 is only for the purpose of illustrations not limitations.
The first device 210 and the second device 230 are connected securely. The CKMS server 2210 generates 602 the first request for generating the first pair of keys 710 at the second device 230. The CKMS server 2210 may transmit 604 the first request to the second device 230. In some embodiments, the CKMS server 2210 may transmit the first request to the CKMS broker 2210 and the CKMS broker 2210 may forward 606 the request to the CKMS 2310 in the second device 230. The CKMS broker may further forward 608 the first request to the TPM 2330. The TPM 2330 generates 610 the first pair of keys 710.
The CKMS server 2210 may generate the second pair of keys 720. The CKMS server 2210 transmits 614 the second pair of keys to the second device 230. In some embodiments, the CKMS server 2210 may transmit the second pair of keys 720 to the CKMS broker 2110 and the CKMS broker 2110 may forward 616 the second pair of keys 720 to the CKMS broker 2310 which further forward the second pair of keys 720 to the TPMS 2330. The TPM 2330 encrypts 618 the second pair of keys 720 with the first pair of keys 710.
The TPM 2330 transmits 620 the encrypted second pair of keys to the first device 210. In some embodiments, the TPM 2330 may transmit the encrypted second pair of keys to the CKMS broker 2310 and forward 622 the encrypted second pair of keys to the CKMS broker 2110 which further forwards 624 the encrypted second pair of keys to the CKMS server 2210.
The CKMS server 2210 may store 626 the encrypted second pair of keys. In an example embodiment, the CKMS server 2210 may synchronize the encrypted second pair of keys to other virtual machines which have a standby CKMS server thereon. The CKMS server 2210 may have one or more standby CKMS servers to improve the  reliability. If the CKMS server 2210 fails, the standby CKMS server may come into use. In this way, the second pair of keys 720 is protected with the first pair of keys 710 which are generated and stored in hardware.
The first device 210 may reload the second pair of keys 720. For example, if the first device 210 needs to encrypt data to be stored, it needs to reload the second pair of keys 720. In some embodiments, the first device 210 may start up and the encrypted second pair of keys is existing. The CKMS server 2210 may transmit 630 the encrypted second pair of keys to the second device 230. In some embodiments, the CKMS server 2210 may transmit the encrypted second pair of keys to the CKMS broker 2110 and the CKMS broker 2110 may forward 632 the encrypted second pair of keys to the CKMS broker 2310 which may further forward 634 the encrypted second pair of keys to the TPM 2330. The TPM 2330 may decrypt 636 the encrypted second pair of keys to obtain the second pair of keys 720. The TPM may transmit 638 the second pair of keys 720 to the CKMS broker 2310 and the CKMS broker 2310 may forward 640 the second pair of keys 720 to the CKMS broker 2110 which may further forward the second pair of keys 720 to the CKMS server 2210. The CKMS server 2210 may load 642 the second pair of keys 720 which are in plaintext form.
In some embodiments, applications may use the CKMS modules to protect data. For example, the first device 210 may derive the third keys 730 from the second pair of keys 720 for different applications to protect the data. For example, the third keys 730 may be CKMS encryption keys.
Fig. 8 illustrates an interaction operation 800 between virtual machines for protecting data according to embodiments of the present disclosure. It should be noted that the interaction shown in Fig. 8 is only an example. Fig. 8 shows two virtual machines 210-1 and 210-2. The virtual machine 210-1 may be regarded as the master virtual machine.
The CKMS server 2210-1 on the virtual machine 210-1 may generate 802 the third pair of keys. If the application on the virtual machine 210-2needs to protect data, the application may transmit 804 the data to be stored to the CKMS agent 2220-1. The CKMS agent 2220-1 transmit 806 the data to the CKMS server 2210-1. The CKMS server 2210-1 may decrypt 808 the third pair of keys with the second pair of keys 720.  The CKMS server 2210-1 may encrypt the data with the decrypted third pair of keys and store 812 the encrypted data.
In some embodiments, the applications may need to read the data. The application may transmit 814 the request for reading the encrypted data to the CKMS agent 2220-1. The CKMS agent 2220-1 may transmit 816 the request to the CKMS server 2210-1. The CKMS server 2210-1 may decrypt 818 the third pair of keys and decrypt 820 the encrypted data with the decrypted third pair of keys. The CKMS server 2210-1 may transmit 822 the decrypted data to the CKMS agent 2220-1 which may further transmit 824 the decrypted data to the applications.
Fig. 4 illustrates a flow chart of a method 400 according to embodiments of the present disclosure. The method 400 may be implemented at the second device 230.
At block 410, the second device 230 establishes a secured connection between the first device 210 and the second device 230. The secured connection may be established based on predetermined configurations. In an example embodiment, the second device 230 may receive a request for singing certificate from the first device 210. The second device 230 may transmit a certificate response to the first device 210. An example embodiment of establishing the secured connection has been described above with the reference to Fig. 5.
At block 420, the second device 230 generates the first pair of keys if they receive the first request for generating the first pair of keys from the first device 210.
At block 430, the second device 230 receives the second pair of keys which are generated by the first device 210. In some embodiments, the second device 230 may also receive a request for encrypting the second pair of keys with the first pair of keys. In some embodiments, the second device 230 may encrypt the second pair of keys based on a predefined rule.
At block 440, the second device 230 encrypts the second pair of keys with the first pair of keys. The second device 230 transmits the encrypted second pair of keys to the first device 210.
In some embodiments, an apparatus for performing the method 300 (for example, the first device 210) may comprise respective means for performing the corresponding  steps in the method 300. These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
In some embodiments, the apparatus comprises: means for establishing a secured connection between the first device and a second device; means for generating, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device; means for transmitting the first request to the second device via the secured connection; means for transmitting, to the second device, a second pair of keys generated by the virtual machine; and means for receiving, from the second device, an encrypted second pair of keys for data transmission, the encrypted second pair of keys encrypted at the second device with the first pair of keys.
In some embodiments, the means for establishing the secured connection comprises: means for transmitting, to the second device, a request for signing a certificate; means for receiving a certificate response from the second device; and means for initializing the virtual machine based at least in part on the certificate.
In some embodiments, the means for transmitting the second pair of keys comprises: means for transmitting a request for encrypting the second pair of keys with the first pair of keys.
In some embodiments, the apparatus further comprises: means for storing the encrypted second pair of keys; and means for synchronizing the encrypted second pair of keys to a further virtual machine on the first device.
In some embodiments, the apparatus further comprises: means for in response to a determination that the second pair of keys is to be used, transmitting, to the second device, the encrypted second pair of keys for decrypting with the first pair of keys; means for receiving, from the second device, the second pair of keys.
In some embodiments, the apparatus further comprises: means for generating a third pair of keys by the virtual machine for storing data; means for in response to receiving data to be stored, decrypting the third pair of keys with the second pair of keys; means for encrypting the data with the decrypted third pair of keys; and means for storing the encrypted data.
In some embodiments, the apparatus further comprises: means for generating a  third pair of keys by the virtual machine for storing data; means for in response to receiving a request for encrypted data stored at the virtual machine, decrypting the third pair of keys with the second pair of keys; means for decrypting the encrypted data with the decrypted third pair of keys; and means for transmitting the decrypted data.
In some embodiments, an apparatus for performing the method 400 (for example, the second device 230) may comprise respective means for performing the corresponding steps in the method 400 These means may be implemented in any suitable manners. For example, it can be implemented by circuitry or software modules.
In some embodiments, the apparatus comprises: means for establishing a secured connection between a first device and the second device; means for in response to receiving, from a virtual machine on the first device, a first request for generating a first pair of keys via the secured connection, generating the first pair of keys; means for receiving, from the first device, a second pair of keys for encrypting; means for encrypting the second pair of keys with the first pairof keys; and means for transmitting, to the first device, an encrypted second pair of keys for data transmission.
In some embodiments, the means for establishing the secured connection comprises: means for in response to receiving, from the first device, a request for signing a certificate, transmitting a certificate response to the first device.
In some embodiments, the means for receiving the second pair of keys comprises: means for receiving a request for encrypting the second pair of keys with the first pair of keys.
In some embodiments, the apparatus further comprises: means for in response to receiving, from the first device, the encrypted second pair of keys; means for decrypting the encrypted second pair of keys with the first pair of keys to obtain the second pair of keys; and means for transmitting, to the first device, the second pair of keys.
Fig. 9 is a simplified block diagram of a device 900 that is suitable for implementing embodiments of the present disclosure. The device 900 may be implemented at the first device 210. The device 900 may also be implemented at the second device 230. As shown, the device 900 includes one or more processors 910, one or more memories 920 coupled to the processor (s) 910, one or more transmitters  and/or receivers (TX/RX) 940 coupled to the processor 910.
The processor 910 may be of any type suitable to the local technical network, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 900 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
The memory 920 may be of any type suitable to the local technical network and may be implemented using any suitable data storage technology, such as a non-transitory computer readable storage medium, semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory, as non-limiting examples.
The memory 920 stores at least a part of a program 930. The TX/RX 940 is for bidirectional communications. The TX/RX 940 has at least one antenna to facilitate communication, though in practice an Access Node mentioned in this application may have several ones. The communication interface may represent any interface that is necessary for communication with other network elements.
The program 930 is assumed to include program instructions that, when executed by the associated processor 910, enable the device 900 to operate in accordance with the embodiments of the present disclosure, as discussed herein with reference to Figs. 3 and 8. That is, embodiments of the present disclosure can be implemented by computer software executable by the processor 910 of the device 900, or by hardware, or by a combination of software and hardware.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any disclosure or of what may be claimed, but rather as descriptions of features that may be specific to particular embodiments of particular disclosures. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although  features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or variation of a sub-combination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Various modifications, adaptations to the foregoing exemplary embodiments of this disclosure may become apparent to those skilled in the relevant arts in view of the foregoing description, when read in conjunction with the accompanying drawings. Any and all modifications will still fall within the scope of the non-limiting and exemplary embodiments of this disclosure. Furthermore, other embodiments of the disclosures set forth herein will come to mind to one skilled in the art to which these embodiments of the disclosure pertain having the benefit of the teachings presented in the foregoing descriptions and the associated drawings.
Therefore, it is to be understood that the embodiments of the disclosure are not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are used herein, they are used in a generic and descriptive sense only and not for purpose of limitation.

Claims (35)

  1. A communication method implemented at a first device, comprising:
    establishing a secured connection between the first device and a second device;
    generating, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device;
    transmitting the first request to the second device via the secured connection;
    transmitting, to the second device, a second pair of keys generated by the virtual machine; and
    receiving, from the second device, an encrypted second pair of keys for data transmission, the encrypted second pair of keys encrypted at the second device with the first pair of keys.
  2. The method of claim 1, wherein establishing the secured connection comprises:
    transmitting, to the second device, a request for signing a certificate;
    receiving a certificate response from the second device; and
    initializing the virtual machine based at least in part on the certificate.
  3. The method of claim 1, wherein transmitting the second pair of keys comprises:
    transmitting a request for encrypting the second pair of keys with the first pair of keys.
  4. The method of claim 1, further comprising:
    storing the encrypted second pair of keys; and
    synchronizing the encrypted second pair of keys to a further virtual machine on the first device.
  5. The method of claim 1, further comprising:
    in response to a determination that the second pair of keys is to be used, transmitting, to the second device, the encrypted second pair of keys for decrypting with the first pair of keys;
    receiving, from the second device, the second pair of keys.
  6. The method of claim 5, further comprising:
    generating a third pair of keys by the virtual machine for storing data;
    in response to receiving data to be stored, decrypting the third pair of keys with the second pair of keys;
    encrypting the data with the decrypted third pair of keys; and
    storing the encrypted data.
  7. The method of claim 5, further comprising:
    generating a third pair of keys by the virtual machine for storing data;
    in response to receiving a request for encrypted data stored at the virtual machine, decrypting the third pair of keys with the second pair of keys;
    decrypting the encrypted data with the decrypted third pair of keys; and
    transmitting the decrypted data.
  8. A communication method implemented at a second device, comprising:
    establishing a secured connection between a first device and the second device;
    in response to receiving, from a virtual machine on the first device, a first request for generating a first pair of keys via the secured connection, generating the first pair of keys;
    receiving, from the first device, a second pair of keys for encrypting;
    encrypting the second pair of keys with the first pair of keys; and
    transmitting, to the first device, an encrypted second pair of keys for data transmission.
  9. The method of claim 8, wherein establishing the secured connection comprises:
    in response to receiving, from the first device, a request for signing a certificate, transmitting a certificate response to the first device.
  10. The method of claim 8, wherein receiving the second pair of keys comprises:
    receiving a request for encrypting the second pair of keys with the first pair of keys.
  11. The method of claim 8, further comprising:
    in response to receiving, from the first device, the encrypted second pair of keys;
    decrypting the encrypted second pair of keys with the first pair of keys to obtain the second pair of keys; and
    transmitting, to the first device, the second pair of keys.
  12. A first device, comprising:
    at least one processor; and
    a memory coupled to the at least one processor, the memory storing instructions therein, the instructions, when executed by the at least one processor, causing the first device to at least perform:
    establish a secured connection between the first device and a second device;
    generate, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device;
    transmit the first request to the second device via the secured connection;
    transmit, to the second device, a second pair of keys generated by the virtual machine; and
    receive, from the second device, an encrypted second pair of keys for data transmission, the encrypted second pair of keys encrypted at the second device with the first pair of keys.
  13. The first device of claim 12, wherein establish the secured connection comprises:
    transmit, to the second device, a request for signing a certificate;
    receive a certificate response from the second device; and
    initialize the virtual machine based at least in part on the certificate.
  14. The first device of claim 12, wherein transmit the second pair of keys comprises:
    transmit a request for encrypting the second pair of keys with the first pair of keys.
  15. The first device of claim 12, wherein the first device is further caused to:
    store the encrypted second pair of keys; and
    synchronize the encrypted second pair of keys to a further virtual machine on the first device.
  16. The first device of claim 12, wherein the first device is further caused to:
    in response to a determination that the second pair of keys is to be used, transmit, to the second device, the encrypted second pair of keys for decrypting with the first pair of keys;
    receive, from the second device, the second pair of keys.
  17. The first device of claim 16, wherein the first device is further caused to:
    generate a third pair of keys by the virtual machine for storing data;
    in response to the received data to be stored, decrypt the third pair of keys with the second pair of keys;
    encrypt the data with the decrypted third pair of keys; and
    store the encrypted data.
  18. The first device of claim 16, wherein the first device is further caused to:
    generate a third pair of keys by the virtual machine for storing data;
    in response to receive a request for encrypted data stored at the virtual machine, decrypt the third pair of keys with the second pair of keys;
    decrypt the encrypted data with the decrypted third pair of keys; and
    transmit the decrypted data.
  19. A second device, comprising:
    at least one processor; and
    a memory coupled to the at least one processor, the memory storing instructions therein, the instructions, when executed by the at least one processor, causing the second device to at least perform:
    establish a secured connection between a first device and the second device;
    in response to receive, from a virtual machine on the first device, a first request for generating a first pair of keys via the secured connection, generate the first pair of keys;
    receive, from the first device, a second pair of keys for encrypting;
    encrypt the second pair of keys with the first pair of keys; and
    transmit, to the first device, an encrypted second pair of keys for data transmission.
  20. The second device of claim 19, wherein establish the secured connection comprises:
    in response to receive, from the first device, a request for signing a certificate, transmit a certificate response to the first device.
  21. The second device of claim 19, wherein receive the second pair of keys comprises:
    receive a request for encrypting the second pair of keys with the first pair of keys.
  22. The second device of claim 19, wherein the second device is further caused to:
    in response to receive, from the first device, the encrypted second pair of keys, decrypt the encrypted second pair of keys with the first pair of keys to obtain the second pair of keys; and
    transmit, to the first device, the second pair of keys.
  23. A communication apparatus:
    means for establishing a secured connection between a first device and a second device;
    means for generating, by a virtual machine on the first device, a first request for generating a first pair of keys at the second device;
    means for transmitting the first request to the second device via the secured connection;
    means for transmitting, to the second device, a second pair of keys generated by the virtual machine; and
    means for receiving, from the second device, an encrypted second pair of keys for data transmission, the encrypted second pair of keys encrypted at the second device with the first pair of keys.
  24. The apparatus of claim 23, wherein the means for establishing the secured connection comprises:
    means for transmitting, to the second device, a request for signing a certificate;
    means for receiving a certificate response from the second device; and
    means for initializing the virtual machine based at least in part on the certificate.
  25. The apparatus of claim 23, wherein the means for transmitting the second pair of keys comprises:
    means for transmitting a request for encrypting the second pair of keys with the first pair of keys.
  26. The apparatus of claim 23, further comprising:
    means for storing the encrypted second pair of keys; and
    means for synchronizing the encrypted second pair of keys to a further virtual machine on the first device.
  27. The apparatus of claim 23, further comprising:
    means for in response to a determination that the second pair of keys is to be used, transmitting, to the second device, the encrypted second pair of keys for decrypting with the first pair of keys;
    means for receiving, from the second device, the second pair of keys.
  28. The apparatus of claim 27, further comprising:
    means for generating a third pair of keys by the virtual machine for storing data;
    means for in response to receiving data to be stored, decrypting the third pair of keys with the second pair of keys;
    means for encrypting the data with the decrypted third pair of keys; and
    means for storing the encrypted data.
  29. The apparatus of claim 27, further comprising:
    means for generating a third pair of keys by the virtual machine for storing data;
    means for in response to receiving a request for encrypted data stored at the virtual machine, decrypting the third pair of keys with the second pair of keys;
    means for decrypting the encrypted data with the decrypted third pair of keys; and
    means for transmitting the decrypted data.
  30. A communication apparatus, comprising:
    means for establishing a secured connection between a first device and a second device;
    means for in response to receiving, from a virtual machine on the first device, a first request for generating a first pair of keys via the secured connection, generating the first pair of keys;
    means for receiving, from the first device, a second pair of keys for encrypting;
    means for encrypting the second pair of keys with the first pair of keys; and
    means for transmitting, to the first device, an encrypted second pair of keys for data transmission.
  31. The apparatus of claim 30, wherein the means for establishing the secured connection comprises:
    means for in response to receiving, from the first device, a request for signing a certificate, transmitting a certificate response to the first device.
  32. The apparatus of claim 30, wherein the means for receiving the second pair of keys comprises:
    means for receiving a request for encrypting the second pair of keys with the first pair of keys.
  33. The apparatus of claim 30, further comprising:
    means for in response to receiving, from the first device, the encrypted second pair of keys;
    means for decrypting the encrypted second pair of keys with the first pair of keys to obtain the second pair of keys; and
    means for transmitting, to the first device, the second pair of keys.
  34. A computer readable medium storing instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to perform any of the method according to claims 1-8.
  35. A computer readable medium storing instructions thereon, the instructions, when executed by at least one processing unit of a machine, causing the machine to perform any of the method according to claims 9-11.
PCT/CN2018/093830 2018-06-29 2018-06-29 Methods, devices and computer readable medium for key management Ceased WO2020000428A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201880095153.5A CN112368989B (en) 2018-06-29 2018-06-29 Method, apparatus and computer readable medium for key management
PCT/CN2018/093830 WO2020000428A1 (en) 2018-06-29 2018-06-29 Methods, devices and computer readable medium for key management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/093830 WO2020000428A1 (en) 2018-06-29 2018-06-29 Methods, devices and computer readable medium for key management

Publications (1)

Publication Number Publication Date
WO2020000428A1 true WO2020000428A1 (en) 2020-01-02

Family

ID=68985700

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/093830 Ceased WO2020000428A1 (en) 2018-06-29 2018-06-29 Methods, devices and computer readable medium for key management

Country Status (2)

Country Link
CN (1) CN112368989B (en)
WO (1) WO2020000428A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160044007A1 (en) * 2013-03-28 2016-02-11 Commissariat A L'energie Atomique Et Aux Energies Alternatives Method and device for establishing session keys
CN207251667U (en) * 2017-09-30 2018-04-17 国信优易数据有限公司 A kind of data safety service platform
CN108092958A (en) * 2017-12-05 2018-05-29 成都市共维科技有限公司 Information authentication method, device, computer equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8375437B2 (en) * 2010-03-30 2013-02-12 Microsoft Corporation Hardware supported virtualized cryptographic service
US8462955B2 (en) * 2010-06-03 2013-06-11 Microsoft Corporation Key protectors based on online keys
CN108155988A (en) * 2017-12-22 2018-06-12 浪潮(北京)电子信息产业有限公司 A kind of moving method, device, equipment and readable storage medium storing program for executing for protecting key

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160044007A1 (en) * 2013-03-28 2016-02-11 Commissariat A L'energie Atomique Et Aux Energies Alternatives Method and device for establishing session keys
CN207251667U (en) * 2017-09-30 2018-04-17 国信优易数据有限公司 A kind of data safety service platform
CN108092958A (en) * 2017-12-05 2018-05-29 成都市共维科技有限公司 Information authentication method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN112368989A (en) 2021-02-12
CN112368989B (en) 2023-02-03

Similar Documents

Publication Publication Date Title
US9998925B2 (en) Electronic subscriber identity module provisioning
WO2020260751A1 (en) Encrypted communication based on quantum key
EP3183857B1 (en) Secure provisioning of an authentication credential
US10833876B2 (en) Protection of the UE identity during 802.1x carrier hotspot and Wi-Fi calling authentication
EP3151593A1 (en) Pre-personalization of electronic subscriber identity modules
EP2815623B1 (en) Device to device security using naf key
US20150244685A1 (en) Generalized cryptographic framework
CN113498053A (en) Electronic user identity module transfer credential package
WO2017079177A1 (en) Apparatus and methods for electronic subscriber identity module (esim) installation notification
US12273711B2 (en) Home controlled network slice privacy
EP3741147B1 (en) Security mechanism for interworking with independent seaf in 5g networks
US20230261881A1 (en) Secure network architecture
US20220303762A1 (en) Serving Network Controlled Network Slice Privacy
EP3869846A1 (en) Fake network device identification method and communication apparatus
US11765583B2 (en) Methods, devices and computer readable medium for authentication in communication
EP4322039A1 (en) Network function validation
WO2020000428A1 (en) Methods, devices and computer readable medium for key management
WO2025175539A1 (en) Akma authentication with device information
WO2024198962A1 (en) Application authentication method and apparatus
KR20240110794A (en) User plane traffic handling for emergencies
WO2025185705A1 (en) Identifier indication methods, apparatus, terminal device, and first network node
KR20200127834A (en) Method and apparatus for communications using secret key in communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18924525

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18924525

Country of ref document: EP

Kind code of ref document: A1