EP-4443927-B1 - TRUSTED MEASUREMENT-INTEGRATED COMMUNICATION METHOD AND APPARATUS
Inventors
- WANG, DONGHUI
- LIU, FEI
- CHEN, LIQUN
- NEWTON, Christopher J. P.
- PARTHIPAN, Loganathan
- LI, YUNPENG
Dates
- Publication Date
- 20260506
- Application Date
- 20221222
Claims (13)
- A communication method integrated with trustworthiness measurement, wherein the method is performed by a first network device or a chip thereof, and the method comprises: sending (S210, S301, S401, S501) a transmission request message, wherein the transmission request message is used to request to establish a transport layer security/secure sockets layer, TLS/SSL protocol-based connection, and the transmission request message is further used to request to verify whether a second network device is trusted; and receiving (S220, S304, S404, S503) a transmission response message, wherein the transmission response message is used to respond to the transmission request message; wherein the transmission request message comprises attestation request information, and the attestation request information is used to request to verify whether the second network device is trusted; the transmission request message comprises a first extension, the first extension comprises extension information supported by the first network device, and the attestation request information is comprised in the first extension; and the attestation request information comprises a storage object identifier, the storage object identifier identifies a storage object of a measurement value of the second network device, and the storage object identifier is comprised in the first extension.
- The communication method according to claim 1, wherein the method further comprises: sending (S408) second attestation information or a second attestation result, wherein the second attestation information is used to verify whether the first network device is trusted, and the second attestation result comprises an attestation result indicating that the second network device is attested to be trusted.
- The communication method according to claim 2, wherein before the sending (S408) second attestation information, the method further comprises: determining (S405), based on the transmission response message, that the second network device is trusted.
- The communication method according to claim 2, wherein before the sending (S408) second attestation information, the method further comprises: obtaining a second challenge value, wherein the second challenge value is used to generate the second attestation information.
- The communication method according to claim 4, wherein the second challenge value is any one of a timestamp, a trusted random number, and a value of an agreed field.
- A communication method integrated with trustworthiness measurement, wherein the method is performed by a second network device or a chip thereof, and the method comprises: receiving (S210, S301, S401, S501) a transmission request message, wherein the transmission request message is used to request to establish a transport layer security/secure sockets layer, TLS/SSL protocol-based connection, and the transmission request message is further used to request to verify whether the second network device is trusted; and sending (S220, S304, S404, S503) a transmission response message in response to the transmission request message; wherein the transmission request message comprises attestation request information, and the attestation request information is used to request to verify whether the second network device is trusted; the transmission request message comprises a first extension, the first extension comprises extension information supported by a first network device, and the attestation request information is comprised in the first extension; and the attestation request information comprises a storage object identifier, the storage object identifier identifies a storage object of a measurement value of the second network device, and the storage object identifier is comprised in the first extension.
- The communication method according to claim 1 or 6, wherein the transmission request message comprises attestation identity information, the attestation identity information is used to request to obtain first attestation information or a first attestation result, the first attestation information is used to verify whether the second network device is trusted, and the first attestation result comprises an attestation result indicating that the second network device is attested to be trusted.
- The communication method according to any one of claims 1, 6, or 7, wherein the transmission response message comprises the first attestation result, the first attestation result comprises the attestation result indicating that the second network device is attested to be trusted, and the transmission response message further comprises a parameter needed for establishing the TLS/SSL protocol-based connection.
- The communication method according to claim 8, wherein the first attestation result comprises one or more of identity information, trusted content, and freshness, the identity information indicates an identity of a verifier attesting that the second network device is trusted, the trusted content indicates content that is of the second network device and that is attested to be trusted, and the freshness indicates a time period in which the second network device is attested to be trusted.
- The communication method according to any one of claims 1, 6, or 7, wherein the transmission response message comprises the first attestation information, the first attestation information is used to verify whether the second network device is trusted, and the transmission response message further comprises a parameter needed for establishing the TLS/SSL protocol-based connection.
- The communication method according to any one of claims 6 to 10, wherein the method further comprises: receiving second attestation information or a second attestation result from the first network device, wherein the second attestation information is used to verify whether the first network device is trusted, and the second attestation result comprises an attestation result indicating that the first network device is attested to be trusted.
- A communication apparatus, comprising at least one module configured to implement the method according to any one of claims 1 to 11.
- A computer program product, wherein the computer program product comprises computer program code; and when the computer program code is run on a computer, the method according to any one of claims 1 to 11 is performed.
Description
TECHNICAL FIELD
This application relates to the communication field, and more specifically, to a communication method and apparatus integrated with trustworthiness measurement.
BACKGROUND
With the advent of the Internet of everything era, people are more dependent on networks and devices, and have increasingly higher security requirements for those networks and devices. The transport layer security (TLS) protocol provides a secure channel that may ensure confidentiality and data integrity for applications that communicate with each other. However, the protocol considers only the security of communication between the applications; it cannot determine whether the communicating parties are in a trusted execution state. If either party is in an untrusted state, data may leak during communication and the security of the communication is threatened. Therefore, when the secure channel is established, it is necessary to perform trustworthiness measurement on the communicating parties in order to improve the security of the networks and the devices.
US 2020/0320199 A1 describes methods for applying attestation to cryptographic security protocols. One method includes: sending, via a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; and determining whether to perform a next step in the cryptographic security protocol based on the level of trust, where the cryptographic security protocol comprises a TLS and/or SSL protocol. The response can include metadata about the client device's proof of integrity, provided by a trusted platform module crypto-processor, concerning the identity of the hardware and software components of the responding client device. The response may be evaluated based on logs maintained in trusted storage of the client device, where the logs indicate the set of transactions that have occurred since the client device booted and provide data regarding the client device's trustworthiness. The response may further include a proof of freshness based on signed data generated within a threshold period of time that includes the time at which the response is sent. The message may comprise a challenge to the freshness of any response, the challenge comprising a nonce that is passed through a trusted platform module crypto-processor associated with the client device to generate a signature over the nonce, and the response comprises that signature.
SUMMARY
This application provides a communication method integrated with trustworthiness measurement, so that trustworthiness measurement is performed while a communication channel is established between two communicating parties, improving the security of a network and a device.
According to a first aspect, a communication method integrated with trustworthiness measurement is provided. The method may be performed by a first network device, or by software, hardware, a chip, or a circuit used by a first network device; this is not limited in this application. For ease of description, the example in which the method is performed by the first network device is used below. The method includes: the first network device sends a transmission request message, where the transmission request message is used to request establishment of a transport layer security/secure sockets layer (TLS/SSL) protocol-based connection and is further used to request verification of whether a second network device is trusted; and the first network device receives a transmission response message, where the transmission response message responds to the transmission request message.
Because the transmission request message is sent, the second network device obtains both the request to establish a connection and the request to attest that the second network device is trusted, and can respond based on the request content. The first network device can therefore determine whether the second network device may establish the TLS/SSL protocol-based connection and whether the second network device is trusted. This helps improve the security of communication between the first network device and the second network device, helps improve the security of the first network device, and helps protect the security of the communication data exchanged between the network devices.
With reference to the first aspect, in some implementations of the first aspect, the transmission request message includes attestation identity information. The attestation identity information is used to request first attestation information or a first attestation result. The first attestation information is used to verify whether the second network device is trusted. The first att
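The request/response exchange the claims and summary describe, modelled as an added example (not code from the patent or its applicant): the first device carries attestation request information (storage object identifiers plus a challenge value) in a TLS-style extension, the second device answers with attestation information bound to the challenge, and the first device verifies freshness, authenticity and the measurement values. The extension type, byte layout, PCR-like storage objects and the HMAC standing in for a TPM quote signature are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed values: the patent fixes no extension type, encoding or key material.
ATTESTATION_EXT_TYPE = 0xFFAA                        # hypothetical TLS extension type
DEVICE_KEY = b"constructed-device-attestation-key"   # stands in for the device's TPM attestation key
# Constructed reference measurement values for storage objects 0..7 (PCR-like slots).
REFERENCE = {i: hashlib.sha256(b"trusted-component-%d" % i).digest() for i in range(8)}

def build_attestation_request(storage_ids, challenge):
    """First device: extension = type(u16) || length(u16) || count(u8) || ids(u8 each) || challenge(32)."""
    body = struct.pack("!B", len(storage_ids)) + bytes(storage_ids) + challenge
    return struct.pack("!HH", ATTESTATION_EXT_TYPE, len(body)) + body

def parse_attestation_request(ext):
    """Second device: recover the requested storage object identifiers and the challenge value."""
    ext_type, length = struct.unpack("!HH", ext[:4])
    if ext_type != ATTESTATION_EXT_TYPE or length != len(ext) - 4:
        raise ValueError("malformed attestation extension")
    count = ext[4]
    ids, challenge = list(ext[5:5 + count]), ext[5 + count:]
    if len(challenge) != 32:
        raise ValueError("bad challenge length")
    return ids, challenge

def build_attestation_info(storage, ids, challenge):
    """Second device: requested measurement values bound to the challenge (HMAC stands in for a TPM quote)."""
    values = b"".join(storage[i] for i in ids)
    tag = hmac.new(DEVICE_KEY, values + challenge, hashlib.sha256).digest()
    return {"ids": ids, "values": values, "challenge": challenge, "tag": tag}

def verify_attestation_info(info, reference, challenge):
    """First device as verifier: freshness (challenge echoed), authenticity (tag), then values vs. reference."""
    if info["challenge"] != challenge:
        return False, "stale or replayed attestation"
    expected_tag = hmac.new(DEVICE_KEY, info["values"] + challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, info["tag"]):
        return False, "attestation signature invalid"
    if info["values"] != b"".join(reference[i] for i in info["ids"]):
        return False, "measurement mismatch: second device not trusted"
    return True, "second device attested trusted"

def run_exchange(device_storage, reference, ids=(0, 7), challenge=None):
    """Full round trip; returns the verifier's (trusted, reason) decision."""
    challenge = challenge or os.urandom(32)
    ext = build_attestation_request(list(ids), challenge)                           # in the request message
    info = build_attestation_info(device_storage, *parse_attestation_request(ext))  # in the response message
    return verify_attestation_info(info, reference, challenge)
```

A device whose storage object 7 holds a value other than the reference is reported as not trusted even though its attestation tag verifies, which separates "authentic but untrusted state" from "forged or replayed response".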