US-12627646-B2 - Method and apparatus for establishing transport layer security protocol

Abstract

Provided are a method and an apparatus for establishing a transport layer security protocol. The method includes: receiving, by an edge configuration server ECS, first negotiation request information from an edge enabler client EEC, where the first negotiation request information is used to indicate that the EEC supports a first authentication mode; and in a case that the ECS supports the first authentication mode, sending, by the ECS, first negotiation response information to the EEC, where the first negotiation response information is used to indicate that the ECS supports the first authentication mode.

Inventors

  • Lihui XIONG
  • Lu Gan
  • Jin Cao
  • Chao Shang
  • Xiongpeng REN
  • Ruhui Ma
  • Hui Li

Assignees

  • GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP., LTD.

Dates

Publication Date: 2026-05-12
Application Date: 2024-06-12

Claims (11)

  1. A method for establishing a transport layer security protocol, comprising: receiving, by an edge configuration server (ECS), first negotiation request information from an edge enabler client (EEC), wherein the first negotiation request information is used to indicate that the EEC supports a first authentication mode; in a case that the ECS supports the first authentication mode, sending, by the ECS, first negotiation response information to the EEC, wherein the first negotiation response information is used to indicate that the ECS supports the first authentication mode; sending, by the ECS, EES indication information to the EEC, wherein the EES indication information is used to indicate a first EES, wherein the first EES is an EES selected by the ECS for the EEC; receiving, by the ECS, first key information from the EEC, wherein the first key information comprises identification information of a specific key in an authentication network element, the specific key is a specific key obtained during a process in which the EEC performs authentication on the authentication network element by using the first authentication mode, and the authentication network element is configured to implement authentication that is based on the first authentication mode; and obtaining, by the ECS, the specific key from the authentication network element based on the first key information.
  2. The method according to claim 1, wherein the method further comprises: sending, by the ECS, a fully qualified domain name (FQDN) of the ECS to the EEC; receiving, by the ECS, second key information from the EEC, wherein the second key information comprises identification information of a specific key and digest information, the digest information is generated by using the identification information of the specific key on an authentication network element as a user name and the specific key as a password, the specific key is a specific key obtained during a process in which the EEC performs authentication on the authentication network element by using the first authentication mode, and the authentication network element is configured to implement authentication that is based on the first authentication mode; obtaining, by the ECS from the authentication network element, the specific key identified by the second key information; and successfully verifying, by the ECS, the digest information based on the specific key obtained from the authentication network element.
  3. The method according to claim 1, wherein an authentication mode supported by each EES of at least one EES is configured in the ECS.
  4. An apparatus for establishing a transport layer security protocol, comprising a processor and a memory, wherein the memory is configured to store a computer program, and the processor is configured to invoke and run the computer program stored in the memory to cause the apparatus device to: receive first negotiation request information from an edge enabler client (EEC), wherein the first negotiation request information is used to indicate that the EEC supports a first authentication mode; in a case that the apparatus supports the first authentication mode, send first negotiation response information to the EEC, wherein the first negotiation response information is used to indicate that the apparatus supports the first authentication mode; send EES indication information to the EEC, wherein the EES indication information is used to indicate a first EES, wherein the first EES is an EES selected by the ECS for the EEC; receive first key information from the EEC, wherein the first key information comprises identification information of a specific key in an authentication network element, the specific key is a specific key obtained during a process in which the EEC performs authentication on the authentication network element by using the first authentication mode, and the authentication network element is configured to implement authentication that is based on the first authentication mode; and obtain the specific key from the authentication network element based on the first key information.
  5. The apparatus according to claim 4, wherein an authentication mode supported by each EES of at least one EES is configured in the apparatus.
  6. An apparatus for establishing a transport layer security protocol, comprising a processor and a memory, wherein the memory is configured to store a computer program, and the processor is configured to invoke and run the computer program stored in the memory to cause the apparatus device to: send first negotiation request information to an edge configuration server (ECS), wherein the first negotiation request information is used to indicate that the apparatus supports a first authentication mode; receive first negotiation response information from the ECS, wherein the first negotiation response information is used to indicate that the ECS supports the first authentication mode; receive EES indication information from the ECS, wherein the EES indication information is used to indicate a first EES, wherein the first EES is an EES selected by the ECS for the EEC; perform authentication on an authentication network element based on the first authentication mode to obtain a specific key, wherein the authentication network element is configured to implement authentication that is based on the first authentication mode; and send first key information to the ECS, wherein the first key information comprises identification information of the specific key in the authentication network element, the first key information is used by the ECS to obtain the specific key from the authentication network element.
  7. The apparatus according to claim 6, wherein the processor is configured to invoke and run the computer program stored in the memory to cause the apparatus device to: receive a fully qualified domain name (FQDN) from the ECS; verify the ECS based on the FQDN; and in a case that the apparatus successfully verifies the ECS based on the FQDN, send second key information to the ECS, wherein the second key information comprises a specific key and digest information, the digest information is generated by using identification information of the specific key on an authentication network element as a user name and the specific key as a password, the specific key is a specific key obtained during a process in which the apparatus performs authentication on the authentication network element by using the first authentication mode, and the authentication network element is configured to implement authentication that is based on the first authentication mode.
  8. The apparatus according to claim 6, wherein the first authentication mode is an authentication mode based on a generic bootstrapping architecture (GBA) mechanism of transport layer security (TLS) protocol, the first key information comprises a bootstrapping transaction identifier B-TID of the specific key, and the specific key comprises a GBA derived key or a GBA derived key stored in a universal integrated circuit card (UICC).
  9. The apparatus according to claim 6, wherein the first authentication mode is an authentication mode based on an authentication and key management for applications (AKMA) mechanism, the first key information comprises an AKMA key identifier of the specific key, and the specific key comprises an AKMA key.
  10. The apparatus according to claim 6, wherein the processor is configured to invoke and run the computer program stored in the memory to cause the apparatus device to: generate a pre-shared key of TLS between the ECS and the apparatus based on the specific key.
  11. The apparatus according to claim 6, wherein the processor is configured to invoke and run the computer program stored in the memory to cause the apparatus device to: send sixth authentication mode information to the ECS, wherein the sixth authentication mode information is used to indicate that the apparatus supports a second authentication mode; and receive authentication result indication information from the ECS, wherein the authentication result indication information is used to indicate that authentication mode negotiation between the ECS and the apparatus fails.
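The claims above describe one exchange: the EEC announces the authentication modes it supports, the ECS picks one it also supports (or signals failure, claim 11), names an EES configured for that mode (claims 1, 3), and sends its FQDN; the EEC verifies the FQDN (claim 7), authenticates with the authentication network element for the chosen mode (BSF for GBA, AAnF for AKMA) to obtain a specific key, and sends the key identifier (B-TID or AKMA key identifier, claims 8, 9) together with a digest computed with that identifier as user name and the key as password (claims 2, 7); the ECS fetches the same key by its identifier, verifies the digest, and both sides derive a TLS pre-shared key from it (claim 10). The following simulation of that exchange is an added example, not code from the patent or from OPPO. Everything not stated on the page is an assumption: the message field names, the in-memory authentication network element, and the HMAC-SHA256 key derivation and SHA-256 digest construction, which stand in for the real GBA/AKMA and HTTP Digest procedures the page does not specify.

```python
"""Simulation of EEC/ECS authentication-mode negotiation, key retrieval by
identifier, digest verification and TLS-PSK derivation (added example).
Derivations and field names are assumptions; the page specifies none."""
import hashlib
import hmac

GBA = "GBA"    # TLS-GBA mode; key identified by a B-TID (claim 8)
AKMA = "AKMA"  # AKMA mode; key identified by an AKMA key identifier (claim 9)


class AuthNetworkElement:
    """Stand-in for the authentication network element of the claims (the BSF for
    GBA, the AAnF for AKMA). The EEC authenticates here and obtains the specific
    key; the ECS later fetches the same key by its identifier.
    Assumption: keys are derived with HMAC from a per-element secret purely to
    keep this simulation deterministic; real GBA/AKMA derive them from USIM/5G
    credentials."""

    def __init__(self, mode, secret):
        self.mode = mode
        self._secret = secret
        self._keys = {}  # key identifier -> specific key

    def authenticate(self, eec_id):
        prefix = "B-TID" if self.mode == GBA else "A-KID"
        tag = hmac.new(self._secret, eec_id.encode(), hashlib.sha256).hexdigest()[:8]
        key_id = prefix + "-" + tag
        key = hmac.new(self._secret, b"key:" + eec_id.encode(), hashlib.sha256).digest()
        self._keys[key_id] = key
        return key_id, key

    def fetch_key(self, key_id):
        return self._keys.get(key_id)  # None for an unknown identifier


def derive_tls_psk(specific_key, ecs_fqdn):
    """Both sides derive the TLS pre-shared key from the specific key (claim 10).
    Assumption: HMAC-SHA256 bound to the ECS FQDN; the page names no KDF."""
    return hmac.new(specific_key, b"EEC-ECS-TLS-PSK:" + ecs_fqdn.encode(), hashlib.sha256).digest()


def make_digest(key_id, specific_key, ecs_fqdn):
    """Digest with the key identifier as user name and the key as password (claims 2, 7).
    Assumption: simplified Digest-style hash over user:realm:password."""
    return hashlib.sha256(key_id.encode() + b":" + ecs_fqdn.encode() + b":" + specific_key).hexdigest()


class EdgeConfigurationServer:
    def __init__(self, fqdn, supported_modes, ees_modes, auth_nes):
        self.fqdn = fqdn
        self.supported_modes = list(supported_modes)
        self.ees_modes = dict(ees_modes)  # claim 3: per-EES modes configured in the ECS
        self.auth_nes = auth_nes          # mode -> AuthNetworkElement

    def handle_negotiation_request(self, eec_modes):
        # Claims 1 and 11: settle on a mode both sides support, else indicate failure.
        common = [m for m in eec_modes if m in self.supported_modes]
        if not common:
            return {"result": "fail"}
        mode = common[0]
        ees = next((name for name, modes in self.ees_modes.items() if mode in modes), None)
        return {"result": "ok", "mode": mode, "ees": ees, "fqdn": self.fqdn}

    def handle_key_info(self, mode, key_id, digest):
        # Claims 1 and 2: fetch the specific key by its identifier, verify the
        # digest in constant time, and only then derive the TLS PSK.
        key = self.auth_nes[mode].fetch_key(key_id)
        if key is None:
            return None
        if not hmac.compare_digest(make_digest(key_id, key, self.fqdn), digest):
            return None
        return derive_tls_psk(key, self.fqdn)


class EdgeEnablerClient:
    def __init__(self, eec_id, supported_modes, auth_nes, trusted_fqdns):
        self.eec_id = eec_id
        self.supported_modes = list(supported_modes)
        self.auth_nes = auth_nes
        self.trusted_fqdns = set(trusted_fqdns)

    def establish(self, ecs):
        resp = ecs.handle_negotiation_request(self.supported_modes)
        if resp["result"] != "ok":
            return {"status": "negotiation_failed"}       # claim 11
        if resp["fqdn"] not in self.trusted_fqdns:
            return {"status": "ecs_not_verified"}         # claim 7: verify ECS by FQDN
        key_id, key = self.auth_nes[resp["mode"]].authenticate(self.eec_id)
        digest = make_digest(key_id, key, resp["fqdn"])
        ecs_psk = ecs.handle_key_info(resp["mode"], key_id, digest)
        eec_psk = derive_tls_psk(key, resp["fqdn"])       # claim 10
        status = "ok" if ecs_psk is not None and hmac.compare_digest(ecs_psk, eec_psk) else "psk_mismatch"
        return {"status": status, "mode": resp["mode"], "ees": resp["ees"], "psk": eec_psk}


def build_demo():
    """Constructed sample deployment: one authentication element per mode, an ECS
    supporting both modes, two EESs with different mode support."""
    auth_nes = {GBA: AuthNetworkElement(GBA, b"bsf-secret"), AKMA: AuthNetworkElement(AKMA, b"aanf-secret")}
    ecs = EdgeConfigurationServer("ecs.example.net", [GBA, AKMA], {"ees-1": [GBA], "ees-2": [GBA, AKMA]}, auth_nes)
    return auth_nes, ecs


if __name__ == "__main__":
    auth_nes, ecs = build_demo()
    print(EdgeEnablerClient("eec-42", [AKMA], auth_nes, {"ecs.example.net"}).establish(ecs))
```

The ECS never receives the specific key from the EEC, only its identifier; it obtains the key from the authentication network element, which is what lets the digest check prove that the EEC actually completed GBA or AKMA authentication rather than merely knowing an identifier.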

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No. PCT/CN2022/073731, filed on Jan. 25, 2022, the disclosure of which is hereby incorporated by reference in its entirety.

TECHNICAL FIELD

This application relates to the field of communication network security technologies, and more particularly, to a method and an apparatus for establishing a transport layer security protocol.

BACKGROUND

In some communication networks, secure and trusted data communication between an edge enabler client (EEC) and an edge configuration server (ECS) requires establishment of a transport layer security (TLS) protocol tunnel. Mutual authentication is required for the establishment of the TLS tunnel between the EEC and the ECS. Current standards only specify which authentication modes can be used for mutual authentication between the EEC and the ECS, but do not further specify how to use these available authentication modes to achieve mutual authentication between the EEC and the ECS. In other words, the EEC and the ECS do not know how to achieve mutual authentication based on these authentication modes.

SUMMARY

This application provides a method and an apparatus for establishing a transport layer security protocol, to help achieve mutual authentication between an EEC and an ECS.

According to a first aspect, a method for establishing a transport layer security protocol is provided, including: receiving, by an edge configuration server ECS, first negotiation request information from an edge enabler client EEC, where the first negotiation request information is used to indicate that the EEC supports a first authentication mode; and in a case that the ECS supports the first authentication mode, sending, by the ECS, first negotiation response information to the EEC, where the first negotiation response information is used to indicate that the ECS supports the first authentication mode.

According to a second aspect, a method for establishing a transport layer security protocol is provided, including: sending, by an edge enabler client EEC, first negotiation request information to an edge configuration server ECS, where the first negotiation request information is used to indicate that the edge enabler client EEC supports a first authentication mode; and receiving, by the EEC, first negotiation response information from the ECS, where the first negotiation response information is used to indicate that the ECS supports the first authentication mode.

According to a third aspect, a method for establishing a transport layer security protocol is provided, including: receiving, by an edge enabler server EES, fifth authentication mode information and third key information from an edge configuration server ECS, where the fifth authentication mode information is used to indicate that a first EEC supports a first authentication mode, an authentication mode supported by the ECS includes the first authentication mode, an authentication mode supported by the EES includes the first authentication mode, the third key information is used to indicate identification information of a specific key in a first authentication network element, the specific key is a specific key obtained during a process in which the EEC performs authentication on the first authentication network element by using the first authentication mode, and the first authentication network element is configured to implement authentication that is based on the first authentication mode; and obtaining, by the EES, the specific key from the first authentication network element based on the third key information.

According to a fourth aspect, an apparatus for establishing a transport layer security protocol is provided, including: a receiving unit, configured to receive first negotiation request information from an edge enabler client EEC, where the first negotiation request information is used to indicate that the EEC supports a first authentication mode; and a sending unit, configured to: in a case that the apparatus supports the first authentication mode, send first negotiation response information to the EEC, where the first negotiation response information is used to indicate that the apparatus supports the first authentication mode.

According to a fifth aspect, an apparatus for establishing a transport layer security protocol is provided, including: a sending unit, configured to send first negotiation request information to an edge configuration server ECS, where the first negotiation request information is used to indicate that the edge enabler client EEC supports a first authentication mode; and a receiving unit, configured to receive first negotiation response information from the ECS, where the first negotiation response information is used to indicate that the ECS supports the first authentication mode.

According to a sixth aspect, an apparatus for establishing a transport layer security protocol is provided, including: a r