虚拟平台环境中一种新的可信证书链扩展方法

谭良; 齐能; 胡玲碧

doi:10.11959/j.issn.1000-436x.2018090

您当前的位置：

首页 >

文章列表页 >

虚拟平台环境中一种新的可信证书链扩展方法

学术论文 | 更新时间：2024-06-05

- 虚拟平台环境中一种新的可信证书链扩展方法
- New extension method of trusted certificate chain in virtual platform environment
- 通信学报 2018年39卷第6期页码：133-145
- 作者机构：
  
  1. 四川师范大学计算机科学学院，四川成都 610101
  2. 中国科学院计算技术研究所，北京 100190
- 作者简介：
  
  [ "谭良（1972-），男，四川泸州人，博士，四川师范大学教授，主要研究方向为可信计算、网络安全、云计算及大数据处理等。" ]
  [ "齐能（1993-），男，河南商丘人，四川师范大学硕士生，主要研究方向为可信计算。" ]
  [ "胡玲碧（1993-），女，四川威远人，四川师范大学硕士生，主要研究方向为可信计算。" ]
- 基金信息：
  
  国家自然科学基金资助项目(61373162);四川省科技基金资助项目(2014GZ0007);可视化计算与虚拟现实四川省重点实验室基金资助项目(KJ201402)
- DOI：10.11959/j.issn.1000-436x.2018090
  中图分类号： TP309
- 网络出版日期：2018-06，
  
  纸质出版日期：2018-06-25
- 稿件说明：
移动端阅览
谭良, 齐能, 胡玲碧. 虚拟平台环境中一种新的可信证书链扩展方法[J]. 通信学报, 2018,39(6):133-145.

Liang TAN, Neng QI, Lingbi HU. New extension method of trusted certificate chain in virtual platform environment[J]. Journal on communications, 2018, 39(6): 133-145.
谭良, 齐能, 胡玲碧. 虚拟平台环境中一种新的可信证书链扩展方法[J]. 通信学报, 2018,39(6):133-145. DOI： 10.11959/j.issn.1000-436x.2018090.

Liang TAN, Neng QI, Lingbi HU. New extension method of trusted certificate chain in virtual platform environment[J]. Journal on communications, 2018, 39(6): 133-145. DOI： 10.11959/j.issn.1000-436x.2018090.

摘要

利用可信计算技术构建可信虚拟平台环境时，如何合理地将底层物理的可信平台模块（TPM

trusted platform module）的证书信任扩展延伸到虚拟机环境是值得关注的问题。目前，已有的证书信任扩展方案均不完善，有的方案存在违背TCG规范的情况，有的方案增加密钥冗余和Privacy CA性能负担，有的方案甚至不能进行证书信任扩展。因此，提出了一种新的可信证书链扩展方法。首先，在TPM中新增一类证书——VMEK（virtual machine extension key），并构建对VMEK的管理机制，该证书的主要特点是其密钥不可迁移，且可对TPM内和TPM外的数据进行签名和加密。其次，利用证书VMEK对vTPM的vEK签名构建底层TPM和虚拟机vTPM的证书信任关系，实现可信证书链在虚拟机中的延伸。最后，在Xen中实现了VMEK证书及其管理机制和基于VMEK的证书信任扩展。实验结果表明，所提方案可以有效地实现虚拟平台的远程证明功能。

Abstract

When using trusted computing technology to build a trusted virtual platform environment

it is a hot problem that how to reasonably extend the underlying physical TPM certificate chain to the virtual machine environment.At present

the certificate trust expansion schemes are not perfect

either there is a violation of the TCG specifications

or TPM and vTPM certificate results inconsistent

either the presence of key redundancy

or privacy CA performance burden

some project cannot even extend the certificate trust.Based on this

a new extension method of trusted certificate chain was proposed.Firstly

a new class of certificate called VMEK (virtual machine extension key) was added in TPM

and the management mechanism of certificate VMEK was constructed

the main feature of which was that its key was not transferable and could be used to sign and encrypt the data inside and outside of TPM.Secondly

it used certificate VMEK to sign vTPM’s vEK to build the trust relationship between the underlying TPM and virtual machine

and realized extension of trusted certificate chain in virtual machine.Finally

in Xen

VMEK certificate and its management mechanism

and certificate trust extension based on VMEK were realized.The experiment results show that the proposed scheme can effectively realize the remote attestation function of virtual platform.

关键词

Keywords

references

ZHANG Y , ZHOU Y . 4VP:A novel meta OS approach for streaming programs in ubiquitous computing [C ] // International Conference on Advanced Information NETWORKING and Applications . 2007 : 394 - 403 .

ZHANG Y , ZHOU Y . Transparent computing:a new paradigm for pervasive computing [C ] // International Conference on Ubiquitous Intelligence and Computing . 2006 : 1 - 11 .

陈康 , 郑纬民 . 云计算:系统实例与研究现状 [J ] . 软件学报 , 2009 , 20 ( 5 ): 1337 - 1348 .

CHEN K , ZHENG W M . Cloud computing:system case and research status [J ] . Journal of Software , 2009 , 20 ( 5 ): 1337 - 1348 .

罗军舟 , 金嘉晖 , 宋爱波 , 等 . 云计算:体系架构与关键技术 [J ] . 通信学报 , 2011 , 32 ( 7 ): 3 - 21 .

LUO J Z , JIN J H , SONG A B , et al . Cloud computing:architecture and key technologies [J ] . Journal on Communications , 2011 , 32 ( 7 ): 3 - 21 .

林闯 , 苏文博 , 孟坤 , 等 . 云计算安全:架构、机制与模型评价 [J ] . 计算机学报 , 2013 , 36 ( 9 ): 1765 - 1784 .

LIN C , SU W B , MENG K , et al . Cloud computing security:architecture,mechanism and model evaluation [J ] . Chinese Journal of Computers , 2013 , 36 ( 9 ): 1765 - 1784 .

王国峰 , 刘川意 , 潘鹤中 , 等 . 云计算模式内部威胁综述 [J ] . 计算机学报 , 2017 , 40 ( 2 ): 296 - 316 .

WANG G F , LIU C Y , PAN H Z , et al . An overview of internal threats in cloud computing models [J ] . Chinese Journal of Computers , 2017 , 40 ( 2 ): 296 - 316 .

MAHAJAN A , SHARMA S . The malicious insiders threat in the cloud [J ] . International Journal of Engineering Research and General Science , 2015 , 3 ( 2 ): 245 - 256 .

BOUCHÉ J , KAPPES M . Attacking the cloud from an insider perspective [C ] // Internet Technologies and Applications . 2015 .

王焘 , 张文博 , 魏峻 , 等 . 一种基于故障预测的云计算系统自适应监测方法 [P ] . CN105677538A , 2016 .

WANG H , ZHANG W B , WEI J , et al . An adaptive monitoring method for cloud computing systems based on fault prediction [P ] . CN105677538A , 2016 .

沈昌祥 , 张焕国 , 王怀民 , 等 . 可信计算的研究与发展 [J ] . 中国科学:信息科学 , 2010 ( 2 ): 139 - 166 .

SHEN C X , ZHANG H G , WANG H M , et al . Research and development of trusted computing [J ] . Chinese Science:Information Science , 2010 ( 2 ): 139 - 166 .

冯登国 , 秦宇 , 汪丹 , 等 . 可信计算技术研究 [J ] . 计算机研究与发展 , 2011 , 48 ( 8 ): 1332 - 1349 .

FENG D G , QIN Y , WANG D , et al . Research on trusted computing technology [J ] . Journal of Computer Research and Development , 2011 , 48 ( 8 ): 1332 - 1349 .

CHEN Y , PAXSON V , KATZ R H . What’s new about cloud computing security? [J ] . 2014 , 20 .

KO R K L , JAGADPRAMANA P , MOWBRAY M , et al . Trust cloud:a framework for accountability and trust in cloud computing [C ] // Services . 2011 : 584 - 588 .

刘川意 , 王国峰 , 林杰 , 等 . 可信的云计算运行环境构建和审计 [J ] . 计算机学报 , 2016 , 39 ( 2 ): 339 - 350 .

LIU C Y , WANG G F , LIN J , et al . Trusted cloud computing operating environment construction and auditing [J ] . Chinese Journal of Computers , 2016 , 39 ( 2 ): 339 - 350 .

田俊峰 , 常方舒 . 基于 TPM 联盟的可信云平台管理模型 [J ] . 通信学报 , 2016 , 37 ( 2 ): 1 - 10 .

TIAN J F , CHANG F S . Trusted cloud platform management model based on TPM alliance [J ] . Journal on Communications , 2016 , 37 ( 2 ): 1 - 10 .

吴吉义 , 沈千里 , 章剑林 , 等 . 云计算:从云安全到可信云 [J ] . 计算机研究与发展 , 2011 , 48 ( S1 ): 229 - 233 .

WU J Y , SHEN Q L , ZHANG J L , et al . Cloud computing:from cloud security to trusted clouds [J ] . Journal of Computer Research and Development , 2011 , 48 ( S1 ): 229 - 233 .

BERGER S , GOLDMAN K A , PEREZ R , et al . vTPM:virtualizing the trusted platform module [C ] // Conference on Usenix Security Symposium . 2006 :21.

ENGLAND P , LOESER J . Para-virtualized TPM sharing [C ] // International Conference on Trusted Computing and Trust in Information Technologies:Trusted Computing-Challenges and Applications . 2008 : 119 - 132 .

STUMPF F , ECKERT C . Enhancing trusted platform modules with hardware-based virtualization techniques [C ] // Second International Conference on Emerging Security Information,Systems and Technologies . 2008 : 1 - 9 .

ALBELOOSHI B , SALAH K , MARTIN T , et al . Securing cryptographic keys in the IaaS cloud model [C ] // IEEE/ACM International Conference on Utility and Cloud Computing . 2016 : 42 - 56 .

YU Z , WANG Q , ZHANG W , et al . A cloud certificate authority architecture for virtual machines with trusted platform module [C ] // IEEE International Conference on High PERFORMANCE Computing and Communications . 2015 : 1377 - 1380 .

CHANG D , CHU X , QIN Y , et al . TSD:a flexible root of trust for the cloud [C ] // IEEE International Conference on Trust,Security and Privacy in Computing and Communications . 2012 : 119 - 126 .

WAN X , XIAO Z , REN Y . Building trust into cloud computing using virtualization of TPM [C ] // Fourth International Conference on Multimedia Information NETWORKING and Security . 2013 : 59 - 63 .

XUE D , WU X , GAO Y , et al . TrustVP:construction and evolution of trusted chain on virtualization computing platform [C ] // Eighth International Conference on Computational Intelligence and Security . 2013 : 623 - 630 .

GOYETTE R . A review of “vTPM:virtualizing the trusted platform module” [R ] . Network Security and Cryptography Symposium , 2007 : 1 - 17 .

王丽娜 , 高汉军 , 余荣威 , 等 . 基于信任扩展的可信虚拟执行环境构建方法研究 [J ] . 通信学报 , 2011 , 32 ( 9 ): 1 - 8 .

WANG L N , GAO H J , YU R W , et al . Research on the construction method of trusted virtual execution environment based on trust extension [J ] . Journal on Communications , 2011 , 32 ( 9 ): 1 - 8 .

杨永娇 , 严飞 , 毛军鹏 , 等 . Ng-vTPM:新一代TPM虚拟化框架设计 [J ] . 武汉大学学报(理学版) , 2015 , 61 ( 2 ): 103 - 111 .

YANG Y J , YAN F , MAO J P , et al . Ng-vTPM:a new generation of TPM virtualization framework design [J ] . Journal of Wuhan University (Science Materials) , 2015 , 61 ( 2 ): 103 - 111 .

浏览量

813

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

跨平台的可信执行环境模块方案研究

理性安全的公平两方比较协议

云虚拟化平台可信证明技术研究综述

可信云平台技术综述

基于标签的vTPM私密信息保护方案