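1. Cybersecurity Research Institute, Sichuan University, Chengdu, Sichuan 610065
2. College of Cybersecurity, Sichuan University, Chengdu, Sichuan 610065
3. College of Computer Science, Sichuan University, Chengdu, Sichuan 610065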
Online publication date: 2018-11
Print publication date: 2018-11-25
Xingshu CHEN, Wei WANG, Xin JIN. Label-based protection scheme of vTPM secret[J]. Journal on Communications, 2018, 39(11): 170-180. DOI: 10.11959/j.issn.1000-436x.2018242.
The virtual trusted platform module (vTPM) is an important component in the virtualization of trusted computing technology. The secret information of a vTPM is at risk of being stolen or misused; to address this, a label-based security protection scheme is proposed. First, a vTPM label is created for each virtual machine. The label has four main components: signature information, encryption information, measurement information, and status information. Then, a security-enhanced vTPM live migration protocol is designed based on the status information of the vTPM label, ensuring the confidentiality and integrity of the vTPM secret information before and after migration, as well as the consistency of the association between the virtual machine and its vTPM instance. Experiments show that the proposed scheme protects vTPM secrets effectively and that the performance overhead it adds to virtual machine live migration is only 19.36%.