CN106506166B - Terminal trusted platform system under cloud computing environment - Google Patents
Terminal trusted platform system under cloud computing environment Download PDFInfo
- Publication number
- CN106506166B CN106506166B CN201610948428.8A CN201610948428A CN106506166B CN 106506166 B CN106506166 B CN 106506166B CN 201610948428 A CN201610948428 A CN 201610948428A CN 106506166 B CN106506166 B CN 106506166B
- Authority
- CN
- China
- Prior art keywords
- trusted
- layer
- application
- application layer
- operating system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
Abstract
The invention provides a terminal trusted platform system in a cloud computing environment, which comprises: the system comprises a bottom hardware layer, a middle operating system layer and a top application layer, wherein a trusted chain is established from the bottom hardware layer to the top application layer. The application layer establishes an external trusted chain with the trusted network through the trusted application program and is connected with the cloud computing server through the trusted network. According to the method, the TPM trusted computing module is transplanted to the bottom hardware layer and the Android system, so that the whole terminal trusted platform system is transplanted and integrated with a trusted technology, the bottom hardware layer of the system can be started up in a trusted and safe mode, the trusted transmission technology is applied to transmission of a trusted chain, and the trusted transmission is performed from the bottom hardware layer to the operating system layer, then to the application layer, and even to the access cloud computing server.
Description
Technical Field
The invention relates to the field of cloud computing, in particular to a terminal trusted platform system in a cloud computing environment.
Background
The cloud computing unifies a large number of network resources, and provides efficient and convenient software services for users. The cloud computing initiatives would like: the user can use the software service conveniently, anytime and anywhere as required just like using electricity and water. In the cloud computing mode, a user can access the cloud through various 'ends', the 'ends' can be any electronic equipment capable of surfing the internet, the 'cloud' is the service provided, the 'cloud' can be huge, connected into a whole, and borderless, and can also be tiny and isolated, and in any case, the 'cloud' is ubiquitous and can provide various services required by the user.
Cloud computing is simply composed of three parts: the system comprises a terminal, a network and a remote server, wherein the terminal comprises various devices such as a mobile phone, a netbook, a tablet computer and the like; the network comprises WIFI, 3G and the like and is used for connecting a remote server. When using the cloud computing service, the terminal device is only equivalent to an input device and an output device such as a display, a keyboard and a mouse. According to the Google assumption, the remote server for cloud computing is composed of computers on a network, the idle computing power of one computer may not be very large, but hundreds of millions of online computers are owned all over the world, so that the remote server has infinite computing power. Since the Android system is a system with the internet as the center of gravity from the birth date of 2008, the Android system places cloud services in an important position.
The flexibility, openness, and public availability of the cloud computing environment present many challenges to application security.
How to establish a safe and credible terminal computing system from the root, prevent information leakage and stop potential attacks is a problem to be solved urgently in the field of cloud computing at present.
Disclosure of Invention
According to the invention, a safe and reliable terminal trusted Platform system is constructed by introducing a TPM (trusted Platform Module) trusted computing module into Android terminal equipment and combining protection modes such as a trusted chain and remote certification.
The technical scheme of the invention is realized as follows:
a terminal trusted platform system in a cloud computing environment, comprising: the system comprises a bottom hardware layer, a middle operating system layer and a top application layer, wherein a trusted chain is established from the bottom hardware layer to the top application layer;
the hardware layer comprises a CPU, a BIOS and peripheral equipment and provides hardware support for the system, the hardware layer also comprises a TPM trusted computing module, and trusted chain building between the hardware layer and the operating system layer is realized through the TPM trusted computing module;
the operating system layer establishes a trusted link connection with a TPM trusted computing module of the hardware layer through a trusted application program, and after trusted computing verification is performed through the trusted application program, Android system application is started, and Android terminal equipment starts to work; the operating system also comprises a TPM trusted computing module, and the trusted chain building between the operating system and the application layer is realized through the TPM trusted computing module;
the application layer establishes a trusted link connection with a TPM trusted computing module of the operating system through a trusted application program, and starts the application layer operation after trusted computing verification is performed through the trusted application program; the application layer comprises a trusted computing domain and realizes the global function index of the terminal trusted platform system; the application layer also comprises a trusted chain management module, so that trusted chain management from the bottom layer to the top layer is realized, and the security level of the trusted chain is set through setting the trusted chain management module; the application layer also comprises a remote certification module based on the identity and attribute certificate, the remote certification module based on the identity and attribute certificate comprises the receiving and analyzing of the identity and attribute certificate, firstly, a command number query function is added in a trusted application program of the application layer, after the application layer is connected with the operating system layer, the hardware layer sends a local identity and attribute certificate to the operating system layer, the operating system layer feeds back command numbers corresponding to all the local identity and attribute certificates to the application layer, the application layer and the hardware layer realize interactive control, the application layer directly realizes the execution of all the functions on the hardware layer through the command numbers, the application layer analyzes the command numbers, enters a command parser of the remote certification module based on the identity and attribute certificate, and parses the command strings and command parameters into character forms;
the application layer establishes an external trusted chain with the trusted network through the trusted application program and is connected with the cloud computing server through the trusted network.
The invention has the beneficial effects that:
(1) according to the invention, the TPM trusted computing module is transplanted to the bottom hardware layer and the Android system, so that the whole terminal trusted platform system is transplanted and integrated with a trusted technology, and the terminal trusted platform system can be used after being verified by trusted computing regardless of whether the BIOS is started or the application of the upper application layer, thereby ensuring the credibility of the transmission process, ensuring the reliability and safety of the system during the installation and operation of the application program of the terminal equipment and finally ensuring the credibility of the terminal equipment.
(2) The invention ensures the safe access of the terminal equipment to the cloud server based on the use of the remote certification technology of identity and attribute, is not interfered and attacked by the outside, better promotes the communication between the terminal equipment and the server, and improves the safety and the confidentiality of the terminal equipment.
(3) According to the method, a security level mechanism is introduced according to the computer virus outbreak principle and characteristics, so that the security of the system is guaranteed, the data storage security problem of the Android system is solved, and the invasion of the Android system virus is prevented.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a system block diagram of a terminal trusted platform system in a cloud computing environment according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The characteristics of flexibility, openness, public availability and the like of a cloud computing environment bring a lot of challenges to application security, how to establish a safe and credible terminal computing system from the root, prevent information leakage and avoid potential attacks, and the method is a problem to be solved urgently in the field of cloud computing at present.
According to the invention, a safe and reliable terminal trusted Platform system is constructed by introducing a TPM (trusted Platform Module) trusted computing module into Android terminal equipment and combining protection modes such as a trusted chain and remote certification.
The invention is described in detail below with reference to the accompanying drawings.
As shown in fig. 1, a terminal trusted platform system in a cloud computing environment according to the present invention includes: the system comprises a bottom hardware layer, a middle operating system layer and a top application layer, wherein a trusted chain is established from the bottom hardware layer to the top application layer. The application layer establishes an external trusted chain with the trusted network through the trusted application program and is connected with the cloud computing server through the trusted network.
According to the method, the TPM trusted computing module is transplanted to the bottom hardware layer and the Android system, so that the whole terminal trusted platform system is transplanted and integrated with a trusted technology, the bottom hardware layer of the system can be started up in a trusted and safe mode, the trusted transmission technology is applied to transmission of a trusted chain, and the trusted transmission is performed from the bottom hardware layer to the operating system layer, then to the application layer, and even to the access cloud computing server.
As shown in fig. 1, the hardware layer includes a CPU, a BIOS, and peripheral devices, and provides hardware support for the system, and the hardware layer further includes a TPM trusted computing module, and the trusted computing module realizes establishment of a trusted link with the operating system layer, and rejects the untrusted BIOS boot operation, and does not transfer to the operating system layer, thereby ensuring that the hardware layer at the bottom of the system can be booted in a trusted and secure manner.
The operating system layer establishes a trusted link connection with a TPM trusted computing module of the hardware layer through a trusted application program, and after trusted computing verification is performed through the trusted application program, Android system application is started, and the Android terminal device starts to work; the operating system also comprises a TPM trusted computing module, and the trusted chain building between the operating system and the application layer is realized through the TPM trusted computing module. And for the untrusted operation after the operating system layer is started, the TPM trusted computing module rejects and does not transmit the untrusted operation to the application layer.
The application layer establishes a trusted link connection with a TPM trusted computing module of the operating system through a trusted application program, and starts the application layer operation after trusted computing verification is performed through the trusted application program; the application layer comprises a trusted computing domain and realizes the global function index of the terminal trusted platform system; the application layer also comprises a trusted chain management module, so that trusted chain management from the bottom layer to the top layer is realized, the security level of the trusted chain is set through the trusted chain management module, and a security level mechanism is introduced according to the outbreak principle and characteristics of the computer virus, so that the security of the system is guaranteed, the data storage security problem of the Android system is solved, and the invasion of the Android system virus is prevented; the application layer also comprises a remote certification module based on the identity and attribute certificate, the remote certification module based on the identity and attribute certificate comprises the receiving and analyzing of the identity and attribute certificate, firstly, a command number query function is added in a trusted application program of the application layer, after the application layer is connected with the operating system layer, the hardware layer sends the local identity and attribute certificate to the operating system layer, the operating system layer feeds back command numbers corresponding to all the local identity and attribute certificates to the application layer, the application layer and the hardware layer realize interactive control, the application layer directly realizes the execution of all the functions on the hardware layer through the command numbers, the application layer analyzes the command numbers, enters a command analyzer of the remote certification module based on the identity and attribute certificate, and analyzes the command strings and command parameters into character forms.
According to the invention, the TPM trusted computing module is transplanted to the bottom hardware layer and the Android system, so that the whole terminal trusted platform system is transplanted and integrated with a trusted technology, and the terminal trusted platform system can be used after being verified by trusted computing regardless of whether the BIOS is started or the application of the upper application layer, thereby ensuring the credibility of the transmission process, ensuring the reliability and safety of the system during the installation and operation of the application program of the terminal equipment and finally ensuring the credibility of the terminal equipment.
The invention ensures the safe access of the terminal equipment to the cloud server based on the use of the remote certification technology of identity and attribute, is not interfered and attacked by the outside, better promotes the communication between the terminal equipment and the server, and improves the safety and the confidentiality of the terminal equipment.
According to the method, a security level mechanism is introduced according to the computer virus outbreak principle and characteristics, so that the security of the system is guaranteed, the data storage security problem of the Android system is solved, and the invasion of the Android system virus is prevented.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (1)
1. A terminal trusted platform system in a cloud computing environment, comprising: the system comprises a bottom hardware layer, a middle operating system layer and a top application layer, wherein a trusted chain is established from the bottom hardware layer to the top application layer;
the hardware layer comprises a CPU, a BIOS and peripheral equipment and provides hardware support for the system, the hardware layer also comprises a TPM trusted computing module, and trusted chain building between the hardware layer and the operating system layer is realized through the TPM trusted computing module;
the operating system layer establishes a trusted link connection with a TPM trusted computing module of the hardware layer through a trusted application program, and after trusted computing verification is performed through the trusted application program, Android system application is started, and Android terminal equipment starts to work; the operating system also comprises a TPM trusted computing module, and the trusted chain building between the operating system and the application layer is realized through the TPM trusted computing module;
the application layer establishes a trusted link connection with a TPM trusted computing module of the operating system through a trusted application program, and starts the application layer operation after trusted computing verification is performed through the trusted application program; the application layer comprises a trusted computing domain and realizes the global function index of the terminal trusted platform system; the application layer also comprises a trusted chain management module, so that trusted chain management from the bottom layer to the top layer is realized, and the security level of the trusted chain is set through setting the trusted chain management module; the application layer also comprises a remote certification module based on the identity and attribute certificate, the remote certification module based on the identity and attribute certificate comprises the receiving and analyzing of the identity and attribute certificate, firstly, a command number query function is added in a trusted application program of the application layer, after the application layer is connected with the operating system layer, the hardware layer sends a local identity and attribute certificate to the operating system layer, the operating system layer feeds back command numbers corresponding to all the local identity and attribute certificates to the application layer, the application layer and the hardware layer realize interactive control, the application layer directly realizes the execution of all the functions on the hardware layer through the command numbers, the application layer analyzes the command numbers, enters a command parser of the remote certification module based on the identity and attribute certificate, and parses the command strings and command parameters into character forms;
the application layer establishes an external trusted chain with the trusted network through the trusted application program and is connected with the cloud computing server through the trusted network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610948428.8A CN106506166B (en) | 2016-10-26 | 2016-10-26 | Terminal trusted platform system under cloud computing environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610948428.8A CN106506166B (en) | 2016-10-26 | 2016-10-26 | Terminal trusted platform system under cloud computing environment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106506166A CN106506166A (en) | 2017-03-15 |
| CN106506166B true CN106506166B (en) | 2020-02-11 |
Family
ID=58322154
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610948428.8A Active CN106506166B (en) | 2016-10-26 | 2016-10-26 | Terminal trusted platform system under cloud computing environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106506166B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018119990A1 (en) * | 2016-12-30 | 2018-07-05 | 刘清华 | Cloud data platform key setting method |
| CN107680693B (en) * | 2017-09-11 | 2021-03-23 | 山东第一医科大学(山东省医学科学院) | Android terminal trusted computing platform based on cloud computing |
| CN109660530B (en) * | 2018-12-08 | 2021-11-26 | 公安部第三研究所 | Information security protection method based on hardware certificate |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103218553A (en) * | 2013-03-08 | 2013-07-24 | 深圳数字电视国家工程实验室股份有限公司 | Authorizing method and system based on trusted platform module |
| CN103748594A (en) * | 2011-07-29 | 2014-04-23 | 微软公司 | Firmware-based trusted platform module for arm processor architectures and trustzone security extensions |
| CN103927490A (en) * | 2014-04-25 | 2014-07-16 | 华为技术有限公司 | OS secure startup method and device |
| CN103929422A (en) * | 2014-04-08 | 2014-07-16 | 北京工业大学 | Trusted inter-domain safety certificate protocol based on SDN |
| WO2014198340A1 (en) * | 2013-06-14 | 2014-12-18 | Nec Europe Ltd. | Method for performing a secure boot of a computing system and computing system |
| CN104239802A (en) * | 2014-10-15 | 2014-12-24 | 浪潮电子信息产业股份有限公司 | Design method for trusted server on basis of cloud data center |
| CN105718807A (en) * | 2016-01-26 | 2016-06-29 | 东北大学 | Android system based on software TCM and trusted software stack and trusted authentication system and method thereof |
-
2016
- 2016-10-26 CN CN201610948428.8A patent/CN106506166B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103748594A (en) * | 2011-07-29 | 2014-04-23 | 微软公司 | Firmware-based trusted platform module for arm processor architectures and trustzone security extensions |
| CN103218553A (en) * | 2013-03-08 | 2013-07-24 | 深圳数字电视国家工程实验室股份有限公司 | Authorizing method and system based on trusted platform module |
| WO2014198340A1 (en) * | 2013-06-14 | 2014-12-18 | Nec Europe Ltd. | Method for performing a secure boot of a computing system and computing system |
| CN103929422A (en) * | 2014-04-08 | 2014-07-16 | 北京工业大学 | Trusted inter-domain safety certificate protocol based on SDN |
| CN103927490A (en) * | 2014-04-25 | 2014-07-16 | 华为技术有限公司 | OS secure startup method and device |
| CN104239802A (en) * | 2014-10-15 | 2014-12-24 | 浪潮电子信息产业股份有限公司 | Design method for trusted server on basis of cloud data center |
| CN105718807A (en) * | 2016-01-26 | 2016-06-29 | 东北大学 | Android system based on software TCM and trusted software stack and trusted authentication system and method thereof |
Non-Patent Citations (1)
| Title |
|---|
| 基于平台可信链的可信边界扩展模型;刘皖等;《计算机工程》;20080320;第176-179页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106506166A (en) | 2017-03-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP7086994B2 (en) | Secure authentication of BOT users | |
| US8490167B2 (en) | Preventing password presentation by a computer system | |
| TWI553505B (en) | Method and system of managing a security key for a rack server system | |
| CN108965480A (en) | Cloud desktop login management-control method, device and computer readable storage medium | |
| CN108920366B (en) | Sub-application debugging method, device and system | |
| CN107743702B (en) | Single sign-on for hosting mobile devices | |
| CN111414407A (en) | Data query method and device of database, computer equipment and storage medium | |
| US11068583B2 (en) | Management of login information affected by a data breach | |
| WO2020181841A1 (en) | Method for automatically testing horizontal over-permission vulnerabilities and related device | |
| WO2022247359A1 (en) | Cluster access method and apparatus, electronic device, and medium | |
| CN106506166B (en) | Terminal trusted platform system under cloud computing environment | |
| CN107872447A (en) | Electronic device, server, communication system and communication method | |
| CN107704308B (en) | Virtual platform vTPM management system, trust chain construction method and device, and storage medium | |
| CN105046138A (en) | FT-processor based trust management system and method | |
| EP3832971A1 (en) | Phishing mitigation service | |
| CN106452753B (en) | Method for constructing terminal trusted platform in cloud computing environment | |
| US11463440B2 (en) | Cloud-based shared security cache | |
| WO2020198178A1 (en) | Cached file reputations | |
| CN103973649A (en) | Authentication system and authentication method | |
| CN114462096A (en) | Block chain-based Internet of things equipment control method and device, computer equipment and storage medium | |
| Tang et al. | Ssldetecter: detecting SSL security vulnerabilities of android applications based on a novel automatic traversal method | |
| Angelogianni et al. | How many FIDO protocols are needed? Surveying the design, security and market perspectives | |
| US20120254956A1 (en) | Securely Managing Password Access to a Computer System | |
| Song et al. | App’s auto-login function security testing via android os-level virtualization | |
| CN114154128A (en) | User information cloud sharing method and system, computer and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |