CN113315805A - Group verification method and system for cloud infrastructure trusted device - Google Patents
Group verification method and system for cloud infrastructure trusted device Download PDFInfo
- Publication number
- CN113315805A CN113315805A CN202110379713.3A CN202110379713A CN113315805A CN 113315805 A CN113315805 A CN 113315805A CN 202110379713 A CN202110379713 A CN 202110379713A CN 113315805 A CN113315805 A CN 113315805A
- Authority
- CN
- China
- Prior art keywords
- pcr value
- pcr
- virtual machine
- correct
- stage
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/065—Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The invention provides a group verification method and a group verification system for cloud infrastructure trusted equipment, wherein the method comprises the following steps: acquiring Platform Configuration Register (PCR) information and a measurement log of a target client, wherein the target client is provided with a plurality of virtual machines; verifying whether the PCR value of the equipment starting stage is correct or not through a white list of a target client during registration, verifying whether the PCR value of the operating system operating stage is correct or not through the IMA measurement log, and verifying whether the PCR value of the virtual machine operating stage is correct or not through the virtual machine measurement log; and if the PCR value of the equipment starting stage, the PCR value of the operating system running stage and the PCR value of the virtual machine running stage are correct, judging that the target client is credible. The method and the system can ensure that the user uses the cloud platform service safely, protect the privacy of the user and greatly improve the verification efficiency of the virtual machine.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a group verification method and system for cloud infrastructure trusted equipment.
Background
With the development of cloud computing technology, more and more enterprises deploy their systems on cloud platforms, but a large number of enterprises still do not trust the security of the cloud platforms, and it is considered that the deployment of their systems on the cloud platforms reveals the secret data of the enterprises, and causes losses to the entire enterprises. The credible verification technology can guarantee the integrity of data stored on the cloud platform and the correctness of an execution program on the cloud platform, so that the privacy information of a cloud platform user can be guaranteed.
The existing virtual Platform trust verification needs to meet the requirement of hierarchical connection, each virtual machine needs to be verified, and the lower performance of a Trusted Platform Module (TPM) becomes a bottleneck in the certification process, so that only the remote certification of a limited number of virtual machines can be supported. How to enable a user to safely use the cloud platform service and protect the privacy of the user is a problem to be solved urgently.
Disclosure of Invention
The invention provides a group verification method and a group verification system for trusted equipment of cloud infrastructure, which are used for solving the defects that users are difficult to safely use cloud platform services and protect the privacy of the users in the prior art, realizing that the users safely use the cloud platform services, protecting the privacy of the users and greatly improving the verification efficiency of virtual machines.
The invention provides a group verification method of cloud infrastructure trusted equipment, which comprises the following steps: acquiring Platform Configuration Register (PCR) information and a measurement log of a target client, wherein the PCR information of a plurality of virtual machines is set on the target client and comprises a PCR value of an equipment starting stage, a PCR value of an operating system running stage and a PCR value of a virtual machine running stage, and the measurement log comprises an integrity measurement structure IMA measurement log and a virtual machine measurement log of the target client; verifying whether the PCR value of the equipment starting stage is correct or not through a white list of the target client during registration, verifying whether the PCR value of the operating system operating stage is correct or not through the IMA measurement log, and verifying whether the PCR value of the virtual machine operating stage is correct or not through the virtual machine measurement log; and if the PCR value of the equipment starting stage, the PCR value of the operating system running stage and the PCR value of the virtual machine running stage are correct, judging that the target client is credible.
According to the group verification method of the cloud infrastructure trusted device provided by the invention, whether the PCR value of the device in the starting stage is correct is verified through a white list of a target client during registration, and the method comprises the following steps: acquiring a white list provided by the target client during registration; generating a first PCR value according to the white list; and verifying whether the PCR value of the equipment starting stage is correct or not by verifying whether the PCR value of the equipment starting stage is the same as the first PCR value or not.
According to the group verification method of the cloud infrastructure trusted device provided by the invention, whether the PCR value of the operating system in the operating stage is correct is verified through the IMA measurement log, and the group verification method comprises the following steps: simulating a PCR extension operation by replaying the IMA measurement log to obtain a second PCR value; and verifying whether the PCR value of the operating system running stage is correct or not by verifying whether the PCR value of the operating system running stage is the same as the second PCR value or not.
According to the group verification method of the cloud infrastructure trusted device provided by the invention, whether the PCR value of the virtual machine in the running stage is correct is verified through the virtual machine measurement log, and the method comprises the following steps: simulating PCR extension operation by replaying the virtual machine measurement log to obtain a third PCR value; and verifying whether the PCR value of the virtual machine operation stage is correct or not by verifying whether the PCR value of the virtual machine operation stage is the same as the third PCR value or not.
According to the group verification method of the cloud infrastructure trusted device provided by the invention, the method for acquiring the platform configuration register PCR information and the measurement log of the target client comprises the following steps: receiving PCR information and a measurement log periodically sent by the target client; or after sending a verification information acquisition request to the target client, receiving the PCR information and the measurement log sent by the target client.
According to the group verification method of the cloud infrastructure trusted device provided by the present invention, after acquiring the PCR information and the measurement log of the target client, and before verifying whether the PCR value of the device at the start stage is correct through the white list of the target client during registration, and verifying whether the PCR value of the operating system at the operating stage is correct through the IMA measurement log, and verifying whether the PCR value of the virtual machine at the operating stage is correct through the virtual machine measurement log, the method further includes: performing signature verification on the PCR information and first package data of the measurement log, and judging whether the first package data is the same as historical package data or not according to a signature verification result; and ending if the first packed data is the same as the historical packed data.
The invention also provides a group verification system of the cloud infrastructure trusted device, which comprises the following steps: the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring PCR information and a measurement log of a target client, the PCR information comprises a PCR value of an equipment starting stage, a PCR value of an operating system running stage and a PCR value of a virtual machine running stage, and the measurement log comprises an integrity measurement structure IMA measurement log and a virtual machine measurement log of the target client; the control processing module is used for verifying whether the PCR value of the equipment starting stage is correct through a white list of the target client during registration, verifying whether the PCR value of the operating system operating stage is correct through the IMA measurement log, and verifying whether the PCR value of the virtual machine operating stage is correct through the virtual machine measurement log; if the PCR value of the equipment starting stage, the PCR value of the operating system running stage and the PCR value of the virtual machine running stage are correct, the target client is judged to be credible; and the target client is provided with a plurality of virtual machines.
According to the group verification system of the cloud infrastructure trusted device provided by the invention, the acquisition module is further used for acquiring a white list provided by the target client during registration; and the control processing module is used for generating a first PCR value according to the white list and verifying whether the PCR value of the equipment starting stage is the same as the first PCR value or not so as to verify whether the PCR value of the equipment starting stage is correct or not.
According to the group verification system of the cloud infrastructure trusted device provided by the invention, the control processing module is used for obtaining a second PCR value by replaying the IMA measurement log simulation PCR extension operation, and verifying whether the PCR value of the operating system operating phase is the same as the second PCR value so as to verify whether the PCR value of the operating system operating phase is correct.
According to the group verification system of the cloud infrastructure trusted device provided by the invention, the control processing module is used for simulating PCR extension operation to obtain a third PCR value by replaying the virtual machine measurement log, and verifying whether the PCR value of the virtual machine operation stage is the same as the third PCR value so as to verify whether the PCR value of the virtual machine operation stage is correct.
According to the group verification system of the cloud infrastructure trusted device provided by the invention, the acquisition module is used for receiving PCR information and measurement logs periodically sent by the target client; or after sending a verification information acquisition request to the target client, receiving the PCR information and the measurement log sent by the target client.
According to the group verification system of the cloud infrastructure trusted device, the control processing module is further used for performing signature verification on the PCR information and the first package data of the measurement log, and judging whether the first package data is the same as the historical package data or not according to a signature verification result; and if the first packed data is the same as the historical packed data, ending the verification.
The method and the system for verifying the group of the trusted device of the cloud infrastructure, provided by the invention, have the advantages that the PCR information and the measurement log of the target client are obtained, a plurality of virtual machines on the target client are used as a trusted device group, the PCR value of the PCR information in the device starting process, the PCR value of the operating system in the operating stage and the PCR value of the virtual machine in the operating stage can be verified based on the measurement log and a white list provided by the target client during registration, and if the verification is passed, the target client is considered to be trusted. The method and the system can ensure that the user uses the cloud platform service safely, protect the privacy of the user and greatly improve the verification efficiency of the virtual machine.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the following briefly introduces the drawings needed for the embodiments or the prior art descriptions, and obviously, the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flow chart of a group verification method for a cloud infrastructure trusted device provided by the present invention;
FIG. 2 is a schematic diagram of the operation of the group verification method for the trusted devices of the cloud infrastructure provided by the present invention;
fig. 3 is a block diagram of a group verification apparatus for a cloud infrastructure trusted device according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be appreciated that reference throughout this specification to "an embodiment" or "one embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrase "in an embodiment" or "in one embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In the description of the present invention, it is to be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it is to be noted that, unless otherwise explicitly specified or limited, the term "connected" is to be interpreted broadly, e.g. as either directly or indirectly through intervening media. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
The group authentication method of the cloud infrastructure trusted device of the present invention is described below with reference to fig. 1.
As shown in fig. 1, the group verification method for a cloud infrastructure trusted device of the present invention includes:
s1: and acquiring PCR information and a measurement log of the target client. The target client is provided with a plurality of virtual machines, and the virtual machines form a cloud infrastructure trusted device group. The PCR information comprises a PCR value of a device starting stage, a PCR value of an operating system running stage and a PCR value of a virtual machine running stage, and the measurement log comprises an integrity measurement structure IMA measurement log and a virtual machine measurement log of the target client.
In this embodiment, the PCR values of the device boot phase, the PCR values of the operating system runtime phase and the PCR values of the virtual machine runtime phase, as well as the IMA metric log and the virtual machine metric log, are collected by the target client.
The target client periodically sends the server package information including the PCR information and the metric log, so that the server can discover the change of the credible state of some credible devices in real time, and the periodic report avoids the server waiting for the most time-consuming operation of generating the reference in the credible verification. In addition, after the server can also send a verification information acquisition instruction to the target client, the target client feeds back packaging information comprising PCR information and a measurement log to the server, and the requirement of verification instantaneity is met.
S2: and verifying whether the PCR value of the equipment starting stage is correct or not through a white list of the target client during registration, verifying whether the PCR value of the operating system operating stage is correct or not through an IMA measurement log, and verifying whether the PCR value of the virtual machine operating stage is correct or not through a virtual machine measurement log.
S3: and if the PCR value of the equipment starting stage, the PCR value of the operating system running stage and the PCR value of the virtual machine running stage are correct, judging that the target client is credible.
Specifically, after the server comprises PCR information and a measurement log, a white list provided by the target client during registration is obtained, the white list is operated to obtain a first PCR value, the first PCR value is compared with a PCR value in an equipment starting stage, if the PCR value in the equipment starting stage is the same as the first PCR value, verification is continued, and if the PCR value in the equipment starting stage is not the same as the first PCR value, the target client is judged to be unreliable. In addition, the target server obtains a second PCR value by replaying IMA measurement log simulation PCR extension operation, the second PCR value is compared with the PCR value of the operating system running stage, if the PCR values of the operating system running stage are the same, verification is continued, and otherwise, the target client is judged to be not credible. In addition, the target server also simulates PCR extension operation through replaying the virtual machine measurement log to obtain a third PCR value, the third PCR value is compared with the PCR value of the virtual machine running stage, if the PCR value of the virtual machine running stage is the same as the third PCR value, verification is passed, and otherwise, the target client is judged to be not credible.
In an embodiment of the present invention, between step S1 and step S2, the method further includes: and performing signature verification on the PCR information and the first package data of the measurement log to obtain a random number. The server compares the obtained random number with the random number in the first package data to judge freshness and prevent replay attack.
Fig. 2 is a working schematic diagram of a group verification method for a cloud infrastructure trusted device provided by the present invention. As shown in FIG. 2, the target server includes a plurality of virtual machines, in this example 4 virtual machines, but is not limited to 4 virtual machines. The client's IMG tag may intercept a plurality of virtual machine information to generate a metric log that is stored in storage vML. The PCR of the TPM stores PCR values of the target client in different stages. Illustratively, bits 0 to 7 of the PCR store the PCR value for the device boot phase, bits 10 of the PCR store the PCR value for the operating system runtime phase, and bits 12 of the PCR store the PCR value for the virtual machine runtime phase. The IMA metric log is stored in storage device aML. And when the system time reaches the time point that the target server periodically sends the PCR information and the measurement log, or the server sends a verification information acquisition request to the target client, the target client packs the PCR information and the measurement log through the trusted agent and then sends the packed PCR information and measurement log to the server. And after receiving the packaging information, the server verifies the certificate and verifies the PCR value in the packaging information, the certificate is judged to be credible after verification is passed, and then the certificate is stored in a database, and a verification result can be displayed through a webpage.
The group authentication apparatus of the cloud infrastructure trusted device provided by the present invention is described below, and the group authentication apparatus of the cloud infrastructure trusted device described below and the group authentication method of the cloud infrastructure trusted device described above may be referred to in correspondence with each other.
Fig. 3 is a block diagram of a group verification apparatus for a cloud infrastructure trusted device according to the present invention. As shown in fig. 3, the group verification apparatus for a cloud infrastructure trusted device provided by the present invention includes: an acquisition module 310 and a control processing module 320.
The obtaining module 310 is configured to obtain PCR information and a metric log of a target client. The PCR information comprises a PCR value of a device starting stage, a PCR value of an operating system running stage and a PCR value of a virtual machine running stage, and the measurement log comprises an integrity measurement structure IMA measurement log and a virtual machine measurement log of the target client. And a plurality of virtual machines are arranged on the target client, and the plurality of virtual machines form a trusted equipment group. The control processing module 320 is configured to verify whether the PCR value at the device start stage is correct through a white list of the target client during registration, verify whether the PCR value at the operating system operating stage is correct through an IMA measurement log, and verify whether the PCR value at the virtual machine operating stage is correct through a virtual machine measurement log; and if the PCR value of the equipment starting stage, the PCR value of the operating system running stage and the PCR value of the virtual machine running stage are correct, judging that the target client is credible.
In an embodiment of the present invention, the obtaining module 310 is further configured to obtain a white list provided by the target client at the time of registration. The control processing module 320 is configured to generate a first PCR value according to the white list, and verify whether the PCR value of the device start-up phase is the same as the first PCR value, so as to verify whether the PCR value of the device start-up phase is correct.
In an embodiment of the present invention, the control processing module 320 is configured to obtain the second PCR value by replaying the IMA metric log to simulate the PCR extension operation, and verify whether the PCR value of the operating system running stage is the same as the second PCR value to verify whether the PCR value of the operating system running stage is correct.
In an embodiment of the present invention, the control processing module 320 is configured to simulate the PCR extension operation by replaying the virtual machine metric log to obtain a third PCR value, and verify whether the PCR value of the virtual machine running stage is the same as the third PCR value, so as to verify whether the PCR value of the virtual machine running stage is correct.
In an embodiment of the present invention, the obtaining module 310 is configured to receive PCR information and a metric log periodically sent by a target client; or after sending a verification information acquisition request to the target client, receiving the PCR information and the measurement log sent by the target client.
In an embodiment of the present invention, the control processing module 320 is further configured to perform signature verification on the first package data of the PCR information and the measurement log, and determine whether the first package data is the same as the history package data according to a signature verification result; if the first packed data is the same as the history packed data, the verification is ended.
It should be noted that, a specific implementation manner of the group verification apparatus for a cloud infrastructure trusted device in the embodiment of the present invention is similar to a specific implementation manner of the group verification method for a cloud infrastructure trusted device in the embodiment of the present invention, and specific reference is specifically made to the description of the group verification method portion for a cloud infrastructure trusted device, and details are not repeated in order to reduce redundancy.
In addition, other configurations and functions of the group verification apparatus for cloud infrastructure trusted devices according to the embodiments of the present invention are known to those skilled in the art, and are not described in detail in order to reduce redundancy.
In an embodiment of the invention, the processor may be an integrated circuit chip having signal processing capability. The Processor may be a general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component.
The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The processor reads the information in the storage medium and completes the steps of the method in combination with the hardware.
The above-described system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A group verification method for a cloud infrastructure trusted device, comprising:
acquiring Platform Configuration Register (PCR) information and a measurement log of a target client, wherein the target client is provided with a plurality of virtual machines, the PCR information comprises a PCR value of an equipment starting stage, a PCR value of an operating system running stage and a PCR value of a virtual machine running stage, and the measurement log comprises an integrity measurement structure IMA measurement log and a virtual machine measurement log of the target client;
verifying whether the PCR value of the equipment starting stage is correct or not through a white list of the target client during registration, verifying whether the PCR value of the operating system operating stage is correct or not through the IMA measurement log, and verifying whether the PCR value of the virtual machine operating stage is correct or not through the virtual machine measurement log;
and if the PCR value of the equipment starting stage, the PCR value of the operating system running stage and the PCR value of the virtual machine running stage are correct, judging that the target client is credible.
2. The group verification method of the cloud infrastructure trusted device of claim 1, wherein verifying whether the PCR values of the device boot phase are correct through a white list of target clients at registration time comprises:
acquiring a white list provided by the target client during registration;
generating a first PCR value according to the white list;
and verifying whether the PCR value of the equipment starting stage is correct or not by verifying whether the PCR value of the equipment starting stage is the same as the first PCR value or not.
3. The group verification method of a cloud infrastructure trusted device as claimed in claim 1, wherein verifying whether the PCR value of the operating system runtime phase is correct by said IMA metric log comprises:
simulating a PCR extension operation by replaying the IMA measurement log to obtain a second PCR value;
and verifying whether the PCR value of the operating system running stage is correct or not by verifying whether the PCR value of the operating system running stage is the same as the second PCR value or not.
4. The group verification method for the cloud infrastructure trusted devices according to claim 1, wherein verifying whether the PCR values of the virtual machine operation phases are correct through the virtual machine metric log includes:
simulating PCR extension operation by replaying the virtual machine measurement log to obtain a third PCR value;
and verifying whether the PCR value of the virtual machine operation stage is correct or not by verifying whether the PCR value of the virtual machine operation stage is the same as the third PCR value or not.
5. The group verification method of the cloud infrastructure trusted devices of any one of claims 1 to 4, wherein obtaining Platform Configuration Register (PCR) information and a metric log of a target client comprises:
receiving PCR information and a measurement log periodically sent by the target client; or
And after sending a verification information acquisition request to the target client, receiving the PCR information and the measurement log sent by the target client.
6. The group verification method of a cloud infrastructure trusted device according to claim 5, wherein after obtaining the PCR information and the metric log of the target client, and before verifying whether the PCR value of the device boot phase is correct through a white list of the target client at the time of registration, verifying whether the PCR value of the operating system operation phase is correct through the IMA metric log, and verifying whether the PCR value of the virtual machine operation phase is correct through the virtual machine metric log, further comprising:
performing signature verification on the PCR information and first package data of the measurement log, and judging whether the first package data is the same as historical package data or not according to a signature verification result;
and ending if the first packed data is the same as the historical packed data.
7. A group verification system for a cloud infrastructure trusted device, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring PCR information and a measurement log of a target client, the PCR information comprises a PCR value of an equipment starting stage, a PCR value of an operating system running stage and a PCR value of a virtual machine running stage, and the measurement log comprises an integrity measurement structure IMA measurement log and a virtual machine measurement log of the target client;
the control processing module is used for verifying whether the PCR value of the equipment starting stage is correct through a white list of the target client during registration, verifying whether the PCR value of the operating system operating stage is correct through the IMA measurement log, and verifying whether the PCR value of the virtual machine operating stage is correct through the virtual machine measurement log; if the PCR value of the equipment starting stage, the PCR value of the operating system running stage and the PCR value of the virtual machine running stage are correct, the target client is judged to be credible;
and the target client is provided with a plurality of virtual machines.
8. The cloud infrastructure trusted device group verification system of claim 7, wherein said obtaining module is further configured to obtain a white list provided by said target client at registration; and the control processing module is used for generating a first PCR value according to the white list and verifying whether the PCR value of the equipment starting stage is the same as the first PCR value or not so as to verify whether the PCR value of the equipment starting stage is correct or not.
9. The group verification system of a cloud infrastructure trusted device of claim 7, wherein said control processing module is configured to obtain a second PCR value by replaying said IMA measurement log to simulate a PCR extension operation, and to verify whether the PCR value of said operating system runtime phase is correct by verifying whether the PCR value of said operating system runtime phase is the same as said second PCR value.
10. The cloud infrastructure trusted device group verification system of claim 7, wherein the control processing module is configured to simulate a PCR extension operation by replaying the virtual machine metric log to obtain a third PCR value, and verify whether the PCR value of the virtual machine runtime phase is the same as the third PCR value to verify whether the PCR value of the virtual machine runtime phase is correct.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110379713.3A CN113315805A (en) | 2021-04-08 | 2021-04-08 | Group verification method and system for cloud infrastructure trusted device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110379713.3A CN113315805A (en) | 2021-04-08 | 2021-04-08 | Group verification method and system for cloud infrastructure trusted device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113315805A true CN113315805A (en) | 2021-08-27 |
Family
ID=77372006
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110379713.3A Pending CN113315805A (en) | 2021-04-08 | 2021-04-08 | Group verification method and system for cloud infrastructure trusted device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113315805A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113901473A (en) * | 2021-09-10 | 2022-01-07 | 苏州浪潮智能科技有限公司 | Method, device and equipment for safely starting server and readable medium |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101477602A (en) * | 2009-02-10 | 2009-07-08 | 浪潮电子信息产业股份有限公司 | Remote proving method in trusted computation environment |
| US20130219183A1 (en) * | 2012-02-22 | 2013-08-22 | International Business Machines Corporation | VALlDATING A SYSTEM WITH MULTIPLE SUBSYSTEMS USING TRUSTED PLATFORM MODULES AND VIRTUAL PLATFORM MODULES |
| CN103501303A (en) * | 2013-10-12 | 2014-01-08 | 武汉大学 | Active remote attestation method for measurement of cloud platform virtual machine |
| CN103905461A (en) * | 2014-04-14 | 2014-07-02 | 北京工业大学 | Cloud service behavior trustworthiness attestation method and system based on trusted third party |
| CN103973680A (en) * | 2014-04-29 | 2014-08-06 | 神华集团有限责任公司 | Method and system for verifying integrity of cloud computing platform, client terminal and remote terminal |
| CN104715183A (en) * | 2013-12-13 | 2015-06-17 | 中国移动通信集团公司 | Trusted verifying method and equipment used in running process of virtual machine |
| CN107545184A (en) * | 2017-08-17 | 2018-01-05 | 大唐高鸿信安(浙江)信息科技有限公司 | The credible measurement system and method for cloud main frame |
| CN108322306A (en) * | 2018-03-17 | 2018-07-24 | 北京工业大学 | A kind of cloud platform reliable journal auditing method towards secret protection based on trusted third party |
| CN109063473A (en) * | 2018-07-02 | 2018-12-21 | 芜湖通全电子电器科技创业有限公司 | A kind of convenient household safety monitoring device and method based on computer network |
| CN111352702A (en) * | 2020-03-06 | 2020-06-30 | 苏州浪潮智能科技有限公司 | Method, device, equipment and storage medium for determining credible state of virtual data center |
| CN111433774A (en) * | 2017-12-08 | 2020-07-17 | 西门子股份公司 | Method and validation device for integrity validation of a system |
-
2021
- 2021-04-08 CN CN202110379713.3A patent/CN113315805A/en active Pending
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101477602A (en) * | 2009-02-10 | 2009-07-08 | 浪潮电子信息产业股份有限公司 | Remote proving method in trusted computation environment |
| US20130219183A1 (en) * | 2012-02-22 | 2013-08-22 | International Business Machines Corporation | VALlDATING A SYSTEM WITH MULTIPLE SUBSYSTEMS USING TRUSTED PLATFORM MODULES AND VIRTUAL PLATFORM MODULES |
| US20150006883A1 (en) * | 2012-02-22 | 2015-01-01 | International Business Machines Corporation | VALlDATING A SYSTEM WITH MULTIPLE SUBSYSTEMS USING TRUSTED PLATFORM MODULES AND VIRTUAL PLATFORM MODULES |
| CN103501303A (en) * | 2013-10-12 | 2014-01-08 | 武汉大学 | Active remote attestation method for measurement of cloud platform virtual machine |
| CN104715183A (en) * | 2013-12-13 | 2015-06-17 | 中国移动通信集团公司 | Trusted verifying method and equipment used in running process of virtual machine |
| CN103905461A (en) * | 2014-04-14 | 2014-07-02 | 北京工业大学 | Cloud service behavior trustworthiness attestation method and system based on trusted third party |
| CN103973680A (en) * | 2014-04-29 | 2014-08-06 | 神华集团有限责任公司 | Method and system for verifying integrity of cloud computing platform, client terminal and remote terminal |
| CN107545184A (en) * | 2017-08-17 | 2018-01-05 | 大唐高鸿信安(浙江)信息科技有限公司 | The credible measurement system and method for cloud main frame |
| CN111433774A (en) * | 2017-12-08 | 2020-07-17 | 西门子股份公司 | Method and validation device for integrity validation of a system |
| CN108322306A (en) * | 2018-03-17 | 2018-07-24 | 北京工业大学 | A kind of cloud platform reliable journal auditing method towards secret protection based on trusted third party |
| CN109063473A (en) * | 2018-07-02 | 2018-12-21 | 芜湖通全电子电器科技创业有限公司 | A kind of convenient household safety monitoring device and method based on computer network |
| CN111352702A (en) * | 2020-03-06 | 2020-06-30 | 苏州浪潮智能科技有限公司 | Method, device, equipment and storage medium for determining credible state of virtual data center |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113901473A (en) * | 2021-09-10 | 2022-01-07 | 苏州浪潮智能科技有限公司 | Method, device and equipment for safely starting server and readable medium |
| CN113901473B (en) * | 2021-09-10 | 2023-11-03 | 苏州浪潮智能科技有限公司 | Method, device, equipment and readable medium for safely starting server |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104715183B (en) | A kind of trust authentication method and apparatus during virtual machine operation | |
| CN111222176B (en) | Block chain-based cloud storage possession proving method, system and medium | |
| CN111182525B (en) | Method and device for storing data | |
| CN109960903A (en) | A kind of method, apparatus, electronic equipment and storage medium that application is reinforced | |
| CN112019493A (en) | Identity authentication method, identity authentication device, computer device, and medium | |
| AU2014226162A1 (en) | Configuration and verification by trusted provider | |
| CN111159000B (en) | Server performance test method, device, equipment and storage medium | |
| WO2017005276A1 (en) | Virtual machine integrity | |
| CN110839002A (en) | Cloud account opening, authentication and access method and device | |
| CN113315805A (en) | Group verification method and system for cloud infrastructure trusted device | |
| CN114900316A (en) | Block chain-based rapid identity authentication method and system for Internet of things equipment | |
| CN114546837A (en) | Interface test method, device, equipment and storage medium | |
| CN110166471A (en) | A kind of portal authentication method and device | |
| CN113448681B (en) | Registration method, equipment and storage medium of virtual machine monitor public key | |
| CN114021106A (en) | Remote authentication method, device and system for credibility measurement | |
| CN109213572A (en) | A kind of confidence level based on virtual machine determines method and server | |
| CN111400771A (en) | Target partition checking method and device, storage medium and computer equipment | |
| CN115391801A (en) | Method and device for updating encryption module in block chain system and related products | |
| CN112732676B (en) | Block chain-based data migration method, device, equipment and storage medium | |
| WO2018233638A1 (en) | Method and apparatus for determining security state of ai software system | |
| CN109302381B (en) | Radius attribute extension method, device, electronic equipment and computer readable medium | |
| KR101946620B1 (en) | Method and server for generating a block of data comprising signature of the server | |
| CN113360172A (en) | Application deployment method and device, computer equipment and storage medium | |
| CN111488306A (en) | Attack and defense architecture system and construction method thereof | |
| CN110311917A (en) | Host measure and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210827 |