CN115146310A - Verification method and system for application container image layer measurement list (Google Patents)

Info

Publication number: CN115146310A
Application number: CN202210761993.9A
Authority: CN (China)
Prior art keywords: image, container image, container, hash value, layer
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 郭松辉, 孙磊, 钱大赞, 王淼, 宋云帆, 赵锟, 韩松莘, 郝前防, 胡翠云, 毛秀青, 于淼, 张婷
Current assignee: Information Engineering University of PLA Strategic Support Force (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Information Engineering University of PLA Strategic Support Force
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202210761993.9A
Publication of CN115146310A

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules)
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45 Structures or tools for the administration of authentication)
    • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines)

Abstract

The invention discloses a verification method and system for an application container image layer measurement list. A container server generates a verification request corresponding to the target container image that a client has requested to download; after sending that request to the remote container image repository, it receives a first data set comprising first encryption information, an identity certificate and a container image layer measurement list. The measurement list is constructed on a Merkle tree and contains the measurement aggregate value of the image platform and the layer hash value of each container image. The server determines whether the container image layer measurement list in the first data set is intact, and if the measurement result of the list matches the hash value in the target database, it determines that the image layers of the target container image are intact. Through the container image layer measurement list, leakage of information about the remote image repository's base platform and image files during remote attestation is reduced, and verification efficiency is improved.

Description

Verification method and system for application container image layer measurement list
Technical Field
The present invention relates to the field of information processing technology, in particular to a verification method and system for an application container image layer measurement list.
Background
A container is a standard unit of software that packages code together with its dependencies, so that an application can be moved quickly, reliably and conveniently from one computing environment to another and run directly in the new environment. Like other virtualization technologies, "container technology" is a general term; current container technologies include Docker, Rocket, LXC and Warden, among which Docker established a unified container packaging standard and has become the mainstream container technology.
A container instance consists of read-only container image layers plus a writable container layer, and a trusted container image is the basis for a trusted container instance on a worker node. The development and deployment of containerized application services depend on base container images from a remote repository, so to achieve highly secure containerized services the trustworthiness and integrity of the base container image must be verified remotely. However, current trusted remote attestation schemes for container images suffer from privacy disclosure and low verification efficiency.
Disclosure of Invention
To address these problems, the invention provides a verification method and system for an application container image layer measurement list, which solve the privacy disclosure and low verification efficiency of the trusted remote attestation of container images.
To achieve this, the invention provides the following technical scheme:
A verification method for an application container image layer measurement list comprises the following steps:
in response to receiving request information sent by a client to download a container image, parsing the request information and determining the target container image;
generating a verification request corresponding to the target container image;
in response to sending the verification request to a remote container image repository, receiving a first data set sent by the repository, where the first data set comprises first encryption information, an identity certificate and a container image layer measurement list; the first encryption information is obtained by hashing the top hash value of the Merkle tree corresponding to the target container image together with a random number and signing that result with the identity certificate's private key; the container image layer measurement list is a measurement list constructed on a Merkle tree and comprises the measurement aggregate value of the image platform and the layer hash value of each container image;
based on the first data set, recomputing the hashes along the Merkle tree to obtain a top hash value, and hashing the random number together with that top hash value to obtain a calculation result;
if the calculation result matches the signed value in the first data set, determining that the container image layer measurement list in the first data set is intact;
and if the measurement result of the container image layer measurement list matches the hash value in the target database, determining that the image layers of the target container image are intact, so that the target container image passes verification.
Optionally, the method further comprises:
adding a trusted platform module to the remote container image repository that stores the container images, to provide measurement protection for the container images and the system;
and adding a container image trusted verification module to the container server, so that the remote verification mechanism for container images is started through this module and the verification request corresponding to the target container image is generated.
Optionally, the method further comprises:
in response to the start-up of the host on which the remote container image repository runs, measuring the configuration information through the trusted platform module and computing the measurement aggregate value of the image platform;
and hashing the image layers of the remote container image repository through the trusted platform module to obtain the layer hash values of each container image, and filling the layer hash values of each container image into the Merkle-tree measurement list corresponding to that container image.
Optionally, the method further comprises:
determining the number of hash subtree branches of the Merkle tree according to the number of container images in the remote container image repository, so that each container image corresponds to one hash subtree;
determining the measurement aggregate value of the image platform from the platform's configuration information and storing it in the container image layer measurement list, so that the measurement aggregate value forms a leaf node of the Merkle tree;
parsing the dependency information of the container image layers and determining which container image each layer belongs to;
and, based on that ownership information, filling the layer hash values of each container image into the corresponding container image measurement list subtree to obtain the container image layer measurement list.
Optionally, the method further comprises:
computing the path node hash values of the Merkle tree by rehashing, to obtain the top hash value at the uppermost level of the Merkle tree;
and storing the top hash value in a target register.
Optionally, the method further comprises:
generating a platform identity key pair through the trusted platform module of the remote container image repository;
collecting the platform information and identity public key of the image platform, and signing the identity public key with the endorsement key's private key;
and encrypting the signed public key together with the endorsement certificate and sending them to a trusted third party.
Optionally, the identity certificate in the first data set is issued to the container image repository by the trusted third party after the endorsement certificate has been verified.
Optionally, the method further comprises:
and if the measurement result of the container image layer measurement list differs from the hash value in the target database, determining the position of the modified leaf node by comparing the hash values of the subtrees of the Merkle tree.
Optionally, recomputing the hashes along the Merkle tree based on the first data set to obtain the top hash value, and hashing the random number together with the top hash value to obtain the calculation result, comprises:
in response to receiving the first data set, verifying the identity certificate in the first data set;
and if the verification passes, recomputing the hashes along the Merkle tree to obtain the top hash value, and hashing the random number together with the top hash value to obtain the calculation result.
A verification system for an application container image layer measurement list comprises:
a parsing unit, which, in response to receiving request information sent by a client to download a container image, parses the request information and determines the target container image;
a generating unit, which generates a verification request corresponding to the target container image;
a receiving unit, which, in response to the verification request being sent to a remote container image repository, receives a first data set sent by the repository, the first data set comprising first encryption information, an identity certificate and a container image layer measurement list, where the first encryption information is obtained by hashing the top hash value of the Merkle tree corresponding to the target container image together with a random number and signing the result with the identity certificate's private key, and the container image layer measurement list is constructed on a Merkle tree and comprises the measurement aggregate value of the image platform and the layer hash value of each container image;
a computing unit, which, based on the first data set, recomputes the hashes along the Merkle tree to obtain a top hash value and hashes the random number together with the top hash value to obtain a calculation result;
a first determining unit, which determines that the container image layer measurement list in the first data set is intact if the calculation result matches the signed value in the first data set;
a second determining unit, which determines that the image layers of the target container image are intact if the measurement result of the container image layer measurement list matches the hash value in the target database, so that the target container image passes verification.
Compared with the prior art, the invention provides a verification method and system for an application container image layer measurement list in which the container server generates a verification request corresponding to the target container image that a client has requested to download; after the request is sent to the remote container image repository, a first data set sent by the repository is received, comprising first encryption information, an identity certificate and a container image layer measurement list, the list being constructed on a Merkle tree and containing the measurement aggregate value of the image platform and the layer hash value of each container image; the server determines whether the container image layer measurement list in the first data set is intact, and if the measurement result of the list matches the hash value in the target database, it determines that the image layers of the target container image are intact. By constructing a Merkle-tree-based container image layer measurement list for the container image, leakage of information about the remote image repository's base platform and image files during remote attestation is reduced, and verification efficiency is improved.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings needed for their description are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a verification method for an application container image layer measurement list according to an embodiment of the present invention;
fig. 2 is an interaction diagram of an application system according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an application scenario according to an embodiment of the present invention;
FIG. 4 is a diagram of a container image layer measurement list according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a Merkle tree according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a verification system for an application container image layer measurement list according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings; obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from these embodiments without creative effort fall within the protection scope of the present invention.
The terms "first" and "second" and the like in the description, claims and drawings of the present invention distinguish different objects and do not describe a particular order. The terms "comprising" and "having", and any variations of them, cover non-exclusive inclusion: a process, method, system, article or apparatus that comprises a list of steps or elements is not limited to the steps or elements listed and may include steps or elements not listed.
The embodiment of the invention provides a verification method for an application container image layer measurement list which, by constructing a Merkle-tree-based container image layer measurement list for the container image layers, reduces leakage of information about the remote image repository's base platform and image files during remote attestation and improves verification efficiency.
Referring to fig. 1, a schematic flowchart of a verification method for an application container image layer measurement list according to an embodiment of the present invention, which may include the following steps:
S101, in response to receiving the request information sent by the client to download a container image, parsing the request information to obtain the target container image.
For convenience of description, the container technology in the embodiments of the present invention refers to Docker, and the container images described are Docker container images, i.e. container images based on Docker technology. The client is a Docker client; a user sends request information (such as a request command) to download a container image through the Docker client, and the Docker server parses the request after receiving it to obtain the target container image corresponding to the request, i.e. the container image the user asked to download.
Container images are obtained from a public or private image repository and container instances are generated from them; a container instance can only be guaranteed to be secure if the container image is highly secure and trusted. Since the trustworthiness of the container image is the basis of the security of the container instance, the trustworthiness and integrity of the target container image must be verified.
S102, generating a verification request corresponding to the target container image.
After determining the target container image that the client needs to download, the Docker server challenges that image in the remote container image repository, that is, it generates a verification request corresponding to the target container image.
S103, in response to sending the verification request to the remote container image repository, receiving a first data set sent by the repository.
After the server sends the verification request to the remote container image repository, the repository acts as the attested party (the party being challenged) and must provide information corresponding to the target container image, so that the integrity and trustworthiness of the target image can be verified from that information.
The first data set is the information corresponding to the target container image provided by the remote container image repository. It comprises first encryption information, an identity certificate and a container image layer measurement list, where the first encryption information is obtained by hashing the top hash value of the Merkle tree corresponding to the target container image together with a random number and signing the result with the identity certificate's private key; the container image layer measurement list is constructed on a Merkle tree and comprises the measurement aggregate value of the image platform and the layer hash value of each container image.
S104, based on the first data set, recomputing the hashes along the Merkle tree to obtain a top hash value, and hashing the random number together with the top hash value to obtain a calculation result.
S105, if the calculation result matches the signed value in the first data set, determining that the container image layer measurement list in the first data set is intact.
S106, if the measurement result of the container image layer measurement list matches the hash value in the target database, determining that the image layers of the target container image are intact, so that the target container image passes verification.
In one embodiment, a platform identity key pair is generated by the trusted platform module of the remote container image repository; the platform information and identity public key of the image platform are collected and the identity public key is signed with the endorsement key's private key; the signed public key and the endorsement certificate are then encrypted and sent to a trusted third party.
Correspondingly, the identity certificate in the first data set is issued to the container image repository by the trusted third party after the endorsement certificate has been verified.
Further, if the measurement result of the container image layer measurement list differs from the hash value in the target database, the position of the modified leaf node is determined by comparing the hash values of the subtrees of the Merkle tree.
In one embodiment, recomputing the hashes along the Merkle tree based on the first data set to obtain the top hash value, and hashing the random number together with the top hash value to obtain the calculation result, comprises:
in response to receiving the first data set, verifying the identity certificate in the first data set;
and if the verification passes, recomputing the hashes along the Merkle tree to obtain the top hash value, and hashing the random number together with the top hash value to obtain the calculation result.
Referring to fig. 2, an interaction diagram of an application system according to an embodiment of the present application. The application system comprises a trusted third party, a Docker server acting as the challenger, and a Docker container image repository acting as the attested party. The remote container image repository generates a platform Attestation Identity Key (AIK) pair through its TPM (Trusted Platform Module), collects the relevant platform information and the AIK public key, signs the AIK public key with the Endorsement Key (EK) private key, and sends it, together with the EK certificate issued by the TPM manufacturer, to the trusted third party encrypted under a session key. The trusted third party verifies the validity of the EK certificate and the compliance of the platform information; once both pass, it signs the AIK public key with its own signing key and sends the resulting AIK certificate to the remote container image repository.
The server encrypts a freshly generated random number (nonce) together with an integrity verification request for the target container image and sends them to the remote container image repository. After the repository receives and decrypts the verification request, it calls the trusted software stack to read the PCR15 value (the Merkle tree Top Hash), hashes PCR15 together with the nonce, signs the result with the AIK private key, and sends it to the server encrypted together with the AIK certificate and the image layer measurement list.
After decrypting, the server verifies the legitimacy, validity and authenticity of the AIK certificate. If the certificate is genuine and valid, the challenger recomputes the hashes along the Merkle tree to obtain the Top Hash value, hashes that value with the nonce, and compares the result with the signed PCR15 result.
If the two match, the container image layer measurement list is intact, and the integrity of the image layers can then be judged by comparing the measurement result with the hash values of the target database (such as a fingerprint database); if they differ, the container image layer measurement list has been tampered with, and the position of the modified leaf node can be determined by comparing the hash results of the subtrees.
It can be seen that during remote attestation the measurement results of the other files on the attested platform need not be sent: the container measurement list contains only the measurement information of the container image layers, and verifying the measurement integrity of an image layer does not require all leaf node values, only the path nodes and the TPM-signed Top Hash value.
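The challenge-response described above, written out as an added Go example; this is not code from the patent or from any implementation of it. The repository side computes the Top Hash (the value the patent keeps in PCR15), hashes it with the challenger's nonce and signs the digest with the AIK; the Docker server side rebuilds the Top Hash from the received measurement list, binds it to the same nonce and checks the signature over its own recomputation, which is equivalent to comparing its result with the signed value. Assumed details not fixed by the text: SHA-256 for every node, an RSA-PSS key generated in software standing in for the TPM-held AIK, a node without a sibling carried up unchanged, and a flat list of layer hashes as the leaves (the per-image subtrees come later). Locate goes one step beyond the text and shows how comparing subtree hashes pins down the modified leaf.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// h returns SHA-256 over the concatenation of its inputs; it is the node
// hash of the measurement list throughout this example (assumption).
func h(parts ...[]byte) []byte {
	d := sha256.New()
	for _, p := range parts {
		d.Write(p)
	}
	return d.Sum(nil)
}

// MerkleRoot hashes the list's leaves pairwise up to the Top Hash. A node
// without a sibling is carried up unchanged, so every path node has one or
// two children, as in the patent's tree.
func MerkleRoot(nodes [][]byte) []byte {
	for len(nodes) > 1 {
		var next [][]byte
		for i := 0; i < len(nodes); i += 2 {
			if i+1 < len(nodes) {
				next = append(next, h(nodes[i], nodes[i+1]))
			} else {
				next = append(next, nodes[i])
			}
		}
		nodes = next
	}
	return nodes[0]
}

// Quote is the repository (attested party) side: PCR15 holds the Top Hash,
// the TPM hashes it with the challenger's nonce and signs the digest with
// the AIK private key. RSA-PSS stands in here for the TPM quote signature.
func Quote(aik *rsa.PrivateKey, pcr15, nonce []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, aik, crypto.SHA256, h(pcr15, nonce), nil)
}

// Verify is the challenger (Docker server) side: rebuild the Top Hash from
// the received measurement list, bind it to the nonce and check the AIK
// signature. Success means the list arrived intact and the reply is fresh.
func Verify(aik *rsa.PublicKey, sig, nonce []byte, list [][]byte) bool {
	digest := h(MerkleRoot(list), nonce)
	return rsa.VerifyPSS(aik, crypto.SHA256, digest, sig, nil) == nil
}

// Locate compares a received list with the fingerprint-database copy of the
// same length subtree by subtree and returns the index of the leftmost
// modified leaf, or -1 if the roots already agree. With the pairing rule
// above, the left child of any node covers the largest power of two below
// its leaf count, so the two children are got[:k] and got[k:].
func Locate(got, ref [][]byte) int {
	if bytes.Equal(MerkleRoot(got), MerkleRoot(ref)) {
		return -1
	}
	if len(ref) == 1 {
		return 0
	}
	k := 1
	for k*2 < len(ref) {
		k *= 2
	}
	if !bytes.Equal(MerkleRoot(got[:k]), MerkleRoot(ref[:k])) {
		return Locate(got[:k], ref[:k])
	}
	return k + Locate(got[k:], ref[k:])
}

func main() {
	// Constructed sample: five layer hashes of one image as the leaves.
	var ref [][]byte
	for _, layer := range []string{"L1", "L2", "L3", "L4", "L5"} {
		ref = append(ref, h([]byte(layer)))
	}
	aik, _ := rsa.GenerateKey(rand.Reader, 2048) // software stand-in for the TPM AIK
	nonce := make([]byte, 32)
	rand.Read(nonce)

	sig, _ := Quote(aik, MerkleRoot(ref), nonce)
	fmt.Println("intact list verifies:", Verify(&aik.PublicKey, sig, nonce, ref))

	got := append([][]byte{}, ref...)
	got[3] = h([]byte("L4-tampered")) // a layer hash altered in transit
	fmt.Println("tampered list verifies:", Verify(&aik.PublicKey, sig, nonce, got))
	fmt.Println("modified leaf index:", Locate(got, ref))
}
```

A replayed quote fails in Verify because the nonce is part of the signed digest, and a list altered after signing fails because the recomputed Top Hash no longer matches; only when Verify succeeds does it make sense to compare the leaves against the fingerprint database and, on a mismatch, call Locate.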
Referring to fig. 3, a schematic diagram of an application scenario according to an embodiment of the present application: a Docker client connects to the Docker server through an intermediate interface, generates request information to download a container image and sends it to the Docker server, which drives the individual Docker containers. The Docker server takes the role of challenger: it generates a verification request for the target container image and sends it to the Docker container image library, which takes the role of attested party and provides the relevant information about the target container image so that its trustworthiness and integrity can be verified.
To implement a remote attestation framework designed for Docker containers, a challenge function module must be added to the Docker container server, that is, a function that can initiate an integrity challenge for an image in the remote container image repository, so as to realize verification under the container image remote attestation framework. The method further comprises:
adding a trusted platform module to the remote container image repository that stores the container images, to provide measurement protection for the container images and the system;
and adding a container image trusted verification module to the container server, so that the remote verification mechanism for container images is started through this module and the verification request corresponding to the target container image is generated.
Specifically, a TPM is added to the remote container image repository that stores the container images to provide measurement protection for the container images and the system, and a container image trusted verification module is added to the Docker server of the container architecture to play the role of challenger and generate the verification request for the target container image. After a user sends a command to download a container image to the Docker server through the Docker client, the Docker server receives and parses the command, triggers the remote verification mechanism for the container image, and verifies the trustworthiness and integrity of the container image before the image is fetched.
Further, trusted measurement of the container image repository may be performed on the basis of the trusted platform module, that is, the method further comprises:
in response to the start-up of the host on which the remote container image repository runs, measuring the configuration information through the trusted platform module and computing the measurement aggregate value of the image platform;
and hashing the image layers of the remote container image repository through the trusted platform module to obtain the layer hash values of each container image, and filling the layer hash values of each container image into the Merkle-tree measurement list corresponding to that container image.
Specifically, a trusted platform module may be embedded in the host of the remote container image repository to complete the initial trusted measurement configuration. After the host on which the image repository runs starts, the root of trust for measurement in the TPM completes the trusted measurement of the hardware, BIOS and operating system, and the resulting hash aggregate is extended according to boot_aggregate = Hash(PCR0 || PCR1 || ... || PCR7), giving the measurement aggregate value boot_aggregate of the image platform. The Platform Configuration Register (PCR) is a component of the trusted platform module responsible for storing measurement values (i.e. hash values). The image layers of the image repository are hashed by operating the TPM to obtain the hash values of all image layers, which are filled into the Merkle-tree-based measurement list.
The embodiment of the invention also provides a method for constructing the container image layer measurement list, which includes the following steps:
determining the number of hash-subtree branches of the Merkle tree according to the number of container images in the remote container image repository, so that each container image corresponds to one hash subtree;
determining the measurement aggregation value of the image platform from the configuration information of the image platform, and storing the measurement aggregation value in the container image layer measurement list, so that the aggregation value forms a leaf node of the Merkle tree;
analysing the dependency information of the container image layers and determining the attribution information of the container images (that is, which image each layer belongs to);
and, based on the attribution information, filling the layer hash values of each container image into the corresponding subtree of the container image measurement list, to obtain the container image layer measurement list.
Specifically, fig. 4 is a schematic diagram of the container image layer measurement list provided in an embodiment of the present application. Hash-subtree branches are designed according to the number of container images in the remote image repository system, one hash subtree per container image. Because the underlying system platform of the container image repository is the security foundation of the container images above it, the system chain of trust has to be carried forward: platform measurement information is configured for each image subtree, and the obtained measurement aggregation value boot_aggregate of the image platform is placed into the container image measurement list as a leaf node of the Merkle tree. Fig. 5 is a structural schematic diagram of this Merkle tree provided by the embodiment of the present application. The dependency information of the container image layers is analysed by an image analyser. From top to bottom, the first layer below the Top Hash consists of the container image subtrees; the path nodes of this first layer form a multi-fork structure, namely the container images A_1 to A_m. Each subtree contains one complete set of container image layers together with the platform information aggregation value. Suppose image A_1 contains n layers; apart from the first layer, every path node of the lower layers contains only 1 or 2 child nodes. Leaf node L_0 is the platform information measurement value boot_aggregate, and L_1 to L_n are the image layer hash values of image A_1.
Further, the path node hash values of the Merkle tree are calculated by re-hashing to obtain the top hash value of the uppermost layer of the Merkle tree, and the top hash value is stored in a destination register.
That is, the path node hash values of the Merkle hash tree are computed by re-hashing to obtain the Top Hash value of the top layer, and the result is placed into the corresponding register, PCR15.
In the embodiment of the present invention, a measurement verification method based on the Integrity Measurement Architecture (IMA) would have to traverse every target file that satisfies the measurement policy on each verification. Such a measurement list is bulky and cannot quickly and effectively locate the specific image layer that was attacked or how many image layers were damaged. The container image layer measurement list designed on a Merkle tree removes measurement information irrelevant to the challenger's verification request, and because it is recombined as an unbalanced binary tree, verifying the integrity of C_1 in fig. 5 only requires obtaining complete and genuine B_2 and C_2, or C_2, L_0 and A_1.
Merkle trees of different heights can be constructed according to the container images and the number of container image layers, so the structure adapts well. When the number of container images and image layers is large, the unbalanced Merkle tree can be transformed into a B+ tree; when the number of container images and image layers is small and the requirements on security and privacy are high, a balanced binary Merkle tree can be constructed.
The Top Hash result is stored by extending it into PCR15, so that it cannot be modified by a tamperer; and, taking into account the trustworthiness of the underlying system of the image repository platform, the aggregation value boot_aggregate of PCR0 to PCR7 is added to each container image subtree when the container image measurement list is constructed.
An embodiment of the present invention further provides a verification system for a container image layer measurement list; referring to fig. 6, the verification system includes:
an analysis unit 10, configured to respond to received request information for downloading a container image sent by a client, parse the request information and determine the target container image;
a generating unit 20, configured to generate the verification request corresponding to the target container image;
a receiving unit 30, configured to send the verification request to the remote container image repository and receive the first data set sent back by the repository, where the first data set includes first encrypted information, an identity certificate and a container image layer measurement list; the first encrypted information is the calculation result of the top hash value of the Merkle tree corresponding to the target container image and a random number, signed with the private key of the identity certificate; the container image layer measurement list is a measurement list constructed on a Merkle tree and contains the measurement aggregation value of the image platform and the layer hash values of each container image;
a calculation unit 40, configured to re-hash the first data set along the Merkle tree to obtain the top hash value, and to hash the random number together with the top hash value to obtain a calculation result;
a first determining unit 50, configured to determine that the container image layer measurement list in the first data set is complete if the calculation result is the same as the top hash value in the first data set;
a second determining unit 60, configured to determine that the image layers of the target container image are complete, so that the target container image passes verification, if the measurement results in the container image layer measurement list are the same as the hash values in the target database.
In one embodiment, the system further includes:
a first adding unit, configured to add a trusted platform module to the remote container image repository that stores the container images, so as to protect the container images and the system by measurement;
and a second adding unit, configured to add a container image trusted verification module to the container server, so that the trusted verification module starts the remote verification mechanism for container images and generates the verification request corresponding to the target container.
In one embodiment, the system further includes:
an aggregation value calculation unit, configured to respond to start-up of the host on which the remote container image repository runs, measure the configuration information through the trusted platform module and compute the measurement aggregation value of the image platform;
and a hash value calculation unit, configured to hash the image layers of the remote container image repository through the trusted platform module to obtain the layer hash values of each container image, and to fill the layer hash values of each container image into the Merkle-tree measurement list corresponding to that container image.
In one embodiment, the system further includes a measurement list construction unit, configured to:
determine the number of hash-subtree branches of the Merkle tree according to the number of container images in the remote container image repository, so that each container image corresponds to one hash subtree;
determine the measurement aggregation value of the image platform from the configuration information of the image platform, and store the measurement aggregation value in the container image layer measurement list, so that the aggregation value forms a leaf node of the Merkle tree;
analyse the dependency information of the container image layers and determine the attribution information of the container images;
and, based on the attribution information, fill the layer hash values of each container image into the corresponding subtree of the container image measurement list, to obtain the container image layer measurement list.
Optionally, the system further includes:
a recalculation unit, configured to calculate the path node hash values of the Merkle tree by re-hashing to obtain the top hash value of the uppermost layer of the Merkle tree;
and a storage unit, configured to store the top hash value in a destination register.
Further, the system further includes:
a key generation unit, configured to generate a platform identity key pair through the trusted platform module of the remote container image repository;
a collecting unit, configured to collect the platform information and the identity public key of the image platform and sign the identity public key with the private key of the endorsement key;
and a sending unit, configured to encrypt the signed public key together with the endorsement certificate and send them to a trusted third party.
Optionally, the identity certificate in the first data set is issued to the container image repository by the trusted third party after the third party has verified the endorsement certificate.
In one embodiment, the system further includes:
a third determining unit, configured to determine the position of the modified leaf node by comparing the hash values of the subtrees of the Merkle tree, if a measurement result in the container image layer measurement list differs from the hash value in the target database.
Further, the calculation unit is specifically configured to:
in response to receiving the first data set, verify the identity certificate in the first data set;
and, if the verification passes, re-hash along the Merkle tree to obtain the top hash value and hash the random number together with the top hash value to obtain the calculation result.
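The flow described above, from the platform measurement boot_aggregate through the per-image Merkle subtrees of figs. 4 and 5 (leaf L_0 = boot_aggregate, L_1 to L_n = layer hashes, a multi-fork first layer under the Top Hash), extension of the Top Hash into PCR15, the nonce-bound challenge-response carried by the first data set, and locating a modified leaf by comparing subtree hashes, as one added Python example. This is illustrative code written for this page, not the patent's implementation: the PCR values, layer contents and identity key are constructed stand-ins, an HMAC keyed with a shared secret stands in for the identity-certificate signature, and the trusted-third-party certificate check is omitted.

```python
import hashlib
import hmac
import secrets

def H(*parts):
    # The page's Hash(): SHA-256 over the concatenation of its arguments.
    return hashlib.sha256(b"".join(parts)).digest()

def boot_aggregate(pcrs):
    # boot_aggregate = Hash(PCR0 || PCR1 || ... || PCR7); PCR values are constructed stand-ins.
    return H(*pcrs[:8])

def pcr_extend(pcr, value):
    # TPM extend semantics: new PCR = Hash(old PCR || value); used for PCR15 below.
    return H(pcr, value)

def layer_hash(layer):
    return hashlib.sha256(layer).digest()

def build_metric_list(boot_agg, images):
    # One hash subtree per image: leaf L0 = boot_aggregate, L1..Ln = image layer hashes.
    return {name: [boot_agg] + [layer_hash(l) for l in layers]
            for name, layers in images.items()}

def _next_level(level):
    # Unbalanced binary Merkle tree: a path node hashes its 1 or 2 children.
    return [H(level[j], level[j + 1]) if j + 1 < len(level) else H(level[j])
            for j in range(0, len(level), 2)]

def subtree_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def top_hash(metric_list):
    # First layer is multi-fork: Top Hash = Hash(root(A1) || root(A2) || ... || root(Am)).
    return H(*(subtree_root(leaves) for leaves in metric_list.values()))

def audit_path(leaves, index):
    # Sibling hashes needed to recompute a subtree root from one leaf: checking one
    # node needs only these few values, not a walk over the whole measurement list.
    path, level, i = [], list(leaves), index
    while len(level) > 1:
        sib = i ^ 1
        path.append(level[sib] if sib < len(level) else None)
        level, i = _next_level(level), i // 2
    return path

def root_from_path(leaf, index, path):
    node, i = leaf, index
    for sib in path:
        node = H(node) if sib is None else (H(node, sib) if i % 2 == 0 else H(sib, node))
        i //= 2
    return node

def repository_respond(metric_list, nonce, identity_key):
    # The "first data set": signed Hash(top || nonce) plus the measurement list. HMAC stands
    # in for the identity-certificate private-key signature (assumption; no TPM involved).
    top = top_hash(metric_list)
    sig = hmac.new(identity_key, H(top, nonce), hashlib.sha256).digest()
    return {"top_hash": top, "signature": sig, "metric_list": metric_list}

def verify_response(response, nonce, identity_key, target_db):
    # Verifier on the Docker server. Returns (status, [(image, leaf index), ...]).
    expected = H(response["top_hash"], nonce)
    mac = hmac.new(identity_key, expected, hashlib.sha256).digest()
    if not hmac.compare_digest(response["signature"], mac):
        return "signature invalid", []          # wrong key, or a replayed response
    # Re-hash the received list up the Merkle tree: it is complete only if the
    # recomputed top hash, combined with the nonce, equals the signed value.
    if H(top_hash(response["metric_list"]), nonce) != expected:
        return "metric list tampered in transit", []
    # Compare with the known-good target database; compare subtree roots first and
    # descend to the leaves only where a subtree differs, which localises the change.
    modified = []
    for name, leaves in response["metric_list"].items():
        good = target_db.get(name)
        if good is None:
            return "image not in target database", []
        if subtree_root(leaves) == subtree_root(good):
            continue
        modified += [(name, i) for i, (a, b) in enumerate(zip(leaves, good)) if a != b]
        if len(leaves) != len(good):
            modified.append((name, min(len(leaves), len(good))))
    return ("ok" if not modified else "image layer modified"), modified

def demo():
    pcrs = [H(b"constructed PCR%d" % i) for i in range(8)]
    metric_list = build_metric_list(boot_aggregate(pcrs), {
        "A1": [b"layer a1.1", b"layer a1.2", b"layer a1.3"],    # constructed layer blobs
        "A2": [b"layer a2.1"],
    })
    pcr15 = pcr_extend(bytes(32), top_hash(metric_list))        # PCR15 starts at all-zero
    target_db = {k: list(v) for k, v in metric_list.items()}    # known-good reference values
    key, nonce = b"identity-key-stand-in", secrets.token_bytes(16)
    good = verify_response(repository_respond(metric_list, nonce, key), nonce, key, target_db)
    tampered = {k: list(v) for k, v in metric_list.items()}
    tampered["A1"][2] = layer_hash(b"modified layer")           # layer 2 of A1 replaced
    bad = verify_response(repository_respond(tampered, nonce, key), nonce, key, target_db)
    return good, bad, pcr15
```

`demo()` returns `("ok", [])` for the untouched list and `("image layer modified", [("A1", 2)])` for the list whose second layer of A1 was replaced, which is the localisation the third determining unit performs. The nonce is what separates a fresh answer from a replayed one: a response signed for one nonce fails the signature check under any other, and a list altered after signing fails the re-hash check before the database comparison is reached.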
The embodiments in this description are described progressively; each embodiment focuses on its differences from the others, and the parts they share can be read across embodiments. Since the system disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is brief, and the method part may be referred to for the relevant points.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A verification method for an application container image layer measurement list, characterized by comprising the following steps:
in response to receiving request information for downloading a container image sent by a client, parsing the request information and determining a target container image;
generating a verification request corresponding to the target container image;
in response to sending the verification request to a remote container image repository, receiving a first data set sent by the remote container image repository, wherein the first data set comprises first encrypted information, an identity certificate and a container image layer measurement list, and the first encrypted information is the calculation result of the top hash value of the Merkle tree corresponding to the target container image and a random number, signed with the private key of the identity certificate; the container image layer measurement list is a measurement list constructed on a Merkle tree and comprises the measurement aggregation value of the image platform and the layer hash values of each container image;
based on the first data set, performing hash calculation again along the Merkle tree to obtain a top hash value, and performing hash calculation using the random number and the top hash value to obtain a calculation result;
if the calculation result is the same as the top hash value in the first data set, determining that the container image layer measurement list in the first data set is complete;
if the measurement results in the container image layer measurement list are the same as the hash values in the target database, determining that the image layers of the target container image are complete, such that the target container image passes verification.
2. The method of claim 1, further comprising:
adding a trusted platform module to the remote container image repository that stores the container images, so as to protect the container images and the system by measurement;
and adding a container image trusted verification module to the container server, the trusted verification module starting the remote verification mechanism for container images and generating the verification request corresponding to the target container.
3. The method of claim 2, characterized in that the method further comprises:
in response to start-up of the host on which the remote container image repository runs, measuring the configuration information through the trusted platform module and computing the measurement aggregation value of the image platform;
and performing hash calculation on the image layers of the remote container image repository through the trusted platform module to obtain the layer hash values of each container image, and filling the layer hash values of each container image into the Merkle-tree measurement list corresponding to that container image.
4. The method of claim 1, further comprising:
determining the number of hash-subtree branches of the Merkle tree according to the number of container images in the remote container image repository, so that each container image corresponds to one hash subtree;
determining the measurement aggregation value of the image platform from the configuration information of the image platform, and storing the measurement aggregation value in the container image layer measurement list, so that the aggregation value forms a leaf node of the Merkle tree;
analysing the dependency information of the container image layers and determining the attribution information of the container images;
and, based on the attribution information, filling the layer hash values of each container image into the corresponding subtree of the container image measurement list, to obtain the container image layer measurement list.
5. The method of claim 4, further comprising:
calculating the path node hash values of the Merkle tree by re-hashing to obtain the top hash value of the uppermost layer of the Merkle tree;
and storing the top hash value in a destination register.
6. The method of claim 2, further comprising:
generating a platform identity key pair through the trusted platform module of the remote container image repository;
collecting the platform information and the identity public key of the image platform, and signing the identity public key with the private key of the endorsement key;
and encrypting the signed public key together with the endorsement certificate and sending them to a trusted third party.
7. The method of claim 6, wherein the identity certificate in the first data set is issued to the container image repository by the trusted third party after the third party has verified the endorsement certificate.
8. The method of claim 1, further comprising:
if a measurement result in the container image layer measurement list differs from the hash value in the target database, determining the position of the modified leaf node by comparing the hash values of the subtrees of the Merkle tree.
9. The method of claim 1, wherein performing hash calculation again along the Merkle tree based on the first data set to obtain a top hash value and performing hash calculation using the random number and the top hash value to obtain a calculation result comprises:
in response to receiving the first data set, verifying the identity certificate in the first data set;
and, if the verification passes, performing hash calculation again along the Merkle tree to obtain the top hash value, and performing hash calculation using the random number and the top hash value to obtain the calculation result.
10. A verification system for an application container image layer measurement list, comprising:
an analysis unit, configured to respond to received request information for downloading a container image sent by a client, parse the request information and determine a target container image;
a generating unit, configured to generate a verification request corresponding to the target container image;
a receiving unit, configured to send the verification request to a remote container image repository and receive the first data set sent by the remote container image repository, where the first data set includes first encrypted information, an identity certificate and a container image layer measurement list; the first encrypted information is the calculation result of the top hash value of the Merkle tree corresponding to the target container image and a random number, signed with the private key of the identity certificate; the container image layer measurement list is a measurement list constructed on a Merkle tree and includes the measurement aggregation value of the image platform and the layer hash values of each container image;
a calculation unit, configured to perform hash calculation again along the Merkle tree based on the first data set to obtain a top hash value, and to perform hash calculation using the random number and the top hash value to obtain a calculation result;
a first determining unit, configured to determine that the container image layer measurement list in the first data set is complete if the calculation result is the same as the top hash value in the first data set;
and a second determining unit, configured to determine that the image layers of the target container image are complete, so that the target container image passes verification, if the measurement results in the container image layer measurement list are the same as the hash values in the target database.
CN202210761993.9A 2022-06-30 2022-06-30 Verification method and system for application container mirror image layer measurement list Pending CN115146310A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210761993.9A CN115146310A (en) 2022-06-30 2022-06-30 Verification method and system for application container mirror image layer measurement list

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210761993.9A CN115146310A (en) 2022-06-30 2022-06-30 Verification method and system for application container mirror image layer measurement list

Publications (1)

Publication Number Publication Date
CN115146310A true CN115146310A (en) 2022-10-04

Family

ID=83409729

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210761993.9A Pending CN115146310A (en) 2022-06-30 2022-06-30 Verification method and system for application container mirror image layer measurement list

Country Status (1)

Country Link
CN (1) CN115146310A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117119456A (en) * 2023-10-24 2023-11-24 国网智能电网研究院有限公司 5G MEC multi-container remote certification method, system, device and medium
CN117119456B (en) * 2023-10-24 2024-01-23 国网智能电网研究院有限公司 5G MEC multi-container remote certification method, system, device and medium

Similar Documents

Publication Publication Date Title
US11449819B2 (en) Blockchain-based authentication and authorization
CN109313690B (en) Self-contained encrypted boot policy verification
CN108140093B (en) Migrating secrets using a hardware root of trust for a device
CN102271042B (en) Certificate authorization method, system, universal serial bus (USB) Key equipment and server
Tate et al. Multi-user dynamic proofs of data possession using trusted hardware
US6581093B1 (en) Policy validation in a LDAP directory
Liu et al. Enabling secure and privacy preserving identity management via smart contract
WO2008026086A2 (en) Attestation of computing platforms
GB2399906A (en) Delegating authority
WO2021114614A1 (en) Application program secure startup method and apparatus, computer device, and storage medium
CN114065176A (en) Secure operation device, secure operation method, verifier, and device verification method
WO2010005071A1 (en) Password authenticating method
Patel et al. DAuth: A decentralized web authentication system using Ethereum based blockchain
JP2017531951A (en) Method, device, terminal and server for security check
CN110069946A (en) A kind of Security Index system based on SGX
Pereira et al. Formal analysis of the FIDO 1. x protocol
CN110188545B (en) Data encryption method and device based on chained database
JP2020071880A (en) Device attestation techniques
CN115146310A (en) Verification method and system for application container mirror image layer measurement list
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
Lee et al. Privacy-preserving identity management system
US20050246539A1 (en) Trusted signature with key access permissions
CN117155549A (en) Key distribution method, key distribution device, computer equipment and storage medium
JP2022020604A (en) Decentralized electronic contract certification platform
CN111460523A (en) Data integrity verification method and device and computer-readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination