CN117119456B - 5G MEC multi-container remote certification method, system, device and medium - Google Patents


Info

Publication number
CN117119456B
Authority
CN
China
Prior art keywords
mec
container
remote
node
verification
Prior art date
Legal status
Active
Application number
CN202311380052.1A
Other languages
Chinese (zh)
Other versions
CN117119456A (en)
Inventor
张小建
王齐
高鹏
Current Assignee
State Grid Smart Grid Research Institute Co ltd
State Grid Corp of China SGCC
Original Assignee
State Grid Smart Grid Research Institute Co ltd
State Grid Corp of China SGCC

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention relates to the technical field of multi-access edge computing and discloses a 5G MEC multi-container remote attestation method, system, device and medium. A multi-container attestation tree is generated from the 5G MEC containers; the remote attestation tasks that originally belonged to the MEC manager are issued to each MEC host by means of the generated tree, and remote attestation of each 5G MEC container is carried out by the verification agent in each host, so that the burden on the MEC manager is reduced and the time complexity of executing the remote attestation tasks can be reduced.

Description

5G MEC multi-container remote certification method, system, device and medium
Technical Field
The invention relates to the technical field of mobile edge computing, and in particular to a 5G MEC multi-container remote attestation method, system, device and medium.
Background
5G MEC (Multi-Access Edge Computing) typically employs a micro-service architecture that divides an application into smaller, inter-dependent services, each running in a 5G MEC container, so the running of a given MEC application may depend on other MEC services. MEC systems therefore need to support remote attestation of multiple 5G MEC containers simultaneously in order to provide a high quality of service and user experience.
However, if the applications and services that a user needs to access at the same time depend on each other, remote attestation of all of the 5G MEC containers involved must be completed before the user's resource request can be answered; attesting the 5G MEC containers one by one in this case lengthens the response time and increases the service delay. Moreover, one MEC manager generally manages several MEC hosts, and all remote attestation tasks are then executed by the MEC verification agent on the MEC manager, which not only increases the service delay but also overloads the MEC verification agent, affecting the stability and reliability of the whole MEC system.
Disclosure of Invention
In view of this, the present invention provides a 5G MEC multi-container remote attestation method, system, apparatus, and medium, to solve the problem that remote attestation tasks are all dependent on the execution of the MEC verification agent on the MEC manager, which not only increases the time delay of the service, but also causes the load of the MEC verification agent to be too heavy, thereby affecting the stability and reliability of the whole MEC system.
In a first aspect, the present invention provides a 5G MEC multi-container remote attestation method for a 5G MEC multi-container remote attestation system, the system comprising a MEC manager and a plurality of MEC hosts, the MEC manager comprising a MEC verification agent, each MEC host comprising a 5G MEC container and a MEC host verification agent; the 5G MEC multi-container remote attestation method comprises the following steps:
the MEC verification agent acquires a preset multi-container identification list and a plurality of 5G MEC containers; based on the preset multi-container identification list and the plurality of 5G MEC containers, a multi-container attestation tree is generated through MEC verification agent processing; and the MEC verification agent performs remote attestation on each 5G MEC container in the plurality of MEC hosts based on the multi-container attestation tree to obtain a remote attestation result for each 5G MEC container.
In the 5G MEC multi-container remote attestation method, a MEC host verification agent is added to the user layer of each MEC host to remotely attest the 5G MEC containers in that host, which solves the problem that all remote attestation tasks depend on the MEC verification agent on the MEC manager for execution, reduces service delay, and improves the stability and reliability of the MEC system. Further, a multi-container attestation tree is generated from the 5G MEC containers; the remote attestation tasks that originally belonged to the MEC manager are issued to each MEC host by means of this tree, and remote attestation of each 5G MEC container is carried out by the verification agent in each host, so that the burden on the MEC manager is reduced and the time complexity of executing the remote attestation tasks can be reduced.
In an alternative embodiment, generating a multi-container attestation tree through MEC verification agent processing based on the preset multi-container identification list and the plurality of 5G MEC containers includes:
traversing the preset multi-container identification list with the MEC verification agent to obtain the container identifier of each 5G MEC container among the plurality of 5G MEC containers; the MEC verification agent selecting one 5G MEC container to be verified from the plurality of 5G MEC containers; and taking the 5G MEC container to be verified as the root node, generating a multi-container attestation tree through MEC verification agent processing based on each container identifier and a preset container remote attestation list.
In the invention, each 5G MEC container is used as a node and a corresponding multi-container attestation tree is generated, which provides the basis for remotely attesting a plurality of 5G MEC containers by means of the tree.
In an alternative embodiment, taking the 5G MEC container to be verified as the root node and generating a multi-container attestation tree through MEC verification agent processing based on each container identifier and the preset container remote attestation list includes:
based on each container identifier, using the MEC verification agent to look up, in the preset container remote attestation list, the first remote attestation information of the 5G MEC container corresponding to that identifier; determining, with a preset judging method, at least one item of second remote attestation information among the first remote attestation information that does not meet a preset condition; using the MEC verification agent to perform physical platform remote attestation on the MEC host where each 5G MEC container corresponding to the second remote attestation information is located, to obtain at least one MEC host whose physical platform has been remotely attested; and taking the 5G MEC container to be verified as the root node and the 5G MEC container corresponding to each physically attested MEC host as a child node, generating the multi-container attestation tree.
The invention takes the 5G MEC container as a node and generates the corresponding multi-container attestation tree, thereby providing the basis for remotely attesting a plurality of 5G MEC containers by means of the tree.
In an alternative embodiment, the node information of each node in the multi-container attestation tree includes a MEC host identifier and a 5G MEC container identifier, and each parent node in the tree performs 5G MEC container remote attestation on its child nodes; the MEC verification agent remotely attesting each 5G MEC container in the plurality of MEC hosts based on the multi-container attestation tree to obtain a remote attestation result for each 5G MEC container comprises:
performing remote attestation of the root node of the multi-container attestation tree with the MEC verification agent; after that remote attestation is finished, the MEC verification agent sending the multi-container attestation tree to the MEC host corresponding to the root node; the MEC host verification agent in that MEC host verifying and remotely attesting each child node of the root node according to the multi-container attestation tree; when verification fails, adding the child node to an untrusted node list; obtaining at least one sub-tree of the multi-container attestation tree based on each child node and sending each sub-tree to the MEC host corresponding to that child node for verification and remote attestation, repeating this until the child node is a leaf node, so as to obtain a remote attestation result for each child node, where each child node represents a 5G MEC container and the remote attestation result includes the untrusted node list of the child node; and uploading each remote attestation result to the MEC verification agent based on the multi-container attestation tree.
The invention uses the generated multi-container attestation tree to issue the remote attestation tasks that originally belonged to the MEC manager to each MEC host, and uses the verification agent in each host to remotely attest each 5G MEC container, thereby reducing the burden on the MEC manager and the time complexity of executing the remote attestation tasks, so that the stability and reliability of the whole MEC system are not affected.
In an alternative embodiment, uploading each remote attestation result to the MEC verification agent based on the multi-container attestation tree comprises:
when a node in the multi-container attestation tree is neither the root node nor a leaf node, processing the untrusted node list of that non-leaf node to obtain a first remote attestation result containing a signature digest, the untrusted node list and a public key certificate, and uploading the first remote attestation result to the parent node of the non-leaf node; when each non-leaf node in the tree receives the remote attestation result of each of its child nodes, verifying the public key certificate contained in that result to obtain a public key certificate verification result; verifying the remote attestation result of each child node based on each public key certificate verification result; when the remote attestation results are genuine and complete, merging the untrusted node list contained in each of them with the untrusted node list of the non-leaf node itself to obtain a second remote attestation result for the non-leaf node; repeating these steps (processing the untrusted node list of a non-root, non-leaf node to obtain a first remote attestation result containing a signature digest, the untrusted node list and a public key certificate, uploading it to the parent node, and, when the received results are genuine and complete, merging their untrusted node lists with the node's own to obtain a second remote attestation result) until the root node is reached, so as to obtain a plurality of first remote attestation results and a plurality of second remote attestation results; and sending the plurality of first remote attestation results and the plurality of second remote attestation results to the MEC verification agent.
After the remote attestation result of each child node has been obtained, all remote attestation results can be uploaded in turn to the corresponding MEC verification agent through the multi-container attestation tree.
In an alternative embodiment, the method further comprises:
after receiving each remote attestation result, the MEC manager corresponding to the MEC verification agent verifies each remote attestation result and records it.
The invention verifies each received remote attestation result in the MEC manager and records the remote attestation result of each node, providing a basis for subsequent use.
In a second aspect, the present invention provides a 5G MEC multi-container remote attestation system for performing the 5G MEC multi-container remote attestation method of the first aspect or any of its corresponding embodiments described above; the 5G MEC multi-container remote attestation system includes a MEC manager and a plurality of MEC hosts; the MEC manager includes a MEC verification agent, and each MEC host includes a 5G MEC container and a MEC host verification agent, the 5G MEC container and the MEC host verification agent being integrated at the user layer of the MEC host.
In the 5G MEC multi-container remote attestation system provided by the invention, a MEC host verification agent is added to the user layer of each MEC host to remotely attest the 5G MEC containers in that host, which solves the problem that all remote attestation tasks depend on the MEC verification agent on the MEC manager for execution, reduces service delay, and improves the stability and reliability of the MEC system.
In an alternative embodiment, the MEC manager further comprises a privacy certificate authority; each MEC host also comprises a virtual trusted platform module manager, a measurement agent and a trusted platform module, wherein the virtual trusted platform module manager and the measurement agent are integrated in the kernel layer of the MEC host, and the trusted platform module is integrated in the hardware layer of the MEC host.
In a third aspect, the invention provides a 5G MEC multi-container remote attestation device for a 5G MEC multi-container remote attestation system, the system comprising a MEC manager and a plurality of MEC hosts, the MEC manager comprising a MEC verification agent, each MEC host comprising a 5G MEC container and a MEC host verification agent; the 5G MEC multi-container remote attestation device comprises:
an acquisition module, used by the MEC verification agent to acquire a preset multi-container identification list and a plurality of 5G MEC containers; a processing module, used to generate a multi-container attestation tree through MEC verification agent processing based on the preset multi-container identification list and the plurality of 5G MEC containers; and a remote attestation module, used by the MEC verification agent to remotely attest each 5G MEC container in the MEC hosts based on the multi-container attestation tree and obtain a remote attestation result for each 5G MEC container.
In a fourth aspect, the present invention provides a computer readable storage medium having stored thereon computer instructions for causing a computer to perform the 5G MEC multi-container remote attestation method of the first aspect or any of its corresponding embodiments described above.
In a fifth aspect, the present invention provides a computer device comprising a memory and a processor in communicative connection, the memory storing computer instructions and the processor executing those instructions so that the 5G MEC multi-container remote attestation method of the first aspect or any of its corresponding embodiments is performed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a conventional MEC application dependency topology according to an embodiment of the present invention;
FIG. 2 is a block diagram of a 5G MEC multi-container remote attestation system according to an embodiment of the present invention;
FIG. 3 is a flow diagram of a 5G MEC multi-container remote attestation method according to an embodiment of the present invention;
FIG. 4 is a flow diagram of another 5G MEC multi-container remote attestation method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of 5G MEC container attestation tree generation according to an embodiment of the invention;
FIG. 6 is a flow diagram of yet another 5G MEC multi-container remote attestation method according to an embodiment of the invention;
FIG. 7 is a schematic diagram of the MCAT-based remote attestation task issuing procedure according to an embodiment of the present invention;
FIG. 8 is a block diagram of the MEC system architecture after modification of the MEC host according to an embodiment of the invention;
FIG. 9 is a schematic diagram of the initialization phase of MCAT-based multi-container remote attestation according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of MCAT-based remote attestation result upload according to an embodiment of the present invention;
FIG. 11 is a block diagram of the construction of an XX apparatus according to an embodiment of the invention;
FIG. 12 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The conventional MEC application dependency topology is shown in fig. 1, and the MEC system topology has a plurality of MEC hosts running different application services provided by 5G MEC containers, where in the existing MEC architecture, APIs for communication between the MEC hosts are specified, and the hosts can be interconnected through interfaces. An MEC application is running on MEC host 1, the running of which depends on the services provided by the containers in MEC host 1, MEC host 2 and MEC host 3. Moreover, MEC is an open platform, where multiple users access multiple applications and services simultaneously, so the MEC system needs to support remote attestation of multiple 5G MEC containers simultaneously to provide high quality services and user experience.
Further, remote attestation of a 5G MEC container has to be split into two parts: remote attestation of the underlying host physical platform and remote attestation of the container itself on top. Since the vTPM (virtual Trusted Platform Module) is a virtual device emulated at the software layer whereas the TPM (Trusted Platform Module) is a hardware device, the vTPM needs more computing resources to emulate the TPM's behaviour, and the Quote operation of a vTPM is therefore typically more time-consuming than that of a TPM. The present invention therefore focuses on remote attestation of the 5G MEC container itself.
In accordance with an embodiment of the present invention, there is provided a 5G MEC multi-container remote attestation method embodiment, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown herein.
In this embodiment, a 5G MEC multi-container remote attestation method is provided for a 5G MEC multi-container remote attestation system, as shown in fig. 2, the 5G MEC multi-container remote attestation system 2 includes a MEC manager 21 and a plurality of MEC hosts 22. Where MEC manager 21 includes MEC verification agent 211, each MEC host 22 includes 5G MEC container 221 and MEC host verification agent 222.
Fig. 3 is a flow chart of a 5G MEC multi-container remote attestation method according to an embodiment of the invention, as shown in fig. 3, the flow comprising the steps of:
in step S301, the MEC verification agent obtains a preset multi-container identification list and a plurality of 5G MEC containers.
Here the preset multi-container identification list includes the container identifier of each 5G MEC container 221 that needs to be remotely attested.
Step S302: based on the preset multi-container identification list and the plurality of 5G MEC containers, a multi-container attestation tree is generated through MEC verification agent processing.
Specifically, MEC verification agent 211 generates, according to the preset multi-container identification list, a multi-container attestation tree MCAT (MEC Container Attestation Tree) for the plurality of multi-container remote attestation tasks.
In step S303, the MEC verification agent performs remote attestation on each 5G MEC container in the plurality of MEC hosts based on the multi-container attestation tree, to obtain a remote attestation result of each 5G MEC container.
Specifically, with the generated multi-container attestation tree, the remote attestation tasks that originally belonged to the MEC manager 21 are issued to the respective MEC hosts 22, and each 5G MEC container 221 is remotely attested by the MEC host verification agent 222 in its MEC host 22, reducing the burden on the MEC manager 21 and the time complexity of performing the remote attestation tasks.
In the 5G MEC multi-container remote attestation method, a MEC host verification agent is added to the user layer of each MEC host to remotely attest the 5G MEC containers in that host, which solves the problem that all remote attestation tasks depend on the MEC verification agent on the MEC manager for execution, reduces service delay, and improves the stability and reliability of the MEC system. Further, a multi-container attestation tree is generated from the 5G MEC containers; the remote attestation tasks that originally belonged to the MEC manager are issued to each MEC host by means of this tree, and remote attestation of each 5G MEC container is carried out by the verification agent in each host, so that the burden on the MEC manager is reduced and the time complexity of executing the remote attestation tasks can be reduced.
In this embodiment, a 5G MEC multi-container remote attestation method is provided for a 5G MEC multi-container remote attestation system; as shown in fig. 2, the 5G MEC multi-container remote attestation system 2 includes a MEC manager 21 and a plurality of MEC hosts 22, where the MEC manager 21 includes a MEC verification agent 211 and each MEC host 22 includes a 5G MEC container 221 and a MEC host verification agent 222.
Fig. 4 is a flowchart of a 5G MEC multi-container remote attestation method, as shown in fig. 4, according to an embodiment of the present invention, the flowchart including the steps of:
in step S401, the MEC verification agent obtains a preset multi-container identification list and a plurality of 5G MEC containers. Please refer to step S301 in the embodiment shown in fig. 3 in detail, which is not described herein.
Step S402, based on a preset multi-container identification list and a plurality of 5G MEC containers, generating a multi-container proving tree through MEC verification agent processing.
Specifically, the step S402 includes:
step S4021, traversing the preset multi-container identifier list by using the MEC verification agent to obtain the container identifier of each 5G MEC container in the plurality of 5G MEC containers.
Specifically, traversing the preset multi-container identification list with MEC verification agent 211 may result in a container identification for each 5G MEC container 221.
In step S4022, the MEC verification agent selects a 5G MEC container to be verified from the plurality of 5G MEC containers.
Specifically, MEC verification agent 211 randomly selects one 5G MEC container to be verified among the plurality of 5G MEC containers 221.
Step S4023, taking the 5G MEC container to be verified as a root node, and generating a multi-container certification tree through MEC verification agent processing based on each container identifier and a preset container remote certification list.
Specifically, the selected 5G MEC container to be verified is used as the root node of the multi-container attestation tree MCAT. Then, based on each container identifier and the preset container remote attestation list, the corresponding multi-container attestation tree MCAT is generated through MEC verification agent processing.
In some alternative embodiments, step S4023 described above includes:
step a1, based on each container identifier, searching first remote attestation information of the 5G MEC container corresponding to each container identifier in a preset container remote attestation list by using an MEC verification agent.
Step a2: determining, with a preset judging method, at least one item of second remote attestation information among the first remote attestation information that does not meet the preset condition.
Step a3: using the MEC verification agent to perform physical platform remote attestation on the MEC host where the 5G MEC container corresponding to each item of second remote attestation information is located, to obtain at least one MEC host whose physical platform has been remotely attested.
Step a4: taking the 5G MEC container to be verified as the root node and the 5G MEC container corresponding to each physically attested MEC host as a child node, generating the multi-container attestation tree.
First, using the container identifier of each 5G MEC container 221 obtained by traversing the preset multi-container identification list, the first remote attestation information of the corresponding 5G MEC container 221 is looked up in the preset container remote attestation list.
Second, it is judged whether the first remote attestation information indicates success and is still within its validity period; if so, the corresponding container identifier is removed from the preset multi-container identification list.
If the first remote attestation information is unsuccessful or has expired, the MEC verification agent 211 performs physical platform remote attestation on the MEC host 22 where the 5G MEC container 221 corresponding to that container identifier is located, and after the attestation passes, the corresponding container is added to the multi-container attestation tree MCAT, as shown in fig. 5, where the information of each node in the MCAT includes the MEC host identifier and the container identifier. In fig. 5, New denotes the newly added child node.
Specifically, each node in the MCAT represents a 5G MEC container, and the links between the nodes represent the cooperative relationship of the parent node and the child node.
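The tree-generation steps S4021 to S4023 (a1 to a4) above, as an added worked example that is not code from the patent: the identification list is assumed to carry each container's host identifier alongside the container identifier (every MCAT node needs both), `attest_list`, `platform_attest`, `McatNode` and the sample data are constructed names, and the root container is passed in explicitly rather than chosen at random so the run is reproducible.

```python
from dataclasses import dataclass, field


@dataclass
class McatNode:
    """One MCAT node: the MEC host identifier plus the 5G MEC container identifier."""
    host: str
    container: str
    children: list = field(default_factory=list)


def attestation_is_valid(info, now):
    """Preset judging method (step a2): the earlier attestation counts only if it
    succeeded and is still within its validity period."""
    return info is not None and info["success"] and now < info["expires"]


def generate_mcat(ident_list, attest_list, root_id, platform_attest, now):
    """Steps S4021-S4023 / a1-a4: build the MEC Container Attestation Tree.

    ident_list      preset multi-container identification list, here as
                    (container_id, host_id) pairs (assumption: the host id is carried
                    with each container id, since every MCAT node needs both)
    attest_list     preset container remote attestation list:
                    container_id -> {"success": bool, "expires": unix time}
    root_id         the 5G MEC container to be verified (the page picks it at random;
                    it is passed in here so the result is reproducible)
    platform_attest callable(host_id) -> bool, the physical platform attestation
    Returns (root node, ids skipped because their attestation was still valid,
             ids whose host failed physical platform attestation).
    """
    hosts = dict(ident_list)
    if root_id not in hosts:
        raise ValueError(f"root container {root_id} is not in the identification list")
    root = McatNode(hosts[root_id], root_id)
    skipped, failed = [], []
    platform_ok = {}  # assumption: one physical platform attestation per host per run
    for cid, host in ident_list:                   # S4021: traverse the list
        if cid == root_id:
            continue
        info = attest_list.get(cid)                # a1: first remote attestation info
        if attestation_is_valid(info, now):        # a2: still valid -> drop from list
            skipped.append(cid)
            continue
        if host not in platform_ok:                # a3: attest the underlying host
            platform_ok[host] = bool(platform_attest(host))
        if platform_ok[host]:
            root.children.append(McatNode(host, cid))   # a4: the "New" child of fig. 5
        else:
            failed.append(cid)
    return root, skipped, failed


def tree_to_dict(node):
    """Plain-dict view of a tree, e.g. for sending it to the root node's MEC host."""
    return {"host": node.host, "container": node.container,
            "children": [tree_to_dict(c) for c in node.children]}


# Constructed sample data (not from the patent).
NOW = 1_700_000_000
IDENT_LIST = [("c1", "host1"), ("c2", "host1"), ("c3", "host2"),
              ("c4", "host3"), ("c5", "host3")]
ATTEST_LIST = {
    "c1": {"success": True,  "expires": NOW + 600},   # chosen as root below
    "c2": {"success": True,  "expires": NOW + 300},   # valid -> not attested again
    "c3": {"success": True,  "expires": NOW - 1},     # expired -> platform-attest host2
    "c4": {"success": False, "expires": NOW + 300},   # failed earlier -> attest host3
    # "c5" has no record at all -> attest host3
}


def demo_platform_attest(host):
    """Constructed physical platform attestation: host3 fails, the others pass."""
    return host != "host3"


def demo():
    root, skipped, failed = generate_mcat(IDENT_LIST, ATTEST_LIST, "c1",
                                          demo_platform_attest, NOW)
    return tree_to_dict(root), skipped, failed


if __name__ == "__main__":
    print(demo())
```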
In step S403, the MEC verification agent performs remote attestation on each 5G MEC container in the plurality of MEC hosts based on the multi-container attestation tree, to obtain a remote attestation result for each 5G MEC container. Please refer to step S303 in the embodiment shown in fig. 3 in detail, which is not described herein.
In the 5G MEC multi-container remote attestation method, the 5G MEC containers are used as nodes and a corresponding multi-container attestation tree is generated; the remote attestation tasks that originally belonged to the MEC manager are then issued to each MEC host by means of this tree, and remote attestation of each 5G MEC container is carried out by the verification agent in each host, so that the burden on the MEC manager is reduced and the time complexity of executing the remote attestation tasks can be reduced.
In this embodiment, a 5G MEC multi-container remote attestation method is provided for a 5G MEC multi-container remote attestation system; as shown in fig. 2, the 5G MEC multi-container remote attestation system 2 includes a MEC manager 21 and a plurality of MEC hosts 22, where the MEC manager 21 includes a MEC verification agent 211 and each MEC host 22 includes a 5G MEC container 221 and a MEC host verification agent 222. Specifically, the 5G MEC container 221 and the MEC host verification agent 222 are integrated at the user layer of the MEC host 22.
Fig. 6 is a flowchart of a 5G MEC multi-container remote attestation method, as shown in fig. 6, according to an embodiment of the invention, the flowchart including the steps of:
in step S601, the MEC verification agent obtains a preset multi-container identification list and a plurality of 5G MEC containers. Please refer to step S301 in the embodiment shown in fig. 3 in detail, which is not described herein.
Step S602, based on a preset multi-container identification list and a plurality of 5G MEC containers, generating a multi-container proving tree through MEC verification agent processing. Please refer to step S402 in the embodiment shown in fig. 4 in detail, which is not described herein.
In step S603, the MEC verification agent performs remote attestation on each 5G MEC container in the plurality of MEC hosts based on the multi-container attestation tree, to obtain a remote attestation result for each 5G MEC container.
Specifically, the step S603 includes:
In step S6031, remote attestation is performed on the root node in the multi-container attestation tree by the MEC verification agent.
Specifically, MEC verification agent 211 performs remote attestation on the root node of the multi-container attestation tree and records the result.
In step S6032, after the remote attestation is finished, the MEC verification agent sends the multi-container attestation tree to the MEC host corresponding to the root node.
Specifically, after the remote attestation is completed, MEC verification agent 211 sends the multi-container attestation tree MCAT to the MEC host 22 where the root node resides.
In step S6033, the MEC host verification agent in that MEC host verifies and remotely attests each child node of the root node according to the multi-container attestation tree.
In the multi-container attestation tree MCAT, each parent node performs 5G MEC container remote attestation on its child nodes, and the node information of each node comprises an MEC host identification and a 5G MEC container identification.
Specifically, the MEC host verification agent 222 in the MEC host 22 where the root node resides verifies and remotely attests the root node's child nodes based on the received MCAT.
In step S6034, the following is repeated: when verification fails, the child node is added to an untrusted node list; based on each child node, at least one child verification tree is extracted from the multi-container attestation tree, and each child verification tree is sent to the MEC host corresponding to that child node for verification and remote attestation, until the child node is a leaf node. A remote attestation result of each child node is thereby obtained.
Here each child node represents one 5G MEC container, and the remote attestation result includes the untrusted node list of the child node.
Specifically, if the verification fails, the node is added to the untrusted node list. Two child verification trees, rooted at the left child node and the right child node of the root node, are then extracted from the multi-container attestation tree MCAT and sent to the corresponding child nodes. As shown in fig. 7, Tree1 and Tree2 are sent to node 1 and node 2, respectively. The child verification tree of a node is the verification tree extracted from the MCAT that takes that child node as its root node.
Further, each node in the multi-container attestation tree MCAT that receives a child verification tree repeats the above steps for each of its child nodes, i.e. verifies the child nodes, extracts the child verification trees and sends them to the child nodes, until the child nodes are leaf nodes; the remote attestation result of each child node is thereby obtained.
As shown in fig. 7, after node 1 remotely attests node 3 and node 4, Tree1 is split into Tree3 and Tree4, which are sent to node 3 and node 4 respectively, while node 2 cannot split and send child verification trees any further because its child nodes 5 and 6 are leaf nodes.
Further, the remote attestation result includes a list of untrusted nodes of the child node.
In step S6035, each remote attestation result is uploaded to the MEC verification agent based on the multi-container attestation tree.
Specifically, each non-leaf node in the multi-container attestation tree MCAT reports the remote attestation result of its child verification tree to its parent node, so all remote attestation results can be uploaded in turn to the corresponding MEC verification agent through the multi-container attestation tree MCAT.
In step S6036, after receiving each remote attestation result, the MEC manager corresponding to the MEC verification agent verifies each remote attestation result and records each remote attestation result.
Specifically, the MEC manager 21 verifies each remote attestation result received and records the remote attestation results of all nodes.
In some alternative embodiments, step S6035 includes:
Step b1: when a node in the multi-container attestation tree is not the root node and is a non-leaf node, the untrusted node list corresponding to the non-leaf node is processed to obtain a first remote attestation result containing a signed digest, the untrusted node list and a public key certificate, and the first remote attestation result is uploaded to the parent node of the non-leaf node.
Step b2: after each non-leaf node in the multi-container attestation tree receives the remote attestation result of each of its child nodes, it verifies the public key certificate contained in the remote attestation result to obtain a public key certificate verification result.
Step b3: the remote attestation result of each child node is verified based on each public key certificate verification result.
Step b4: when the remote attestation result is authentic and complete, the untrusted node list contained in each remote attestation result is merged with the untrusted node list corresponding to the non-leaf node to obtain a second remote attestation result of the non-leaf node.
Step b5: steps b1 to b4 are repeated, that is, the untrusted node list corresponding to the non-leaf node is processed when a node in the multi-container attestation tree is not the root node and is a non-leaf node, a first remote attestation result comprising a signed digest, the untrusted node list and a public key certificate is obtained and uploaded to the parent node of the non-leaf node, and, when the remote attestation result is authentic and complete, the untrusted node list contained in each remote attestation result is merged with the untrusted node list corresponding to the non-leaf node to obtain a second remote attestation result of the non-leaf node, until the node is the root node, thereby obtaining a plurality of first remote attestation results and a plurality of second remote attestation results.
Step b6: the plurality of first remote attestation results and the plurality of second remote attestation results are transmitted to the MEC verification agent.
In particular, if the node is not the root node, a digest is first generated for the untrusted node list corresponding to the non-leaf node, the digest is then signed with the node's private key, and the signed digest, the untrusted node list and the public key certificate are uploaded to the parent node of the non-leaf node as the first remote attestation result. The untrusted node list may be empty.
Further, after a non-leaf node in the multi-container attestation tree MCAT receives the remote attestation result returned by each child node, it first verifies the received child node's public key certificate, and the public key certificate is then used to verify the authenticity and integrity of the remote attestation result. If the remote attestation result is authentic and complete, the untrusted node list in the remote attestation result is merged with the node's own untrusted node list, giving the second remote attestation result corresponding to the non-leaf node.
Further, steps b1 to b4 are repeated until the node is the root node; the remote attestation results (a plurality of first remote attestation results and a plurality of second remote attestation results) are then transmitted to the MEC manager, and after verification by the MEC manager, the remote attestation results of all nodes are recorded.
According to the 5G MEC multi-container remote attestation method, an MEC host verification agent is added to the user layer of each MEC host to remotely attest the 5G MEC containers in that MEC host, which solves the problem that all remote attestation tasks depend on the MEC verification agent on the MEC manager for execution, reduces service delay, and improves the stability and reliability of the MEC system. Further, a multi-container attestation tree is generated from the 5G MEC containers, the remote attestation tasks that originally belonged to the MEC manager are issued to each MEC host by means of the generated multi-container attestation tree, and remote attestation is carried out on each 5G MEC container by the verification agent in each host, so that the burden of the MEC manager is reduced and the time complexity of executing the remote attestation tasks can be reduced. At the same time, all remote attestation results are uploaded in turn to the corresponding MEC verification agent through the multi-container attestation tree, each received remote attestation result is verified by the MEC manager where the MEC verification agent is located, and the remote attestation result of each node is recorded, which provides a basis for subsequent use.
In this embodiment, a 5G MEC multi-container remote attestation system is provided for executing the 5G MEC multi-container remote attestation method provided by the foregoing embodiment of the present invention. Fig. 2 is a block diagram of a 5G MEC multi-container remote attestation system according to an embodiment of the present invention, as shown in fig. 2, the 5G MEC multi-container remote attestation system 2 includes a MEC manager 21 and a MEC host 22.
Wherein the number of MEC hosts 22 may be one or more.
Further, the MEC manager 21 includes an MEC verification agent 211 and a privacy certificate authority 212; each MEC host 22 includes a 5G MEC container 221, an MEC host verification agent 222, a certificate agent 223, an MEC remote attestation agent 224, a virtual trusted platform module manager 225, a measurement agent 226, and a trusted platform module 227.
Specifically, the 5G MEC container 221, the MEC host verification agent 222, the certificate agent 223, and the MEC remote attestation agent 224 are integrated at the user layer of the MEC host 22.
Further, the virtual trusted platform module manager 225 and the metrics agent 226 are integrated at the kernel layer of the MEC host 22; the trusted platform module 227 is integrated at the hardware layer of the MEC host 22.
According to the 5G MEC multi-container remote attestation system, an MEC host verification agent is added to the user layer of each MEC host to remotely attest the 5G MEC containers in that MEC host, which solves the problem that all remote attestation tasks depend on the MEC verification agent on the MEC manager for execution, reduces service delay, and improves the stability and reliability of the MEC system.
In one example, a 5G MEC container attestation tree (MEC Container Attestation Tree, MCAT) generation method is provided, as shown in fig. 5.
Specifically, each node in the MCAT represents a 5G MEC container; the child verification tree of a node is the verification tree extracted from the MCAT that takes that child node as its root node; and the line between two nodes represents the cooperative relationship between the parent node and the child node, i.e. the parent node performs 5G MEC container remote attestation on the child node, and a non-leaf node reports the remote attestation result of its child verification tree to its parent node.
Further, to enable MCAT-based completion of batch remote attestation of 5G MEC containers, a MEC system architecture as shown in fig. 8 is proposed, where PCA (Privacy Certification Authority) represents a privacy certificate authority.
Specifically, an MEC host verification agent is added to the user layer of each MEC host; each MEC host verification agent maintains a list of untrusted containers and can remotely attest the containers on its host. The MEC host uses the integrity measurement architecture to measure the MEC host verification agent and extends the measurement values into PCRs of the TPM.
Further, the MCAT-based multi-container remote attestation method is mainly divided into three phases: an initialization stage, a remote certification task issuing stage and a remote certification result uploading stage.
(1) Initialization phase
Let the list of container identifications corresponding to the plurality of containers requiring remote attestation be given. According to this list, the MEC verification agent generates the MCAT for the multi-container remote attestation task, as shown in fig. 9.
Specifically, the MEC verification agent first selects a 5G MEC container to be verified as the root node of the MCAT, then traverses the list and, for each container identification, looks up the remote attestation information corresponding to that 5G MEC container. If a successful remote attestation result exists and is still within its validity period, the entry is removed from the list; if no successful remote attestation result exists or the result has failed, physical platform remote attestation is performed on the host where the container is located, and the corresponding container is added to the MCAT after that remote attestation passes. The information of each node in the MCAT includes the MEC host identification, the container identification, and the corresponding vPCR reference value.
(2) Remote attestation task issuing stage
In this stage, the nodes in the MCAT cooperatively execute the remote attestation task: after each node finishes executing its own remote attestation task, it issues the remote attestation task to its child nodes by extracting subtrees, as shown in fig. 7.
Specifically, the steps of the remote attestation task issuing stage are as follows:
Step1: The MEC verification agent performs remote attestation on the root node and records the result, then sends the MCAT to the MEC host where the root node resides. The MEC host verification agent in that host verifies the root node's child nodes according to the received MCAT, and if verification fails, the node is added to the untrusted node list. Two child verification trees, rooted at the left child node and the right child node of the root node, are then extracted from the MCAT and sent to the corresponding child nodes. As shown in fig. 7, Tree1 and Tree2 are sent to node 1 and node 2, respectively.
Step2: Each node in the MCAT that receives a child verification tree repeats the Step1 operations of the root node for its own child nodes, i.e. verifies the child nodes, extracts the child verification trees and sends them to the child nodes, until the child nodes are leaf nodes. As shown in fig. 7, after node 1 remotely attests node 3 and node 4, Tree1 is split into Tree3 and Tree4, which are sent to node 3 and node 4 respectively, while node 2 cannot split and send child verification trees any further because its child nodes 5 and 6 are leaf nodes.
(3) Remote attestation result upload stage
At this stage, each non-leaf node in the MCAT reports the remote attestation result from the bottom up to the parent node, as shown in fig. 10.
Specifically, the steps of the remote attestation result uploading stage are as follows:
Step1: If the node is not the root node, it first generates a digest of its untrusted node list, then signs the digest with its private key, and uploads the signed digest, the untrusted node list and its public key certificate to its parent node as the remote attestation result; the untrusted node list may be empty.
Step2: After receiving the remote attestation result returned by each child node, the non-leaf node in the MCAT first verifies the received child node's public key certificate, and then uses the public key certificate to verify the authenticity and integrity of the remote attestation result. If the remote attestation result is authentic and complete, the untrusted node list in the remote attestation result is merged with the node's own list. If this non-leaf node is the root node, go to Step3; otherwise go to Step1.
Step3: All remote attestation results are sent to the MEC manager, and after verification by the MEC manager, the remote attestation results of all nodes are recorded.
In this embodiment, a 5G MEC multi-container remote attestation apparatus is further provided; the apparatus is used to implement the foregoing embodiments and preferred embodiments, and what has already been described is not repeated here. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a 5G MEC multi-container remote attestation apparatus for a 5G MEC multi-container remote attestation system. As shown in fig. 2, the 5G MEC multi-container remote attestation system 2 includes an MEC manager 21 and a plurality of MEC hosts 22, where the MEC manager 21 comprises an MEC verification agent 211 and each MEC host 22 comprises a 5G MEC container 221 and an MEC host verification agent 222. Specifically, the 5G MEC container 221 and the MEC host verification agent 222 are integrated at the user layer of the MEC host 22. As shown in fig. 11, the apparatus includes:
an obtaining module 701, configured to obtain a preset multi-container identifier list and a plurality of 5G MEC containers by the MEC verification agent.
The processing module 702 is configured to generate a multi-container attestation tree, through MEC verification agent processing, based on the preset multi-container identifier list and the plurality of 5G MEC containers.
The remote attestation module 703 is configured to remotely attest, by the MEC verification agent, each 5G MEC container in the plurality of MEC hosts based on the multi-container attestation tree, and obtain a remote attestation result of each 5G MEC container.
In some alternative embodiments, the processing module 702 includes:
A traversing unit, configured to traverse the preset multi-container identification list using the MEC verification agent, to obtain the container identification of each 5G MEC container in the plurality of 5G MEC containers.
A selecting unit, configured to have the MEC verification agent select one 5G MEC container to be verified from the plurality of 5G MEC containers.
A processing unit, configured to take the 5G MEC container to be verified as the root node and generate the multi-container attestation tree, through MEC verification agent processing, based on each container identifier and a preset container remote attestation list.
In some alternative embodiments, the processing unit includes:
A searching subunit, configured to search, using the MEC verification agent and based on each container identifier, the preset container remote attestation list for the first remote attestation information of the 5G MEC container corresponding to each container identifier.
A judging subunit, configured to determine, using a preset judging method, at least one piece of second remote attestation information that does not meet a preset condition among the pieces of first remote attestation information.
A remote attestation subunit, configured to perform, using the MEC verification agent, physical platform remote attestation on the MEC host where the 5G MEC container corresponding to each piece of second remote attestation information is located, to obtain at least one MEC host that has passed physical platform remote attestation.
A generating subunit, configured to generate the multi-container attestation tree by taking the 5G MEC container to be verified as the root node and the 5G MEC container corresponding to each MEC host that has passed physical platform remote attestation as a child node.
In some alternative embodiments, the remote attestation module 703 includes:
A remote attestation unit, configured to remotely attest the root node in the multi-container attestation tree using the MEC verification agent.
A sending unit, configured to have the MEC verification agent send the multi-container attestation tree to the MEC host corresponding to the root node after the remote attestation is finished.
A verification and remote attestation unit, configured to have the MEC host verification agent in that MEC host verify and remotely attest each child node of the root node according to the multi-container attestation tree.
A repeating unit, configured to repeat the following: after verification fails, add the child node to the untrusted node list; based on each child node, extract at least one child verification tree from the multi-container attestation tree; and send each child verification tree to the MEC host corresponding to that child node for verification and remote attestation, until the child node is a leaf node, so as to obtain the remote attestation result of each child node, where each child node represents one 5G MEC container and the remote attestation result includes the untrusted node list of the child node.
An uploading unit, configured to upload each remote attestation result to the MEC verification agent based on the multi-container attestation tree.
In some alternative embodiments, the uploading unit comprises:
A processing subunit, configured to process, when a node in the multi-container attestation tree is not the root node and is a non-leaf node, the untrusted node list corresponding to the non-leaf node to obtain a first remote attestation result containing a signed digest, the untrusted node list and a public key certificate, and to upload the first remote attestation result to the parent node of the non-leaf node.
A verification subunit, configured to verify, after each non-leaf node in the multi-container attestation tree receives the remote attestation result of each of its child nodes, the public key certificate contained in the remote attestation result, so as to obtain a public key certificate verification result.
A merging subunit, configured to merge, when the remote attestation result is authentic and complete, the untrusted node list contained in each remote attestation result with the untrusted node list corresponding to the non-leaf node, so as to obtain a second remote attestation result of the non-leaf node.
A repeating subunit, configured to repeat the steps of processing the untrusted node list corresponding to the non-leaf node when a node in the multi-container attestation tree is not the root node and is a non-leaf node, obtaining a first remote attestation result comprising a signed digest, the untrusted node list and a public key certificate, uploading the first remote attestation result to the parent node of the non-leaf node, and, when the remote attestation result is authentic and complete, merging the untrusted node list contained in each remote attestation result with the untrusted node list corresponding to the non-leaf node to obtain a second remote attestation result of the non-leaf node, until the node is the root node, so as to obtain a plurality of first remote attestation results and a plurality of second remote attestation results.
A transmitting subunit, configured to transmit the plurality of first remote attestation results and the plurality of second remote attestation results to the MEC verification agent.
In some alternative embodiments, the remote attestation module 703 further includes:
A verification and recording unit, configured to have the MEC manager corresponding to the MEC verification agent verify each remote attestation result after receiving it, and record each remote attestation result.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The 5G MEC multi-container remote attestation apparatus in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory executing one or more software or fixed programs, and/or other devices that can provide the functionality described above.
The embodiment of the invention also provides computer equipment provided with the 5G MEC multi-container remote attestation apparatus shown in fig. 11.
Referring to fig. 12, fig. 12 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention. As shown in fig. 12, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to an interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 12.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method for implementing the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer readable storage medium. The method according to the embodiments of the present invention described above may be implemented in hardware, in firmware, or as computer code that may be recorded on a storage medium, or as computer code originally stored on a remote storage medium or a non-transitory machine readable storage medium, downloaded through a network and stored in a local storage medium, so that the method described herein may be processed by such software stored on a storage medium using a general purpose computer, a special purpose processor, or programmable or special purpose hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of memories of the kinds described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (9)

1. A 5G MEC multi-container remote attestation method for a 5G MEC multi-container remote attestation system, the system comprising a MEC manager and a plurality of MEC hosts, the MEC manager comprising a MEC verification agent, each of the MEC hosts comprising a 5G MEC container and a MEC host verification agent; the method comprises the following steps:
the MEC verification agent acquires a preset multi-container identification list and a plurality of 5G MEC containers;
generating a multi-container certification tree based on the preset multi-container identification list and the plurality of 5G MEC containers through the MEC verification agent processing;
the MEC verification agent performs remote certification on each 5G MEC container in the MEC hosts based on the multi-container certification tree to obtain a remote certification result of each 5G MEC container;
wherein generating a multi-container attestation tree based on the preset multi-container identification list and the plurality of 5G MEC containers through the MEC verification proxy processing includes:
traversing the preset multi-container identification list by utilizing the MEC verification agent to obtain the container identification of each 5G MEC container in the plurality of 5G MEC containers;
the MEC verification agent selects one 5G MEC container to be verified from the plurality of 5G MEC containers;
and taking the 5G MEC container to be verified as a root node, and generating the multi-container attestation tree based on each container identifier and a preset container remote attestation list through processing of the MEC verification agent.
2. The method of claim 1, wherein generating the multi-container attestation tree by the MEC verification agent processing based on each of the container identifications and a preset container remote attestation list with the 5G MEC container to be verified as a root node comprises:
based on each container identifier, searching first remote attestation information of the 5G MEC container corresponding to each container identifier in a preset container remote attestation list by utilizing the MEC verification agent;
determining at least one piece of second remote attestation information which does not meet preset conditions in each piece of first remote attestation information by using a preset judging method;
performing physical platform remote attestation on the MEC host where the 5G MEC container corresponding to each piece of second remote attestation information is located by using the MEC verification agent to obtain at least one MEC host remotely attested by the physical platform;
and taking the 5G MEC container to be verified as a root node, and taking the 5G MEC container corresponding to each MEC host remotely attested by the physical platform as a child node to generate the multi-container attestation tree.
3. The method of claim 1, wherein the node information of each node in the multi-container attestation tree comprises a MEC host identifier and a 5G MEC container identifier, and each parent node in the multi-container attestation tree performs 5G MEC container remote attestation on its child nodes;
remotely attesting, by the MEC verification agent, each 5G MEC container in the plurality of MEC hosts based on the multi-container attestation tree to obtain a remote attestation result of each 5G MEC container comprises:
remotely attesting the root node of the multi-container attestation tree with the MEC verification agent;
after the remote attestation is completed, sending, by the MEC verification agent, the multi-container attestation tree to the MEC host corresponding to the root node;
verifying and remotely attesting, by the MEC host verification agent in that MEC host, each child node of the root node according to the multi-container attestation tree;
when verification of a child node fails, adding the child node to an untrusted node list; obtaining, based on each child node, at least one sub-tree of the multi-container attestation tree and sending each sub-tree to the MEC host corresponding to that child node for verification and remote attestation, and repeating this until the child node is a leaf node, so as to obtain a remote attestation result of each child node, wherein each child node represents one 5G MEC container and the remote attestation result comprises the untrusted node list of the child node; and
uploading each remote attestation result to the MEC verification agent based on the multi-container attestation tree.
4. The method of claim 3, wherein uploading each remote attestation result to the MEC verification agent based on the multi-container attestation tree comprises:
when a node in the multi-container attestation tree is neither the root node nor a leaf node, processing the untrusted node list corresponding to that non-leaf node to obtain a first remote attestation result comprising a signature digest, the untrusted node list and a public key certificate, and uploading the first remote attestation result to the parent node of the non-leaf node;
when a non-leaf node in the multi-container attestation tree receives the remote attestation result of each of its child nodes, verifying the public key certificate contained in each remote attestation result to obtain a public key certificate verification result;
verifying the remote attestation result of each child node based on the corresponding public key certificate verification result;
when the remote attestation results are authentic and complete, merging the untrusted node list contained in each remote attestation result with the untrusted node list of the non-leaf node to obtain a second remote attestation result of the non-leaf node;
repeating the steps from processing the untrusted node list of a non-leaf node that is not the root node, through uploading the first remote attestation result to its parent node, to merging the untrusted node lists when the remote attestation results are authentic and complete, level by level until the node is the root node, thereby obtaining a plurality of first remote attestation results and a plurality of second remote attestation results; and
sending the plurality of first remote attestation results and the plurality of second remote attestation results to the MEC verification agent.
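The tree walk of claims 3 and 4, as an added example that is not part of the patent: each host attests its children, delegates each child's sub-tree to the child's host, verifies the digest on the result that comes back, and merges the child's untrusted node list into its own before passing the merged list upward. The tree, the key table and the pass/fail table are constructed, and an HMAC keyed per host stands in for the signature digest and public key certificate the patent describes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for each MEC host's signing key. The patent has each node sign
# its result and attach a public key certificate; HMAC over a key table is used here
# only so the example runs offline without a PKI.
HOST_KEYS = {"host-A": b"key-A", "host-B": b"key-B", "host-C": b"key-C", "host-D": b"key-D"}
# Constructed outcome of per-container remote attestation: these containers fail.
FAILED_CONTAINERS = {"ctr-3"}

@dataclass
class Node:
    """One node of the multi-container attestation tree: MEC host id and 5G MEC container id."""
    host: str
    container: str
    children: list = field(default_factory=list)

def sign_result(host, untrusted):
    """Signature digest over a node's untrusted-node list (stand-in for the real signature)."""
    msg = ",".join(sorted(untrusted)).encode()
    return hmac.new(HOST_KEYS[host], msg, hashlib.sha256).hexdigest()

def verify_result(host, untrusted, digest):
    """Parent-side check that a child's uploaded result is authentic and complete."""
    return hmac.compare_digest(sign_result(host, untrusted), digest)

def attest_container(container):
    """Parent remotely attests one child container; constructed pass/fail table."""
    return container not in FAILED_CONTAINERS

def attest_subtree(node):
    """The host of `node` attests each child, hands the child's sub-tree to the child's
    host, verifies the digest on the result that comes back, and merges the child's
    untrusted list into its own. Returns (untrusted_list, digest, host) for the parent."""
    untrusted = []
    for child in node.children:
        if not attest_container(child.container):
            untrusted.append(child.container)
        child_list, child_digest, child_host = attest_subtree(child)
        if verify_result(child_host, child_list, child_digest):
            untrusted.extend(child_list)
        else:
            # Assumption: a result that fails verification marks that child as untrusted.
            untrusted.append(child.container)
    untrusted = sorted(set(untrusted))
    return untrusted, sign_result(node.host, untrusted), node.host
```

The MEC verification agent would call `attest_subtree` on the root and check the returned digest with `verify_result` before recording the untrusted node list.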
5. The method of claim 3, characterized in that the method further comprises:
after receiving each remote attestation result, verifying and recording each remote attestation result by the MEC manager corresponding to the MEC verification agent.
6. A 5G MEC multi-container remote attestation system for performing the 5G MEC multi-container remote attestation method of any one of claims 1 to 5, characterized in that the system comprises a MEC manager and a plurality of MEC hosts;
the MEC manager comprises the MEC verification agent, and each MEC host comprises a 5G MEC container and a MEC host verification agent, the 5G MEC container and the MEC host verification agent being integrated in the user layer of the MEC host.
7. The system of claim 6, characterized in that:
the MEC manager further comprises a privacy certificate authority;
each MEC host further comprises a certificate agent, a MEC remote attestation agent, a virtual trusted platform module manager, a measurement agent and a trusted platform module; and
the certificate agent and the MEC remote attestation agent are integrated in the user layer of the MEC host, the virtual trusted platform module manager and the measurement agent are integrated in the kernel layer of the MEC host, and the trusted platform module is integrated in the hardware layer of the MEC host.
8. A 5G MEC multi-container remote attestation apparatus for use in a 5G MEC multi-container remote attestation system, the system comprising a MEC manager and a plurality of MEC hosts, the MEC manager comprising a MEC verification agent, and each MEC host comprising a 5G MEC container and a MEC host verification agent; the apparatus comprises:
an acquisition module, configured to acquire, by the MEC verification agent, a preset multi-container identification list and a plurality of 5G MEC containers;
a processing module, configured to generate, by the MEC verification agent, a multi-container attestation tree based on the preset multi-container identification list and the plurality of 5G MEC containers; and
a remote attestation module, configured to remotely attest, by the MEC verification agent, each 5G MEC container in the MEC hosts based on the multi-container attestation tree to obtain a remote attestation result of each 5G MEC container;
wherein the processing module comprises:
a traversal unit, configured to traverse the preset multi-container identification list with the MEC verification agent to obtain the container identifier of each of the plurality of 5G MEC containers;
a selection unit, configured to select, by the MEC verification agent, one 5G MEC container to be verified from the plurality of 5G MEC containers; and
a processing unit, configured to take the 5G MEC container to be verified as a root node and generate, by the MEC verification agent, the multi-container attestation tree based on each container identifier and a preset container remote attestation list.
9. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the 5G MEC multi-container remote attestation method of any one of claims 1 to 5.
CN202311380052.1A 2023-10-24 2023-10-24 5G MEC multi-container remote certification method, system, device and medium Active CN117119456B (en)
Publications (2)

Publication Number Publication Date
CN117119456A CN117119456A (en) 2023-11-24
CN117119456B true CN117119456B (en) 2024-01-23
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant