Background technology
In today's computing world, Intel Virtualization Technology is applied more and more widely. The virtualized computer components run on a virtual basis rather than on the real hardware. Intel Virtualization Technology can enlarge the capacity of the hardware and simplify the process of reconfiguring software; a plurality of operating systems can run simultaneously on one platform, and application programs can run in separate spaces independently of each other, which significantly improves the operating efficiency of the computer.
Xen is an open-source virtualization product. A Xen virtualized environment is made up of the Xen Hypervisor, Domain U (further divided into paravirtualized and fully virtualized) and Domain 0. The Xen Hypervisor is the core and foundation of Xen: to a virtual machine, the Xen Hypervisor is an abstract hardware layer, and the virtual machines run on top of it. The Xen Hypervisor is responsible for scheduling the virtual machines, allocating their memory and controlling their execution. Domain U is the virtualized product of Xen, the virtual machine made available for the user's use. Domain U comes in two types, fully virtualized virtual machines and paravirtualized virtual machines: a "paravirtualized virtual machine" is a virtual server whose operating system has been modified to suit Xen, while a "fully virtualized virtual machine" is a virtual server running an unmodified operating system. Domain 0 is the privileged virtual machine of Xen, a specially modified Linux kernel; Domain 0 is a special virtual machine that serves Domain U and is generally not used by the user.
Dynamic migration, also called hot migration, means moving a virtual machine from a source physical server to a target physical server. After the migration is finished the virtual machine still runs smoothly, and the user cannot perceive any difference. For the Xen product, dynamic migration of a Xen virtual machine means moving a certain Domain U on the source physical server to the target physical server.
The open-source Xen community provides a series of virtual machine management and control tools, including xl, xm, xend, libxenctl etc.; xm among them is a command-line virtual machine management tool that provides the dynamic migration function. As shown in Fig. 1, the xm-based dynamic migration method of a Xen virtual machine is as follows:
First, a network connection is set up between source physical server 10 and target physical server 20. Source physical server 10 and target physical server 20 may be connected to the same switch, or a complex network environment may lie between them; they may even need to be reached across the Internet.
Second, the state and information (state and information together are referred to as data) of a certain Xen Domain U virtual machine 11 at this moment are moved over the network from source physical server 10 to target physical server 20. The information of Domain U virtual machine 11 means the memory contents of the Domain U virtual machine, and the memory contents are the bulk of the data transfer. For example, a virtual machine using 2G of memory needs to transmit 2G of information. The state of Domain U virtual machine 11 comprises the virtual machine configuration and the device state.
Third, Domain U virtual machine 11 in source physical server 10 is suspended (paused), and the information that Domain U virtual machine 11 changed while the second step was in progress is migrated. Before this third step, Domain U virtual machine 11 has been running the whole time; although the second step has sent the entire data of Domain U virtual machine 11 to target physical server 20, Domain U virtual machine 11 may have modified its information again while the second step was executing. Therefore this third step first suspends (pauses) Domain U virtual machine 11 in source physical server 10, to guarantee that Domain U virtual machine 11 in source physical server 10 no longer changes its information, and then transfers the information that Domain U virtual machine 11 in source physical server 10 changed during the second step to target physical server 20. Because the second step does not last long (approximately 1-3 minutes, depending on the memory size), the amount of changed memory information in the Domain U virtual machine is not very large, so this third step also takes very little time (generally 200-600 milliseconds).
Fourth, Domain U virtual machine 21 in target physical server 20 is resumed. After the entire data (all state and information) of Domain U virtual machine 11 in source physical server 10 has truly been moved into target physical server 20, a new Domain U virtual machine 21 (in the suspended state) is formed in target physical server 20; the suspended Domain U virtual machine 21 in target physical server 20 can then be resumed, so that Domain U virtual machine 21 runs on target physical server 20.
In practice, for example, when hardware needs maintenance, the above xm-based dynamic migration method of a Xen virtual machine can be used to migrate the Domain U virtual machine in the source physical server requiring maintenance to a standby machine (the target physical server); after the maintenance is finished, it is migrated back to the original source physical server. This migration process lets all system services and application programs run normally again after recovery, and the user does not perceive any interruption caused by the hardware maintenance. As another example, when high-availability heartbeat detection finds that a certain physical server has failed, the above xm-based dynamic migration method of a Xen virtual machine can dynamically migrate all virtual machines on the failed physical server to another normal physical server, thereby guaranteeing that the virtual machines do not go down because of a fault in the underlying physical hardware.
As can be seen from the above, the xm-based dynamic migration method of a Xen virtual machine makes load balancing among a plurality of physical servers possible, and the Domain U virtual machine migration realized by this dynamic migration method does not impact the user's work. In practice, however, it is found that because a complex network environment, or even the Internet, may lie between the source physical server and the target physical server, and the network communication between the two has no encryption measures whatsoever, the Domain U virtual machine migration realized by the above dynamic migration method of a Xen virtual machine has the following two potential safety hazards:
First, the migrated data can be eavesdropped. By monitoring the network between the source and target physical servers, an eavesdropper can obtain all the data transmitted in the migration process. If the user keeps confidential data (such as the user's bank card password) on the virtual machine, the unencrypted network communication may cause the user's confidential data to be leaked, producing a serious potential safety hazard. In addition, by analyzing the eavesdropped data, the eavesdropper may also learn the characteristics and vulnerabilities of the programs inside the virtual machine and attack the virtual machine.
Second, the migrated data can be modified. A hacker can not only monitor the network between the source and target physical servers, but also modify the data transmitted between them. By modifying the transmitted data, the hacker can implant a bug into the virtual machine and then control the whole virtual machine; all data and behaviour of the virtual machine are fully exposed to the hacker, who can collect security information or confidential information from the virtual machine's running environment, or release viruses that paralyze the virtual machine's running environment, causing a serious potential safety hazard.
Summary of the invention
The object of the present invention is to provide a Xen secure virtual machine dynamic migration method that can prevent an eavesdropper from stealing the transmitted data and guarantees the safety of the transmitted data.
To achieve this goal, the present invention adopts the following technical scheme:
A Xen secure virtual machine dynamic migration method, characterized in that it comprises the following steps:
Step 1: on the source physical server, based on the SSL protocol, generate a key using a symmetric encryption algorithm;
Step 2: on the target physical server, based on the SSL protocol, generate a public key and a private key using an asymmetric encryption algorithm, and transmit the generated public key over the network to the source physical server;
Step 3: on the source physical server, encrypt the key with the received public key, and transmit the encrypted key over the network to the target physical server;
Step 4: on the target physical server, decrypt the encrypted key with the private key to obtain the key;
Step 5: on the source physical server, encrypt the transmission object with the key, and transfer the encrypted transmission object to the target physical server;
Step 6: after the target physical server receives the encrypted transmission object, decrypt the encrypted transmission object, thereby completing the migration of the transmission object from the source physical server to the target physical server.
The advantages of the present invention are:
In the process of dynamically migrating a Xen Domain U virtual machine, the method of the invention uses the SSL protocol to set up a secure communication mechanism between the source and target physical servers, thereby effectively preventing an eavesdropper from stealing the transmitted data and guaranteeing the transmission security of the migration data. In addition, the method of the invention introduces a data integrity verification mechanism, thereby effectively preventing a hacker from tampering with the transmitted data.
Embodiment
The SSL protocol (abbreviation of Secure Socket Layer) can provide a secret transmission mechanism on the Internet. The SSL protocol specifies a mechanism that provides a data security layer between the application protocols (such as HTTP, Telnet, NNTP, FTP etc.) and the TCP/IP protocol; it provides data encryption, server authentication, message integrity and optional client authentication for TCP/IP connections. The Xen secure virtual machine dynamic migration method of the present invention sets up a secure communication mechanism between the source physical server and the target physical server based on the SSL protocol.
The Xen secure virtual machine dynamic migration method of the present invention is executed in the Domain 0 virtual machine. The present invention is described below.
As shown in Fig. 2, the Xen secure virtual machine dynamic migration method of the present invention comprises the following steps 1 to 6:
Step 1: on the source physical server, based on the SSL protocol, generate a key using a symmetric encryption algorithm;
Step 2: on the target physical server, based on the SSL protocol, generate a public key and a private key using an asymmetric encryption algorithm, and transfer the generated public key to the source physical server over the network in plaintext form (or another form) (based on the TCP/IP protocol; all network transmission below is based on the TCP/IP protocol);
Step 3: on the source physical server, encrypt the key with the received public key, and transmit the encrypted key over the network to the target physical server;
Step 4: on the target physical server, decrypt the encrypted key with the private key to obtain the key;
Step 5: on the source physical server, encrypt the transmission object with the key, and transfer the encrypted transmission object to the target physical server;
Step 6: after the target physical server receives the encrypted transmission object, decrypt the encrypted transmission object, thereby completing the migration of the transmission object from the source physical server to the target physical server.
In step 1 of the present invention, a symmetric encryption algorithm is used. A symmetric encryption algorithm (also called a private key encryption algorithm) is an encryption algorithm in which the same key is used for encryption and decryption. The characteristics of a symmetric encryption algorithm are that the algorithm is public, the amount of computation is small, the encryption speed is fast and the encryption efficiency is high. Because the amount of data the method of the invention dynamically migrates is fairly large (generally several GB of data) and the migration process needs to be finished as early as possible, the method of the invention adopts this highly efficient, fast symmetric encryption algorithm to encrypt the transmission object. Without the key, even if an eavesdropper has stolen the transmission object during network transmission, it cannot be decrypted.
In step 2 of the present invention, an asymmetric encryption algorithm is used. An asymmetric encryption algorithm generates a pair of completely different but completely matching keys, a public key and a private key; data encrypted with the public key can only be decrypted with the private key, and without the private key the encrypted data cannot be decrypted even if it has been obtained. An asymmetric encryption algorithm is thousands of times slower than a symmetric encryption algorithm, but in terms of communication security it has an advantage that a symmetric encryption algorithm can hardly reach (because the private key is held only by the decrypting party itself and need not be transmitted on the network, there is hardly any potential safety hazard). Therefore, in view of the communication security problem of symmetric encryption algorithms, and in order to guarantee the safety of the key, in the method of the invention the target physical server generates a public key and a private key with an asymmetric encryption algorithm and sends the generated public key to the source physical server; the source physical server then encrypts the key with the public key generated by this asymmetric encryption algorithm, while the private key generated by this asymmetric encryption algorithm is held only by the target physical server and is never transmitted over the network, so nobody else can obtain this private key. After the transmission object encrypted with the key has been sent from the source physical server to the target physical server, only the target physical server can decrypt the encrypted key with its private key, and after obtaining the key it decrypts the encrypted transmission object with the decrypted key; even if an eavesdropper has obtained the encrypted key, it cannot obtain the key because it lacks the private key that decrypts the key. The transmission safety of the key is thus guaranteed, and in turn the safety of the transmission object, preventing an eavesdropper from stealing the transmitted data.
In practical applications, the entire data of the Domain U virtual machine on the source physical server (the state and information of the Domain U virtual machine) can be moved from the source physical server to the target physical server in one go by the above method of the invention shown in Fig. 2; that is, the transmission object in step 5 can be the entire data of the Domain U virtual machine on the source physical server. Alternatively, the entire data of the Domain U virtual machine on the source physical server can be moved from the source physical server to the target physical server in batches by the above method of the invention shown in Fig. 2, a part of the data being migrated each time; that is, the transmission object in step 5 can be a part of the data of the Domain U virtual machine on the source physical server. Executing steps 5 and 6 once finishes the migration of one part of the data; therefore steps 5 and 6 need to be repeated a number of times, stopping when the migration of the entire data of the Domain U virtual machine is finished.
The method of the invention shown in Fig. 2 uses an asymmetric encryption algorithm and a symmetric encryption algorithm working together to guarantee the data transmission security of the Domain U virtual machine during the dynamic migration process, solving the problem of a network eavesdropper stealing data and eliminating the potential safety hazard caused by data leakage.
In order to further solve the problem of a hacker tampering with data, on top of solving the problem of a network eavesdropper stealing data, the present invention introduces a data integrity verification mechanism and proposes the following secure dynamic migration method, as shown in Fig. 3:
Step A: on the source physical server, based on the SSL protocol, generate a key using a symmetric encryption algorithm;
Step B: on the target physical server, based on the SSL protocol, generate a public key and a private key using an asymmetric encryption algorithm, and transmit the generated public key to the source physical server over the network in plaintext form (or another form);
Step C: on the source physical server, encrypt the key with the received public key, and transmit the encrypted key over the network to the target physical server;
Step D: on the target physical server, decrypt the encrypted key with the private key to obtain the key;
Step E: a hash value adding step, specifically: calculate the hash value of the data to be transmitted with a hash algorithm; the data to be transmitted plus its own corresponding hash value form the transmission object;
Step F: on the source physical server, encrypt the transmission object with the key, and transfer the encrypted transmission object to the target physical server;
Step G: after the target physical server receives the encrypted transmission object, decrypt the encrypted transmission object, thereby completing the migration of the transmission object from the source physical server to the target physical server;
Step H: a checking step, specifically: extract the transmitted data and the hash value from the decrypted transmission object; calculate the hash value of the extracted transmitted data with the hash algorithm; compare the calculated hash value with the extracted hash value to obtain a hash value comparison result; if the hash value comparison result is that the two hash values are equal, notify the source physical server that this transmission succeeded; if the hash value comparison result is that the two hash values are unequal, retransmit the encrypted transmission object of step F (network instability may cause a transmission error, so a retransmission mechanism is adopted); if after the retransmission, once the sent hash value and the actually calculated hash value have been compared, the hash value comparison result is still that the two hash values are unequal, notify the source physical server that the data may have been tampered with in transit and abandon further data transmission (i.e. stop the whole dynamic migration).
In step E, a hash algorithm is used. A hash algorithm maps a binary value of arbitrary length to a smaller binary value of fixed length; this smaller binary value is the hash value. A hash value is a unique and extremely compact numeric representation of a piece of data: if a piece of plaintext is hashed and even only one character of that plaintext is changed, the subsequent hash value will be different, and it is impossible to find two different pieces of data with the same hash value. Therefore the method of the invention uses a hash algorithm to perform the data integrity verification.
In practical applications, the entire data of the Domain U virtual machine on the source physical server can be moved from the source physical server to the target physical server in one go by the above method of the invention shown in Fig. 3; that is, the data to be transmitted in step E can be the entire data of the Domain U virtual machine on the source physical server. Alternatively, the entire data of the Domain U virtual machine on the source physical server can be moved from the source physical server to the target physical server in batches by the above method of the invention shown in Fig. 3, one data block being migrated each time. The specific implementation is: divide the entire data of the Domain U virtual machine on the source physical server into a plurality of data blocks of preset length (considering the computational efficiency of the hash algorithm and the data transmission efficiency, the data block length can be set to 4KB; of course it can also be set to other lengths, for example 1KB, 2KB, 1MB, 2MB etc.), and migrate one data block at a time. For step E, the data to be transmitted in this step means one data block. Executing steps E to H once finishes the migration of one data block; therefore, to migrate the entire data of the Domain U virtual machine, steps E to H are repeated a number of times, stopping when the migration of the entire data (i.e. all data blocks) of the Domain U virtual machine is finished or when the target physical server notifies the source physical server to abandon further data transmission.
On top of the measure of encrypting the transmitted data, the method of the invention shown in Fig. 3 further adopts a data integrity verification mechanism, guaranteeing that the data cannot be tampered with by a hacker during the network migration process and eliminating the potential safety hazards caused by tampering with the virtual machine's internal data, for example leakage of security information or confidential information, release of viruses, paralysis of the virtual machine running environment, etc.
In the present invention, the symmetric encryption algorithm can be any of the 3DES algorithm, AES algorithm, DES algorithm, Blowfish algorithm, CAST algorithm, IDEA algorithm, RC2 algorithm or RC5 algorithm. The asymmetric encryption algorithm can be any of the RSA public key algorithm, DH algorithm or DSA algorithm. The hash algorithm can be any of the SHA-1 algorithm, MD4 algorithm, MD5 algorithm, SHA-256 algorithm, SHA-384 algorithm or SHA-512 algorithm, and the hash value can be placed at the head or the tail of the data to be transmitted (data block) to form the transmission object.
The above is a preferred embodiment of the present invention and the technical principle it uses; for a person skilled in the art, without departing from the spirit and scope of the present invention, any obvious changes such as equivalent transformations and simple replacements based on the technical solution of the present invention all fall within the protection scope of the present invention.