CN102882966A - Internal data transmission method for cloud computing system - Google Patents

Internal data transmission method for cloud computing system

Info

Publication number
CN102882966A
Authority
CN
China
Prior art keywords
server
cloud computing
computing system
data transmission
transmission method
Prior art date
Legal status
Pending
Application number
CN2012103653797A
Other languages
Chinese (zh)
Inventor
宗竞
Current Assignee
JIANGSU LEMAIDAO NETWORK TECHNOLOGY Co Ltd
Original Assignee
JIANGSU LEMAIDAO NETWORK TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by JIANGSU LEMAIDAO NETWORK TECHNOLOGY Co Ltd
Priority to CN2012103653797A
Publication of CN102882966A
Legal status: Pending (current)

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention relates to an internal data transmission method for a cloud computing system. All servers in the cloud computing system perform key synchronization, and a key synchronization process is started when each server begins running. When a first server communicates with a second server, the communication process of the first server checks whether the available flag is locked; if it is not locked, it reads the vector and then encrypts the information with symmetric encryption. When the second server receives the information, it first checks whether its own available flag is locked and, if not, reads its own vector. The internal data transmission method effectively improves the security of the cloud computing system.

Description

Internal data transmission method for a cloud computing system
Technical field
The invention belongs to the field of information technology and in particular relates to an internal data transmission method for a cloud computing system.
Background technology
Cloud computing is a computing model in which computational resources are obtained conveniently over the network according to user demand. These resources come from a shared, configurable resource pool and can be acquired and released rapidly. It provides a brand-new Internet business service model: users rent the services they need over the network, on demand and in an easily scalable way. Cloud computing technology uses the transmission capacity of the high-speed Internet to move resources such as computation, storage, software and services from dispersed personal computers or servers into centrally managed large-scale high-performance computers, personal computers and virtual machines on the Internet, so that users consume these resources the way they consume electricity. Adopting the cloud computing model improves computational efficiency and the availability of resources. At present the cloud computing field is mainly divided into SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service).
The security of network information transfer is an important component of cloud system security and is also the part most easily subjected to malicious attack, so protecting data in network transmission is essential, and one effective method is to encrypt the data. From the point where a user request is accepted at the user interaction interface to the point where data is returned to the user through that interface, all of the data communication belongs to the cloud's internal communication. Improving the security of intra-cloud communication is of great significance both for the security of the whole cloud computing system and for providing users with a trustworthy computing environment. Existing methods in the cloud computing field cannot satisfy stricter security requirements, so a new internal data transmission method is urgently needed in order to effectively improve the security of intra-cloud communication.
Summary of the invention
In view of the above, the object of the invention is to propose an internal data transmission method for a cloud computing system, a technique that encrypts the data communication inside the cloud computing system and can effectively improve the security of cloud computing.
To solve the technical problem described above, the invention adopts the following technical scheme:
An external data transmission method of a cloud computing system, characterized in that: key synchronization is performed on all servers of the system, and the key synchronization process is started from the moment a server begins running;
when a first server is to communicate with a second server, the communication process of the first server checks whether the available flag is locked; if it is not locked, it reads the vector, and the communication process then encrypts the information with symmetric encryption;
after the second server receives the information, it first checks whether the available flag is locked; if it is not locked, it reads its own vector.
Preferably, the network transmission delay must be less than the operation interval.
Preferably, when a server fails, shuts down or restarts, the key synchronization process needs to re-obtain the vector value of the current system.
Preferably, a digital certificate is installed on each server, equipped with a public key-private key pair.
With the above internal data transmission method for a cloud computing system, the servers used in the cloud platform can obtain a higher speed, and the security of cloud computing can be effectively improved.
Description of drawings
In order to illustrate the technical scheme of the embodiments of the invention more clearly, the drawings required for describing the embodiments are introduced briefly below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is the architecture diagram of the SSCMIC model of the invention;
Fig. 2 is a schematic diagram of the encryption process of the invention;
Fig. 3 is a schematic diagram of the decryption process of the invention.
Embodiment
The internal data transmission method for a cloud computing system of the technical scheme of the invention is a novel internal data transfer system. From the point where a user request is accepted at the user interaction interface to the point where data is returned to the user through that interface, all of the data communication belongs to the cloud's internal communication. Improving the security of intra-cloud communication is of great significance both for the security of the whole cloud computing system and for providing users with a trustworthy computing environment.
One difference between cloud computing and grid computing is that all server nodes in the cloud are controlled and managed by a single service provider. The service provider is therefore able to apply a particular configuration to all servers. Based on this, a simple and safe communication model for intra-cloud communication (SSCMIC) has been designed. The SSCMIC model architecture is shown in Fig. 1. The model needs no extra hardware; it only needs a KeySyn process running on each machine in the cloud to synchronize keys, so the encrypted communication mechanism is highly practicable. In the SSCMIC model, all data transmitted over the network is encrypted; by choosing a high-strength encryption algorithm, security in transmission is strengthened and the purpose of protecting the data is achieved.
Whichever cloud computing service mode (SaaS/PaaS/IaaS) is used, data security is important. Both cloud users and cloud service providers must avoid data loss and theft; when a public cloud is used, the biggest threat to data in transit is an unencrypted communication mechanism. On the other hand, the speed requirement makes asymmetric encryption algorithms unsuitable under conditions of large-volume data transmission.
In a symmetric encryption system the encryption key is identical to the decryption key, or, if not identical, either can easily be derived from the other. Symmetric encryption has very high encryption strength and can withstand analysis and attack of a fairly advanced cryptanalytic level. The unified control mechanism adopted by the cloud service provider can guarantee that keys are transmitted by a safe and reliable route. Therefore, the SSCMIC model chooses a mechanism based on symmetric encryption.
In an encryption system a one-time key is the ideal state, but since the cloud is a large-scale distributed system, communication between servers is clearly asynchronous, and it is obviously impossible for every pair of servers to maintain a dynamically changing key of its own. The invention therefore proposes a synchronized key stream as the solution. The keys in the synchronized key stream satisfy two conditions: first, irregularity, which raises the difficulty of dictionary attacks; second, frequent change, which reduces the number of samples available for analyzing any one key, greatly increases the difficulty of cracking and improves the security of the system.
A system process KeySyn is added on every server in the cloud to perform key synchronization. At the start of server operation, the key synchronization process KeySyn is started. This process holds a vector r(Kp, Kn, Tc) and an available flag V.
The K0 of every server is the same. Every ΔT, KeySyn performs one operation on Kn and updates Kp and Tc. The processing steps of the KeySyn process are shown in the following pseudocode:
Begin:
    Kp = K0;
    Kn = K0;             // the current key also starts from the shared K0 (uninitialized in the original listing)
LOOP:
    Lock(V);             // make the vector unavailable while it is updated
    Kp = Kn;             // previous key
    Kn = R(Kn);          // next key by the irreversible operation R
    Tc = ChangeTime(Tc); // record the change time
    Unlock(V);
    Wait(ΔT);
    goto LOOP;
End;
Here R(x) is an irreversible operation whose inverse function is not available: for y = R(x), y is easy to compute from a known x, but x cannot be obtained from a known y. A hash operation satisfies this condition well, and the result of a hash operation is also irregular, which satisfies the first condition on the keys stated above, so a hash operation can be considered for implementing the function R(x).
At the same time, in implementation the network transmission delay must be guaranteed to be less than the operation interval, so that the constraint that the key changes at most once while information is in transit is met. In practice, for a specific application service group there is no need to change keys at a high frequency at all, so ΔT can be set >> Max(T delay).
Thus the vector r(Kp, Kn, Tc) is the key carrier of the dynamically synchronized key stream, providing the communication processes with the key information needed for encryption and decryption.
When server C1 is to communicate with server C2, the communication process p1 of C1 checks whether the available flag V is locked; if not, it reads Kn and Tc from the vector r(Kp, Kn, Tc). Process p1 then encrypts the information with Kn (symmetric encryption is used here), places Tc in the first two bytes D of the message, and transmits D in plaintext. The encryption process is shown in Fig. 2 and is represented by the following pseudocode:
Begin:
    while (!V);                    // wait until the vector is available
    rn = Get_r();
    Kn = rn.Kn;
    D  = rn.Tc;                    // change time, sent as two plaintext bytes
    CryptMsg = Crypt(Msg, Kn);     // symmetric encryption with the current key
    SendMsg(D + CryptMsg);
End;
After server C2 receives the information, it first checks whether the available flag V is locked; if not, it reads its own vector r(Kp, Kn, Tc) and compares Tc with the first two bytes of the message. If they are consistent, it decrypts the following information content with Kn; if Tc > D, it decrypts with Kp. The decryption process is shown in Fig. 3 and is represented by the following pseudocode:
Begin:
    ReceiveMsg(D + CryptMsg);
    while (!V);                    // wait until the vector is available
    rn = Get_r();
    Kn = rn.Kn;
    Kp = rn.Kp;
    Tc = rn.Tc;
    if (D >= Tc)                   // same interval: current key
        DecryMsg = DeCry(CryptMsg, Kn);
    else                           // key changed once in transit: previous key
        DecryMsg = DeCry(CryptMsg, Kp);
End;
When a server fails, shuts down or restarts, the KeySyn process needs to re-obtain the r vector value of the current system; the invention designs two methods for this.
(1) KeySyn holds a counter value N that records how many R(x) operations were applied to K0 to obtain the current Kn. Immediately after a server restarts, it queries the values N and Tc from the management server of the cloud system and derives the complete r(Kp, Kn, Tc) vector value from them. This method guarantees that the keys in the r vector are never propagated over the network.
(2) A digital certificate is installed on each server, with a public key-private key pair. Reference is made to the Trusted Platform Module (TPM) chip standard proposed by the Trusted Computing Group (TCG) [40], which is now bundled into hardware products. The TPM contains an endorsement key (EK), an approved private key that uniquely identifies the TPM (that is, the physical host), and some encryption functions that cannot be modified. The manufacturer signs the corresponding public key to guarantee the correctness of the chip and the validity of the key. A special CA-like server is built inside the cloud system to allocate digital certificates to the servers inside the cloud. A server queries the management server of the cloud system directly for the r vector value of the current system; the management server signs with its own private key, encrypts the r vector with the public key of the requesting server and sends it to the requesting server, which uses its own private key and the management server's public key to decrypt it and directly obtain the r vector. This method uses asymmetric encryption to guarantee the security of the r vector. Encrypted communication improves data security, but it also consumes a certain amount of time and resources and reduces communication efficiency.
The encryption rates of three commonly used symmetric encryption algorithms were measured on a Linux virtual machine with an Intel P7350 CPU at 2.0 GHz, the CPU count set to 1 and memory set to 512M; in the measurement table, the row headings are the data block size used for encryption, in bytes, and the data unit is M/s. The symmetric encryption algorithm speed test shows that the DES encryption speed averages 43 M/s, and the speeds of the more secure 3DES and IDEA both exceed 15 M/s. The computer configuration used for the test is far below that of an ordinary server, and the servers used in a cloud platform can obtain higher speeds. Existing home broadband speeds are generally 4 M/s; a local area network (LAN) displays 100 M/s, but the actual transfer rate generally does not exceed 10 M/s. So under normal circumstances an encryption rate of 15 M/s imposes no obvious restriction on data communication. Therefore, the SSCMIC model proposed by the invention is effective and feasible.
The description and application of the invention here are illustrative and schematic and are not intended to limit the scope of the invention to the embodiments described above. Variations and changes of the embodiments disclosed here are entirely possible, and replacement and equivalent components of the embodiments are known to those of ordinary skill in the art. Other variations and changes may be made to the embodiments disclosed here without departing from the scope and spirit of the invention.
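The following is an added, runnable model of the KeySyn key stream, the sender and receiver pseudocode above, and restart-recovery method (1); it is constructed here and is not the patent's own code. Details the page leaves open are assumed: R(x) is SHA-256, ChangeTime() is a 16-bit tick counter (so Tc fits the two plaintext bytes D), and the symmetric cipher is an HMAC-SHA256 keystream standing in for DES/3DES/IDEA.

```python
import hashlib
import hmac
import struct

# Constructed example modelling SSCMIC: vector r(Kp, Kn, Tc), flag V, the
# sender/receiver rules (D >= Tc selects Kn, otherwise Kp) and recovery from
# the counter N. Assumed: R = SHA-256, Tc = 16-bit tick, HMAC keystream cipher.

def R(x: bytes) -> bytes:
    """Irreversible operation: easy to compute y = R(x), infeasible to invert."""
    return hashlib.sha256(x).digest()

class KeySyn:
    """One server's key-synchronisation process; holds vector r and flag V."""

    def __init__(self, k0: bytes) -> None:
        self.Kp = k0          # previous key
        self.Kn = k0          # current key (assumed to start at K0 as well)
        self.Tc = 0           # change-time tick, 0..65535 (assumed ChangeTime)
        self.N = 0            # counter: number of R() steps from K0 (method 1)
        self.V = True         # available flag; False while r is being updated

    def tick(self) -> None:
        """One LOOP iteration of KeySyn, executed every ΔT."""
        self.V = False                      # Lock(V)
        self.Kp = self.Kn
        self.Kn = R(self.Kn)
        self.Tc = (self.Tc + 1) & 0xFFFF    # ChangeTime(Tc)
        self.N += 1
        self.V = True                       # Unlock(V)

    def get_r(self):
        """Get_r(): communication processes spin on V, then read the vector."""
        assert self.V, "vector locked"      # the while(!V) of the pseudocode
        return self.Kp, self.Kn, self.Tc

    @classmethod
    def recover(cls, k0: bytes, n: int, tc: int) -> "KeySyn":
        """Method (1) after a restart: rebuild r from K0 plus N and Tc."""
        ks = cls(k0)
        for _ in range(n):
            ks.tick()
        ks.Tc = tc
        return ks

def crypt(data: bytes, key: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 keystream (self-inverse)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack(">I", off // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def send(ks: KeySyn, msg: bytes) -> bytes:
    """Sender C1: encrypt with Kn and prefix Tc as two plaintext bytes D."""
    _, kn, tc = ks.get_r()
    return struct.pack(">H", tc) + crypt(msg, kn)

def receive(ks: KeySyn, packet: bytes) -> bytes:
    """Receiver C2: D equal to Tc selects Kn; D one tick behind selects Kp."""
    (d,) = struct.unpack(">H", packet[:2])
    kp, kn, tc = ks.get_r()
    # Added sanity check beyond the page's pseudocode: the delay < ΔT assumption
    # means only Tc or Tc-1 can appear; anything else is an out-of-sync stream.
    if d not in (tc, (tc - 1) & 0xFFFF):
        raise ValueError(f"key stream out of sync: D={d} Tc={tc}")
    return crypt(packet[2:], kn if d == tc else kp)
```

The keystream cipher gives confidentiality only, as the patent's scheme does; a wrong key yields silent garbage, which is why the D check above is worth having.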

Claims (4)

1. An external data transmission method of a cloud computing system, characterized in that: key synchronization is performed on all servers of the system, and the key synchronization process is started from the moment a server begins running;
when a first server is to communicate with a second server, the communication process of the first server checks whether the available flag is locked; if it is not locked, it reads the vector, and the communication process then encrypts the information with symmetric encryption;
after the second server receives the information, it first checks whether the available flag is locked; if it is not locked, it reads its own vector.
2. The method of claim 1, wherein the network transmission delay must be less than the operation interval.
3. The method of claim 1 or 2, wherein, when a server fails, shuts down or restarts, the key synchronization process needs to re-obtain the vector value of the current system.
4. The method of claim 3, wherein a digital certificate is installed on each server, equipped with a public key-private key pair.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012103653797A CN102882966A (en) 2012-09-27 2012-09-27 Internal data transmission method for cloud computing system

Publications (1)

Publication Number Publication Date
CN102882966A true CN102882966A (en) 2013-01-16

Family

ID=47484108

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012103653797A Pending CN102882966A (en) 2012-09-27 2012-09-27 Internal data transmission method for cloud computing system

Country Status (1)

Country Link
CN (1) CN102882966A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010007127A1 (en) * 1999-12-10 2001-07-05 Staring Antonius A.M. Synchronization of session keys
CN1469272A (en) * 2002-06-10 2004-01-21 [assignee name garbled in source] Digital content issuing system and digital content issuing method
CN101976317A (en) * 2010-11-05 2011-02-16 北京世纪互联工程技术服务有限公司 Virtual machine image safety method in private cloud computing application
CN102075542A (en) * 2011-01-26 2011-05-25 中国科学院软件研究所 Cloud computing data security supporting platform


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130116