CN103279703A - Method for building desktop cloud virtual trust safety wall - Google Patents


Info

Publication number: CN103279703A
Authority: CN (China)
Prior art keywords: virtual, trust, desktop, safety wall, wall
Legal status: Granted
Application number: CN2013102237360A
Other languages: Chinese (zh)
Other versions: CN103279703B (en)
Inventors: 刘显明, 钟华, 孙慧勤, 潘理, 孙珂轩, 朱学文
Current assignee: State Grid Corp of China SGCC; Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Original assignee: INFORMATION COMMUNICATION BRANCH JIANGXI ELECTRIC POWER CO Ltd
Application filed by INFORMATION COMMUNICATION BRANCH JIANGXI ELECTRIC POWER CO Ltd
Priority to CN201310223736.0A
Publication of CN103279703A; application granted; publication of CN103279703B
Current legal status: Active

Landscapes

  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a method for building a desktop cloud virtual trusted security wall. A TCM serves as the root of trust; a security wall trust chain and a basic trust chain together form a two-dimensional trust chain; the virtual trusted security wall migrates synchronously with its virtual desktop; and, through the two-dimensional trust chain, the trust relationship is extended from the root of trust to the whole desktop cloud system. Using the virtual trusted security wall architecture, a virtual trusted security wall is built for each virtual desktop on top of the trusted computing base platform, giving business applications a desktop access method with high security and real-time performance. To strengthen the security of the desktop cloud, the security wall trust chain and the basic trust chain form the two-dimensional trust chain that extends the trust relationship from the root of trust to the whole desktop cloud system. To suit the dynamic nature of the cloud environment, the virtual trusted security wall can migrate dynamically with the virtual desktops, achieving the goal of 'security as a service'.

Description

A method for building a desktop cloud virtual trusted security wall
Technical field
The present invention relates to the field of computer desktop clouds, and in particular to a method for building a desktop cloud virtual trusted security wall.
Background technology
In 1983 the U.S. Department of Defense published the world's first Trusted Computer System Evaluation Criteria (TCSEC). TCSEC introduced the concepts of the trusted computer and the trusted computing base (TCB) and made the TCB the foundation of system security. In 1999, IBM, HP, Intel, Microsoft and other well-known IT companies founded the Trusted Computing Platform Alliance (TCPA). Domestically, related application products such as trusted servers and trusted security gateways exist, and experimental deployments have been carried out at the State Grid Electric Power Research Institute. Trusted computing has become a new trend in the field of information security worldwide, and the idea of 'security as a service' has been put forward.
Today a desktop cloud accesses cross-platform applications through a client or any other network-connected device. The desktop cloud replaces the formerly dispersed, independent desktop environments with centralized deployment, so that IT staff can complete all management and maintenance work in the data center. Users' desktop environments are hosted in the enterprise data center, and the local terminal is only a display device. As the user base grows, managing the security of a massive number of virtual desktop environments becomes a serious challenge. Conventional security software deployment has a low degree of automation, the granularity of user desktop security is coarse, and it is difficult to keep up with the individualized, fine-grained IT security management demands of administrators in different organizations and of different users.
Summary of the invention
The technical problem solved by the invention is to build a virtual trusted security wall for each virtual desktop, give the security wall the ability to migrate dynamically with the desktop, achieve the goal of 'security as a service', and suit applications such as enterprise operation monitoring that have high security and real-time requirements, thereby overcoming the shortcomings of the background technology described above.
The technical problem is solved by the following technical solution:
A method for building a desktop cloud virtual trusted security wall, in which a TCM is the root of trust, the security wall trust chain and the basic trust chain together form a two-dimensional trust chain, the virtual trusted security wall migrates synchronously with the virtual desktop, and the trust relationship is extended from the root of trust to the whole desktop cloud system through the two-dimensional trust chain.
In the present invention, the basic trust chain comprises: the TCM root of trust, BIOS, MBR, OS Loader, OS Kernel, Service/Application, and the virtual security wall management center.
In the present invention, the security wall trust chain is rooted at the virtual security wall management center; in the negative direction it points to the desktop access service, and in the positive direction it points first to the virtual security wall and then to the desktop access service and the virtual desktop applications, so that the trust relationship is extended from the root of trust to the whole desktop cloud system through the two-dimensional trust chain.
In the present invention, the virtual trusted security wall migrates synchronously with the virtual desktop: when the load of the desktop cloud changes and a virtual desktop migrates, its virtual trusted security wall migrates with it.
The virtual trusted security wall architecture comprises three parts: the trusted base platform, the virtual trusted security wall management center, and the virtual trusted security wall:
1) Trusted base platform:
With the TCM as the root of trust, the two-dimensional trust chain is built. The basic trust chain comprises: the TCM root of trust, BIOS, MBR, OS Loader, OS Kernel, Service/Application, and the virtual security wall management center. The security wall trust chain comprises: the virtual security wall management center, the virtual security wall, the desktop access service, and the virtual desktop applications;
2) Virtual trusted security wall management center:
The virtual trusted security wall management center is deployed between the desktop cloud center and the cloud terminals to manage virtual desktop security. Through a security wall creation, migration and revocation service, a security wall trust chain management service, a status monitoring and logging service, a user security configuration service, and a file storage and transmission encryption/decryption service, the management center implements functions such as security wall generation and migration, user access, data storage, data transmission, and monitoring of user behaviour;
3) Virtual trusted security wall:
The virtual trusted security wall is automatically distributed into each virtual desktop environment. Built around the real-time encryption/decryption engine of the security wall management center, it isolates the enterprise's confidential data from the outside by means of active encryption and classified-data access control, and establishes trust relationships with the desktop access service and the virtual desktop. It also collects the log information of the desktop environment and executes the security action instructions sent by the security wall management center.
Establishment of the security wall trust chain: the security wall trust chain extends the trust relationship from the root of trust to the whole desktop cloud system; using the trusted cryptography module, the security wall trust chain built for the desktop cloud is formed by the virtual security wall management center, the virtual security wall, the desktop access service, and the virtual desktop. First, in the security wall management center, the security wall trust chain management service establishes the trust relationship from the virtual security wall management center to the virtual security wall; next, the trust relationship from the virtual security wall to the desktop access service and the trust relationship from the virtual security wall to the virtual desktop are established respectively. Finally, the security wall trust chain and the basic trust chain together form the two-dimensional trust chain; because each level measures the next and each level verifies the next, the system can achieve self-protection, self-management and self-recovery when it is attacked and its integrity is damaged. With the two-dimensional trust chain as the security foundation, a solid security defence system is formed by performing security configuration and management of the security wall and customizing a security baseline.
Migration of the virtual trusted security wall: when the load of the desktop cloud changes and a virtual desktop migrates, its virtual trusted security wall migrates with it. First, the security wall management center exports the configuration of the running virtual security wall A to an intermediate file; next, a virtual security wall B is generated and imports the configuration from the intermediate file, while the trust relationship from virtual security wall B to the desktop access service and the trust relationship from virtual security wall B to the virtual desktop are established respectively; finally, the load of virtual security wall A is switched to virtual security wall B, and virtual security wall A and its corresponding trust relationships are revoked. Because the starting point of the security wall trust chain is the virtual security wall, the trust relationships established by the trust chain can be preserved.
Beneficial effects
The present invention proposes a virtual trusted security wall architecture that, on the basis of the trusted computing base platform, builds a virtual trusted security wall for each virtual desktop and provides business applications with a desktop access method of high security and real-time performance. To strengthen the security of the desktop cloud, the security wall trust chain and the basic trust chain together form a two-dimensional trust chain that extends the trust relationship from the root of trust to the whole desktop cloud system. To suit the dynamic nature of the cloud environment, the virtual trusted security wall is given the ability to migrate dynamically with the virtual desktop, achieving the goal of 'security as a service'.
Description of drawings
Fig. 1 is a schematic diagram of a method for building a desktop cloud virtual trusted security wall.
Embodiment
To make the technical means, creative features, objectives and effects achieved by the present invention easy to understand, the invention is further described below with reference to the specific drawing.
A method for building a desktop cloud virtual trusted security wall, in which a TCM is the root of trust, the security wall trust chain and the basic trust chain together form a two-dimensional trust chain, the virtual trusted security wall migrates synchronously with the virtual desktop, and the trust relationship is extended from the root of trust to the whole desktop cloud system through the two-dimensional trust chain.
In the present invention, the basic trust chain comprises: the TCM root of trust, BIOS, MBR, OS Loader, OS Kernel, Service/Application, and the virtual security wall management center.
In the present invention, the security wall trust chain is rooted at the virtual security wall management center; in the negative direction it points to the desktop access service, and in the positive direction it points first to the virtual security wall and then to the desktop access service and the virtual desktop applications, so that the trust relationship is extended from the root of trust to the whole desktop cloud system through the two-dimensional trust chain.
In the present invention, the virtual trusted security wall migrates synchronously with the virtual desktop: when the load of the desktop cloud changes and a virtual desktop migrates, its virtual trusted security wall migrates with it.
The virtual trusted security wall architecture comprises three parts: the trusted base platform, the virtual trusted security wall management center, and the virtual trusted security wall:
1) Trusted base platform:
With the TCM as the root of trust, the two-dimensional trust chain is built. The basic trust chain comprises: the TCM root of trust, BIOS, MBR, OS Loader, OS Kernel, Service/Application, and the virtual security wall management center. The security wall trust chain comprises: the virtual security wall management center, the virtual security wall, the desktop access service, and the virtual desktop applications;
2) Virtual trusted security wall management center:
The virtual trusted security wall management center is deployed between the desktop cloud center and the cloud terminals to manage virtual desktop security. Through a security wall creation, migration and revocation service, a security wall trust chain management service, a status monitoring and logging service, a user security configuration service, and a file storage and transmission encryption/decryption service, the management center implements functions such as security wall generation and migration, user access, data storage, data transmission, and monitoring of user behaviour;
3) Virtual trusted security wall:
The virtual trusted security wall is automatically distributed into each virtual desktop environment. Built around the real-time encryption/decryption engine of the security wall management center, it isolates the enterprise's confidential data from the outside by means of active encryption and classified-data access control, and establishes trust relationships with the desktop access service and the virtual desktop. It also collects the log information of the desktop environment and executes the security action instructions sent by the security wall management center.
Establishment of the security wall trust chain: the security wall trust chain extends the trust relationship from the root of trust to the whole desktop cloud system; using the trusted cryptography module, the security wall trust chain built for the desktop cloud is formed by the virtual security wall management center, the virtual security wall, the desktop access service, and the virtual desktop. First, in the security wall management center, the security wall trust chain management service establishes the trust relationship from the virtual security wall management center to the virtual security wall; next, the trust relationship from the virtual security wall to the desktop access service and the trust relationship from the virtual security wall to the virtual desktop are established respectively. Finally, the security wall trust chain and the basic trust chain together form the two-dimensional trust chain; because each level measures the next and each level verifies the next, the system can achieve self-protection, self-management and self-recovery when it is attacked and its integrity is damaged. With the two-dimensional trust chain as the security foundation, a solid security defence system is formed by performing security configuration and management of the security wall and customizing a security baseline.
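The two-dimensional trust chain described above, as an added example that is not code from the patent or its assignee: the basic chain is measured link by link from the TCM root, the security wall chain is rooted at the management center's register, and each level is verified against an enrolled baseline so that the first damaged link is reported by name. The PCR-style SHA-256 extend, the constructed component images and the link labels are assumptions.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Links of the basic trust chain, in the order the patent lists them.
BASIC_CHAIN = ["TCM", "BIOS", "MBR", "OS Loader", "OS Kernel",
               "Service/Application", "Security Wall Management Center"]
# Links of the security wall trust chain. Its root is the management center,
# i.e. the last link of the basic chain, so it is not measured a second time.
WALL_CHAIN = ["Virtual Security Wall", "Desktop Access Service",
              "Virtual Desktop Application"]
ZERO = b"\x00" * 32  # initial register value before the TCM measures anything


def extend(register: bytes, image: bytes) -> bytes:
    """PCR-style extend (assumed scheme): new = SHA256(old || SHA256(image))."""
    return hashlib.sha256(register + hashlib.sha256(image).digest()).digest()


def enroll(chain: List[str], images: Dict[str, bytes], root: bytes) -> Dict[str, bytes]:
    """Record the golden register value after each link (the security baseline)."""
    golden, reg = {}, root
    for link in chain:
        reg = extend(reg, images[link])
        golden[link] = reg
    return golden


def verify_level_by_level(chain: List[str], images: Dict[str, bytes],
                          golden: Dict[str, bytes], root: bytes) -> Optional[str]:
    """Each level verifies the next: return the first link whose register
    mismatches the baseline, or None if the whole chain is intact."""
    reg = root
    for link in chain:
        reg = extend(reg, images[link])
        if reg != golden[link]:
            return link
    return None


def enroll_two_dimensional(images: Dict[str, bytes]):
    """Baseline both chains; the wall chain starts from the center's register."""
    golden_basic = enroll(BASIC_CHAIN, images, ZERO)
    wall_root = golden_basic[BASIC_CHAIN[-1]]
    golden_wall = enroll(WALL_CHAIN, images, wall_root)
    return golden_basic, golden_wall


def verify_two_dimensional(images, golden_basic, golden_wall) -> Tuple[str, Optional[str]]:
    """Verify the basic chain first, then the wall chain rooted at the
    management center's register. Returns ("ok", None) or (chain, first_bad_link)."""
    bad = verify_level_by_level(BASIC_CHAIN, images, golden_basic, ZERO)
    if bad is not None:
        return "basic", bad
    wall_root = golden_basic[BASIC_CHAIN[-1]]
    bad = verify_level_by_level(WALL_CHAIN, images, golden_wall, wall_root)
    if bad is not None:
        return "wall", bad
    return "ok", None


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Enroll a constructed platform, then verify it intact and with one link altered."""
    # Constructed component images standing in for the real binaries and configs.
    images = {link: f"image-of-{link}".encode() for link in BASIC_CHAIN + WALL_CHAIN}
    golden_basic, golden_wall = enroll_two_dimensional(images)
    results = {"intact": verify_two_dimensional(images, golden_basic, golden_wall)}

    altered = {**images, "OS Kernel": b"modified kernel image"}
    results["kernel"] = verify_two_dimensional(altered, golden_basic, golden_wall)

    altered = {**images, "Desktop Access Service": b"modified access service"}
    results["access"] = verify_two_dimensional(altered, golden_basic, golden_wall)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

A break in the basic chain is reported before the wall chain is even checked, which is the property that lets the management center decide which level to recover.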
Migration of the virtual trusted security wall: when the load of the desktop cloud changes and a virtual desktop migrates, its virtual trusted security wall migrates with it. First, the security wall management center exports the configuration of the running virtual security wall A to an intermediate file; next, a virtual security wall B is generated and imports the configuration from the intermediate file, while the trust relationship from virtual security wall B to the desktop access service and the trust relationship from virtual security wall B to the virtual desktop are established respectively; finally, the load of virtual security wall A is switched to virtual security wall B, and virtual security wall A and its corresponding trust relationships are revoked. Because the starting point of the security wall trust chain is the virtual security wall, the trust relationships established by the trust chain can be preserved.
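The migration procedure above (export A's configuration to an intermediate file, build B from it, establish B's trust relationships, switch the load, revoke A), as an added example that is not the patent's code. The dataclass model, the JSON intermediate file, the cut-over precondition and the names wall-A, wall-B, host-1, host-2 and vd-17 are constructed.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

CENTER = "management-center"  # root of the security wall trust chain


@dataclass
class SecurityWall:
    name: str
    host: str
    config: Dict[str, str]  # the wall's security configuration / baseline
    active: bool = True


@dataclass
class ManagementCenter:
    walls: Dict[str, SecurityWall] = field(default_factory=dict)
    trust: Set[Tuple[str, str]] = field(default_factory=set)  # (from, to) trust edges
    load: Dict[str, str] = field(default_factory=dict)        # desktop -> serving wall

    def create_wall(self, name: str, host: str, config: Dict[str, str]) -> SecurityWall:
        wall = SecurityWall(name, host, dict(config))
        self.walls[name] = wall
        self.trust.add((CENTER, name))  # first link of the wall chain: center -> wall
        return wall

    def establish_trust(self, wall: str, desktop: str) -> None:
        """Wall -> desktop access service and wall -> virtual desktop."""
        self.trust.add((wall, f"access-service:{desktop}"))
        self.trust.add((wall, f"desktop:{desktop}"))

    def is_trusted(self, wall: str, desktop: str) -> bool:
        """The complete wall chain must exist before the wall may carry load."""
        return {(CENTER, wall), (wall, f"access-service:{desktop}"),
                (wall, f"desktop:{desktop}")} <= self.trust

    def export_config(self, wall: str) -> str:
        """Step 1: write the running wall's configuration to an intermediate
        file (modelled here as a JSON string)."""
        return json.dumps(self.walls[wall].config, sort_keys=True)

    def revoke(self, wall: str) -> None:
        """Deactivate the wall and drop every trust edge that touches it."""
        self.walls[wall].active = False
        self.trust = {edge for edge in self.trust if wall not in edge}

    def migrate(self, wall_a: str, wall_b: str, new_host: str, desktop: str) -> bool:
        if not self.walls[wall_a].active or self.load.get(desktop) != wall_a:
            return False  # A is not the active wall serving this desktop
        intermediate = self.export_config(wall_a)                    # step 1
        self.create_wall(wall_b, new_host, json.loads(intermediate))  # step 2
        self.establish_trust(wall_b, desktop)
        if not self.is_trusted(wall_b, desktop):  # never cut over to an untrusted wall
            self.revoke(wall_b)
            return False
        self.load[desktop] = wall_b                                  # step 3: switch load
        self.revoke(wall_a)                                          # ... and revoke A
        return True


def demo() -> Tuple[bool, ManagementCenter]:
    """Constructed scenario: desktop vd-17 served by wall-A on host-1 moves to
    host-2 and its wall follows as wall-B."""
    mc = ManagementCenter()
    mc.create_wall("wall-A", "host-1", {"baseline": "confidential", "encrypt": "on"})
    mc.establish_trust("wall-A", "vd-17")
    mc.load["vd-17"] = "wall-A"
    ok = mc.migrate("wall-A", "wall-B", "host-2", "vd-17")
    return ok, mc


if __name__ == "__main__":
    ok, mc = demo()
    print(ok, mc.load, sorted(mc.trust))
```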
The above has shown and described the basic principles, principal features and advantages of the present invention. Those skilled in the art should understand that the invention is not limited to the embodiments described above; the embodiments and the description only illustrate its principles. Without departing from the spirit and scope of the invention, various changes and modifications are possible, and all such changes and improvements fall within the claimed scope of the invention, which is defined by the appended claims and their equivalents.

Claims (4)

1. A method for building a desktop cloud virtual trusted security wall, characterized in that: a TCM is the root of trust, the security wall trust chain and the basic trust chain together form a two-dimensional trust chain, the virtual trusted security wall migrates synchronously with the virtual desktop, and the trust relationship is extended from the root of trust to the whole desktop cloud system through the two-dimensional trust chain.
2. The method for building a desktop cloud virtual trusted security wall according to claim 1, characterized in that the basic trust chain comprises: the TCM root of trust, BIOS, MBR, OS Loader, OS Kernel, Service/Application, and the virtual security wall management center.
3. The method for building a desktop cloud virtual trusted security wall according to claim 1, characterized in that the security wall trust chain is rooted at the virtual security wall management center; in the negative direction it points to the desktop access service, and in the positive direction it points first to the virtual security wall and then to the desktop access service and the virtual desktop applications, so that the trust relationship is extended from the root of trust to the whole desktop cloud system through the two-dimensional trust chain.
4. The method for building a desktop cloud virtual trusted security wall according to claim 1, characterized in that the virtual trusted security wall migrates synchronously with the virtual desktop: when the load of the desktop cloud changes and a virtual desktop migrates, its virtual trusted security wall migrates with it.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310223736.0A CN103279703B (en) 2013-06-07 2013-06-07 A kind of method for building desktop cloud virtual trust safety wall


Publications (2)

Publication Number Publication Date
CN103279703A true CN103279703A (en) 2013-09-04
CN103279703B CN103279703B (en) 2018-02-02

Family

ID=49062218


Country Status (1)

Country Link
CN (1) CN103279703B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656915A (en) * 2015-10-30 2017-05-10 深圳市中电智慧信息安全技术有限公司 Cloud security server based on trusted computing

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101414335A (en) * 2008-11-27 2009-04-22 武汉大学 Test system for credible PC trust chain based on minimum test collection
US20090204718A1 (en) * 2008-02-08 2009-08-13 Lawton Kevin P Using memory equivalency across compute clouds for accelerated virtual memory migration and memory de-duplication
CN101916207A (en) * 2010-08-28 2010-12-15 华为技术有限公司 Energy saving method, device and system under desktop virtual environment
US20100318609A1 (en) * 2009-06-15 2010-12-16 Microsoft Corporation Bridging enterprise networks into cloud
CN101957900A (en) * 2010-10-26 2011-01-26 中国航天科工集团第二研究院七○六所 Credible virtual machine platform
CN102143158A (en) * 2011-01-13 2011-08-03 北京邮电大学 Data anti-leakage method based on trusted platform module (TPM)
CN103118030A (en) * 2013-02-22 2013-05-22 浪潮电子信息产业股份有限公司 Desktop cloud based identity authentication method
CN103139221A (en) * 2013-03-07 2013-06-05 中国科学院软件研究所 Dependable virtual platform and construction method thereof, data migration method among platforms


Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
DAWEI ZHANG et al.: "A portable TPM based on USB key", 《CCS '10 PROCEEDINGS OF THE 17TH ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY》 *
夏荣: "基于桌面云的统一身份认证架构研究", 《技术研究》 *
孙晶晶,蔡勉,赵阳: "基于可信计算的云用户安全模型", 《计算机安全》 *
易涛: "云计算虚拟安全技术研究", 《信息安全与通信保密》 *
李生智: "可信虚拟域迁移技术研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
郑兴艳: "安全虚拟桌面系统的设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *


Also Published As

Publication number Publication date
CN103279703B (en) 2018-02-02


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
  Inventors after: Liu Xianming, Zhu Xuewen, Cai Zhimin, Wang Guohuan, Tao Zhenwen, Sun Xin, Zhong Hua, Sun Huiqin, Pan Li, Sun Kexuan
  Inventors before: Liu Xianming, Zhong Hua, Sun Huiqin, Pan Li, Sun Kexuan, Zhu Xuewen
TA01 Transfer of patent application right
  Effective date of registration: 20170930
  Address after: 330029 No. 666 Hubin East Road, Qingshan Lake District, Jiangxi, Nanchang
  Applicant after: INFORMATION AND COMMUNICATION BRANCH OF STATE GRID JIANGXI ELECTRIC POWER COMPANY; State Grid Corporation of China
  Address before: 330029, Nanchang Province, Jiangxi Province, 66 Hubin East Road, Jiangxi province power company dispatch building 808 room
  Applicant before: Information Communication Branch, Jiangxi Electric Power Co.,Ltd.
GR01 Patent grant