CN103532985A - Communication method, equipment and system between virtual machines - Google Patents


Info

Publication number
CN103532985A
Authority
CN
China
Prior art keywords
virtual machine
user
message
key
machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310535533.5A
Other languages
Chinese (zh)
Other versions
CN103532985B (en)
Inventor
田新雪
马书惠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN201310535533.5A
Publication of CN103532985A
Application granted
Publication of CN103532985B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a communication method, device and system between virtual machines. A first physical machine receives, through a first virtual network card, a message sent by a source virtual machine belonging to a first user; the first virtual network card has already encrypted the payload with a first key configured for the first user, and the first physical machine then forwards the message to the virtualization management platform. The virtualization management platform decrypts the payload with the first key corresponding to the first user, re-encrypts it with a second key corresponding to the second user to whom the target virtual machine belongs, and sends the message to the target physical machine according to the second identification information. The target physical machine passes the message to the second virtual network card corresponding to the target virtual machine, and the second virtual network card decrypts it with its built-in second key and delivers it to the target virtual machine. In this way the security of communication between virtual machines of different tenants is improved and the message is protected from attack by malicious users.

Description

Communication method, device and system between virtual machines
Technical field
The embodiments of the present invention relate to the field of communication technology, and in particular to a communication method, device and system between virtual machines.
Background technology
Because a virtual-machine data center processing cloud workloads hosts multiple tenants, and to prevent the communication messages exchanged between virtual machines from being eavesdropped on by malicious users, a scheme has been proposed that encrypts messages exchanged between virtual machines of the same tenant. Since all virtual machines of one tenant hold the same key, only that tenant can read the communication messages between its own virtual machines, which improves resistance to eavesdropping.
However, as communication services diversify, virtual machines of different tenants also need to communicate with each other. Under the existing encryption scheme the keys of two different tenants are entirely different, so virtual machines of different tenants cannot communicate. If keys were exchanged between tenants, the risk of a key leaking to other unauthorized users would increase, which would also threaten the security of other message communication.
Summary of the invention
In view of the above defects of the prior art, the embodiments of the present invention provide a communication method, device and system between virtual machines.
One aspect of the present invention provides a communication method between virtual machines, comprising:
a first physical machine receives, through a first virtual network card, a message sent by a source virtual machine belonging to a first user, where the header of the message comprises first identification information of the source virtual machine and second identification information of a target virtual machine, and the payload of the message has been encrypted by the first virtual network card with a built-in first key, the first key having been configured in advance for the first user by the virtual machine monitor, and where the target virtual machine is not a virtual machine that is deployed on the first physical machine and belongs to the first user;
the first physical machine queries pre-stored user registration information and, if it determines that the source virtual machine and the target virtual machine do not belong to the same user, sends the message to the virtualization management platform, so that the virtualization management platform queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to a second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, re-encrypts the decrypted payload with the second key, and sends the processed message, according to routing information queried from pre-stored data by the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine queries locally stored virtual machine user information by the second identification information and passes the message to a second virtual network card corresponding to the target virtual machine, so that the second virtual network card decrypts the message with its built-in second key and delivers it to the target virtual machine.
Another aspect of the present invention provides a communication method between virtual machines, comprising:
a virtualization management platform receives a message sent by a first physical machine, where the header of the message comprises first identification information of a source virtual machine and second identification information of a target virtual machine, and the payload of the message has been encrypted by a first virtual network card in the first physical machine with a built-in first key, the first key having been configured in advance by the virtual machine monitor for the first user to whom the source virtual machine belongs, and where the message is one that the first physical machine sent to the virtualization management platform after determining, from pre-stored user registration information, that the source virtual machine and the target virtual machine do not belong to the same user;
the virtualization management platform queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to the second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, and then encrypts the decrypted payload with the second key;
the virtualization management platform sends the processed message, according to routing information queried from pre-stored data by the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine queries locally stored virtual machine user information by the second identification information and passes the message to a second virtual network card corresponding to the target virtual machine, so that the second virtual network card decrypts the message with its built-in second key and delivers it to the target virtual machine.
Another aspect of the present invention provides a first physical machine, comprising:
a first receiving module, configured to receive, through a first virtual network card, a message sent by a source virtual machine belonging to a first user, where the header of the message comprises first identification information of the source virtual machine and second identification information of a target virtual machine, and the payload of the message has been encrypted by the first virtual network card with a built-in first key, the first key having been configured in advance for the first user by the virtual machine monitor, and where the target virtual machine is not a virtual machine that is deployed on the first physical machine and belongs to the first user;
a first sending module, configured to query pre-stored user registration information and, if it determines that the source virtual machine and the target virtual machine do not belong to the same user, to send the message to the virtualization management platform, so that the virtualization management platform queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to a second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, re-encrypts the decrypted payload with the second key, and sends the processed message, according to routing information queried from pre-stored data by the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine queries locally stored virtual machine user information by the second identification information and passes the message to a second virtual network card corresponding to the target virtual machine, so that the second virtual network card decrypts the message with its built-in second key and delivers it to the target virtual machine.
A further aspect of the present invention provides a virtualization management platform, comprising:
a second receiving module, configured to receive a message sent by a first physical machine, where the header of the message comprises first identification information of a source virtual machine and second identification information of a target virtual machine, and the payload of the message has been encrypted by a first virtual network card in the first physical machine with a built-in first key, the first key having been configured in advance by the virtual machine monitor for the first user to whom the source virtual machine belongs, and where the message is one that the first physical machine sent to the virtualization management platform after determining, from pre-stored user registration information, that the source virtual machine and the target virtual machine do not belong to the same user;
a processing module, configured to query pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to the second user to whom the target virtual machine belongs, to decrypt the payload of the message with the first key, and then to encrypt the decrypted payload with the second key;
a second sending module, configured to send the processed message, according to routing information queried from pre-stored data by the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine queries locally stored virtual machine user information by the second identification information and passes the message to a second virtual network card corresponding to the target virtual machine, so that the second virtual network card decrypts the message with its built-in second key and delivers it to the target virtual machine.
Another aspect of the present invention provides a communication system between virtual machines, comprising: the first physical machine described above, the virtualization management platform described above, and a target physical machine, where the target physical machine may be the first physical machine or another physical machine.
In the communication method, device and system between virtual machines provided by the embodiments of the present invention, a first physical machine receives, through a first virtual network card, a message sent by a source virtual machine belonging to a first user; the header of the message comprises the first identification information of the source virtual machine and the second identification information of the target virtual machine, and the payload has been encrypted by the first virtual network card with a built-in first key that the virtual machine monitor configured in advance for the first user. The first physical machine then queries pre-stored user registration information and, if it determines that the source and target virtual machines do not belong to the same user, sends the message to the virtualization management platform. The platform queries pre-stored user key information, decrypts the payload with the first key corresponding to the first user, re-encrypts the decrypted payload with the second key corresponding to the second user to whom the target virtual machine belongs, and sends the processed message, according to routing information looked up by the second identification information, to the target physical machine on which the target virtual machine is located. The target physical machine queries locally stored virtual machine user information by the second identification information and passes the message to the second virtual network card corresponding to the target virtual machine, which decrypts it with the built-in second key and delivers it to the target virtual machine. This achieves secure communication between virtual machines of different tenants and prevents the message from being attacked by malicious users.
Accompanying drawing explanation
Fig. 1 is a flow chart of a communication method between virtual machines provided by an embodiment of the present invention;
Fig. 2 is a flow chart of another communication method between virtual machines provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a first physical machine provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a virtualization management platform provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a communication system between virtual machines provided by an embodiment of the present invention.
Detailed description of the embodiments
Fig. 1 is a flow chart of the communication method between virtual machines provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 100: a first physical machine receives, through a first virtual network card, a message sent by a source virtual machine belonging to a first user, where the header of the message comprises first identification information of the source virtual machine and second identification information of a target virtual machine, and the payload of the message has been encrypted by the first virtual network card with a built-in first key, the first key having been configured in advance for the first user by the virtual machine monitor, and where the target virtual machine is not a virtual machine that is deployed on the first physical machine and belongs to the first user.
The first virtual network card is the virtual network card configured on the first physical machine for all virtual machines that the first user rents on the first physical machine. The identification information of all virtual machines deployed on the first physical machine and belonging to the first user is pre-stored on the first virtual network card, and the first virtual network card handles the communication between those virtual machines and other virtual machines.
Specifically, when a source virtual machine belonging to the first user on the first physical machine needs to communicate with a target virtual machine, it sends a message to the corresponding first virtual network card; the header of this message comprises the first identification information of the source virtual machine and the second identification information of the target virtual machine. After receiving the message from the source virtual machine, the first virtual network card uses the second identification information of the target virtual machine to query the pre-stored identification information of all virtual machines deployed on the first physical machine and belonging to the first user. If it determines that the second identification information of the target virtual machine is not included, the target virtual machine is not a virtual machine deployed on the first physical machine and belonging to the first user: it may be deployed on another physical machine and belong to the first user, or it may be deployed on the first physical machine or on another physical machine and belong to another user. In that case the first virtual network card encrypts the payload of the message with the built-in first key that the virtual machine monitor configured in advance for the first user, and sends the encrypted message to the first physical machine.
It should be noted that if, after receiving the message from the source virtual machine and querying the pre-stored identification information of all virtual machines deployed on the first physical machine and belonging to the first user, the first virtual network card determines that the second identification information of the target virtual machine is included, then the target virtual machine is also deployed on the first physical machine and belongs to the first user. The communication between the source and target virtual machines then does not cross physical machines and the risk of leakage is lower, so the first virtual network card forwards the message directly to the target virtual machine without encrypting it. This case is not the technical problem the present invention solves and is only described briefly here.
Step 101: the first physical machine queries pre-stored user registration information and, if it determines that the source virtual machine and the target virtual machine do not belong to the same user, sends the message to the virtualization management platform, so that the virtualization management platform queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to the second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, re-encrypts the decrypted payload with the second key, and sends the processed message, according to routing information queried from pre-stored data by the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine queries locally stored virtual machine user information by the second identification information and passes the message to a second virtual network card corresponding to the target virtual machine, so that the second virtual network card decrypts the message with its built-in second key and delivers it to the target virtual machine.
The first physical machine parses the message received through the first virtual network card to obtain the first identification information of the source virtual machine and the second identification information of the target virtual machine from the header, and then queries pre-stored user registration information. The user registration information comprises, for each user, the identification information of all virtual machines rented by that user and deployed on each physical machine. Each user registers this information in advance on a registration server; once registration is complete, the registration server sends the user registration information to every physical machine, so that each physical machine stores it locally.
If the first physical machine determines that the source virtual machine and the target virtual machine do not belong to the same user, it sends the message to the virtualization management platform. The virtualization management platform parses the message sent by the first physical machine to obtain the first identification information of the source virtual machine and the second identification information of the target virtual machine from the header, and queries pre-stored user key information, which comprises the key pre-configured by the virtual machine monitor for each user. From it the platform obtains the first key corresponding to the first user to whom the source virtual machine belongs and the second key corresponding to the second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, and then encrypts the decrypted payload with the second key. It then queries pre-stored routing information by the second identification information of the target virtual machine to learn the IP address of the target physical machine corresponding to that identification information, and sends the encrypted message to the target physical machine at that IP address.
When the target physical machine receives the encrypted message returned by the virtualization management platform, it queries locally stored virtual machine user information by the second identification information of the target virtual machine in the header and passes the message to the second virtual network card corresponding to the target virtual machine. The second virtual network card is the virtual network card configured on the target physical machine for all virtual machines rented by the second user on that machine; it has built in the second key that the virtual machine monitor configured in advance for the second user, and its function is the same as that of the first virtual network card in the step above, so it is not described again. When the second virtual network card receives the encrypted message from the target physical machine, it decrypts the message with the built-in second key and delivers the decrypted message to the target virtual machine. It should be noted that the target physical machine may be the first physical machine described above, i.e. the source and target virtual machines are both deployed on the first physical machine; or it may be a physical machine other than the first physical machine, for example a second physical machine, i.e. the source virtual machine is deployed on the first physical machine and the target virtual machine on the second physical machine.
In the communication method between virtual machines provided by this embodiment, the first physical machine receives, through the first virtual network card, a message sent by a source virtual machine belonging to the first user, whose header comprises the first identification information of the source virtual machine and the second identification information of the target virtual machine and whose payload has been encrypted by the first virtual network card with the built-in first key configured in advance for the first user by the virtual machine monitor. The first physical machine then queries pre-stored user registration information and, if the source and target virtual machines do not belong to the same user, sends the message to the virtualization management platform, which decrypts the payload with the first key corresponding to the first user, re-encrypts it with the second key corresponding to the second user to whom the target virtual machine belongs, and sends the processed message, according to routing information looked up by the second identification information, to the target physical machine on which the target virtual machine is located. The target physical machine queries locally stored virtual machine user information by the second identification information and passes the message to the second virtual network card corresponding to the target virtual machine, which decrypts it with the built-in second key and delivers it to the target virtual machine. This achieves secure communication between virtual machines of different tenants and prevents the message from being attacked by malicious users.
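The flow of Steps 100 and 101 above, as an added example that is not part of the patent: a Python simulation of the two virtual network cards, the two physical machines and the virtualization management platform. The patent specifies no cipher and no message format, so the HMAC-SHA256 keystream with an encrypt-then-MAC tag, the `src|dst` header encoding, the tenant and VM names, the IP addresses and the class and function names are all assumptions; the same-tenant, cross-host path, which the patent does not detail, is assumed to be forwarded directly to the target machine because that tenant's network card on the peer host holds the same key. The simulation makes one property of the design explicit that the text only implies: because the platform decrypts with the first key before re-encrypting with the second, it necessarily holds the plaintext of every cross-tenant message, so it must be trusted as much as the tenants' own network cards (`plaintext_seen` records this). It also shows that a message is rejected when opened with the other tenant's key or when its header has been altered.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# The patent names no cipher: this HMAC-SHA256 keystream plus an encrypt-then-MAC tag is an assumed stand-in for an AEAD.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, b"\x01" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def _tag(key: bytes, nonce: bytes, header: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"\x02" + nonce + len(header).to_bytes(2, "big") + header + ct, hashlib.sha256).digest()

def seal(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Encrypt the payload under a tenant key; the header (VM ids) stays in clear but is bound by the tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(payload, _stream(key, nonce, len(payload))))
    return nonce + ct + _tag(key, nonce, header, ct)

def unseal(key: bytes, header: bytes, blob: bytes) -> bytes:
    """Inverse of seal; raises ValueError on a wrong tenant key or an altered header/ciphertext."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, header, ct)):
        raise ValueError("authentication failed: wrong tenant key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def opens_with(key: bytes, header: bytes, blob: bytes) -> bool:
    try:
        return unseal(key, header, blob) is not None
    except ValueError:
        return False

@dataclass
class Message:
    src_vm: str      # first identification information (header, in clear)
    dst_vm: str      # second identification information (header, in clear)
    payload: bytes   # plaintext inside a VM, sealed blob on every other hop
    def header(self) -> bytes:
        return f"{self.src_vm}|{self.dst_vm}".encode()

class VirtualNic:
    """Per-tenant virtual network card on one host: built-in tenant key plus the ids of that tenant's local VMs."""
    def __init__(self, host, tenant: str, key: bytes, local_vms):
        self.host, self.tenant, self.key, self.local_vms = host, tenant, key, set(local_vms)

    def from_vm(self, msg: Message) -> Message:
        if msg.dst_vm in self.local_vms:   # same host, same tenant: the patent forwards this in clear
            return msg
        sealed = Message(msg.src_vm, msg.dst_vm, seal(self.key, msg.header(), msg.payload))
        return self.host.from_nic(sealed)  # Step 100: payload encrypted with the first key

    def to_vm(self, msg: Message) -> Message:
        return Message(msg.src_vm, msg.dst_vm, unseal(self.key, msg.header(), msg.payload))

class PhysicalMachine:
    def __init__(self, ip: str, registration: dict, platform):
        self.ip, self.platform, self.nics = ip, platform, {}
        self.registration = registration   # vm id -> owning user, pushed to every host by the registrar

    def from_nic(self, msg: Message) -> Message:
        if self.registration[msg.src_vm] != self.registration[msg.dst_vm]:
            return self.platform.relay(msg)   # Step 101: different users, go via the platform
        # Same user on another host is not detailed by the patent; assumed forwarded directly (same tenant key).
        return self.platform.routing[msg.dst_vm].from_network(msg)

    def from_network(self, msg: Message) -> Message:
        return self.nics[self.registration[msg.dst_vm]].to_vm(msg)   # local VM-user info -> second NIC

class ManagementPlatform:
    def __init__(self, user_keys: dict, registration: dict):
        self.user_keys, self.registration = user_keys, registration   # user -> key, set by the VMM
        self.routing = {}          # vm id -> target host (stands in for the target machine's IP address)
        self.plaintext_seen = []   # the platform holds every cross-tenant payload in clear at this point

    def relay(self, msg: Message) -> Message:
        k1 = self.user_keys[self.registration[msg.src_vm]]   # first key (source VM's user)
        k2 = self.user_keys[self.registration[msg.dst_vm]]   # second key (target VM's user)
        plain = unseal(k1, msg.header(), msg.payload)
        self.plaintext_seen.append(plain)
        resealed = Message(msg.src_vm, msg.dst_vm, seal(k2, msg.header(), plain))
        return self.routing[msg.dst_vm].from_network(resealed)

def build_demo():
    """Constructed deployment: alice owns vm-a1, vm-a2 (host1) and vm-a3 (host2); bob owns vm-b1 (host2)."""
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    reg = {"vm-a1": "alice", "vm-a2": "alice", "vm-a3": "alice", "vm-b1": "bob"}
    platform = ManagementPlatform(keys, reg)
    host1, host2 = PhysicalMachine("10.0.0.1", reg, platform), PhysicalMachine("10.0.0.2", reg, platform)
    host1.nics["alice"] = VirtualNic(host1, "alice", keys["alice"], {"vm-a1", "vm-a2"})
    host2.nics["alice"] = VirtualNic(host2, "alice", keys["alice"], {"vm-a3"})
    host2.nics["bob"] = VirtualNic(host2, "bob", keys["bob"], {"vm-b1"})
    platform.routing.update({"vm-a1": host1, "vm-a2": host1, "vm-a3": host2, "vm-b1": host2})
    return platform, host1, host2

def deliver(src_vm: str, dst_vm: str, payload: bytes):
    """Send from one of alice's VMs on host1; returns (message as delivered to dst_vm, platform)."""
    platform, host1, _ = build_demo()
    return host1.nics["alice"].from_vm(Message(src_vm, dst_vm, payload)), platform
```

`deliver("vm-a1", "vm-b1", b"hello bob")` returns the message as delivered to vm-b1 with its original payload, and `platform.plaintext_seen` holds the same bytes; `deliver("vm-a1", "vm-a2", ...)` never leaves the first virtual network card, and `deliver("vm-a1", "vm-a3", ...)` reaches host2 without the platform ever seeing plaintext. Opening a sealed payload with the other tenant's key, or with a header whose VM ids were changed, fails the tag check, which is the key isolation the patent relies on.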
Fig. 2 is a flow chart of another communication method between virtual machines provided by an embodiment of the present invention. As shown in Fig. 2, the method specifically comprises:
Step 200: a virtualization management platform receives a message sent by a first physical machine, where the header of the message comprises first identification information of a source virtual machine and second identification information of a target virtual machine, and the payload of the message has been encrypted by a first virtual network card in the first physical machine with a built-in first key, the first key having been configured in advance by the virtual machine monitor for the first user to whom the source virtual machine belongs, and where the message is one that the first physical machine sent to the virtualization management platform after determining, from pre-stored user registration information, that the source virtual machine and the target virtual machine do not belong to the same user.
Step 201: the virtualization management platform queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to the second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, and then encrypts the decrypted payload with the second key.
Step 202: the virtualization management platform sends the processed message, according to routing information queried from pre-stored data by the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine queries locally stored virtual machine user information by the second identification information and passes the message to a second virtual network card corresponding to the target virtual machine, so that the second virtual network card decrypts the message with its built-in second key and delivers it to the target virtual machine.
It should be noted that the target physical machine in this embodiment may be the first physical machine described above, i.e. the source and target virtual machines are both deployed on the first physical machine; or it may be a physical machine other than the first physical machine, for example a second physical machine, i.e. the source virtual machine is deployed on the first physical machine and the target virtual machine on the second physical machine.
For the specific processing of each step of the communication method between virtual machines provided by this embodiment, refer to the method embodiment shown in Fig. 1 above; the implementation principle and technical effect are similar and are not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by program instructions controlling the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disk.
Fig. 3 is a schematic structural diagram of the first physical machine provided by an embodiment of the present invention. As shown in Fig. 3, the first physical machine comprises a first receiving module 11 and a first sending module 12. The first receiving module 11 receives, through a first virtual network card, a message sent by a source virtual machine that belongs to a first user; the header of the message comprises first identification information of the source virtual machine and second identification information of a target virtual machine, and the payload of the message has been encrypted by the first virtual network card with a built-in first key, the first key having been configured in advance for the first user by the virtual machine monitor; the target virtual machine is not a virtual machine that is both deployed on the first physical machine and belongs to the first user. The first sending module 12 queries pre-stored user registration information and, if it determines that the source virtual machine and the target virtual machine do not belong to the same user, sends the message to the virtualization management platform, so that the virtualization management platform queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to the second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, re-encrypts the decrypted payload with the second key, and sends the processed message, according to routing information queried from pre-stored data by the second identification information, to the target physical machine on which the target virtual machine is located, so that
the target physical machine, according to locally stored virtual machine user information queried by the second identification information, delivers the message to a second virtual network card corresponding to the target virtual machine, and the second virtual network card decrypts the message with its built-in second key and sends it to the target virtual machine.
It should be noted that the target physical machine in this embodiment may be the first physical machine described above, in which case the source virtual machine and the target virtual machine are both deployed on the first physical machine; the target physical machine may also be another physical machine different from the first physical machine, such as a second physical machine, in which case the source virtual machine is deployed on the first physical machine and the target virtual machine is deployed on the second physical machine.
For the functions and processing flow of each module in the first physical machine provided by this embodiment, reference may be made to the method embodiment shown in Fig. 1 above; the implementation principle and technical effect are similar and are not repeated here.
Fig. 4 is a schematic structural diagram of the virtualization management platform provided by an embodiment of the present invention. As shown in Fig. 4, the virtualization management platform comprises a second receiving module 21, a processing module 22 and a second sending module 23. The second receiving module 21 receives a message sent by the first physical machine, wherein the header of the message comprises first identification information of the source virtual machine and second identification information of the target virtual machine, the payload of the message has been encrypted by the first virtual network card in the first physical machine with a built-in first key, the first key having been configured in advance by the virtual machine monitor for the first user to whom the source virtual machine belongs, and the message is one that the first physical machine sent to the virtualization management platform after determining, from pre-stored user registration information, that the source virtual machine and the target virtual machine do not belong to the same user. The processing module 22 queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to the second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key and then encrypts the decrypted payload with the second key. The second sending module 23 sends the processed message, according to routing information queried from pre-stored data by the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine, according to locally stored virtual machine user
information queried by the second identification information, delivers the message to the second virtual network card corresponding to the target virtual machine, and the second virtual network card decrypts the message with its built-in second key and sends it to the target virtual machine.
It should be noted that the target physical machine in this embodiment may be the first physical machine described above, in which case the source virtual machine and the target virtual machine are both deployed on the first physical machine; the target physical machine may also be another physical machine different from the first physical machine, such as a second physical machine, in which case the source virtual machine is deployed on the first physical machine and the target virtual machine is deployed on the second physical machine.
For the functions and processing flow of each module in the virtualization management platform provided by this embodiment, reference may be made to the method embodiment shown in Fig. 2 above; the implementation principle and technical effect are similar and are not repeated here.
Fig. 5 is a schematic structural diagram of the communication system between virtual machines provided by an embodiment of the present invention. As shown in Fig. 5, the system comprises a first physical machine 1, a virtualization management platform 2 and a target physical machine, where the first physical machine 1 and the virtualization management platform 2 are the first physical machine and the virtualization management platform provided in the above embodiments of the present invention. The target physical machine may be the first physical machine 1 described above, in which case the source virtual machine and the target virtual machine are both deployed on the first physical machine 1 (not shown); it may also be another physical machine different from the first physical machine, such as a second physical machine 3, in which case the source virtual machine is deployed on the first physical machine 1 and the target virtual machine is deployed on the second physical machine 3 (as shown in Fig. 5).
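The cross-tenant path described above (first virtual network card, first physical machine, virtualization management platform, second virtual network card), as an added Go example that is not part of the patent or of any product of the applicant. The VM names, owner tables and 16-byte demo keys are constructed, AES-GCM is assumed as the cipher, the routing hop to the target physical machine is omitted, and the message header is additionally bound as associated data, a hardening the patent does not specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Message struct {
	SrcVM, DstVM string // first and second identification information, carried in the clear
	Payload      []byte // nonce || AES-GCM ciphertext and tag
}

// Constructed sample tables standing in for the pre-stored user registration and user key information.
var (
	vmOwner = map[string]string{"vm-a1": "userA", "vm-a2": "userA", "vm-b1": "userB", "vm-b2": "userB"}
	userKey = map[string][]byte{"userA": []byte("userA-key-16byte"), "userB": []byte("userB-key-16byte")} // demo keys only
)

// aeadFor returns AES-GCM under the key of the user who owns vm; an unknown VM yields an empty key and fails here.
func aeadFor(vm string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(userKey[vmOwner[vm]])
	if err != nil {
		return nil, fmt.Errorf("no usable key for the owner of %s: %w", vm, err)
	}
	return cipher.NewGCM(block)
}

// seal encrypts under keyVM's owner key, binding the header as associated data (an addition beyond the patent).
func seal(keyVM, src, dst string, plain []byte) ([]byte, error) {
	g, err := aeadFor(keyVM)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plain, []byte(src+"|"+dst)), nil
}

// open reverses seal; it fails if the key, nonce, ciphertext or header differ from what was sealed.
func open(keyVM, src, dst string, ct []byte) ([]byte, error) {
	g, err := aeadFor(keyVM)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("cannot open %s->%s (key error: %v, payload length %d)", src, dst, err, len(ct))
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(src+"|"+dst))
}

// sourceVNIC: the first virtual network card encrypts with the first user's built-in key.
func sourceVNIC(src, dst string, plain []byte) (Message, error) {
	ct, err := seal(src, src, dst, plain)
	return Message{src, dst, ct}, err
}

// firstPhysicalMachine: by the registration table, same-user traffic passes as is, cross-user goes to the platform.
func firstPhysicalMachine(m Message) (Message, error) {
	if vmOwner[m.SrcVM] == vmOwner[m.DstVM] {
		return m, nil
	}
	return managementPlatform(m)
}

// managementPlatform decrypts under the first user's key and re-encrypts under the second user's key.
func managementPlatform(m Message) (Message, error) {
	plain, err := open(m.SrcVM, m.SrcVM, m.DstVM, m.Payload)
	if err != nil {
		return Message{}, fmt.Errorf("dropping %s->%s: %w", m.SrcVM, m.DstVM, err)
	}
	ct, err := seal(m.DstVM, m.SrcVM, m.DstVM, plain)
	return Message{m.SrcVM, m.DstVM, ct}, err
}

// targetVNIC: the second virtual network card decrypts with its built-in (second user's) key.
func targetVNIC(m Message) ([]byte, error) {
	return open(m.DstVM, m.SrcVM, m.DstVM, m.Payload)
}
```

The platform is the one component that handles plaintext, so it holds every tenant's key; a tenant's own key never opens another tenant's traffic.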
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. A communication method between virtual machines, characterized by comprising:
a first physical machine receiving, through a first virtual network card, a message sent by a source virtual machine that belongs to a first user, wherein the header of the message comprises first identification information of the source virtual machine and second identification information of a target virtual machine, the payload of the message is encrypted by the first virtual network card using a built-in first key, the first key is configured in advance for the first user by a virtual machine monitor, and the target virtual machine is not a virtual machine that is both deployed on the first physical machine and belongs to the first user;
the first physical machine querying pre-stored user registration information and, if it determines that the source virtual machine and the target virtual machine do not belong to the same user, sending the message to a virtualization management platform, so that the virtualization management platform queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to a second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, re-encrypts the decrypted payload with the second key, and sends the processed message, according to routing information obtained by querying pre-stored data with the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine, according to locally stored virtual machine user information queried with the second identification information, delivers the message to a second virtual network card corresponding to the target virtual machine, and the second virtual network card decrypts the message with its built-in second key and sends it to the target virtual machine.
2. The communication method between virtual machines according to claim 1, characterized in that the target physical machine comprises the first physical machine and other physical machines.
3. A communication method between virtual machines, characterized by comprising:
a virtualization management platform receiving a message sent by a first physical machine, wherein the header of the message comprises first identification information of a source virtual machine and second identification information of a target virtual machine, the payload of the message is encrypted by a first virtual network card in the first physical machine using a built-in first key, the first key is configured in advance by a virtual machine monitor for a first user to whom the source virtual machine belongs, and the message is one that the first physical machine sent to the virtualization management platform after determining, from pre-stored user registration information, that the source virtual machine and the target virtual machine do not belong to the same user;
the virtualization management platform querying pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to a second user to whom the target virtual machine belongs, decrypting the payload of the message with the first key, and then encrypting the decrypted payload with the second key;
the virtualization management platform sending the processed message, according to routing information obtained by querying pre-stored data with the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine, according to locally stored virtual machine user information queried with the second identification information, delivers the message to a second virtual network card corresponding to the target virtual machine, and the second virtual network card decrypts the message with its built-in second key and sends it to the target virtual machine.
4. The communication method between virtual machines according to claim 3, characterized in that the target physical machine comprises the first physical machine and other physical machines.
5. A first physical machine, characterized by comprising:
a first receiving module, for receiving, through a first virtual network card, a message sent by a source virtual machine that belongs to a first user, wherein the header of the message comprises first identification information of the source virtual machine and second identification information of a target virtual machine, the payload of the message is encrypted by the first virtual network card using a built-in first key, the first key is configured in advance for the first user by a virtual machine monitor, and the target virtual machine is not a virtual machine that is both deployed on the first physical machine and belongs to the first user;
a first sending module, for querying pre-stored user registration information and, if it determines that the source virtual machine and the target virtual machine do not belong to the same user, sending the message to a virtualization management platform, so that the virtualization management platform queries pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to a second user to whom the target virtual machine belongs, decrypts the payload of the message with the first key, re-encrypts the decrypted payload with the second key, and sends the processed message, according to routing information obtained by querying pre-stored data with the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine, according to locally stored virtual machine user information queried with the second identification information, delivers the message to a second virtual network card corresponding to the target virtual machine, and the second virtual network card decrypts the message with its built-in second key and sends it to the target virtual machine.
6. A virtualization management platform, characterized by comprising:
a second receiving module, for receiving a message sent by a first physical machine, wherein the header of the message comprises first identification information of a source virtual machine and second identification information of a target virtual machine, the payload of the message is encrypted by a first virtual network card in the first physical machine using a built-in first key, the first key is configured in advance by a virtual machine monitor for a first user to whom the source virtual machine belongs, and the message is one that the first physical machine sent to the virtualization management platform after determining, from pre-stored user registration information, that the source virtual machine and the target virtual machine do not belong to the same user;
a processing module, for querying pre-stored user key information to obtain the first key corresponding to the first user and a second key corresponding to a second user to whom the target virtual machine belongs, decrypting the payload of the message with the first key, and then encrypting the decrypted payload with the second key;
a second sending module, for sending the processed message, according to routing information obtained by querying pre-stored data with the second identification information, to the target physical machine on which the target virtual machine is located, so that the target physical machine, according to locally stored virtual machine user information queried with the second identification information, delivers the message to a second virtual network card corresponding to the target virtual machine, and the second virtual network card decrypts the message with its built-in second key and sends it to the target virtual machine.
7. A communication system between virtual machines, characterized by comprising: the first physical machine according to claim 5, the virtualization management platform according to claim 6, and a target physical machine, wherein the target physical machine comprises the first physical machine and other physical machines.
CN201310535533.5A 2013-11-01 2013-11-01 Communication method, equipment and system between virtual machines Active CN103532985B (en)
Publications (2)

Publication Number Publication Date
CN103532985A true CN103532985A (en) 2014-01-22
CN103532985B CN103532985B (en) 2016-08-24



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant