CN103747036B - Trusted security enhancement method in desktop virtualization environment - Google Patents


Publication number: CN103747036B
Authority: CN (China)
Prior art keywords: virtual machine, tcm, credible, user terminal, measurement
Legal status: Active
Application number: CN201310716776.9A
Other languages: Chinese (zh)
Other versions: CN103747036A (en)
Inventors: 周炼赤, 陈志浩, 段翼真, 王斌, 李红, 郭丽娜
Current Assignee: 706th Institute Of No2 Research Institute Casic
Original Assignee: 706th Institute Of No2 Research Institute Casic

Abstract

The invention relates to a trusted security enhancement method in a desktop virtualization environment. The method comprises the following steps: a thin client and a server are started, and each automatically performs trusted measurement and trust chain transfer from the bottom-layer hardware to the upper-layer application software; trusted access of the thin client and two-way remote attestation of the platforms are carried out; and after access authentication succeeds, the remote desktop connection software is started and the thin client obtains the desktop of a server virtual machine and accesses and operates it. The invention fully considers the integrity and confidentiality principles of the terminal platform and of communication transmission in the desktop virtualization environment, and makes combined use of trust chain transfer based on a physical root of trust, trusted BIOS measurement, trusted platform access and remote attestation. It thereby overcomes the shortcomings of traditional desktop virtualization security measures, effectively reduces the management difficulty of the virtual data center and improves its security.

Description

Trusted security enhancement method in a desktop virtualization environment
Technical field
The invention belongs to the technical field of network security, and in particular relates to a trusted security enhancement method in a desktop virtualization environment.
Background
In recent years, desktop virtualization, which pairs server-based computing with thin clients, has changed the traditional distributed-computing usage model of the PC. The desktop or client operating system is separated from the underlying physical hardware, which allows more flexible use. User-centric desktop virtualization configures and manages users rather than devices, which effectively improves the efficiency of deploying and managing user desktop environments.
However, while desktop virtualization brings convenience to people's life and work, it also exposes many security risks. Faced with the new security challenges that virtualization itself introduces, traditional security mechanisms and policies struggle to reach their intended defensive goals and cannot effectively block unauthorized access and intrusion by attackers.
In the field of trusted security protection for virtualization, the patent with application number 200580041663.7 discloses a method and system for establishing a connection between a data server and a middleware server. To secure the connection, it defines multiple trust attributes related to the trust context between the middleware server and the database server, and establishes a secure connection by matching the trust attributes. Although this method provides some connection security on the transmission link, it lacks platform authentication and integrity authentication of the two connecting parties, so it is difficult to guarantee end-to-end security of the data transfer. The patent with application number 200580020738.3 discloses a method for providing secure virtualization of a trusted platform module: a virtual TPM is created in a processing system that contains a physical TPM (Trusted Platform Module); the virtual TPM service can store the key for the virtual TPM in the physical TPM, and can use the virtual TPM to provide emulated physical TPM features. Although this method strengthens the security and integrity of the virtualization platform itself, it targets only a single device and cannot be applied to the front-end and back-end data transfer requirements of a desktop virtualization environment, so its applicability is limited.
In summary, from the perspective of end-to-end information transfer, current desktop virtualization still has the following security problems:
Trusted boot of servers and terminal devices: conventional security measures cannot verify the integrity of each component during device startup. If any one of the hardware, firmware, virtual machine monitor, operating system or application programs is tampered with, the security of the whole platform is directly threatened. In particular, when the virtual machine monitor is tampered with or hijacked, its very high privilege means that the security model of the entire virtual machine architecture can be broken, and the security measures inside the virtual machines all fail as well.
Network access security and platform authentication: the diversity of the ways in which user terminals access the network increases the likelihood that end-to-end communication is maliciously forged, stolen or tampered with. At the same time, the heterogeneity of access networks and user terminals, the virtualization of the data center, and the multiplexing and sharing of storage space reduce the ability to audit user behavior.
Summary of the invention
To solve the above problems, the invention proposes a trusted security enhancement method in a desktop virtualization environment. Because a thin client relies on the server's processing capability for data access and application processing, this usage model mitigates, to some extent, the risk to sensitive data resources on the terminal and provides safer remote application and data access.
To achieve this, the invention adopts the following technical solution.
According to the application model of desktop virtualization, the desktop virtualization infrastructure is divided into two parts: the front-end thin client and the back-end data center. The front-end thin client connects to virtual machines deployed on data center servers and is used for remote desktop display, normal office work and other business access. The back-end data center takes the form of servers; it provides users with virtual machine resources, memory resources, storage resources and so on, and exposes certain security protection interfaces. The architecture of the invention is shown in Fig. 1 and consists mainly of three parts: trusted boot of the front-end thin client, trusted boot of the back-end server, and trusted platform access authentication. A trusted cryptography module (Trusted Cryptography Module, TCM) is embedded in the thin client, and methods from the trusted-computing framework such as integrity measurement and trust transfer are used to make the user terminal itself secure and trustworthy. Trusted access and remote attestation are used to solve access authentication of remote terminals, and the encryption functions of the trusted hardware module protect the transmitted data. By building a trusted server and introducing a virtual trusted cryptography module (vTCM), secure access by trusted user terminals is achieved and the ability of the desktop virtualization environment to actively defend against malicious attacks is improved.
A trusted security enhancement method in a desktop virtualization environment comprises the following steps:
Step 1: Start the thin client and the server; each automatically performs trusted measurement and trust transfer from the underlying hardware up to the upper-layer application software.
The purpose of trusted measurement and trust transfer is to ensure the security of the platform itself.
Step 2: Perform trusted access of the thin client and two-way remote attestation of the platforms.
The purpose of this step is to ensure the integrity of both the challenger and the attesting party.
Step 3: After access authentication succeeds, start the remote desktop connection software; the thin client obtains the desktop of the server virtual machine and accesses and operates it.
The invention fully considers the integrity and confidentiality principles of the terminal platform and of communication transmission in a desktop virtualization environment, and makes combined use of trust transfer based on a physical root of trust, trusted BIOS measurement, trusted platform access and remote attestation. It makes up for the shortcomings of conventional desktop virtualization security measures, effectively reduces the management difficulty of the virtual data center and improves its security. Compared with the prior art, the invention has the following advantages:
(1) trusted measurement and trust transfer on the thin client and the server improve the security of the platform itself;
(2) a trusted secure virtual machine platform is built with the virtual TCM, so that guest virtual machines can share the security functions and attributes of the physical TCM;
(3) trusted access authentication provides a way for platforms to prove their integrity to each other, which combines effectively with the platforms' own security to further ensure end-to-end transmission security.
Brief description of the drawings
Fig. 1 is a schematic diagram of the architecture of the invention;
Fig. 2 is the main flow chart of the method of the invention;
Fig. 3 is the flow chart of the trusted boot of the thin client;
Fig. 4 is the flow chart of the trusted boot of the server;
Fig. 5 is the flow chart of trusted access and remote platform attestation.
Detailed description
The invention is further described below with reference to the drawings and an embodiment.
The main flow chart of the method of the invention is shown in Fig. 2 and comprises the following steps:
Step 1: The thin client and the server perform trusted boot.
The trusted cryptography module TCM is selected as the root of trust of the whole platform and provides it with the most basic trusted-computing services. Using the TCM as the root of trust solves the problem in trust-transfer mechanisms that the BIOS can be illegally tampered with, so that the trustworthiness of the root of trust cannot be guaranteed. The trusted boot flow of the thin client is shown in Fig. 3, and the method is as follows:
(1) Under the chain-of-trust mechanism, control is passed to the TCM first after the system powers on. The TCM measures the integrity of the BIOS and stores the measured value in a TCM register. The TCM then compares this measured value with the stored original BIOS measurement value. If they match, the TCM transfers control to the BIOS; if they do not match, the BIOS is restored and measured again until the measurement succeeds.
(2) The BIOS measures the integrity of the hardware and the operating system loader and stores the measured value in a TCM register. The TCM compares this measured value with the stored original measurement value of the hardware and operating system loader. If they match, the TCM transfers control to the operating system loader; if they do not match, system startup is halted.
(3) The operating system loader measures the integrity of the operating system and stores the measured value in a TCM register. The TCM compares this measured value with the stored original measurement value of the operating system. If they match, the TCM transfers control to the operating system; if they do not match, the operating system is restored and measured again until the measurement succeeds.
(4) The operating system measures the integrity of the critical application software and stores the measured value in a TCM register. The TCM compares this measured value with the stored original measurement value of the critical application software. If they match, the TCM transfers control to the critical application software; if they do not match, the critical application software is restored and measured again until the measurement succeeds.
In a virtualized environment, trust chain transfer has new characteristics and is more complex. On top of the thin client trusted boot described above, a trust mechanism for the virtual domain is added and a virtual TCM module (vTCM) is introduced. The trusted boot flow of the server is shown in Fig. 4, and the method is as follows:
(1) After the server powers on, the TCM chip starts first as the root of trust and performs an integrity measurement of the trusted BIOS. The resulting hash value is stored in a register of the TCM chip and compared with the original BIOS hash value held in the secure storage area of the TCM chip. If they match, the TCM passes control to the trusted BIOS and the system loads the BIOS and starts; if they do not match, the trusted BIOS is restored and measured again until the measurement succeeds.
(2) After the trusted BIOS obtains control, it performs an integrity measurement of the platform's key hardware information and the operating system loader. The resulting hash value is stored in a register of the TCM chip and compared with the original hash value of the key hardware and operating system loader held in the secure storage area of the TCM chip. If they match, the key hardware information and the operating system loader are considered trusted and control is handed to the operating system loader; if they do not match, system startup is halted.
(3) After the operating system loader obtains control, it performs an integrity measurement of the image file and critical data of the virtual machine monitor. The resulting hash value is stored in a register of the TCM chip and compared with the hash value of the virtual machine monitor image file and critical data held in the secure storage area of the TCM chip. If they match, the virtual machine monitor image file and critical data are considered trusted, control is handed to the virtual machine monitor and the virtual machine monitor starts; if they do not match, the virtual machine monitor and critical data are restored and measured again until the measurement succeeds.
(4) After the virtual machine monitor obtains control, it first calls the authentication module to authenticate the current user based on a USBKey and identify the user's permissions, and then calls the permission control module to perform permission control; the communication control module controls communication according to the permissions. It also performs an integrity measurement of the image file and critical data of the management virtual machine. The resulting hash value is stored in a register of the TCM chip and compared with the hash value of the management virtual machine image file held in the secure storage area of the TCM chip. If they match, the management virtual machine image file is considered trusted, control is handed to the management virtual machine and the management virtual machine starts; if they do not match, the management virtual machine is restored and measured again until the measurement succeeds.
(5) Before the management virtual machine lets a guest virtual machine start, the management virtual machine performs an integrity measurement of the guest virtual machine. The resulting hash value is stored in a register of the vTCM and compared with the original hash value of the guest virtual machine held in the secure storage area of the vTCM. If they match, the guest virtual machine is considered trusted, control is handed to the guest virtual machine and the guest virtual machine starts; if they do not match, the guest virtual machine is restored and measured again until the measurement succeeds.
(6) After the guest virtual machine has started, when the virtual domain runs application software, the guest virtual machine operating system measures the integrity of the application software. The measured value is stored in a register of the vTCM and compared with the original hash value of the application software held in the secure storage area of the vTCM. If they match, the application software is considered trusted and control is handed to the application software process; if they do not match, the application software is restored and measured again until the measurement succeeds.
At this point, through steps (1) to (6) above and on the basis of the interaction between the TCM chip and the platform, the trust relationship of the trusted secure virtual machine platform has been established and passed on level by level. Only when a lower-level component has verified that the next-higher component is trusted can it pass the trusted state on to that component. Based on this trust chain transfer mechanism, the trusted secure virtual machine extends the trustworthiness of the root of trust to the virtual computing environment of the platform.
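The server boot chain in (1) to (6) above, modeled as an added Python example (not code from the patent). SHA-256 stands in for the TCM hash algorithm; the extend-style register, the bounded recovery count and all names (`TrustModule`, `SERVER_CHAIN`, `trusted_boot`) are assumptions, and the USBKey user authentication in (4) is left out.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# (component, module holding its reference value, action on mismatch), per steps (1)-(6).
SERVER_CHAIN = [
    ("bios", "tcm", "recover"),
    ("hw+os_loader", "tcm", "halt"),
    ("vmm", "tcm", "recover"),
    ("mgmt_vm", "tcm", "recover"),
    ("guest_vm", "vtcm", "recover"),
    ("application", "vtcm", "recover"),
]


def measure(image: bytes) -> bytes:
    """Integrity measurement of a component image (SHA-256 is a stand-in hash)."""
    return hashlib.sha256(image).digest()


@dataclass
class TrustModule:
    """Hypothetical model of a TCM or vTCM: registers plus protected reference hashes."""
    name: str
    references: dict = field(default_factory=dict)
    registers: dict = field(default_factory=dict)

    def record(self, component: str, digest: bytes) -> None:
        # Assumption: registers are extended, new = H(old || digest), so a failed
        # measurement stays visible even after the component is recovered.
        old = self.registers.get(component, b"\x00" * 32)
        self.registers[component] = hashlib.sha256(old + digest).digest()

    def matches(self, component: str, digest: bytes) -> bool:
        return hmac.compare_digest(self.references[component], digest)


def provision(golden: dict) -> dict:
    """Load reference hashes of the known-good images into the TCM and vTCM."""
    modules = {"tcm": TrustModule("tcm"), "vtcm": TrustModule("vtcm")}
    for component, module_name, _ in SERVER_CHAIN:
        modules[module_name].references[component] = measure(golden[component])
    return modules


def trusted_boot(images: dict, golden: dict, modules: dict, max_recoveries: int = 1):
    """Walk the chain; return (booted, log). Control moves on only after a match."""
    log = []
    for component, module_name, on_mismatch in SERVER_CHAIN:
        module = modules[module_name]
        recoveries = 0
        while True:
            digest = measure(images[component])
            module.record(component, digest)
            if module.matches(component, digest):
                log.append((component, "recovered" if recoveries else "ok"))
                break
            if on_mismatch == "halt" or recoveries >= max_recoveries:
                log.append((component, "halted"))
                return False, log
            images[component] = golden[component]  # restore the known-good copy
            recoveries += 1
    return True, log


def run_scenario(tampered: str = None):
    """Boot constructed sample images, optionally with one component modified."""
    golden = {c: f"constructed {c} image".encode() for c, _, _ in SERVER_CHAIN}
    images = dict(golden)
    if tampered:
        images[tampered] = golden[tampered] + b" + unauthorized change"
    modules = provision(golden)
    booted, log = trusted_boot(images, golden, modules)
    return booted, log, modules


if __name__ == "__main__":
    for case in (None, "vmm", "hw+os_loader"):
        booted, log, _ = run_scenario(case)
        print(case, booted, log)
```

With the extend-style register assumed here, the `vmm` case boots after recovery but leaves a register value that differs from a clean boot, so the failed measurement remains detectable afterwards.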
Step 2: The thin client and the server perform trusted access and remote platform attestation.
Trusted access control mainly addresses the trusted access of terminal devices in a network environment. Before a terminal device joins the network, it must be checked against the network's access policy, for example whether the user identity is legitimate, whether the platform state is secure, and whether the platform has integrity. Suspicious or problematic terminal devices are isolated or have their network access scope limited until they have been corrected or appropriate security measures have been taken. The access process is shown in Fig. 5, and the method is as follows:
(1) Perform platform identity authentication.
The user terminal sends a network access request message, asking the management virtual machine to start authentication;
After the management virtual machine receives the authentication request, it sends a response message to the user terminal, announcing the start of the handshake;
The user terminal starts the session process and sends the management virtual machine the client session ID, the secure transfer protocol version number, the compression algorithm, the cipher suite and an initial random number;
After the management virtual machine receives the session message, it requests authentication from the user terminal and sends information such as the management virtual machine certificate and a certificate request;
The user terminal performs platform identity authentication of the management virtual machine. If authentication succeeds, the client sends an acknowledgement frame confirming the response to the management virtual machine; if an exception occurs during authentication and it fails, the user terminal sends an alert message to the management virtual machine stating the reason for the authentication failure;
After receiving the above response, the management virtual machine authenticates the platform identity of the user terminal. If authentication fails, the management virtual machine sends an alert message to the user terminal, and this alert message contains the error type of the authentication failure; if authentication succeeds, it sends a handshake-complete message to the user terminal and user identity authentication begins.
(2) Perform platform integrity authentication.
Once platform identity authentication has succeeded, the user terminal and the management virtual machine establish a handshake connection again, which serves as the platform integrity authentication channel;
The management virtual machine sends the user terminal the list of items to be integrity-measured;
The user terminal responds, sending the management virtual machine the integrity measurement information required by the integrity measurement list together with signature information;
After receiving the response packet, the management virtual machine verifies the integrity information of the user terminal and, once verification passes, sends the user terminal a verification-success message;
After the user terminal receives the success message, it sends the management virtual machine the list of items to be integrity-measured;
The management virtual machine responds, sending the user terminal the integrity measurement information required by the integrity measurement list together with signature information;
After receiving the response packet, the user terminal verifies the integrity information of the management virtual machine and, once verification passes, sends the management virtual machine a verification-success message.
(3) Perform virtual machine integrity authentication.
After platform integrity authentication succeeds, the user terminal sends a remote desktop connection request to the guest virtual machine, and the two sides establish a handshake connection;
The user terminal initiates an integrity verification request to the guest virtual machine and, via the management virtual machine, sends the guest virtual machine the list of items to be integrity-measured;
The management virtual machine verifies the integrity of the guest virtual machine and, on success, sends the user terminal the integrity measurement information required by the integrity measurement list together with signature information;
After receiving it, the user terminal confirms it, establishes secure communication with the guest virtual machine and performs remote desktop connection operations.
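The two-way platform integrity authentication in (2) above, as an added Python example that is not part of the patent. Binding each signature to a fresh verifier nonce is an assumption added here to show replay rejection; HMAC with a pre-shared key stands in for the TCM signature and certificate check so the block runs on the standard library; all names and sample images are constructed.

```python
import hashlib
import hmac
import json
import os


def sign(key: bytes, platform: str, nonce: bytes, measurements: dict) -> str:
    """Stand-in for the TCM signature: HMAC over a canonical encoding of the response."""
    body = json.dumps([platform, nonce.hex(), sorted(measurements.items())]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Platform:
    """Hypothetical attesting party (user terminal or management virtual machine)."""

    def __init__(self, name: str, components: dict, key: bytes):
        self.name, self.components, self._key = name, components, key

    def respond(self, items: list, nonce: bytes) -> dict:
        """Measure the requested items and sign them together with the nonce."""
        measurements = {i: hashlib.sha256(self.components[i]).hexdigest() for i in items}
        return {"platform": self.name, "measurements": measurements,
                "signature": sign(self._key, self.name, nonce, measurements)}


def verify(response: dict, items: list, nonce: bytes, key: bytes, reference: dict) -> str:
    """Check signature, nonce binding, item coverage and every measurement."""
    expected = sign(key, response["platform"], nonce, response["measurements"])
    if not hmac.compare_digest(expected, response["signature"]):
        return "bad signature"
    if set(response["measurements"]) != set(items):
        return "item list mismatch"
    for item in items:
        if response["measurements"][item] != reference[item]:
            return f"integrity failure: {item}"
    return "ok"


def mutual_attestation(terminal, mgmt_vm, keys, references, item_lists) -> str:
    """The management VM verifies the terminal first, then the roles swap."""
    for verifier, prover in ((mgmt_vm, terminal), (terminal, mgmt_vm)):
        nonce = os.urandom(16)  # fresh per challenge, so an old response cannot be reused
        items = item_lists[prover.name]
        response = prover.respond(items, nonce)
        result = verify(response, items, nonce, keys[prover.name], references[prover.name])
        if result != "ok":
            return f"{verifier.name} rejected {prover.name}: {result}"
    return "ok"


def demo_platforms(tamper=None):
    """Constructed sample data; tamper=(platform, item) modifies one image after enrollment."""
    images = {
        "user-terminal": {"bios": b"terminal bios", "os": b"terminal os", "rdp-client": b"client"},
        "mgmt-vm": {"vmm": b"vmm image", "mgmt-image": b"management vm image"},
    }
    references = {p: {c: hashlib.sha256(img).hexdigest() for c, img in comps.items()}
                  for p, comps in images.items()}
    keys = {p: hashlib.sha256(b"constructed key for " + p.encode()).digest() for p in images}
    item_lists = {p: list(comps) for p, comps in images.items()}
    if tamper:
        platform, item = tamper
        images[platform][item] += b" (modified)"
    terminal = Platform("user-terminal", images["user-terminal"], keys["user-terminal"])
    mgmt_vm = Platform("mgmt-vm", images["mgmt-vm"], keys["mgmt-vm"])
    return terminal, mgmt_vm, keys, references, item_lists


if __name__ == "__main__":
    print(mutual_attestation(*demo_platforms()))
    print(mutual_attestation(*demo_platforms(tamper=("user-terminal", "os"))))
```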
Step 3: After trusted access authentication succeeds, the user terminal starts the remote desktop connection software and is authenticated by the guest virtual machine using the USBKey and the user name and password. After authentication succeeds, the user logs in to the guest virtual machine, which completes the thin client's remote access to the virtual data center, and routine office work and related business access can begin.

Claims (4)

1. A trusted security enhancement method in a desktop virtualization environment, characterized in that it comprises the following steps:
Step 1: Start the thin client and the server; each automatically performs trusted measurement and trust transfer from the underlying hardware up to the upper-layer application software;
The trusted boot method of the thin client is as follows:
(1) under the chain-of-trust mechanism, control is passed first to the trusted cryptography module, i.e. the TCM, after the system powers on; the TCM measures the integrity of the BIOS and stores the measured value in a TCM register; the TCM compares this measured value with the stored original BIOS measurement value; if they match, the TCM transfers control to the BIOS; if they do not match, the BIOS is restored and measured again until the measurement succeeds;
(2) the BIOS measures the integrity of the hardware and the operating system loader and stores the measured value in a TCM register; the TCM compares this measured value with the stored original measurement value of the hardware and operating system loader; if they match, the TCM transfers control to the operating system loader; if they do not match, system startup is halted;
(3) the operating system loader measures the integrity of the operating system and stores the measured value in a TCM register; the TCM compares this measured value with the stored original measurement value of the operating system; if they match, the TCM transfers control to the operating system; if they do not match, the operating system is restored and measured again until the measurement succeeds;
(4) the operating system measures the integrity of the critical application software and stores the measured value in a TCM register; the TCM compares this measured value with the stored original measurement value of the critical application software; if they match, the TCM transfers control to the critical application software; if they do not match, the critical application software is restored and measured again until the measurement succeeds;
The trusted boot method of the server is as follows:
(1) after the server powers on, the TCM chip starts first as the root of trust and performs an integrity measurement of the trusted BIOS; the resulting hash value is stored in a register of the TCM chip and compared with the original BIOS hash value held in the secure storage area of the TCM chip; if they match, the TCM passes control to the trusted BIOS and the system loads the BIOS and starts; if they do not match, the trusted BIOS is restored and measured again until the measurement succeeds;
(2) after the trusted BIOS obtains control, it performs an integrity measurement of the platform's key hardware information and the operating system loader; the resulting hash value is stored in a register of the TCM chip and compared with the original hash value of the key hardware information and operating system loader held in the secure storage area of the TCM chip; if they match, the key hardware information and the operating system loader are considered trusted and control is handed to the operating system loader; if they do not match, system startup is halted;
(3) after the operating system loader obtains control, it performs an integrity measurement of the image file and critical data of the virtual machine monitor; the resulting hash value is stored in a register of the TCM chip and compared with the hash value of the virtual machine monitor image file and critical data held in the secure storage area of the TCM chip; if they match, the virtual machine monitor image file and critical data are considered trusted, control is handed to the virtual machine monitor and the virtual machine monitor starts; if they do not match, the virtual machine monitor and critical data are restored and measured again until the measurement succeeds;
(4) after the virtual machine monitor obtains control, it first calls the authentication module to authenticate the current user based on a USBKey and identify the user's permissions, and then calls the permission control module to perform permission control; the communication control module controls communication according to the permissions; it also performs an integrity measurement of the image file and critical data of the management virtual machine; the resulting hash value is stored in a register of the TCM chip and compared with the hash value of the management virtual machine image file held in the secure storage area of the TCM chip; if they match, the management virtual machine image file is considered trusted, control is handed to the management virtual machine and the management virtual machine starts; if they do not match, the management virtual machine is restored and measured again until the measurement succeeds;
(5) before the management virtual machine lets a guest virtual machine start, the management virtual machine performs an integrity measurement of the guest virtual machine; the resulting hash value is stored in a register of the virtual trusted cryptography module, i.e. the vTCM, and compared with the original hash value of the guest virtual machine held in the secure storage area of the vTCM; if they match, the guest virtual machine is considered trusted, control is handed to the guest virtual machine and the guest virtual machine starts; if they do not match, the guest virtual machine is restored and measured again until the measurement succeeds;
(6) after the guest virtual machine has started, when the virtual domain runs application software, the guest virtual machine operating system measures the integrity of the application software; the measured value is stored in a register of the vTCM and compared with the original hash value of the application software held in the secure storage area of the vTCM; if they match, the application software is considered trusted and control is handed to the application software process; if they do not match, the application software is restored and measured again until the measurement succeeds;
Step 2: Perform trusted access of the thin client and two-way remote attestation of the platforms, as follows:
(1) perform platform identity authentication;
(2) perform platform integrity authentication;
(3) perform virtual machine integrity authentication;
Step 3: After access authentication succeeds, start the remote desktop connection software; the thin client obtains the desktop of the server virtual machine and accesses and operates it.
2. The trusted security enhancement method in a desktop virtualization environment according to claim 1, characterized in that the platform identity authentication of step 2 is performed as follows:
the user terminal sends a network access request message, asking the management virtual machine to start authentication;
after the management virtual machine receives the authentication request, it sends a response message to the user terminal, announcing the start of the handshake;
the user terminal starts the session process and sends the management virtual machine the client session ID, the secure transfer protocol version number, the compression algorithm, the cipher suite and an initial random number;
after the management virtual machine receives the session message, it requests authentication from the user terminal and sends the management virtual machine certificate and certificate request information;
the user terminal performs platform identity authentication of the management virtual machine; if authentication succeeds, the client sends an acknowledgement frame confirming the response to the management virtual machine; if an exception occurs during authentication and it fails, the user terminal sends an alert message to the management virtual machine stating the reason for the authentication failure;
after receiving the above response, the management virtual machine authenticates the platform identity of the user terminal; if authentication fails, the management virtual machine sends an alert message to the user terminal, and this alert message contains the error type of the authentication failure; if authentication succeeds, it sends a handshake-complete message to the user terminal and user identity authentication begins.
3. The trusted security enhancement method in a desktop virtualization environment according to claim 1, characterized in that the platform integrity authentication in step 2 is carried out as follows:
On the basis of successful platform identity authentication, the user terminal and the management virtual machine establish a handshake connection again, to serve as the platform integrity authentication connection channel;
The management virtual machine sends the user terminal the list of items on which integrity measurement is to be performed;
The user terminal responds, sending the management virtual machine the integrity measurement information required by the integrity measurement item list, together with signature information;
After receiving the response packet, the management virtual machine verifies the user terminal's integrity information and, once verification passes, sends a verification success message to the user terminal;
After receiving the success message, the user terminal sends the management virtual machine the list of items on which integrity measurement is to be performed;
The management virtual machine responds, sending the user terminal the integrity measurement information required by the integrity measurement item list, together with signature information;
After receiving the response packet, the user terminal verifies the management virtual machine's integrity information and, once verification passes, sends a verification success message to the management virtual machine.
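The bidirectional exchange of claim 3, sketched as an added example that is not part of the patent text: each side answers an item list with measurements and signature information, and the peer checks them against reference values. HMAC-SHA256 with a per-platform key stands in for TCM signing, and the per-exchange challenge value, component names, keys and reference values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

def measure(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def sign(key: bytes, report: dict, challenge: bytes) -> str:
    # Assumption: HMAC-SHA256 with a per-platform key stands in for the TCM
    # signature; a real deployment would verify with the platform's public key.
    msg = challenge + json.dumps(report, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Platform:
    def __init__(self, name: str, key: bytes, components: dict):
        self.name, self.key, self.components = name, key, components

    def respond(self, item_list, challenge: bytes):
        """Return the measurements named in the item list plus signature information."""
        report = {i: measure(self.components.get(i, b"")) for i in item_list}
        return report, sign(self.key, report, challenge)

def verify(peer_key, item_list, challenge, report, signature, reference) -> bool:
    """Check coverage of the item list, the signature, then each reference value."""
    if set(report) != set(item_list):
        return False
    if not hmac.compare_digest(sign(peer_key, report, challenge), signature):
        return False
    return all(report[i] == reference.get(i) for i in item_list)

def mutual_attest(terminal, mgmt_vm, term_items, vm_items, refs, challenges) -> str:
    """Claim 3 order: the management VM verifies the terminal, then roles swap."""
    report, sig = terminal.respond(term_items, challenges[0])
    if not verify(terminal.key, term_items, challenges[0], report, sig, refs[terminal.name]):
        return "terminal rejected"
    report, sig = mgmt_vm.respond(vm_items, challenges[1])
    if not verify(mgmt_vm.key, vm_items, challenges[1], report, sig, refs[mgmt_vm.name]):
        return "management VM rejected"
    return "both verified"

# Constructed sample data (component names and contents are illustrative).
GOOD_TERMINAL = {"bios": b"bios-v1", "os_kernel": b"kernel-v1", "rdp_client": b"client-v1"}
GOOD_MGMT = {"hypervisor": b"vmm-v1", "mgmt_os": b"mgmt-v1"}
REFS = {"terminal": {k: measure(v) for k, v in GOOD_TERMINAL.items()},
        "mgmt_vm": {k: measure(v) for k, v in GOOD_MGMT.items()}}
```

Binding the signature to a fresh challenge means a captured response cannot be replayed into a later exchange, which the claim text leaves to the signature scheme.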
4. The trusted security enhancement method in a desktop virtualization environment according to claim 1, characterized in that the virtual machine integrity authentication in step 2 is carried out as follows:
After platform integrity authentication succeeds, the user terminal sends a remote desktop connection request to the guest virtual machine, and the two sides establish a handshake connection;
The user terminal initiates an integrity verification request to the guest virtual machine, sending, via the management virtual machine, the list of items on which integrity measurement of the guest virtual machine is to be performed;
The management virtual machine performs integrity verification on the guest virtual machine and, on success, sends the user terminal the integrity measurement information required by the integrity measurement list, together with signature information;
After receiving it, the user terminal confirms, establishes secure communication with the guest virtual machine, and carries out remote desktop connection operations.