CN104717235A - Virtual machine resource detection method - Google Patents
Publication number: CN104717235A (application CN201310674591.6A; granted as CN104717235B)
Authority: CN (China)
Legal status: Granted
Classifications
- H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols; H04L67/10 Protocols in which an application is distributed across nodes in the network)
- H04L43/0876: Network utilisation, e.g. volume of load or congestion level (H04L43/00 Arrangements for monitoring or testing data switching networks; H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters)
- H04L43/0882: Utilisation of link capacity (under H04L43/0876)
- G06F2212/151: Emulated environment, e.g. virtual machine (G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures; G06F2212/15 Use in a specific computing environment)
Abstract
The invention discloses a virtual machine resource detection method. A client sends a resource request, built from its demand list, to the cloud service provider server. When the responding virtual machine resource is received, the client uses the UUID carried in that resource to obtain, from the management platform that forwarded it, the real configuration information of the corresponding virtual machine, and uses that real configuration information to decide whether the virtual machine resource with which the cloud service provider server responded is credible.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a virtual machine resource detection method.
Background technology
Cloud computing is a model for adding, using and delivering Internet-based services, usually involving dynamically scalable and often virtualized resources provided over the Internet. "Cloud" is a metaphor for the network or the Internet: in diagrams the cloud symbol used to represent the telecommunications network, and later came to represent the Internet and its underlying infrastructure as an abstraction.
In the narrow sense, cloud computing is a delivery and usage model for IT infrastructure in which resources are obtained over the network on demand and scaled easily; in the broad sense, it is a delivery and usage model for services in which the required service is obtained over the network on demand and scaled easily. The service may be IT-, software- or Internet-related, or something else. It means that computing capability itself can circulate as a commodity over the Internet.
Trusted computing is a current research focus in the information security field, and the attestation (proof) problem is one of its most important problems, because trust is founded on proof: only proof can establish a trust relationship in an untrusted environment.
The rapid development of trusted computing technology at home and abroad has also driven ever deeper research on the attestation problem. This work covers a wide scope, from computing platforms to application programs, from overall architecture to concrete protocols, and from upper-layer systems down to the underlying hardware.
The concept of remote attestation proposed by the TCG has made research on the attestation problem a frontier topic in information security. In the TCG specifications, attestation is one of the three basic characteristics of a trusted computing platform. The present invention extends the concept of trustworthiness to cover trusted attestation between a virtual machine and a user.
In cloud computing services the user pays to use the service, but has no way to obtain the quality of the service actually delivered, that is, the authenticity of the virtual machine's configuration information.
Summary of the invention
In view of this, the invention provides a virtual machine resource detection method that can confirm the credibility of the virtual machine resource with which the cloud service provider server responds.
To solve the above technical problem, the technical solution of the invention is realized as follows:
A virtual machine resource detection method, applied in a system comprising a cloud service provider server, a management platform and multiple clients, where the cloud service provider server is configured with multiple virtual machines and the management platform, on receiving the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, verifies, decrypts and stores it. The method comprises:
Any client initiates a resource request to the cloud service provider server according to its demand list, and the management platform forwards the resource request to the cloud service provider server;
When the client receives, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responded to the resource request, it uses the UUID carried in that virtual machine resource to obtain the configuration information of the corresponding virtual machine stored in the management platform;
The client matches the demand list with which it sent the resource request against the obtained configuration information according to a preset rule; if the match succeeds, it determines that the responded virtual machine resource is credible, otherwise it determines that the responded virtual machine resource is not credible.
In summary, any client initiates a resource request to the cloud service provider server according to its demand list and, on receiving the responding virtual machine resource, obtains from the management platform the real configuration information of the virtual machine corresponding to the UUID carried in that resource; the credibility of the virtual machine resource with which the cloud service provider server responded is determined using this real configuration information, so that it can be confirmed.
Brief description of the drawing
Fig. 1 is a schematic flow chart of the virtual machine resource detection method in a specific embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the solution is described in further detail below with reference to the accompanying drawing and to embodiments.
An embodiment of the invention proposes a virtual machine resource detection method applied in a system comprising a cloud service provider server, a management platform and multiple clients. The cloud service provider server signs and encrypts the configuration information of each virtual machine it has configured and sends it to the management platform for storage. Any client initiates a resource request to the cloud service provider server according to its demand list and, on receiving the responding virtual machine resource forwarded by the management platform, obtains the real configuration information of the virtual machine corresponding to the Universally Unique Identifier (UUID) carried in that resource, and uses this real configuration information to determine the credibility of the virtual machine resource with which the cloud service provider server responded. With this method, whether the responded virtual machine resource is credible can be confirmed.
In a specific embodiment, the management platform can be implemented by adding a device at the cloud service provider side to perform the management platform function within the system, or by using an existing server at the cloud service provider side.
The cloud service provider server is configured with multiple virtual machines. A physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured on each configured virtual machine.
The cloud service provider server obtains the configuration information of each configured virtual machine through the physical machine trusted agent and calls the signing function of the hardware Trusted Platform Module (TPM) to sign it. The virtual machine trusted agent of each virtual machine verifies the configuration information signed by the corresponding physical machine trusted agent, applies the configuration, calls the signing function of the virtual TPM (vTPM) to sign it, encrypts the vTPM-signed configuration information and sends it to the management platform.
The user password can be used as the key for this encryption.
When the management platform receives the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, it verifies, decrypts and stores it.
Take as an example a cloud service provider server configured with three virtual machines, virtual machine 1, virtual machine 2 and virtual machine 3. One physical machine trusted agent is configured on the cloud service provider server, and virtual machine trusted agents 1, 2 and 3 are configured on the three virtual machines respectively.
The cloud service provider server handles the configuration information of all virtual machines in the same way; the processing of the configuration information of one of them, virtual machine 1, is taken as the example.
The cloud service provider server obtains the configuration information P of virtual machine 1 through the physical machine trusted agent and calls the hardware TPM signing function to sign P. The signed result is denoted P1; that is, P is signed with the TPM signing key AIK_p. The signed configuration information is then sent to virtual machine 1.
The virtual machine trusted agent of virtual machine 1 receives P1, verifies the physical machine signature and applies the configuration information P. It calls the vTPM signing function of virtual machine 1 to sign P1; the configuration information signed by the vTPM signing function is denoted P2. It then calls the encryption function, with the user password as key, to encrypt P2; the encrypted configuration information is denoted P3, and P3 is sent to the management platform.
When the management platform receives P3 from the cloud service provider, it verifies the signatures, decrypts P3 to obtain the actual configuration information P, and stores it.
When the cloud service provider server perceives a change in the configuration information of any virtual machine, it obtains the changed configuration information of that virtual machine through the physical machine trusted agent and calls the hardware TPM signing function to sign it. After the virtual machine trusted agent configured for that virtual machine has verified the changed configuration information signed by the physical machine trusted agent, it applies the change, calls the vTPM signing function configured for that virtual machine to sign it, encrypts the vTPM-signed changed configuration information and sends it to the management platform.
When the management platform receives the encrypted changed configuration information sent by the cloud service provider server, it verifies and decrypts it and updates the stored configuration information of the corresponding virtual machine with the decrypted change.
For example, when the cloud service provider server perceives that the configuration information of virtual machine 1 has changed, the changed part is denoted Px. The physical machine trusted agent calls the physical machine's TPM signing function to sign Px with the TPM signing key AIK_p; the signed changed configuration information is denoted Px1.
The virtual machine trusted agent of virtual machine 1 receives Px1, verifies the physical machine signature and applies the changed configuration information Px. It calls the vTPM signing function to sign Px1, and the result is denoted Px2; it then calls the encryption function, with the user password as key, to encrypt Px2, and sends the encrypted changed configuration information Px3 to the management platform.
The management platform receives Px3, verifies the signatures and decrypts Px3 to obtain the changed configuration information Px. Because the signatures sit inside the encryption, the platform first decrypts Px3 with the user key, then verifies the TPM signature and the vTPM signature; only after both verify does it accept Px and use it to update the locally stored configuration information of virtual machine 1.
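The signing and encryption chain described above, P to P1 to P2 to P3 for the initial configuration and Px to Px1 to Px2 to Px3 for a change, together with the management platform's verification, as an added Go example; it is not code from the patent. Its assumptions: Ed25519 key pairs stand in for the TPM attestation key AIK_p and the vTPM signing key (no TPM or vTPM API is modelled), the configuration information is JSON with the fields uuid, cpus and disks, each signature layer is encoded as message followed by signature, and the "user password as key" step derives an AES-256-GCM key from the password with PBKDF2-HMAC-SHA256 (implemented inline from the standard library) and a per-user salt rather than using the password bytes directly, which the patent text leaves open. The names physicalAgentSign, vmAgentCountersign, encryptForPlatform and platformVerifyAndStore are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ConfigInfo is the VM configuration information P (field set assumed for this example).
type ConfigInfo struct {
	UUID  string `json:"uuid"`
	CPUs  int    `json:"cpus"`
	Disks int    `json:"disks"`
}

// Ed25519 stands in for the TPM key AIK_p and the vTPM key. A signed value is encoded as
// message || signature, so each layer wraps the one below: P1 = P || sigTPM, P2 = P1 || sigVTPM.
// verifySplit checks the outer signature and returns the message it covers.
func verifySplit(pub ed25519.PublicKey, signed []byte) ([]byte, bool) {
	n := len(signed) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(pub, signed[:n], signed[n:]) {
		return nil, false
	}
	return signed[:n], true
}

// physicalAgentSign: the physical machine trusted agent signs P with AIK_p, producing P1.
func physicalAgentSign(aikPriv ed25519.PrivateKey, p ConfigInfo) []byte {
	raw, _ := json.Marshal(p) // cannot fail for a struct of string and int fields
	return append(raw, ed25519.Sign(aikPriv, raw)...)
}

// vmAgentCountersign: the VM trusted agent refuses P1 unless the TPM signature verifies, and only
// then applies the configuration and countersigns all of P1 with the vTPM key, producing P2.
func vmAgentCountersign(aikPub ed25519.PublicKey, vtpmPriv ed25519.PrivateKey, p1 []byte) ([]byte, error) {
	if _, ok := verifySplit(aikPub, p1); !ok {
		return nil, errors.New("physical TPM signature invalid; configuration not applied")
	}
	return append(append([]byte(nil), p1...), ed25519.Sign(vtpmPriv, p1)...), nil
}

// pbkdf2SHA256 derives a 32-byte AES key from the user password (one PBKDF2-HMAC-SHA256 block).
// The patent says only "user password as key"; a raw password must never be used as an AES key.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func passwordAEAD(password, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256(password, salt, 100_000)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)                                   // GCM over AES: cannot fail
	return gcm
}

// encryptForPlatform produces P3 = nonce || AES-256-GCM(P2) under the password-derived key.
func encryptForPlatform(password, salt, p2 []byte) ([]byte, error) {
	gcm := passwordAEAD(password, salt)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, p2, nil), nil
}

// platformVerifyAndStore is the management platform. The signatures sit inside the encryption, so it
// decrypts P3 first, then peels the vTPM signature and the TPM signature, and only then stores P
// under its UUID. A changed Px travels the same path and overwrites the stored entry.
func platformVerifyAndStore(password, salt []byte, aikPub, vtpmPub ed25519.PublicKey, p3 []byte, store map[string]ConfigInfo) (cfg ConfigInfo, err error) {
	gcm := passwordAEAD(password, salt)
	ns := gcm.NonceSize()
	if len(p3) < ns {
		return cfg, errors.New("P3 too short")
	}
	p2, err := gcm.Open(nil, p3[:ns], p3[ns:], nil)
	if err != nil {
		return cfg, errors.New("P3 decryption failed: wrong password or tampered ciphertext")
	}
	p1, ok := verifySplit(vtpmPub, p2)
	if !ok {
		return cfg, errors.New("vTPM signature invalid")
	}
	raw, ok := verifySplit(aikPub, p1)
	if !ok {
		return cfg, errors.New("TPM signature invalid")
	}
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return ConfigInfo{}, err
	}
	store[cfg.UUID] = cfg
	return cfg, nil
}
```

The platform cannot check either signature until it has decrypted P3, which is why the function decrypts first and then reports an authentication failure of the ciphertext, a bad vTPM signature and a bad TPM signature as three distinct rejections. The VM agent likewise refuses to countersign, and so to apply, a configuration whose TPM signature does not verify against AIK_p, so a forged P1 never reaches the platform with a valid vTPM layer on top of it.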
Fig. 1 is the schematic flow chart of the virtual machine resource detection method in a specific embodiment of the invention. The specific steps are:
Step 101: any client initiates a resource request to the cloud service provider server according to its demand list, and the management platform forwards the resource request to the cloud service provider server.
Whenever a client needs resources it can initiate a resource request to the cloud service provider. The resources the client needs, for example 2 CPUs and one hard disk, make up the demand list.
The client can, for example, send the request from a local web page; the management platform receives it and forwards it to the cloud service provider server.
When the cloud service provider server receives the client's resource request, it allocates a virtual machine resource for the client according to the content of the request and responds with it.
Step 102: when the client receives, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responded to the resource request, it uses the UUID carried in that virtual machine resource to obtain the configuration information of the corresponding virtual machine stored in the management platform.
When the management platform receives the virtual machine resource with which the cloud service provider responded to the client, it forwards it to the client, where it is displayed on a web page.
The cloud service provider server carries a UUID in the virtual machine resource it responds with, identifying which virtual machine it is. Using this UUID, the client obtains the configuration information of the corresponding virtual machine from the management platform through the web interface.
The configuration information obtained in this way is the real configuration information of the virtual machine: it was signed with the TPM and the vTPM, which guarantees its authenticity, and encrypted in transit, which guarantees its confidentiality.
Step 103: the client matches the demand list with which it sent the resource request against the obtained configuration information according to a preset rule; if the match succeeds, it determines that the responded virtual machine resource is credible, otherwise it determines that the responded virtual machine resource is not credible.
In a specific implementation, the preset matching rule can be exact matching or matching within a certain range: for example, if the demand list asks for two CPUs and the configuration information shows that the virtual machine has 3 CPUs, the match is still considered successful. The criterion for a successful match is that the virtual machine resource provided can satisfy the client's resource needs.
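The client-side check of steps 102 and 103 under both matching rules, as an added Go example that is not part of the patent. It assumes that the demand list and the attested configuration are maps keyed by resource name ("cpu", "disk"), that the management platform's lookup by UUID is an in-memory map standing in for its web interface, and that the provider's response carries its own claimed figures alongside the UUID; the names Demand, Config, VMResource, Match and CheckResource are this example's own. The point it makes beyond the text is that the decision is taken only on the attested record the platform holds for the UUID, never on what the provider's response claims, and that an unknown UUID is itself a failed match.

```go
package main

import (
	"fmt"
	"sort"
)

// Demand is the client's demand list, e.g. {"cpu": 2, "disk": 1} (keys assumed for this example).
type Demand map[string]int

// Config is the attested configuration the management platform stores per UUID, keyed like Demand.
type Config map[string]int

// VMResource is what the provider responds with: the UUID identifying the VM plus whatever
// figures it claims. The claimed figures play no part in the decision.
type VMResource struct {
	UUID    string
	Claimed Config
}

// Rule is the preset matching rule, applied per demand item.
type Rule func(wanted, actual int) bool

func Exact(wanted, actual int) bool   { return wanted == actual }
func AtLeast(wanted, actual int) bool { return actual >= wanted } // 2 CPUs wanted, 3 configured: match

// Mismatch records one demand item the attested configuration failed to satisfy.
type Mismatch struct {
	Key            string
	Wanted, Actual int
	Missing        bool // the attested record has no entry for this key at all
}

// Match compares every demand item against the attested configuration under rule and returns
// the failures sorted by key; an empty result means the match succeeded.
func Match(d Demand, c Config, rule Rule) []Mismatch {
	var out []Mismatch
	for k, w := range d {
		a, ok := c[k]
		switch {
		case !ok:
			out = append(out, Mismatch{Key: k, Wanted: w, Missing: true})
		case !rule(w, a):
			out = append(out, Mismatch{Key: k, Wanted: w, Actual: a})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

// Verdict is the client's decision on one responded VM resource.
type Verdict struct {
	Credible   bool
	Mismatches []Mismatch
	Reason     string
}

// CheckResource implements steps 102 and 103 on the client: look up the attested configuration
// for the UUID the provider returned and match the demand against that record, never against
// the provider's own claims. A UUID the platform does not know is not credible.
func CheckResource(attested map[string]Config, d Demand, res VMResource, rule Rule) Verdict {
	actual, ok := attested[res.UUID]
	if !ok {
		return Verdict{Reason: fmt.Sprintf("no attested configuration for UUID %q", res.UUID)}
	}
	mm := Match(d, actual, rule)
	if len(mm) > 0 {
		return Verdict{Mismatches: mm, Reason: fmt.Sprintf("%d demand item(s) not satisfied", len(mm))}
	}
	return Verdict{Credible: true, Reason: "attested configuration satisfies the demand list"}
}
```

With a demand of 2 CPUs and one disk, a VM whose attested record shows 3 CPUs is credible under AtLeast and fails Exact on the cpu item only, while a VM the provider claims has 2 CPUs but whose attested record shows 1 fails under both rules; the mismatch list tells the user which item the provider fell short on.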
In summary, any client initiates a resource request to the cloud service provider server according to its demand list; on receiving the responding virtual machine resource, it obtains from the management platform the real configuration information of the virtual machine corresponding to the UUID carried in that resource, and uses this real configuration information to determine the credibility of the virtual machine resource with which the cloud service provider server responded.
In a specific implementation, the real configuration information is sent to the management platform by the trusted agents; in transit it is signed with the TPM and the vTPM to guarantee its authenticity, and encrypted to guarantee its confidentiality. In a cloud computing service system the client a cloud user works from is not fixed; it may be a notebook computer, a tablet or even a mobile phone, so the client's computing capability is limited. The invention therefore adds the management platform, which verifies the signatures and decrypts the virtual machine configuration information, reducing the computation required of the client.
The above is only a preferred embodiment of the invention and is not intended to limit its protection scope. Any modification, equivalent replacement, improvement and so on made within the spirit and principles of the invention shall fall within the protection scope of the invention.
Claims (4)
1. A virtual machine resource detection method, characterized in that it is applied in a system comprising a cloud service provider server, a management platform and multiple clients, the cloud service provider server being configured with multiple virtual machines, and the management platform, on receiving the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, verifying, decrypting and storing it; the method comprises:
any of the clients initiating a resource request to the cloud service provider server according to a demand list, the resource request being forwarded to the cloud service provider server by the management platform;
the client, on receiving, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responded to the received resource request, obtaining the configuration information of the corresponding virtual machine stored in the management platform according to the Universally Unique Identifier (UUID) carried in the responded virtual machine resource;
the client matching the demand list with which it sent the resource request against the obtained configuration information according to a preset rule; if the match succeeds, determining that the responded virtual machine resource is credible, otherwise determining that the responded virtual machine resource is not credible.
2. The method according to claim 1, characterized in that a physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured for each configured virtual machine;
the cloud service provider server obtains the configuration information of each configured virtual machine through the physical machine trusted agent and calls the signing function of the hardware Trusted Platform Module (TPM) to sign the configuration information of each virtual machine; the virtual machine trusted agent of each virtual machine verifies the configuration information signed by the corresponding physical machine trusted agent, applies the configuration information, calls the signing function of the virtual TPM (vTPM) to sign it, encrypts the configuration information signed by the vTPM signing function and sends it to the management platform.
3. The method according to claim 2, characterized in that encrypting the configuration information signed by the vTPM signing function comprises:
encrypting the configuration information signed by the vTPM signing function using the user password as key.
4. The method according to claim 2 or 3, characterized in that the method further comprises:
when the cloud service provider server perceives a change in the configuration information of any virtual machine, obtaining the changed configuration information of that virtual machine through the physical machine trusted agent and calling the hardware TPM signing function to sign the changed configuration information of that virtual machine; and, after the virtual machine trusted agent configured for that virtual machine has verified the changed configuration information signed by the physical machine trusted agent, applying the changed configuration information, calling the vTPM signing function configured for that virtual machine to sign it, encrypting the changed configuration information signed by the vTPM signing function and sending it to the management platform;
when the management platform receives the encrypted changed configuration information sent by the cloud service provider server, verifying and decrypting it and updating the stored configuration information of the corresponding virtual machine with the decrypted changed configuration information.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310674591.6A (granted as CN104717235B) | 2013-12-11 | 2013-12-11 | Virtual machine resource detection method |
Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN104717235A | 2015-06-17 |
| CN104717235B | 2018-01-02 |
Family ID: 53416195
Cited By (3)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106059801A | 2016-05-24 | 2016-10-26 | 北京哈工大计算机网络与信息安全技术研究中心 | Virtual machine credible evidence collection method and virtual machine credible evidence collection device based on cloud computing platform network |
| CN110321678A | 2019-06-19 | 2019-10-11 | 北京信安世纪科技股份有限公司 | Control method, device, equipment and medium of virtual system |
| CN110321678B | 2019-06-19 | 2021-08-31 | 北京信安世纪科技股份有限公司 | Control method, device, equipment and medium of virtual system |
Citations (4)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102202046A | 2011-03-15 | 2011-09-28 | 北京邮电大学 | Network-operating-system-oriented trusted virtual operating platform |
| WO2012084837A1 | 2010-12-21 | 2012-06-28 | International Business Machines Corporation | Virtual machine validation |
| WO2012083771A1 | 2010-12-24 | 2012-06-28 | 中兴通讯股份有限公司 | Cloud computing system and method |
| CN103200020A | 2012-01-04 | 2013-07-10 | 中兴通讯股份有限公司 | Resource allocating method and resource allocating system |
Legal Events

| Code | Title |
|---|---|
| C06, PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |