CN104717235A - Virtual machine resource detection method - Google Patents


Publication number
CN104717235A
Authority
CN
China
Prior art keywords
virtual machine
configuration information
service provider
cloud service
provider server
Legal status
Granted
Application number
CN201310674591.6A
Other languages
Chinese (zh)
Other versions
CN104717235B (en)
Inventor
卢永忠
韩臻
刘刚
刘丰
纪方
Current Assignee
MINISTRY OF RAILWAYS INFORMATION TECHNOLOGY CENTER
Original Assignee
MINISTRY OF RAILWAYS INFORMATION TECHNOLOGY CENTER
Priority date
2013-12-11
Filing date
2013-12-11
Publication date
2015-06-17
Legal status
Active


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network > H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L 43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L 43/0876 Network utilisation, e.g. volume of load or congestion level > H04L 43/0882 Utilisation of link capacity
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures > G06F 2212/15 Use in a specific computing environment > G06F 2212/151 Emulated environment, e.g. virtual machine


Abstract

The invention discloses a virtual machine resource detection method. The method comprises the following steps: any client sends a resource request to a cloud service provider server according to a demand list; when the responding virtual machine resource is received, the real configuration information of the virtual machine corresponding to the UUID carried in that virtual machine resource, as forwarded by a management platform, is acquired; and the real configuration information is used to determine the credibility of the virtual machine resource with which the cloud service provider server responds, so that the credibility of that virtual machine resource can be confirmed.

Description

A virtual machine resource detection method
Technical field
The present invention relates to the field of communication technology, and in particular to a virtual machine resource detection method.
Background technology
Cloud computing is an Internet-based model for the addition, use and delivery of related services, which usually involves providing dynamically scalable, and often virtualized, resources over the Internet. "Cloud" is a metaphor for the network or the Internet: in diagrams the cloud used to represent the telecommunications network, and later came to represent the abstraction of the Internet and its underlying infrastructure.
Cloud computing in the narrow sense refers to the delivery and usage model of IT infrastructure, in which the required resources are obtained over the network on demand and in an easily scalable way; cloud computing in the broad sense refers to the delivery and usage model of services, in which the required services are obtained over the network on demand and in an easily scalable way. Such services may be related to IT, software or the Internet, or may be other services. It means that computing capability can also circulate over the Internet as a commodity.
Trusted computing is a research hotspot in the field of information security, and the problem of attestation (proof) is one of the most important problems of trusted computing: trust is based on proof, and only proof can establish a trust relationship in an untrusted environment.
The rapid development of trusted computing technology at home and abroad has also driven ever deeper research on the attestation problem. The scope of this research is very wide: from computing platforms to application programs, from the overall architecture to concrete protocols, and from upper-layer systems to underlying hardware, all are involved in research on trusted attestation.
The concept of remote attestation proposed by the TCG has made research on the attestation problem a frontier topic in the field of information security. In the TCG specification, attestation is one of the three basic characteristics of a trusted computing platform. The present invention extends the concept of trust to cover trusted attestation between a virtual machine and a user.
In cloud computing services the user pays to use the cloud computing service, but has no way to obtain the quality of the service or the authenticity of the virtual machine's configuration information.
Summary of the invention
In view of this, the invention provides a virtual machine resource detection method that can confirm the credibility of the virtual machine resource with which the cloud service provider server responds.
To solve the above technical problem, the technical solution of the invention is realized as follows:
A virtual machine resource detection method, applied in a system comprising a cloud service provider server, a management platform and multiple clients, where the cloud service provider server is configured with multiple virtual machines, and where the management platform, on receiving the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, verifies, decrypts and stores it; the method comprises:
any client initiates a resource request to the cloud service provider server according to a demand list, and the resource request is forwarded to the cloud service provider server by the management platform;
when this client receives, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responds to the received resource request, it obtains, according to the UUID carried in the responded virtual machine resource, the configuration information of the corresponding virtual machine stored in the management platform;
this client matches the demand list with which it sent the resource request against the obtained configuration information according to a preset rule; if the match succeeds, the responded virtual machine resource is determined to be credible; otherwise, it is determined to be not credible.
In summary, in the present invention any client initiates a resource request to the cloud service provider server according to a demand list and, on receiving the responded virtual machine resource, obtains the real configuration information of the virtual machine corresponding to the UUID carried in that resource as forwarded by the management platform, and uses this real configuration information to determine the credibility of the virtual machine resource with which the cloud service provider server responded; the credibility of that virtual machine resource can thus be confirmed.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the virtual machine resource detection method in a specific embodiment of the invention.
Embodiments
To make the objects, technical solution and advantages of the invention clearer, the solution of the invention is described in further detail below with reference to the accompanying drawing and embodiments.
A virtual machine resource detection method is proposed in the embodiment of the invention, applied in a system comprising a cloud service provider server, a management platform and multiple clients. The cloud service provider server signs and encrypts the configuration information of each virtual machine it has configured and sends it to the management platform for storage. Any client initiates a resource request to the cloud service provider server according to a demand list and, on receiving the responded virtual machine resource, obtains the real configuration information of the virtual machine corresponding to the Universally Unique Identifier (UUID) carried in that resource as forwarded by the management platform, and uses this real configuration information to determine the credibility of the virtual machine resource with which the cloud service provider server responded. By this method it can be confirmed whether the virtual machine resource with which the cloud service provider server responds is credible.
In the specific embodiment of the invention, the management platform may be implemented by adding a device at the cloud service provider side that performs the management platform function within the system, or by using an existing server at the cloud service provider side.
The cloud service provider server is configured with multiple virtual machines; a physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured for each configured virtual machine.
The cloud service provider server obtains the configuration information of each configured virtual machine through the configured physical machine trusted agent and calls the signature function of the hardware Trusted Platform Module (TPM) to sign the configuration information of each virtual machine; each configured virtual machine trusted agent verifies the configuration information of its virtual machine as signed by the physical machine trusted agent and applies that configuration information, calls the signature function of the virtual TPM (vTPM) to sign it, encrypts the configuration information signed by the vTPM signature function and sends it to the management platform.
The user password can be used as the key when encrypting.
When the management platform receives the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, it verifies, decrypts and stores it.
Take as an example a cloud service provider server configured with three virtual machines: virtual machine 1, virtual machine 2 and virtual machine 3. The cloud service provider server is configured with one physical machine trusted agent, and virtual machine trusted agents 1, 2 and 3 are configured for the three virtual machines respectively.
The cloud service provider server can process the configuration information of all virtual machines in the same way; the processing of the configuration information of one of them, virtual machine 1, is taken as an example to illustrate the procedure.
The cloud service provider server obtains the configuration information P of virtual machine 1 through the configured physical machine trusted agent and calls the hardware TPM signature function to sign P; the signed P is denoted P1, that is, the configuration information P is signed with the TPM signing key AIK_P, and the signed configuration information is sent to virtual machine 1.
The virtual machine trusted agent of virtual machine 1 receives P1, verifies the physical machine signature and applies the configuration information P; it calls the vTPM signature function of virtual machine 1 to sign P1, and the configuration information signed with the vTPM signature function is denoted P2. It then calls the encryption function with the user password as the key; the configuration information obtained by encrypting P2 is denoted P3, and P3 is sent to the management platform.
When the management platform receives the P3 sent by the cloud service provider, it verifies the signatures and decrypts P3 to obtain the actual configuration information P, which it stores.
When the cloud service provider server perceives a change in the configuration information of any virtual machine, it obtains the changed configuration information of that virtual machine through the configured physical machine trusted agent and calls the hardware TPM signature function to sign the changed configuration information of that virtual machine; after the virtual machine trusted agent configured for that virtual machine has verified the changed configuration information signed by the physical machine trusted agent, it applies the changed configuration information, signs it with the vTPM signature function configured for that virtual machine, encrypts the changed configuration information signed by the vTPM signature function and sends it to the management platform;
when the management platform receives the encrypted changed configuration information sent by the cloud service provider server, it verifies and decrypts it and updates the stored configuration information of the corresponding virtual machine with the changed configuration information.
For example, the cloud service provider server perceives that the configuration information of virtual machine 1 has changed, and the changed part is denoted Px. The physical machine trusted agent calls the physical machine TPM signature function to sign Px; after the changed configuration information Px has been signed with the TPM signing key AIK_P it is denoted Px1.
The virtual machine trusted agent of virtual machine 1 receives Px1, verifies the physical machine signature and applies the changed configuration information Px; it calls the vTPM signature function to sign Px1, and the configuration information signed with the vTPM signature function is denoted Px2; it then calls the encryption function to encrypt Px2 with the user password as the key, and sends the encrypted changed configuration information Px3 to the management platform.
The management platform receives Px3, verifies the signatures and decrypts Px3 to obtain the changed configuration information Px. When verifying the signatures it checks both the TPM signature and the vTPM signature; after they pass, it decrypts the changed configuration information Px3 with the user key to obtain Px, and uses the changed configuration information Px obtained from Px3 to update the locally stored configuration information of virtual machine 1.
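The two-layer signing, password-keyed encryption and platform-side verification described for P, P1, P2, P3 above, and the same path for a changed configuration Px, Px1, Px2, Px3, as an added example in Go. It is not part of the patent or of any implementation by the applicant, and it fills in choices the patent leaves open: an ECDSA P-256 key stands in for the TPM signing key AIK_P and for the vTPM key, AES-GCM for the encryption function, a SHA-256 hash of the user password for the key derivation; the Config fields and the byte layout of each signature layer are likewise assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Config is the configuration information P of one VM (field set assumed; the patent
// only says it records resources such as CPUs and disks).
type Config struct {
	UUID  string
	CPUs  int
	Disks int
}

// NewKey makes an ECDSA P-256 key standing in for the TPM signing key AIK_P or a vTPM key.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// sign is the (v)TPM signature function; one layer is encoded as len(sig) || sig || msg.
func sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil { return nil, err }
	return append(append([]byte{byte(len(sig))}, sig...), msg...), nil
}

// open verifies one layer and returns the payload beneath it.
func open(pub *ecdsa.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) == 0 || len(blob) < 1+int(blob[0]) { return nil, errors.New("truncated layer") }
	sig, msg := blob[1:1+int(blob[0])], blob[1+int(blob[0]):]
	if h := sha256.Sum256(msg); !ecdsa.VerifyASN1(pub, h[:], sig) { return nil, errors.New("signature does not verify") }
	return msg, nil
}

// passwordKey derives the AES-256 key from the user password (claim 3); a bare hash is a
// placeholder here, a deployment would use a salted password KDF.
func passwordKey(pw string) []byte { k := sha256.Sum256([]byte("vm-config|" + pw)); return k[:] }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal/unseal are the encryption and decryption functions; a blob is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(blob) < gcm.NonceSize() { return nil, errors.New("cannot decrypt") }
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Report is the provider side: the physical-machine agent signs P with the TPM key (P1); the VM
// agent verifies P1 before applying it, signs it with the vTPM key (P2) and encrypts P2 under the
// user password (P3). A changed configuration Px travels the same path.
func Report(tpm, vtpm *ecdsa.PrivateKey, cfg Config, password string) ([]byte, error) {
	p, _ := json.Marshal(cfg)
	p1, err := sign(tpm, p)
	if err != nil { return nil, err }
	if _, err := open(&tpm.PublicKey, p1); err != nil { return nil, fmt.Errorf("VM agent rejects P1: %w", err) }
	p2, err := sign(vtpm, p1)
	if err != nil { return nil, err }
	return seal(passwordKey(password), p2)
}

// Platform is the management platform holding the TPM key and the vTPM key of one VM (with many
// VMs the vTPM key would be looked up by UUID); Store holds the verified configuration per UUID.
type Platform struct {
	TPMPub, VTPMPub *ecdsa.PublicKey
	Store           map[string]Config
}

// Receive decrypts P3, verifies the vTPM layer and then the TPM layer, and stores or updates the
// configuration; nothing is stored unless decryption and both signatures succeed.
func (m *Platform) Receive(p3 []byte, password string) error {
	p2, err := unseal(passwordKey(password), p3)
	if err != nil { return fmt.Errorf("decrypt: %w", err) }
	p1, err := open(m.VTPMPub, p2)
	if err != nil { return fmt.Errorf("vTPM layer: %w", err) }
	p, err := open(m.TPMPub, p1)
	if err != nil { return fmt.Errorf("TPM layer: %w", err) }
	var cfg Config
	if err := json.Unmarshal(p, &cfg); err != nil { return err }
	m.Store[cfg.UUID] = cfg // first report stores; a later report for the same UUID updates
	return nil
}
```

Read with the flow above: Report runs the physical machine trusted agent and the virtual machine trusted agent of virtual machine 1, and Receive is the management platform. A report under the wrong password, a ciphertext modified in transit, or a layer signed by a key the platform does not know is rejected before anything reaches the store, so a rejected update cannot overwrite the configuration the platform already holds.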
Fig. 1 is a schematic flow chart of the virtual machine resource detection method in a specific embodiment of the invention. The concrete steps are:
Step 101: any client initiates a resource request to the cloud service provider server according to a demand list, and the resource request is forwarded to the cloud service provider server by the management platform.
Any client that needs resources can initiate a resource request to the cloud service provider. The resources needed by the client, for example 2 CPUs and one hard disk, form a demand list.
For example, the client can send the request through a local web page; after the management platform receives it, it forwards it to the cloud service provider server.
When the cloud service provider server receives the resource request of this client, it allocates a virtual machine resource for this client according to the content of the resource request and responds with it.
Step 102: when this client receives, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responds to the received resource request, it obtains, according to the UUID carried in the responded virtual machine resource, the configuration information of the corresponding virtual machine stored in the management platform.
When the management platform receives the virtual machine resource with which the cloud service provider responds to the client, it forwards it to this client, where it is displayed on a web page.
When responding with the virtual machine resource, the cloud service provider server carries in it a UUID that identifies which virtual machine it is. Using this UUID the client obtains the configuration information of the corresponding virtual machine from the management platform through the web interface.
The configuration information obtained is the real configuration information of the virtual machine: it has been signed with the TPM and the vTPM, which guarantees its authenticity, and encryption is used during transmission, which guarantees its confidentiality.
Step 103: this client matches the demand list with which it sent the resource request against the obtained configuration information according to a preset rule; if the match succeeds, the responded virtual machine resource is determined to be credible; otherwise, it is determined to be not credible.
In a specific implementation, the preset rule used for matching can be exact matching or matching within a certain range: for example, if the demand list says two CPUs and the configuration information of this virtual machine shows that it has three CPUs, the match is still considered successful. The criterion for a successful match is that the virtual machine resource provided can satisfy the resource needs of the client.
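Steps 102 and 103 on the client side as an added example in Go, not taken from the patent: the UUID carried in the response is resolved to the configuration the management platform has stored and verified, and the preset rule is applied to the demand list. Both rules named in the text are shown, exact matching and matching within a range (the offered resource may exceed the demand); the example also handles a UUID for which the platform holds no verified configuration, a case the text does not discuss, and treats it as not credible. The Config and Demand fields, the store layout and the three sample virtual machines are constructed assumptions.

```go
package main

import "fmt"

// Config is the stored, verified configuration of one virtual machine as held by the
// management platform (field set assumed).
type Config struct {
	UUID  string
	CPUs  int
	Disks int
}

// Demand is the client's demand list: the resources it asked for in the request.
type Demand struct {
	CPUs  int
	Disks int
}

// Rule is the preset matching rule of step 103.
type Rule int

const (
	Exact   Rule = iota // every field must equal the demand
	AtLeast             // the VM may offer more than asked (2 CPUs asked, 3 offered still matches)
)

// Platform models the management platform's store of verified configurations keyed by UUID.
type Platform struct{ Store map[string]Config }

// Match applies the rule to one demand/config pair; an unknown rule never matches.
func Match(d Demand, c Config, r Rule) bool {
	switch r {
	case Exact:
		return c.CPUs == d.CPUs && c.Disks == d.Disks
	case AtLeast:
		return c.CPUs >= d.CPUs && c.Disks >= d.Disks
	}
	return false
}

// Check is the client side of steps 102 and 103: resolve the UUID carried in the response to
// its stored configuration, then match that against the demand. A UUID the platform has no
// verified configuration for is reported as an error and counts as not credible.
func Check(p *Platform, respUUID string, d Demand, r Rule) (bool, error) {
	cfg, ok := p.Store[respUUID]
	if !ok {
		return false, fmt.Errorf("no verified configuration for VM %q", respUUID)
	}
	return Match(d, cfg, r), nil
}

// SamplePlatform is a constructed store with three VMs, as in the patent's three-VM example.
func SamplePlatform() *Platform {
	return &Platform{Store: map[string]Config{
		"vm-1": {UUID: "vm-1", CPUs: 3, Disks: 1},
		"vm-2": {UUID: "vm-2", CPUs: 2, Disks: 1},
		"vm-3": {UUID: "vm-3", CPUs: 1, Disks: 1},
	}}
}

func main() {
	p := SamplePlatform()
	d := Demand{CPUs: 2, Disks: 1} // the client asked for 2 CPUs and one hard disk
	for _, u := range []string{"vm-1", "vm-2", "vm-3", "vm-9"} {
		exact, _ := Check(p, u, d, Exact)
		atLeast, err := Check(p, u, d, AtLeast)
		fmt.Printf("%s exact=%v atleast=%v err=%v\n", u, exact, atLeast, err)
	}
}
```

With the sample store, vm-2 is credible under both rules, vm-1 only under the range rule, vm-3 under neither, and vm-9 has no verified configuration at the platform, so the client has nothing to match against and must not accept it.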
In summary, in the present invention any client initiates a resource request to the cloud service provider server according to a demand list and, on receiving the responded virtual machine resource, obtains the real configuration information of the virtual machine corresponding to the UUID carried in that resource as forwarded by the management platform, and uses this real configuration information to determine the credibility of the virtual machine resource with which the cloud service provider server responded; the credibility of that virtual machine resource can thus be confirmed.
In a specific implementation of the invention, the real configuration information is sent to the management platform through the trusted agents; during transmission the configuration information is signed with the TPM and the vTPM, which guarantees its authenticity, and encryption is used, which guarantees its confidentiality. In a cloud computing service system the client used by the cloud user is not fixed and may be a notebook computer, a tablet computer or even a mobile phone, so the computing capability of the client is limited; the invention therefore adds a management platform that can verify the signatures and decrypt the configuration information of the virtual machine, reducing the computation required of the client.
The above are merely preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (4)

1. A virtual machine resource detection method, characterized in that it is applied in a system comprising a cloud service provider server, a management platform and multiple clients, where the cloud service provider server is configured with multiple virtual machines, and where the management platform, on receiving the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, verifies, decrypts and stores it; the method comprises:
any client initiates a resource request to the cloud service provider server according to a demand list, and the resource request is forwarded to the cloud service provider server by the management platform;
when this client receives, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responds to the received resource request, it obtains, according to the universally unique identifier (UUID) carried in the responded virtual machine resource, the configuration information of the corresponding virtual machine stored in the management platform;
this client matches the demand list with which it sent the resource request against the obtained configuration information according to a preset rule; if the match succeeds, the responded virtual machine resource is determined to be credible; otherwise, it is determined to be not credible.
2. The method according to claim 1, characterized in that a physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured for each configured virtual machine;
the cloud service provider server obtains the configuration information of each configured virtual machine through the configured physical machine trusted agent and calls the signature function of the hardware Trusted Platform Module (TPM) to sign the configuration information of each virtual machine; each configured virtual machine trusted agent verifies the configuration information of its virtual machine as signed by the physical machine trusted agent and applies that configuration information, calls the signature function of the virtual TPM (vTPM) to sign it, encrypts the configuration information signed by the vTPM signature function and sends it to the management platform.
3. The method according to claim 2, characterized in that encrypting the configuration information signed by the vTPM signature function comprises:
encrypting the configuration information signed by the vTPM signature function using the user password as the key.
4. The method according to claim 2 or 3, characterized in that the method further comprises:
when the cloud service provider server perceives a change in the configuration information of any virtual machine, it obtains the changed configuration information of that virtual machine through the configured physical machine trusted agent and calls the hardware TPM signature function to sign the changed configuration information of that virtual machine; after the virtual machine trusted agent configured for that virtual machine has verified the changed configuration information signed by the physical machine trusted agent, it applies the changed configuration information, signs it with the vTPM signature function configured for that virtual machine, encrypts the changed configuration information signed by the vTPM signature function and sends it to the management platform;
when the management platform receives the encrypted changed configuration information sent by the cloud service provider server, it verifies and decrypts it and updates the stored configuration information of the corresponding virtual machine with the changed configuration information.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310674591.6A (CN104717235B, en) | 2013-12-11 | 2013-12-11 | A virtual machine resource detection method


Publications (2)

Publication Number | Publication Date
CN104717235A (en) | 2015-06-17
CN104717235B (en) | 2018-01-02

Family

ID=53416195

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201310674591.6A (CN104717235B, en) | A virtual machine resource detection method | 2013-12-11 | 2013-12-11 | Active

Country Status (1)

Country Link
CN (1) CN104717235B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102202046A * | 2011-03-15 | 2011-09-28 | 北京邮电大学 | Network-operating-system-oriented trusted virtual operating platform
WO2012084837A1 * | 2010-12-21 | 2012-06-28 | International Business Machines Corporation | Virtual machine validation
WO2012083771A1 * | 2010-12-24 | 2012-06-28 | 中兴通讯股份有限公司 | Cloud computing system and method
CN103200020A * | 2012-01-04 | 2013-07-10 | 中兴通讯股份有限公司 | Resource allocating method and resource allocating system


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106059801A * | 2016-05-24 | 2016-10-26 | 北京哈工大计算机网络与信息安全技术研究中心 | Virtual machine credible evidence collection method and virtual machine credible evidence collection device based on cloud computing platform network
CN110321678A * | 2019-06-19 | 2019-10-11 | 北京信安世纪科技股份有限公司 | Control method, device, equipment and medium of a virtual system
CN110321678B * | 2019-06-19 | 2021-08-31 | 北京信安世纪科技股份有限公司 | Control method, device, equipment and medium of virtual system

Also Published As

Publication number | Publication date
CN104717235B (en) | 2018-01-02


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant