CN104954137A - Method of virtual machine security certification based on domestic password technique - Google Patents


Info

Publication number
CN104954137A
Authority
CN
China
Prior art keywords
virtual machine
resource pool
safety certification
digital certificate
certification
Legal status
Pending
Application number
CN201510339583.5A
Other languages
Chinese (zh)
Inventor
王金超
于治楼
于晓艳
Current Assignee
Inspur Group Co Ltd
Original Assignee
Inspur Group Co Ltd
Priority date
2015-06-18
Filing date
2015-06-18
Publication date
2015-09-30

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method of virtual machine security authentication based on domestic cryptographic technology, in the field of computer security. On a cloud computing platform, a security authentication resource pool is set up; a national electronic certification system issues a trusted root certificate to the pool, the pool issues a digital certificate to each virtual machine, and the virtual machine is bound to its digital certificate through a driver in the virtual machine operating system. Data exchanged between virtual machines, and between a virtual machine and an end user, is thereby transmitted encrypted and integrity-checked. This satisfies the security requirements of identity authentication, access control and encrypted data transmission, prevents identity spoofing, unauthorized resource access and leakage of transmitted data, and establishes the authenticity of identities. The method is the most effective scheme for solving cloud computing security and is convenient and easy to use.

Description

A method of virtual machine security authentication based on domestic cryptographic technology
Technical field
The present invention discloses a method of virtual machine security authentication, belonging to the field of computer security; specifically, a method of virtual machine security authentication based on domestic cryptographic technology.
Background technology
The wide use of cloud computing and virtualization technology saves investment in physical hardware and makes full use of the hardware resources of the physical devices, which in turn saves energy, reduces emissions and improves efficiency. In a cloud computing environment, application services are delivered to users by generating and managing virtual machines one by one. Cloud computing provides service by deploying a large number of virtual machines, but the information exchanged between these virtual machines travels in plaintext, there is no way to confirm that each virtual machine is genuine and trustworthy, and the necessary security authentication controls are currently lacking. When an end user consumes a service or a resource inside a virtual machine, no effective access control mechanism can be established either. As a result the cloud service suffers from a series of security problems: identities cannot be confirmed, and data transmitted in plaintext is a security hazard. To guarantee trustworthy interaction inside and outside the cloud, raise the security management capability of cloud computing and prevent the illegal theft of cloud computing resources, the invention provides a method of virtual machine security authentication based on domestic cryptographic technology. Building on domestic cryptography combined with digital certificates and trusted computing technology, it establishes a security authentication resource pool suited to the needs of cloud computing applications, satisfies the security requirements of identity authentication, access control and encrypted data transmission, solves the identity authentication, access control and encrypted data transmission problems of each virtual machine in the cloud environment, prevents identity spoofing, unauthorized resource access and leakage of transmitted data, and establishes the authenticity of identities. It is the most effective scheme for solving cloud computing security, and is convenient and easy to use.
Summary of the invention
The present invention addresses the situation in which, when an end user consumes a service or a resource inside a virtual machine, no effective access control mechanism can be established, so that the cloud service suffers from a series of security problems: identities cannot be confirmed, and data transmitted in plaintext is a security hazard. It provides a method of virtual machine security authentication based on domestic cryptographic technology which, building on domestic cryptography combined with digital certificates and trusted computing technology, establishes a security authentication resource pool suited to the needs of cloud computing applications, satisfies the security requirements of identity authentication, access control and encrypted data transmission, and solves the identity authentication, access control and encrypted data transmission problems of each virtual machine in the cloud environment.
The concrete scheme proposed by the present invention is:
A method of virtual machine security authentication based on domestic cryptographic technology, which performs security authentication of virtual machines by establishing a cloud-based security authentication resource pool. The security authentication resource pool consists of a physical device layer and a middleware layer: the physical device layer provides the basic functions through its equipment, the middleware layer implements digital certificate authentication and key encryption and decryption, and the physical device layer communicates with the virtual machines through the middleware layer.
The national electronic certification system issues a trusted root certificate to the security authentication resource pool, and the pool in turn allocates a digital certificate to each virtual machine, to be used for identity authentication and encrypted communication with other virtual machines or end users. Whenever information is exchanged with another virtual machine or an end user, the identities of both parties are identified by their digital certificates, and a party that fails verification cannot gain access. During the exchange, the security authentication resource pool provides the virtual machine with identity authentication, access control and encrypted data transmission services.
The process by which the virtual machine's digital certificate is issued is: the virtual machine establishes communication with the security authentication resource pool and supplies its name to the pool; the pool allocates the digital certificate of the virtual machine, which is automatically loaded and imported by a driver installed in the virtual machine operating system.
When the virtual machine performs identity authentication with another virtual machine, the two first exchange digital certificates, and each then verifies against the trusted root certificate in the security authentication resource pool whether the digital certificate it received from the other virtual machine is consistent with that trusted root certificate.
For encrypted communication between the virtual machine and other virtual machines or end users, all exchanged data uses digital envelope technology and digital signature technology, achieving encrypted transmission and integrity checking of the information.
The process of encrypted communication between the virtual machine and another virtual machine is: the two communicating virtual machines generate private keys and a symmetric key. The first virtual machine computes a first message digest over the plaintext data it has received and encrypts the digest with its own private key to produce a first data signature; at the same time it encrypts the plaintext with the symmetric key to produce the ciphertext, and encrypts the symmetric key with the digital certificate of the second virtual machine to produce a digital envelope. The second virtual machine decrypts the digital envelope with its own private key to obtain the symmetric key, decrypts the received ciphertext with the symmetric key to recover the plaintext, and computes a second message digest over it; it then decrypts the first data signature with the digital certificate of the first virtual machine to obtain the first message digest and compares it with the second message digest. If the two agree, the check passes.
The trusted root certificate of the security authentication resource pool contains the name and domain name information of the cloud in which it resides; the digital certificate of a virtual machine contains the virtual machine's name information.
The security authentication resource pool supports domestic cryptographic algorithms, including SM1, SM2, SM3 and SM4.
The beneficial effects of the present invention are: on the basis of cloud computing, a security authentication resource pool is set up, the national electronic certification system issues a trusted root certificate, the security authentication resource pool issues a digital certificate to each virtual machine, and the virtual machine is bound to its digital certificate through the driver in the virtual machine operating system. All data exchanged between virtual machines, and between a virtual machine and an end user, uses digital envelope technology and digital signature technology, achieving encrypted transmission and integrity checking of the information, so that a third party cannot see the transmitted information and the transmitted information is not lost. This satisfies the security requirements of identity authentication, access control and encrypted data transmission, solves the identity authentication, access control and encrypted data transmission problems of each virtual machine in the cloud environment, prevents identity spoofing, unauthorized resource access and leakage of transmitted data, and establishes the authenticity of identities. It is the most effective scheme for solving cloud computing security, and is convenient and easy to use.
Brief description of the drawings
Fig. 1 is a schematic block diagram of the composition of the security authentication resource pool of the present invention;
Fig. 2 is a schematic flow chart of issuing a virtual machine digital certificate according to the present invention;
Fig. 3 is a schematic diagram of identity authentication between virtual machines according to the present invention;
Fig. 4 is a schematic diagram of encrypted data transmission, signing and signature verification between virtual machines in the security authentication resource pool of the present invention.
Embodiments
The present invention is further described below with reference to the accompanying drawings.
A method of virtual machine security authentication based on domestic cryptographic technology performs security authentication of virtual machines by establishing a cloud-based security authentication resource pool, where the pool supports domestic cryptographic algorithms, including SM1, SM2, SM3 and SM4. The security authentication resource pool consists of a physical device layer and a middleware layer: the physical device layer provides the basic functions through its equipment, the middleware layer implements digital certificate authentication and key encryption and decryption, and the physical device layer communicates with the virtual machines through the middleware layer.
The national electronic certification system issues a trusted root certificate to the security authentication resource pool, and the pool in turn allocates a digital certificate to each virtual machine, to be used for identity authentication and encrypted communication with other virtual machines or end users. Whenever information is exchanged with another virtual machine or an end user, the identities of both parties are identified by their digital certificates, and a party that fails verification cannot gain access. During the exchange, the security authentication resource pool provides the virtual machine with identity authentication, access control and encrypted data transmission services. The trusted root certificate of the security authentication resource pool contains the name and domain name information of the cloud in which it resides; the digital certificate of a virtual machine contains the virtual machine's name information.
The process by which a virtual machine's digital certificate is allocated is: the virtual machine establishes communication with the security authentication resource pool and supplies its name to the pool; the pool allocates the digital certificate of the virtual machine, which is automatically loaded and imported by a driver installed in the virtual machine operating system.
When the virtual machine performs identity authentication with another virtual machine, the two first exchange digital certificates, and each then verifies against the trusted root certificate in the security authentication resource pool whether the digital certificate it received from the other virtual machine is consistent with that trusted root certificate.
For encrypted communication between the virtual machine and other virtual machines or end users, all exchanged data uses digital envelope technology and digital signature technology, achieving encrypted transmission and integrity checking of the information.
Specifically, with reference to virtual machines V1 and V2 in Fig. 4, the process of encrypted communication is: both communicating virtual machines generate private keys and a symmetric key, that is, virtual machine V1 generates private key kv1, virtual machine V2 generates private key kv2, and symmetric key E1 is generated; the digital certificates of V1 and V2 are Cv1 and Cv2 respectively. V1 computes message digest H1 over the plaintext data it has received and encrypts it with private key kv1 to produce data signature S1; at the same time it encrypts the plaintext with symmetric key E1 to produce the ciphertext, and encrypts E1 with V2's digital certificate Cv2 to produce the digital envelope. V2 decrypts the digital envelope with its private key kv2 to obtain symmetric key E1, decrypts the received ciphertext with E1 to recover the plaintext, and computes message digest H2 over it; it then decrypts digital signature S1 with V1's digital certificate Cv1 to obtain message digest H1 and compares it with H2. If the two agree, the check passes. This ensures that a third party cannot see the transmitted information, and at the same time that the transmitted information is not lost.
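The Fig. 4 exchange between V1 and V2, as an added runnable example in Go (not code from the patent or its assignee). The SM algorithms are not in the Go standard library, so this example substitutes RSA-PSS for the SM2 signature, RSA-OAEP for the SM2 envelope encryption, SHA-256 for SM3 and AES-GCM for SM4; the public halves of the generated keys stand in for the certificates Cv1 and Cv2, and the certificate check against the pool's trusted root certificate (Fig. 3) is assumed to have already passed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is what V1 sends V2: ciphertext, digital envelope carrying E1, signature S1.
type Message struct {
	Nonce     []byte // AES-GCM nonce (assumption: an AEAD mode stands in for SM4)
	Cipher    []byte // plaintext encrypted under the symmetric key E1
	Envelope  []byte // E1 encrypted under V2's public key (stands in for certificate Cv2)
	Signature []byte // S1: digest H1 signed with V1's private key kv1 (RSA-PSS for SM2)
}

// Seal is V1's side: digest H1, sign it, encrypt the data under a fresh E1, wrap E1 for V2.
func Seal(kv1 *rsa.PrivateKey, cv2 *rsa.PublicKey, plaintext []byte) (*Message, error) {
	h1 := sha256.Sum256(plaintext) // H1 (SHA-256 stands in for SM3)
	s1, err := rsa.SignPSS(rand.Reader, kv1, crypto.SHA256, h1[:], nil)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // fresh per-message symmetric key E1 plus GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	e1, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(e1)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cv2, e1, nil) // envelope of E1
	if err != nil {
		return nil, err
	}
	return &Message{Nonce: nonce, Cipher: ct, Envelope: env, Signature: s1}, nil
}

// Open is V2's side: recover E1 with kv2, decrypt, recompute H2, check S1 under Cv1.
func Open(kv2 *rsa.PrivateKey, cv1 *rsa.PublicKey, m *Message) ([]byte, error) {
	e1, err := rsa.DecryptOAEP(sha256.New(), nil, kv2, m.Envelope, nil)
	if err != nil {
		return nil, fmt.Errorf("digital envelope: %w", err)
	}
	gcm, err := newGCM(e1)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, m.Nonce, m.Cipher, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext integrity: %w", err)
	}
	h2 := sha256.Sum256(pt)
	if err := rsa.VerifyPSS(cv1, crypto.SHA256, h2[:], m.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature S1 under Cv1 (H1 != H2 or wrong signer): %w", err)
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo keys; their public halves stand in for certificates Cv1 and Cv2.
	kv1, _ := rsa.GenerateKey(rand.Reader, 2048)
	kv2, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, _ := Seal(kv1, &kv2.PublicKey, []byte("config update for V2"))
	pt, err := Open(kv2, &kv1.PublicKey, msg)
	fmt.Printf("V2 recovered %q (err=%v)\n", pt, err)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048) // signs with a key that is not kv1
	forged, _ := Seal(impostor, &kv2.PublicKey, []byte("config update for V2"))
	_, err = Open(kv2, &kv1.PublicKey, forged)
	fmt.Println("impostor rejected:", err)
}
```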

Claims (7)

1. A method of virtual machine security authentication based on domestic cryptographic technology, characterized in that: security authentication of virtual machines is carried out by establishing a cloud-based security authentication resource pool; the security authentication resource pool consists of a physical device layer and a middleware layer, the physical device layer provides the basic functions through its equipment, the middleware layer implements digital certificate authentication and key encryption and decryption, and the physical device layer communicates with the virtual machines through the middleware layer;
the national electronic certification system issues a trusted root certificate to the security authentication resource pool, and the pool in turn allocates a digital certificate to each virtual machine, to be used for identity authentication and encrypted communication with other virtual machines or end users; whenever information is exchanged with another virtual machine or an end user, the identities of both parties are identified by their digital certificates, and a party that fails verification cannot gain access; during the exchange, the security authentication resource pool provides the virtual machine with identity authentication, access control and encrypted data transmission services.
2. The method of virtual machine security authentication based on domestic cryptographic technology according to claim 1, characterized in that the process by which the virtual machine's digital certificate is issued is: the virtual machine establishes communication with the security authentication resource pool and supplies its name to the pool; the pool allocates the digital certificate of the virtual machine, which is automatically loaded and imported by a driver installed in the virtual machine operating system.
3. The method of virtual machine security authentication based on domestic cryptographic technology according to claim 1 or 2, characterized in that when the virtual machine performs identity authentication with another virtual machine, the two first exchange digital certificates, and each then verifies against the trusted root certificate in the security authentication resource pool whether the digital certificate it received from the other virtual machine is consistent with that trusted root certificate.
4. The method of virtual machine security authentication based on domestic cryptographic technology according to claim 1 or 2, characterized in that for encrypted communication between the virtual machine and other virtual machines or end users, all exchanged data uses digital envelope technology and digital signature technology, achieving encrypted transmission and integrity checking of the information.
5. The method of virtual machine security authentication based on domestic cryptographic technology according to claim 4, characterized in that the process of encrypted communication between the virtual machine and another virtual machine is: the two communicating virtual machines generate private keys and a symmetric key; the first virtual machine computes a first message digest over the plaintext data it has received and encrypts the digest with its own private key to produce a first data signature, at the same time encrypts the plaintext with the symmetric key to produce the ciphertext, and encrypts the symmetric key with the digital certificate of the second virtual machine to produce a digital envelope; the second virtual machine decrypts the digital envelope with its own private key to obtain the symmetric key, decrypts the received ciphertext with the symmetric key to recover the plaintext, computes a second message digest over it, decrypts the first data signature with the digital certificate of the first virtual machine to obtain the first message digest, and compares the first message digest with the second message digest; if the two agree, the check passes.
6. The method of virtual machine security authentication based on domestic cryptographic technology according to claim 5, characterized in that the trusted root certificate of the security authentication resource pool contains the name and domain name information of the cloud in which it resides, and the digital certificate of a virtual machine contains the virtual machine's name information.
7. The method of virtual machine security authentication based on domestic cryptographic technology according to claim 6, characterized in that the security authentication resource pool supports domestic cryptographic algorithms, including SM1, SM2, SM3 and SM4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510339583.5A CN104954137A (en) 2015-06-18 2015-06-18 Method of virtual machine security certification based on domestic password technique

Publications (1)

Publication Number Publication Date
CN104954137A (en) 2015-09-30

Family

ID=54168515

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051643A (en) * 2013-01-22 2013-04-17 西安邮电大学 Method and system for dynamically establishing secure connection of virtual host in cloud computing environment
CN103270516A (en) * 2010-08-18 2013-08-28 安全第一公司 Systems and methods for securing virtual machine computing environments

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106302417A (en) * 2016-08-05 2017-01-04 浪潮(北京)电子信息产业有限公司 A kind of virtualization information transmission method and system
CN107273735A (en) * 2017-06-29 2017-10-20 济南浪潮高新科技投资发展有限公司 A kind of terminal device virtual secure key method and device
CN107249002A (en) * 2017-07-20 2017-10-13 云南电网有限责任公司电力科学研究院 A kind of method, system and device for improving intelligent electric energy meter security
CN107249002B (en) * 2017-07-20 2021-02-23 云南电网有限责任公司电力科学研究院 Method, system and device for improving safety of intelligent electric energy meter
CN112311547A (en) * 2019-07-26 2021-02-02 南方电网科学研究院有限责任公司 Terminal security authentication method and device based on domestic cryptographic technology
CN111190700A (en) * 2019-12-31 2020-05-22 北京同舟医联网络科技有限公司 Cross-domain security access and resource control method for virtualization device
CN111190700B (en) * 2019-12-31 2023-08-29 北京安盛联合科技有限公司 Cross-domain security access and resource control method for virtualized equipment
CN113515330A (en) * 2020-04-10 2021-10-19 南方电网科学研究院有限责任公司 Cloud desktop security authentication method and system based on domestic password technology
CN113515330B (en) * 2020-04-10 2024-04-26 南方电网科学研究院有限责任公司 Cloud desktop security authentication method and system based on domestic cryptographic technology
CN112636927A (en) * 2020-12-28 2021-04-09 郑州信大先进技术研究院 KPI (Key performance indicator) double-certificate-based cloud platform encryption method
CN112636927B (en) * 2020-12-28 2022-08-16 郑州信大先进技术研究院 KPI (Key performance indicator) double-certificate-based cloud platform encryption method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150930