CN106533694A - Method and system for implementation of Openstack token access protection mechanism - Google Patents

Method and system for implementation of Openstack token access protection mechanism

Info

Publication number: CN106533694A (granted as CN106533694B)
Application number: CN201610959011.1A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: token, memcache, openstack, sgx
Inventors: 王津航, 陈建海, 王备, 何钦铭, 侯文龙, 程雨夏, 黄步添
Applicant and current assignee: Zhejiang University (ZJU)
Legal status: granted, active

Classifications (CPC)

    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L67/10 Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
Abstract

The invention discloses a method and a system for implementing an OpenStack token access protection mechanism. The method stores the OpenStack token table in memcache according to memcache's storage model, and then encrypts the token table using the protection mechanism of SGX (Software Guard Extensions). Through the SGX mechanism the token information is encrypted by the computer hardware and its access rights are controlled, so that the token information can be read and modified only on a designated physical resource (such as a server), thereby ensuring the security of the token information.

Description

Method and system for implementing an OpenStack token access protection mechanism
Technical field
The present invention relates to the field of security in cloud computing operation and storage, and in particular to a method and system for implementing an OpenStack token access protection mechanism.
Background technology
OpenStack is an open-source cloud computing management platform project that lets enterprises or service providers create and operate their own cloud computing and storage facilities. It comprises five main components: Nova (compute service), Swift (storage service), Glance (image service), Keystone (authentication service) and Horizon (UI service). Keystone provides authentication and access-policy services for all OpenStack components. It works through its own REST interface (based on the Identity API) and mainly authenticates and authorizes (but is not limited to) Swift, Glance and Nova, judging the legitimacy of a request from the identity of the party that originated the action.
Keystone supports two authorization modes: one based on username/password, the other based on tokens. Because usernames, passwords and tenant names are more intuitive, end users rarely operate with tokens directly. Operations such as automated testing, however, need to call each OpenStack API (application programming interface) directly, and a large number of commands depend on the token of the associated user. Obtaining a user's token therefore means obtaining that user's authorization for every OpenStack API.
However, every authenticated operation on OpenStack produces a new token, so the token table in the Keystone database can grow to tens or even hundreds of GB, which makes subsequent database backups inconvenient. To manage the token table better, one conventional solution is to store the tokens in memcached.
Memcache is a high-performance distributed in-memory object caching system used to reduce database load in dynamic web applications. By caching data and objects in memory it reduces the number of database reads and so speeds up dynamic, database-driven websites. It is open-source software released under the BSD license.
But memcache itself lacks adequate security mechanisms, so its data may be accessed or intercepted by unauthorized users; applying it to token storage may therefore leak data.
Software Guard Extensions (SGX) is a processor technology developed by Intel. It provides a trusted space on the computing platform and shrinks the trusted computing base (TCB) that a secure application relies on to just the CPU and the application itself; the untrusted and complex operating system (OS) and virtual machine monitor (VMM) are placed outside the security boundary, which ensures the confidentiality and integrity of the user's key code and data. Rather than identifying and isolating all malware on the platform, this approach encapsulates the secure operations of legitimate software in an enclave (trusted space) and protects them from attack by malware: neither privileged nor unprivileged software can access the enclave. That is, once software and data are inside the enclave, even the operating system or the VMM (hypervisor) cannot affect the code and data inside it. The security boundary of an enclave includes only the CPU and the enclave itself.
Summary of the invention
To address the lack of security guarantees when memcache stores the token table, the present invention provides a method and system for implementing an OpenStack token access protection mechanism based on Software Guard Extensions (SGX), which improves the security of token tables stored in memcache.
In the method for implementing the OpenStack token access protection mechanism, the OpenStack token table is stored in memcache according to memcache's storage model, and the protection mechanism of Software Guard Extensions is then used to encrypt the token table.
Here OpenStack is the open-source cloud computing management platform project that lets enterprises or service providers create and operate their own cloud computing and storage facilities; memcache is the high-performance distributed in-memory object caching system; and token refers to the OpenStack token.
In the method of the invention, when OpenStack tokens are protected, the SGX mechanism has the computer hardware encrypt the token information and control its access rights, so that data can be read and modified only on a designated physical resource (such as a server), thereby ensuring the security of the token information.
Preferably, the method for implementing the OpenStack token access protection mechanism comprises the following steps:
(1) store the token table in memcache, allocate a trusted space for memcache through Software Guard Extensions, and generate a key used to verify access rights to the trusted space;
(2) each time the token table is updated, after memcache has updated the data, send a data update request to the SGX driver; once the key has been verified, back the updated data up into the trusted space.
More preferably, storing the token table in memcache comprises the following steps:
(a) edit the token section of /etc/keystone/keystone.conf:
Driver=keystone.token.backends.memcache.Token, changing the driver of the token section to memcache;
(b) restart keystone and start memcache, so that the distributed token table is managed through memcache.
More preferably, in step (1), allocating a trusted space for memcache through Software Guard Extensions and generating the key used to verify access rights to the trusted space specifically comprises:
(1-1) data upload: generate the certificate of memcache, and upload memcache and its certificate into the process space;
(1-2) SGX driver preparation: the SGX driver performs parameter measurement on the uploaded memcache and its certificate, allocates address space and pages for the trusted space, and at the same time obtains the certificate information of memcache and passes it to the SGX hardware processor;
(1-3) creation of the trusted space: the SGX driver creates the trusted space according to the measured parameters, copies the data from memcache into the trusted space, and then deletes the data in the process space;
(1-4) key generation: the SGX hardware processor generates the access key of the trusted space from the certificate information of memcache and the characteristics of the SGX hardware processor itself, and encrypts the trusted space with the key.
SGX is the abbreviation of Software Guard Extensions.
The certificate information of memcache includes the hash value of the memcache certificate and the private key.
The invention also provides a system for an OpenStack token access protection mechanism, comprising:
a memcache storage module, which stores the token table that OpenStack keeps in its storage mode in a distributed manner, using memcache as the driver;
an SGX encryption module, which generates a trusted space based on Software Guard Extensions in which to store and operate on the token data in the memcache storage module, and generates the key used to verify access rights to the trusted space.
The SGX encryption module comprises a user space, an SGX driver and an SGX hardware processor:
the user space, comprising the process space used to load memcache and its certificate, and the trusted space allocated for memcache;
the SGX driver, which performs parameter measurement on memcache and allocates the trusted space for it, and at the same time obtains the certificate information of memcache and passes it to the SGX hardware processor;
the SGX hardware processor, which verifies the integrity of memcache's certificate and of the trusted space, generates the access key of the trusted space from the hash value of memcache's certificate and the hash value of its own characteristics, and encrypts the trusted space with the key.
The SGX driver belongs to the operating system; the SGX hardware processor belongs to the hardware architecture.
The key is generated jointly from the client memcache and the hardware information of the physical machine, which ensures the security and validity of the subsequent verification step.
Compared with the prior art, the beneficial effects of the invention are:
the token information is encrypted by the computer hardware through the SGX mechanism and its access rights are controlled, so that the token information can be read and modified only on a designated physical resource (such as a server), thereby ensuring the security of the token information.
Description of the drawings
Fig. 1 is a flow-control schematic of the method for implementing the OpenStack token access protection mechanism of the present invention;
Fig. 2(a) is a schematic of the working principle of the data upload stage;
Fig. 2(b) is a schematic of the working principle of the Software Guard Extensions driver preparation stage;
Fig. 2(c) is a schematic of the working principle of the trusted space creation stage;
Fig. 2(d) is a schematic of the working principle of the key generation stage.
Detailed description
The invention is described in further detail below with reference to the drawings and examples.
The invention is realized by two software modules: a memcache storage module and an SGX encryption module. Their flow control is shown in Fig. 1.
The role of the memcache storage module is to store the token table that OpenStack keeps in its storage mode in a distributed manner, using memcache as the driver. The specific steps are:
(1) edit the Token section of /etc/keystone/keystone.conf:
Driver=keystone.token.backends.memcache.Token, changing its driver to memcache;
(2) restart keystone and start memcache, so that the distributed token table is managed through memcache.
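The two configuration steps above, as an added example that is not part of the patent: a Python 3 script (standard library only) that applies the [token] driver change to a keystone.conf and lists what a reviewer would want confirmed before restarting keystone. The keystone.conf text is a constructed sample; the `keystone.token.backends.sql.Token` value it starts with and the `[memcache] servers` option are assumed to be the pre-existing driver and the option Keystone of that era used to locate its cache nodes, not values taken from the patent.

```python
import configparser
import io

# Constructed sample keystone.conf excerpt (not from a real deployment).
# The starting driver value and the [memcache] servers option are assumptions.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
debug = False

[token]
driver = keystone.token.backends.sql.Token
expiration = 3600

[memcache]
servers = 127.0.0.1:11211
"""

# The driver value the patent's step (1) sets.
MEMCACHE_TOKEN_DRIVER = "keystone.token.backends.memcache.Token"
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


def set_memcache_token_driver(conf_text: str) -> str:
    """Step (1): point the [token] driver at the memcache backend, leaving the
    rest of the file as it was."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    if not parser.has_section("token"):
        parser.add_section("token")
    parser.set("token", "driver", MEMCACHE_TOKEN_DRIVER)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def check_token_backend(conf_text: str) -> list:
    """Findings to settle before step (2) (restart keystone, start memcache):
    is the driver really memcache, does keystone know where memcache is, and
    is the cache node exposed on the network (memcached itself has no
    authentication, which is the weakness the patent addresses)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    findings = []
    driver = parser.get("token", "driver", fallback="")
    if driver != MEMCACHE_TOKEN_DRIVER:
        findings.append(f"[token] driver is {driver or 'unset'}, not the memcache backend")
    servers = parser.get("memcache", "servers", fallback="")
    if not servers:
        findings.append("[memcache] servers is unset; keystone has no cache node to talk to")
    for server in servers.split(","):
        server = server.strip()
        if not server:
            continue
        host = server.rsplit(":", 1)[0]
        if host not in LOOPBACK_HOSTS:
            findings.append(
                f"memcache node {server} is a non-loopback address, so the token "
                "table is readable by any host that can reach it without authentication"
            )
    return findings


if __name__ == "__main__":
    print("before:", check_token_backend(SAMPLE_KEYSTONE_CONF))
    updated = set_memcache_token_driver(SAMPLE_KEYSTONE_CONF)
    print("after:", check_token_backend(updated))
    remote = updated.replace("127.0.0.1:11211", "10.0.0.5:11211")  # constructed variant
    print("remote cache node:", check_token_backend(remote))
```

The check deliberately treats a non-loopback cache node as a finding rather than an error: the patent's whole point is that the plaintext token table in memcache is exposed to anyone who can reach the node, and the SGX-sealed backup is the mitigation it proposes.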
The role of the SGX encryption module is to generate a trusted space in which to store and operate on the corresponding data, and to generate the key used to verify access rights. Its working principle is as follows:
(1) Data upload stage: as shown in Fig. 2(a), memcache is created and its certificate is generated; the certificate information of memcache includes its hash value and private key. Memcache and the certificate are uploaded into the process space;
(2) SGX driver preparation stage: as shown in Fig. 2(b), the SGX driver performs parameter measurement on the uploaded data in order to allocate address space and pages for the trusted space; at the same time the SGX driver obtains the certificate information generated by memcache and passes it down to the SGX hardware processor;
(3) Trusted space creation stage: as shown in Fig. 2(c), the trusted space is created according to the parameter measurement that the SGX driver performed on memcache, the data on memcache is copied into the trusted space, and the data in the process space is then deleted. The SGX hardware processor verifies the integrity of the certificate and of the trusted space;
(4) Key generation stage: as shown in Fig. 2(d), the SGX hardware processor generates the trusted-space access key from the hash value in the certificate and the hash value of the processor's own characteristic data, and encrypts the trusted space with the key. From then on, any access to data in the trusted space must first obtain this key, so the memcache data stored in the trusted space is protected.
Each time the token table is updated, after memcache has updated the data, a data update request is sent to the SGX driver; once the key has been verified, the updated data is backed up into the trusted space.
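The four stages above and steps (1-1) to (1-4) and (2) of the summary describe the same key-binding idea: the trusted-space key is derived from the memcache certificate hash together with something only the SGX processor holds, and an update reaches the sealed copy only after that key verifies. The following is an added model of that flow, written for this page and not code from the patent or from Intel's SDK: a Python 3 program (standard library only) in which the certificate, the per-processor secrets of two servers and the token entries are constructed sample values, the measurement is a plain SHA-256 digest, and the sealing is a toy SHA-256 counter-mode stream with an HMAC tag standing in for the AES-GCM that real SGX sealing uses.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample inputs, not taken from the patent: a stand-in memcache
# "certificate" and hypothetical per-processor secrets for two servers (the
# "characteristics of the SGX hardware processor itself" in step (1-4)).
MEMCACHE_CERT = b"constructed memcache certificate for the keystone cache node"
CPU_SECRET_A = hashlib.sha256(b"hypothetical fused secret of server A").digest()
CPU_SECRET_B = hashlib.sha256(b"hypothetical fused secret of server B").digest()


def measure(cert: bytes) -> bytes:
    """Step (1-2): the SGX driver measures the uploaded certificate and hands
    the certificate hash to the processor. Modelled as a SHA-256 digest."""
    return hashlib.sha256(cert).digest()


def derive_enclave_key(cert_hash: bytes, cpu_secret: bytes) -> bytes:
    """Step (1-4): the access key is bound to both the certificate hash and a
    secret only this processor holds, so another machine cannot derive it."""
    return hmac.new(cpu_secret, b"enclave-access-key" + cert_hash, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode keystream for this model only; real SGX
    # sealing (sgx_seal_data) uses AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, tokens: dict) -> bytes:
    """Encrypt the token table under the trusted-space key and append an HMAC
    tag (encrypt-then-MAC). Layout: nonce (16) || ciphertext || tag (32)."""
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(tokens, sort_keys=True).encode()
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Refuse to decrypt unless the tag verifies under the presented key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("key does not match the trusted space: access denied")
    stream = _keystream(key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


class EnclaveTokenStore:
    """Model of the trusted space holding a sealed backup of the token table."""

    def __init__(self, cert: bytes, cpu_secret: bytes, tokens: dict):
        # Steps (1-1)..(1-4): measure the certificate, derive the key on this
        # processor, copy the memcache data in and seal it.
        self._key = derive_enclave_key(measure(cert), cpu_secret)
        self.sealed = seal(self._key, tokens)

    def read(self, presented_key: bytes):
        """Return the token table, or None if the presented key is wrong."""
        try:
            return unseal(presented_key, self.sealed)
        except PermissionError:
            return None

    def update_request(self, presented_key: bytes, token_id: str, token: dict) -> bool:
        """Step (2): memcache reports an update; it is backed up into the
        trusted space only after the presented key verifies."""
        if not hmac.compare_digest(presented_key, self._key):
            return False
        table = unseal(self._key, self.sealed)
        table[token_id] = token
        self.sealed = seal(self._key, table)
        return True


if __name__ == "__main__":
    tokens = {"tok-1": {"user": "alice", "project": "demo"}}  # constructed sample
    store = EnclaveTokenStore(MEMCACHE_CERT, CPU_SECRET_A, tokens)
    key_a = derive_enclave_key(measure(MEMCACHE_CERT), CPU_SECRET_A)
    key_b = derive_enclave_key(measure(MEMCACHE_CERT), CPU_SECRET_B)
    print("same server reads table:", store.read(key_a) == tokens)
    print("other server reads table:", store.read(key_b))
    print("update with other server's key accepted:", store.update_request(key_b, "tok-2", {"user": "bob"}))
    print("update with own key accepted:", store.update_request(key_a, "tok-2", {"user": "bob"}))
```

Server B holds the same certificate but a different processor secret, so it derives a different key and both its read and its update request are refused; that is the "only on a designated physical resource" property the patent claims. Note that the model protects only the sealed copy: the steps as described update memcache first and back the data up into the trusted space afterwards, so the live memcache copy is still exposed to whatever can reach the cache node.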

Claims (6)

1. A method for implementing an OpenStack token access protection mechanism, characterized in that the OpenStack token table is stored in memcache according to memcache's storage model, and the protection mechanism of Software Guard Extensions is then used to encrypt the token table.
2. The method for implementing an OpenStack token access protection mechanism according to claim 1, characterized in that it comprises the following steps:
(1) storing the token table in memcache, allocating a trusted space for memcache through Software Guard Extensions, and generating a key used to verify access rights to the trusted space;
(2) each time the token table is updated, after memcache has updated the data, sending a data update request to the SGX driver and, once the key has been verified, backing the updated data up into the trusted space.
3. The method for implementing an OpenStack token access protection mechanism according to claim 2, characterized in that storing the token table in memcache comprises the following steps:
(a) editing the token section of /etc/keystone/keystone.conf:
Driver=keystone.token.backends.memcache.Token, changing the driver of the token section to memcache;
(b) restarting keystone and starting memcache, so that the distributed token table is managed through memcache.
4. The method for implementing an OpenStack token access protection mechanism according to claim 2 or 3, characterized in that, in step (1), allocating a trusted space for memcache through Software Guard Extensions and generating the key used to verify access rights to the trusted space specifically comprises:
(1-1) data upload: generating the certificate of memcache, and uploading memcache and its certificate into the process space;
(1-2) SGX driver preparation: the SGX driver performing parameter measurement on the uploaded memcache and its certificate, allocating address space and pages for the trusted space, and at the same time obtaining the certificate information of memcache and passing it to the SGX hardware processor;
(1-3) creation of the trusted space: the SGX driver creating the trusted space according to the measured parameters, copying the data of memcache into the trusted space, and then deleting the data in the process space;
(1-4) key generation: the SGX hardware processor generating the access key of the trusted space from the certificate information of memcache and the characteristics of the SGX hardware processor itself, and encrypting the trusted space with the key.
5. The method for implementing an OpenStack token access protection mechanism according to claim 4, characterized in that the certificate information of the memcache application includes the hash value of the memcache application's certificate and the private key.
6. A system for an OpenStack token access protection mechanism, characterized in that it comprises:
a memcache storage module, which stores the token table that OpenStack keeps in its storage mode in a distributed manner, using memcache as the driver;
an SGX encryption module, which generates a trusted space based on Software Guard Extensions in which to store and operate on the token data in the memcache storage module, and generates the key used to verify access rights to the trusted space.

Priority Applications (1)

Application number: CN201610959011.1A (published as CN106533694B)
Priority date: 2016-11-03
Filing date: 2016-11-03
Title: The realization method and system of Openstack token access protection mechanism


Publications (2)

CN106533694A (application publication): 2017-03-22
CN106533694B (granted patent): 2019-04-23


Legal Events

C06 / PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant