CN106533694A - Method and system for implementation of Openstack token access protection mechanism - Google Patents
Classifications
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Abstract
The invention discloses a method and a system for implementing an Openstack token access protection mechanism. The method comprises storing the Openstack token table in memcache according to the memcache storage mode, and then encrypting the token table using the protection mechanism of SGX (Software Guard Extensions). Through the SGX mechanism the token information is encrypted by the computer hardware and access to it is controlled, so that the token information can only be read and modified on a designated physical resource (such as a server), which guarantees the security of the token information.
Description
Technical field
The present invention relates to the field of security technology in cloud computing operation and storage, and in particular to a method and system for implementing an Openstack token access protection mechanism.
Background technology
Openstack is an open-source cloud computing management platform project that allows enterprises or service providers to create and run their own cloud computing and storage facilities. It consists of five main components: Nova (compute service), Swift (storage service), Glance (image service), Keystone (authentication service) and Horizon (UI service). Keystone provides authentication and access policy services for all Openstack components; it works through its own REST API (based on the Identity API) and mainly authenticates and authorizes (but is not limited to) Swift, Glance, Nova and so on, determining the legitimacy of a request from the source of the action message.
Keystone uses two authorization methods: one based on username/password, the other based on tokens. Because username, password and tenant name are more intuitive, end users seldom operate directly with a token; but operations such as automated testing, which need to call every API (application programming interface) of Openstack directly, issue a large number of commands that depend on the token of the associated user. Consequently, obtaining a user's token means obtaining authorization for all of Openstack's APIs.
However, every authentication performed while managing Openstack produces a new token, so the token table in the Keystone database can grow to tens or even hundreds of GB, which makes later database backups inconvenient. A common solution for managing the token table better is to store the tokens in memcached.
Memcache is a high-performance distributed memory object caching system used to reduce database load for dynamic web applications. By caching data and objects in memory it reduces the number of database reads, thereby speeding up dynamic, database-driven websites. It is open-source software released under the BSD license.
But the Memcache implementation itself lacks sufficient security mechanisms, so its data may be accessed or intercepted by unauthorized users; when it is used for token storage, this may lead to data leakage.
Software Guard Extensions (SGX) is a new processor technology developed by Intel. It provides a trusted space on a computing platform and reduces the trusted computing base (TCB) on which a secure application relies to only the CPU and the application itself, excluding the untrusted and complex operating system (OS) and virtual machine monitor (VMM) from the security boundary, thereby guaranteeing the confidentiality and integrity of the user's key code and data. Rather than identifying and isolating all malware on the platform, this approach encapsulates the secure operations of legitimate software in an enclave (trusted space) and protects them from malware attacks; neither privileged nor unprivileged software can access the enclave. In other words, once software and data are inside the enclave, even the operating system or VMM (hypervisor) cannot affect the code and data inside it. The security boundary of the enclave includes only the CPU and the enclave itself.
Summary of the invention
To address the lack of security guarantees when the token table is stored in memcache, the present invention provides a method and system for implementing an Openstack token access protection mechanism based on Software Guard Extensions (SGX), which improves the security of the token table stored in memcache.
A method for implementing an Openstack token access protection mechanism: the Openstack token table is stored in memcache according to the memcache storage mode, and the token table is then encrypted using the protection mechanism of Software Guard Extensions.
Here, Openstack is the open-source cloud computing management platform project that allows enterprises or service providers to create and run their own cloud computing and storage facilities; Memcache is the high-performance distributed memory object caching system; and token refers to an Openstack token.
In the method for the invention, when openstack tokens are protected, by SGX mechanism by computer hardware to token
Information is encrypted, and its access rights is controlled so that can only be in specified physical resource (server etc.) enterprising line number
According to reading and modification, so as to ensure that the safety of token information.
Preferably, the method for implementing the Openstack token access protection mechanism comprises the following steps:
(1) store the token table in memcache, allocate a trusted space for memcache by means of Software Guard Extensions, and generate a key for verifying access rights to the trusted space;
(2) each time the token table is updated, after memcache has updated the data, send a data update request to the SGX driver; after the key has been verified, back up the updated data into the trusted space.
Further preferably, storing the token table in memcache comprises the following steps:
(a) edit the token field of /etc/keystone/keystone.conf: Driver=keystone.token.backends.memcache.Token, changing the driver of the token field to memcache;
(b) restart keystone and start memcache, so that the distributed token table is managed by memcache.
Further preferably, in step (1), allocating a trusted space for memcache by means of Software Guard Extensions and generating the key for verifying access rights to the trusted space specifically comprises:
(1-1) data upload: generate the certificate of memcache, and upload memcache and its certificate into the process space;
(1-2) SGX driver preparation: the SGX driver performs parameter measurement on the uploaded memcache and its certificate, allocates address space and pages for the trusted space, and at the same time obtains the certificate information of memcache and passes it to the SGX hardware processor;
(1-3) creation of the trusted space: the SGX driver creates the trusted space according to the measured parameters, copies the data on memcache into the trusted space, and then deletes the data in the process space;
(1-4) key generation: the SGX hardware processor generates the access key of the trusted space from the certificate information of memcache and the characteristics of the SGX hardware processor itself, and encrypts the trusted space with the key.
SGX is the abbreviation of Software Guard Extensions.
The certificate information of memcache includes the hash value of the memcache certificate and the private key.
The present invention also provides a system for an Openstack token access protection mechanism, comprising:
a memcache storage module, which stores the token table kept in openstack's storage mode in a distributed manner and uses memcache as the driver;
an SGX encryption module, which generates a trusted space based on Software Guard Extensions to store and operate on the token data in the memcache storage module, and generates the key for verifying access rights to the trusted space.
The SGX encryption module comprises a user space, an SGX driver and an SGX hardware processor:
the user space, including the process space for loading memcache and its certificate, and the trusted space allocated for memcache;
the SGX driver, which performs parameter measurement on memcache and allocates the trusted space for it, and at the same time obtains the certificate information of memcache and passes it to the SGX hardware processor;
the SGX hardware processor, which verifies the integrity of the memcache certificate and of the trusted space, generates the access key of the trusted space from the hash value of the memcache certificate and the hash value of its own characteristics, and encrypts the trusted space with the key.
The SGX driver belongs to the operating system; the SGX hardware processor belongs to the hardware architecture.
The key is generated jointly from the client memcache and the hardware information of the physical machine, which guarantees the security and effectiveness of the subsequent verification step.
Compared with the prior art, the beneficial effects of the present invention are:
the token information is encrypted by the computer hardware through the SGX mechanism and its access rights are controlled, so that the token information can only be read and modified on a designated physical resource (such as a server), thereby guaranteeing the security of the token information.
Description of the drawings
Fig. 1 is a flow-control diagram of the method for implementing the Openstack token access protection mechanism of the present invention;
Fig. 2(a) is a schematic diagram of the working principle of the data upload stage;
Fig. 2(b) is a schematic diagram of the working principle of the Software Guard Extensions driver preparation stage;
Fig. 2(c) is a schematic diagram of the working principle of the trusted space creation stage;
Fig. 2(d) is a schematic diagram of the working principle of the key generation stage.
Specific embodiment
The present invention is described in further detail below with reference to the drawings and embodiments.
The present invention is realized by two software modules, a memcache storage module and an SGX encryption module; its flow control is shown in Fig. 1.
The memcache storage module stores the token table kept in openstack's storage mode in a distributed manner and uses memcache as the driver. The steps are as follows:
(1) edit the Token field of /etc/keystone/keystone.conf: Driver=keystone.token.backends.memcache.Token, changing its driver to memcache;
(2) restart keystone and start memcache, so that the distributed token table is managed by memcache.
The SGX encryption module generates a trusted space to store and operate on the corresponding data, and generates the key for verifying access rights. Its working principle is as follows:
(1) data upload stage: as shown in Fig. 2(a), create memcache and generate its certificate, where the memcache certificate information includes its hash value and private key, and upload memcache and the certificate into the process space;
(2) SGX driver preparation stage: as shown in Fig. 2(b), the SGX driver performs parameter measurement on the uploaded data in order to allocate address space and pages for the trusted space; at the same time the SGX driver obtains the certificate information generated by memcache and passes it to the underlying SGX hardware processor;
(3) trusted space creation stage: as shown in Fig. 2(c), the trusted space is created according to the parameter measurement that the SGX driver performed on memcache, the data on memcache is copied into the trusted space, and the data in the process space is deleted afterwards. The SGX hardware processor verifies the integrity of the certificate and of the trusted space;
(4) key generation stage: as shown in Fig. 2(d), the SGX hardware processor generates the trusted-space access key from the hash value in the certificate and the hash value of the SGX hardware processor's own characteristic data, and encrypts the trusted space with the key; thereafter, anything that accesses the data in the trusted space must first obtain this key, so the memcache data stored in the trusted space is protected.
Each time the token table is updated, after memcache has updated the data, a data update request is sent to the SGX driver; after the key has been verified, the updated data is backed up into the trusted space.
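As an added illustration that is not part of the patent, the following Python model walks through stages (1) to (4) of the SGX encryption module and the update step just described, showing that an access key bound to both the memcache certificate and one physical processor rejects an update request whose key was derived on another machine. It is a software stand-in rather than real SGX: the processor's fused secret, the HMAC-based sealing cipher, and the memcache image, certificate and token rows are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

class SgxHardware:
    """Stand-in for the SGX hardware processor: real SGX derives keys from fused
    per-CPU secrets, modelled here by a random secret private to the object."""
    def __init__(self):
        self._fused_secret = secrets.token_bytes(32)  # hypothetical CPU characteristic

    def access_key(self, cert_hash, measurement):
        # Stage (4): key = f(memcache certificate hash, measurement, hardware characteristic).
        return hmac.new(self._fused_secret, b"enclave-key|" + cert_hash + measurement,
                        hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib-only substitute for an AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC; layout is nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("key verification failed")  # wrong key or tampered backup
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

class TokenEnclave:
    """Trusted space holding the sealed backup copy of the token table."""
    def __init__(self, hardware, cert_hash, measurement):
        self._key = hardware.access_key(cert_hash, measurement)
        self._sealed = None

    def load(self, token_table):  # stage (3): data copied into the trusted space
        self._sealed = seal(self._key, token_table)

    def update(self, requester_key, token_table):  # update step: request must carry the key
        if not hmac.compare_digest(requester_key, self._key):
            raise PermissionError("update request rejected")
        self._sealed = seal(self._key, token_table)

    def read(self, requester_key):
        return unseal(requester_key, self._sealed)

def provision(hardware, memcache_image, certificate, token_table):
    """Stages (1) to (4); returns the enclave and the access key handed to memcache."""
    process_space = {"memcache": memcache_image, "cert": certificate, "tokens": token_table}
    measurement = hashlib.sha256(process_space["memcache"] + process_space["cert"]).digest()
    cert_hash = hashlib.sha256(process_space["cert"]).digest()  # stage (2): driver measurement
    enclave = TokenEnclave(hardware, cert_hash, measurement)
    enclave.load(process_space.pop("tokens"))  # process-space copy deleted afterwards
    return enclave, hardware.access_key(cert_hash, measurement)

TOKENS = b"tok-1:demo:2017-03-22\ntok-2:admin:2017-03-22\n"  # constructed sample table
IMAGE, CERT = b"memcached image", b"memcache certificate"     # constructed stand-ins

def same_machine_roundtrip():
    enclave, key = provision(SgxHardware(), IMAGE, CERT, TOKENS)
    enclave.update(key, TOKENS + b"tok-3:svc:2017-03-22\n")
    return enclave.read(key).count(b"\n")  # 3 token rows survive the update

def other_machine_rejected():
    enclave, _ = provision(SgxHardware(), IMAGE, CERT, TOKENS)
    # Same certificate and measurement, but the key is derived on a different processor.
    foreign = SgxHardware().access_key(hashlib.sha256(CERT).digest(), hashlib.sha256(IMAGE + CERT).digest())
    try:
        enclave.update(foreign, TOKENS)
    except PermissionError:
        return True
    return False
```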
Claims (6)
1. A method for implementing an Openstack token access protection mechanism, characterised in that the Openstack token table is stored in memcache according to the storage mode of memcache, and the token table is then encrypted using the protection mechanism of Software Guard Extensions.
2. The method for implementing an Openstack token access protection mechanism according to claim 1, characterised in that it comprises the following steps:
(1) storing the token table in memcache, allocating a trusted space for memcache by means of Software Guard Extensions, and generating a key for verifying access rights to the trusted space;
(2) each time the token table is updated, after memcache has updated the data, sending a data update request to the SGX driver and, after the key has been verified, backing up the updated data into the trusted space.
3. The method for implementing an Openstack token access protection mechanism according to claim 2, characterised in that storing the token table in memcache comprises the following steps:
(a) editing the token field of /etc/keystone/keystone.conf: Driver=keystone.token.backends.memcache.Token, changing the driver of the token field to memcache;
(b) restarting keystone and starting memcache, so that the distributed token table is managed by memcache.
4. The method for implementing an Openstack token access protection mechanism according to claim 2 or 3, characterised in that, in step (1), allocating a trusted space for memcache by means of Software Guard Extensions and generating the key for verifying access rights to the trusted space specifically comprises:
(1-1) data upload: generating the certificate of memcache, and uploading memcache and its certificate into the process space;
(1-2) SGX driver preparation: the SGX driver performing parameter measurement on the uploaded memcache and its certificate, allocating address space and pages for the trusted space, and at the same time obtaining the certificate information of memcache and passing it to the SGX hardware processor;
(1-3) creation of the trusted space: the SGX driver creating the trusted space according to the measured parameters, copying the data on memcache into the trusted space, and then deleting the data in the process space;
(1-4) key generation: the SGX hardware processor generating the access key of the trusted space from the certificate information of memcache and the characteristics of the SGX hardware processor itself, and encrypting the trusted space with the key.
5. The method for implementing an Openstack token access protection mechanism according to claim 4, characterised in that the certificate information of the memcache application includes the hash value and the private key of the memcache application certificate.
6. A system for an Openstack token access protection mechanism, characterised in that it comprises:
a memcache storage module, which stores the token table kept in openstack's storage mode in a distributed manner and uses memcache as the driver;
an SGX encryption module, which generates a trusted space based on Software Guard Extensions to store and operate on the token data in the memcache storage module, and generates the key for verifying access rights to the trusted space.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610959011.1A CN106533694B (en) | 2016-11-03 | 2016-11-03 | The realization method and system of Openstack token access protection mechanism |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106533694A true CN106533694A (en) | 2017-03-22 |
CN106533694B CN106533694B (en) | 2019-04-23 |