CN108718316A - Method and system for realizing secure migration of virtual machine password information

Info

Publication number: CN108718316A
Authority: CN (China)
Prior art keywords: virtual machine, module, migration, message, management system
Legal status: Granted
Application number: CN201810593151.0A
Other languages: Chinese (zh)
Other versions: CN108718316B (en)
Inventors: 孙晓妮, 朱书杉, 陈小龙, 李若寒
Current assignee: Chaoyue Technology Co Ltd
Original assignee: Shandong Chaoyue CNC Electronics Co Ltd

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
                    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
                        • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F9/00 Arrangements for program control, e.g. control units
                    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
                        • G06F9/44 Arrangements for executing specific programs
                            • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                                • G06F9/45533 Hypervisors; Virtual machine monitors
                                    • G06F9/45558 Hypervisor-specific management and integration aspects
                                        • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
                                        • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The invention discloses a method and system for the secure migration of virtual machine cryptographic information, in the field of secure migration of virtual machine cryptographic information. The technical problem addressed is that, during virtual machine migration, once cryptographic devices have been introduced, the migration of the cryptographic information configured for the virtual machine, such as its cryptographic device and keys, cannot be guaranteed. The technical solution is: 1. A method for the secure migration of virtual machine cryptographic information, in which a listener module and a migration module are deployed on each compute node and the modules interact through the OpenStack message queue; the listener module continuously monitors the messages in the message queue and triggers the migration module when it observes the message that the virtual machine migration has succeeded; after the migration module is triggered, it sends an unbind request to the key management system, and the key management system calls the corresponding interfaces to migrate the virtual machine's cryptographic information. 2. The invention also discloses a system for the secure migration of virtual machine cryptographic information.

Description

Method and system for realizing the secure migration of virtual machine cryptographic (password) information
Technical field
The present invention relates to the field of security and confidentiality in the migration of cryptographic information during virtual machine migration in a cloud computing environment, and specifically to a method and system for realizing the secure migration of virtual machine cryptographic information.
Background technology
Dynamic migration of virtual machine technology refers to moving it from present physical host in the case where not interrupting virtual machine operation Move the technology on other physical hosts.Virtual machine (vm) migration process is mainly realized will maintain institute during, migration transparent to user There is the service quality etc. that network state and Application Status, transition process cannot influence other application by contention for resource to ask Topic.
In order to ensure the safety of cloud data center, realizes the authentication of cloud data center, access control, calculate, deposit Storage and the safety of Internet resources, it will usually a large amount of encryption device is introduced, and security strategy is created based on encryption device, with Meet safe and secret demand, to ensure the safe operation of cloud data center.
It is most important or before keeping migration other than the transparent completion of transition process to be ensured when virtual machine (vm) migration The consistency of state afterwards especially migrates the consistency of front and back safe condition.OpenStack self mechanisms have merely ensured that virtually The migration of its secure group rule when machine migrates, but due to the introducing of encryption device, the encryption device and key of virtual machine configuration The migration of equal encrypted messages cannot ensure.
Summary of the invention
The technical task of the present invention is to provide a method and system for realizing the secure migration of virtual machine cryptographic information, in order to solve the problem that, during virtual machine migration, the migration of the cryptographic information configured for the virtual machine, such as its cryptographic device and keys, cannot be guaranteed once cryptographic devices have been introduced.
The technical task of the present invention is realized as follows. In the method for the secure migration of virtual machine cryptographic information, a listener module and a migration module are deployed on each compute node, and the modules interact through the OpenStack message queue. The listener module continuously monitors the messages in the message queue and triggers the migration module when it observes the message that the virtual machine migration has succeeded. After the migration module is triggered, it sends an unbind request to the key management system, and the key management system calls the corresponding interfaces to migrate the virtual machine's cryptographic information. The key management system is an ordinary prior-art key management system.
Preferably, the specific working process of the listener module is as follows:
(1) The listener module continuously monitors whether Nova's live_migrate() method has sent a virtual machine migration message:
  1. If the listener module observes, in the topic mode of the message queue, a message that a virtual machine is being live-migrated, go to step (2);
  2. If no virtual machine migration message is observed, return to step (1).
(2) The listener module continuously monitors the result returned by Nova's compute_rpcapi.live_migration() method, checking whether it observes the message naming the virtual machine and the host:
  1. If so, go to step (3);
  2. If not, return to step (2).
(3) The listener module continuously monitors the result returned by Nova's wait_for_live_migration() method, checking whether it observes the message that the virtual machine migration has succeeded:
  1. If so, the listener module triggers the migration module;
  2. If not, return to step (3).
Preferably, the specific working process of the migration module is as follows:
(1) Compute node 1 sends an unbind request to the key management system;
(2) The key management system calls the key recovery interface to recover the key information of the cryptographic device bound to the virtual machine;
(3) The key management system calls the device unbind interface to unbind the original cryptographic device from the virtual machine;
(4) The key management system assesses whether compute node 2 meets the cryptographic requirements of the virtual machine:
  1. If satisfied, go to step (5);
(5) The key management system calls the device bind interface to bind a new cryptographic device to the target virtual machine;
(6) The key management system calls the key distribution interface to inject the key information into the new cryptographic device bound to the target virtual machine, which completes the secure migration of the virtual machine's cryptographic information.
A system for the secure migration of virtual machine cryptographic information comprises a key management system and several compute nodes. A listener module and a migration module are deployed on each compute node. The key management system manages the cryptographic information; the listener module continuously monitors the messages in the message queue and is responsible for triggering the migration module; and the migration module calls the corresponding interfaces to complete the secure migration of the virtual machine's cryptographic information.
Preferably, the interfaces called by the migration module include a key recovery interface, a device unbind interface, a device bind interface and a key distribution interface.
The method and system for the secure migration of virtual machine cryptographic information of the present invention have the following advantages:
(1) To ensure the secure operation of the cloud data center, the invention has the cryptographic management system cooperate with the listener module and migration module deployed on each compute node to migrate the virtual machine's cryptographic information, which improves the security of the cloud data center;
(2) The invention allows the cryptographic information configured for a virtual machine to be adjusted dynamically when the virtual machine migrates, thereby ensuring the consistency of the security state across the migration.
Description of the drawings
The present invention is further described below with reference to the drawings.
Figure 1 is a flow diagram of the working process of the listener module;
Figure 2 is a flow diagram of the working process of the migration module.
Specific implementation
The method and system for realizing the secure migration of virtual machine cryptographic information of the present invention are described in detail below with reference to the drawings and specific embodiments.
Embodiment 1:
In the method for the secure migration of virtual machine cryptographic information of the present invention, a listener module and a migration module are deployed on each compute node, and the modules interact through the OpenStack message queue. The listener module continuously monitors the messages in the message queue and triggers the migration module when it observes the message that the virtual machine migration has succeeded. After the migration module is triggered, it sends an unbind request to the key management system, and the key management system calls the corresponding interfaces to migrate the virtual machine's cryptographic information. The virtual machine migration may be either manual or automatic.
As shown in Fig. 1, the specific working process of the listener module is as follows:
(1) The listener module continuously monitors whether Nova's live_migrate() method has sent a virtual machine migration message:
  1. If the listener module observes, in the topic mode of the message queue, a message that a virtual machine is being live-migrated, go to step (2);
  2. If no virtual machine migration message is observed, return to step (1).
(2) The listener module continuously monitors the result returned by Nova's compute_rpcapi.live_migration() method, checking whether it observes the message naming the virtual machine and the host:
  1. If so, go to step (3);
  2. If not, return to step (2).
(3) The listener module continuously monitors the result returned by Nova's wait_for_live_migration() method, checking whether it observes the message that the virtual machine migration has succeeded:
  1. If so, the listener module triggers the migration module;
  2. If not, return to step (3).
As shown in Fig. 2, the specific working process of the migration module is as follows:
(1) Compute node 1 sends an unbind request to the key management system;
(2) The key management system calls the key recovery interface to recover the key information of the cryptographic device bound to the virtual machine;
(3) The key management system calls the device unbind interface to unbind the original cryptographic device from the virtual machine;
(4) The key management system assesses whether compute node 2 meets the cryptographic requirements of the virtual machine:
  1. If satisfied, go to step (5);
(5) The key management system calls the device bind interface to bind a new cryptographic device to the target virtual machine;
(6) The key management system calls the key distribution interface to inject the key information into the new cryptographic device bound to the target virtual machine, which completes the secure migration of the virtual machine's cryptographic information.
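As an added illustration (not code from the patent or its assignee), this Python model runs the listener state machine of Fig. 1 and the migration-module steps of Fig. 2 over a constructed message sequence. Nova, the message queue and the key management system are stand-ins: the topic strings, node capability labels, device names and key values are assumed, and the branch taken when the target node fails the step (4) assessment, which the patent leaves unspecified, simply reports the failure.

```python
from collections import namedtuple

# Queue message; the topic strings are constructed stand-ins for the Nova calls of Fig. 1 steps (1)-(3).
QueueMessage = namedtuple("QueueMessage", "topic vm body")
STEP_TOPICS = {1: "nova.live_migrate", 2: "nova.compute_rpcapi.live_migration",
               3: "nova.wait_for_live_migration"}


class KeyManagementSystem:
    """Stand-in for the key management system, exposing the four interfaces the claims name."""
    def __init__(self, node_capabilities, bindings):
        self.node_capabilities = node_capabilities  # node -> set of cryptographic features it offers
        self.bindings = bindings                    # vm -> {"node", "device", "key"} (constructed)
        self.calls = []                             # audit trail of interface calls, to check step order

    def key_recovery(self, vm):                     # step (2): recover the key of the bound device
        self.calls.append(("key_recovery", vm))
        return self.bindings[vm]["key"]

    def device_unbind(self, vm):                    # step (3): unbind the original device
        self.calls.append(("device_unbind", vm))
        self.bindings.pop(vm)

    def node_meets_requirements(self, node, required):  # step (4): assess the target node
        return required <= self.node_capabilities.get(node, set())

    def device_bind(self, vm, node):                # step (5): bind a new device on the target node
        self.calls.append(("device_bind", vm))
        self.bindings[vm] = {"node": node, "device": f"vcrypto-{node}-{vm}", "key": None}

    def key_distribution(self, vm, key):            # step (6): inject the key into the new device
        self.calls.append(("key_distribution", vm))
        self.bindings[vm]["key"] = key


class MigrationModule:
    """Steps (1) to (6) of Fig. 2, run once the listener triggers it."""
    def __init__(self, kms, vm_requirements):
        self.kms = kms
        self.vm_requirements = vm_requirements      # vm -> cryptographic features it needs

    def migrate(self, vm, dst_node):
        key = self.kms.key_recovery(vm)             # (1)+(2): unbind request, then key recovery
        self.kms.device_unbind(vm)                  # (3)
        if not self.kms.node_meets_requirements(dst_node, self.vm_requirements[vm]):
            return "target node lacks required capability"  # branch the patent leaves unspecified
        self.kms.device_bind(vm, dst_node)          # (5)
        self.kms.key_distribution(vm, key)          # (6)
        return "migrated"


class ListenerModule:
    """Listener state machine of Fig. 1, tracked per VM; a message that arrives at the
    wrong step is ignored, so the listener stays at its current step."""
    def __init__(self, migration_module):
        self.migration_module = migration_module
        self.state = {}       # vm -> {"step": 1|2|3, "dst": host named by the step (2) result}
        self.outcomes = []    # (vm, migration result) for each triggered migration

    def on_message(self, msg):
        st = self.state.setdefault(msg.vm, {"step": 1, "dst": None})
        if msg.topic != STEP_TOPICS[st["step"]]:
            return                                  # not the message this step waits for
        if st["step"] == 1:                         # live migration of this VM announced
            st["step"] = 2
        elif st["step"] == 2:                       # VM and destination host are now known
            st["dst"], st["step"] = msg.body["host"], 3
        elif msg.body.get("status") == "success":   # step (3): migration succeeded, trigger
            self.outcomes.append((msg.vm, self.migration_module.migrate(msg.vm, st["dst"])))
            del self.state[msg.vm]


def run_demo():
    """Drive both modules with a constructed message sequence; returns (listener, kms)."""
    kms = KeyManagementSystem(
        {"node1": {"sm4"}, "node2": {"sm4"}, "node3": set()},   # "sm4" is a constructed feature label
        {"vm-a": {"node": "node1", "device": "vcrypto-node1-vm-a", "key": "key-a"},
         "vm-b": {"node": "node1", "device": "vcrypto-node1-vm-b", "key": "key-b"}})
    listener = ListenerModule(MigrationModule(kms, {"vm-a": {"sm4"}, "vm-b": {"sm4"}}))
    messages = [
        QueueMessage(STEP_TOPICS[3], "vm-a", {"status": "success"}),  # premature success: ignored
        QueueMessage(STEP_TOPICS[1], "vm-a", {}),
        QueueMessage(STEP_TOPICS[2], "vm-a", {"host": "node2"}),
        QueueMessage(STEP_TOPICS[3], "vm-a", {"status": "success"}),  # vm-a: full migration
        QueueMessage(STEP_TOPICS[1], "vm-b", {}),
        QueueMessage(STEP_TOPICS[2], "vm-b", {"host": "node3"}),
        QueueMessage(STEP_TOPICS[3], "vm-b", {"status": "success"}),  # vm-b: node3 fails step (4)
    ]
    for m in messages:
        listener.on_message(m)
    return listener, kms
```

Note that when step (4) fails, the key has already been recovered and the original device unbound, so the virtual machine is left with no bound cryptographic device; a deployment needs a defined recovery path for that case.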
Embodiment 2:
A system for the secure migration of virtual machine cryptographic information based on Embodiment 1 comprises a key management system, compute node 1 and compute node 2. Compute node 1 and compute node 2 each deploy the message queue, a listener module and a migration module. The key management system manages the cryptographic information; the listener module continuously monitors the messages in the message queue and is responsible for triggering the migration module; and the migration module calls the corresponding interfaces to complete the secure migration of the virtual machine's cryptographic information. The interfaces called by the migration module include the key recovery interface, the device unbind interface, the device bind interface and the key distribution interface.
Besides the underlying computer hardware, compute node 1 and compute node 2 also contain cryptographic devices, from which virtual cryptographic devices can be allocated to virtual machines.
Those skilled in the art can readily realize the present invention from the specific embodiments above. It should be understood, however, that the present invention is not limited to the specific embodiments described. On the basis of the disclosed embodiments, those skilled in the art may combine different technical features arbitrarily to obtain different technical solutions.
Technical features other than those described in the specification are known to those skilled in the art.

Claims (5)

1. A method for the secure migration of virtual machine cryptographic information, characterized in that a listener module and a migration module are deployed on each compute node, the modules interact through the OpenStack message queue, and the listener module continuously monitors the messages in the message queue and triggers the migration module when it observes the message that the virtual machine migration has succeeded; after the migration module is triggered, it sends an unbind request to the key management system, and the key management system calls the corresponding interfaces to migrate the virtual machine's cryptographic information.
2. The method for the secure migration of virtual machine cryptographic information according to claim 1, characterized in that the specific working process of the listener module is as follows:
(1) The listener module continuously monitors whether Nova's live_migrate() method has sent a virtual machine migration message:
  1. If the listener module observes, in the topic mode of the message queue, a message that a virtual machine is being live-migrated, go to step (2);
  2. If no virtual machine migration message is observed, return to step (1).
(2) The listener module continuously monitors the result returned by Nova's compute_rpcapi.live_migration() method, checking whether it observes the message naming the virtual machine and the host:
  1. If so, go to step (3);
  2. If not, return to step (2).
(3) The listener module continuously monitors the result returned by Nova's wait_for_live_migration() method, checking whether it observes the message that the virtual machine migration has succeeded:
  1. If so, the listener module triggers the migration module;
  2. If not, return to step (3).
3. The method for the secure migration of virtual machine cryptographic information according to claim 1, characterized in that the specific working process of the migration module is as follows:
(1) Compute node 1 sends an unbind request to the key management system;
(2) The key management system calls the key recovery interface to recover the key information of the cryptographic device bound to the virtual machine;
(3) The key management system calls the device unbind interface to unbind the original cryptographic device from the virtual machine;
(4) The key management system assesses whether compute node 2 meets the cryptographic requirements of the virtual machine:
  1. If satisfied, go to step (5);
(5) The key management system calls the device bind interface to bind a new cryptographic device to the target virtual machine;
(6) The key management system calls the key distribution interface to inject the key information into the new cryptographic device bound to the target virtual machine, which completes the secure migration of the virtual machine's cryptographic information.
4. A system for the secure migration of virtual machine cryptographic information, characterized in that the system comprises a key management system and several compute nodes; a listener module and a migration module are deployed on each compute node; the key management system manages the cryptographic information; the listener module continuously monitors the messages in the message queue and is responsible for triggering the migration module; and the migration module calls the corresponding interfaces to complete the secure migration of the virtual machine's cryptographic information.
5. The system for the secure migration of virtual machine cryptographic information according to claim 4, characterized in that the interfaces called by the migration module include a key recovery interface, a device unbind interface, a device bind interface and a key distribution interface.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810593151.0A CN108718316B (en) 2018-06-11 2018-06-11 Method and system for realizing secure migration of virtual machine password information

Publications (2)

Publication Number Publication Date
CN108718316A true CN108718316A (en) 2018-10-30
CN108718316B CN108718316B (en) 2020-11-24

Family

ID=63912067

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113495777A (en) * 2020-04-03 2021-10-12 中移动信息技术有限公司 Virtual machine online method, device, equipment and medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130191648A1 (en) * 2012-01-23 2013-07-25 Citrix Systems, Inc. Storage Encryption
CN104951688A (en) * 2014-03-24 2015-09-30 国家计算机网络与信息安全管理中心 Special data encryption method and encryption card suitable for Xen virtualized environment
CN105094964A (en) * 2014-05-20 2015-11-25 苏宁云商集团股份有限公司 Virtual machine migration method and system
CN106681802A (en) * 2015-11-06 2017-05-17 华为技术有限公司 Virtual machine migration method, device and system
CN107294710A (en) * 2017-06-30 2017-10-24 浪潮(北京)电子信息产业有限公司 Key migration method and device for vTPM 2.0
CN107465689A (en) * 2017-09-08 2017-12-12 大唐高鸿信安(浙江)信息科技有限公司 Key management system and method for a virtual trusted platform module in a cloud environment

Also Published As

Publication number Publication date
CN108718316B (en) 2020-11-24

Legal Events

Code Title Description

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Address after: 250104 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech Zone, Shandong Province
    Patentee after: Chaoyue Technology Co.,Ltd.
    Address before: 250104 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech Zone, Shandong Province
    Patentee before: SHANDONG CHAOYUE DATA CONTROL ELECTRONICS Co.,Ltd.
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: An implementation method and system of virtual machine password information security migration
    Effective date of registration: 20211104
    Granted publication date: 20201124
    Pledgee: China Merchants Bank Co.,Ltd. Jinan Branch
    Pledgor: Chaoyue Technology Co.,Ltd.
    Registration number: Y2021370000126
PC01 Cancellation of the registration of the contract for pledge of patent right
    Date of cancellation: 20230413
    Granted publication date: 20201124
    Pledgee: China Merchants Bank Co.,Ltd. Jinan Branch
    Pledgor: Chaoyue Technology Co.,Ltd.
    Registration number: Y2021370000126