CN109462611A - A kind of integrity certification method and device - Google Patents

A kind of integrity certification method and device

Info

Publication number
CN109462611A
Authority
CN
China
Prior art keywords
equipment
measurement value
comprehensive measurement
request message
response message
Prior art date
Legal status
Granted
Application number
CN201811607136.3A
Other languages
Chinese (zh)
Other versions
CN109462611B (en)
Inventor
雷昭燕
兰晓成
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Technologies Co Ltd
Priority to CN201811607136.3A
Publication of CN109462611A
Application granted
Publication of CN109462611B
Current legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information: received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the present invention provide an integrity attestation method and device. A first device sends a second device a first request message for obtaining the second device's comprehensive measurement value. The second device answers with a first response message carrying its comprehensive measurement value and its measurement count. The first device then sends the second device a second request message for obtaining that number (the measurement count) of log records. The second device answers with a second response message carrying the first measurement-count log records of its measurement log. The first device verifies the integrity of the second device from the received log records and the comprehensive measurement value. Because fewer message exchanges are needed between the devices, the efficiency of integrity attestation is effectively improved.

Description

A kind of integrity certification method and device
Technical field
The present invention relates to the field of network communication technology, and in particular to an integrity attestation method and device.
Background
Trusted computing establishes a specific integrity measurement mechanism to verify whether a network device has been attacked by malicious code. This verification process is also called integrity attestation (rendered "integrity certification" in the title of this page).
A network device measures the program code running on it and reports the measurement information to a peer device, so that the peer can verify this device's integrity.
The message exchange of integrity attestation is shown in Fig. 1. Taking device 12 verifying the integrity of device 11 as an example, the exchange is:
Step 101: device 12 requests the measurement log of device 11;
Step 102: device 11 returns its measurement log to device 12, denoted L1;
Step 103: device 12 requests the comprehensive measurement value of device 11;
Step 104: device 11 returns its comprehensive measurement value to device 12;
Step 105: device 12 requests the measurement log of device 11 again;
Step 106: device 11 returns its measurement log to device 12, denoted L2.
After this exchange, device 12 compares the number of log records in L2 (denoted N2) with the number of log records in L1 (denoted N1). If N2 is greater than N1, device 11 was still measuring when device 12 obtained L1; that is, device 11 may have generated new log records between step 102 and step 104.
Device 12 first computes over all log records in L1. If the result matches the comprehensive measurement value it obtained, the integrity of device 11 is normal. If not, device 12 takes from L2 the record that follows the last record of L1 (the (N1+1)-th record) and computes over the first N1+1 records of L2. If the result still does not match the comprehensive measurement value, it computes over the first N1+2 records of L2, and so on. As soon as a result matches the comprehensive measurement value, it stops and the integrity of device 11 is proven normal. If all records of L2 have been included in the computation and no result matching the comprehensive measurement value has been found, the integrity of device 11 is proven abnormal.
It can be seen from the above attestation procedure that the process is overly complex, which makes integrity attestation inefficient.
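The prior-art prefix search described above, as an added Python example that is not part of the patent. It simulates the six-step exchange of Fig. 1 with the attested device (device 11) still measuring while L1, the comprehensive measurement value and L2 are fetched, and then runs device 12's search from N1 up to N2. The extend operation is implemented as the hash chain a real TPM uses, PCR_new = SHA-256(PCR_old || value), rather than the OR operation the patent uses as an illustration; the program images and the all-zero initial PCR are constructed assumptions.

```python
import hashlib

# Constructed sample inputs (not from the patent): images of five programs
# that the attested device (device 11) measures in this order.
PROGRAMS = [b"program 1", b"program 2", b"program 3", b"program 4", b"program 5"]


def single_measure(image: bytes) -> bytes:
    """Single measurement value: the hash of one program image."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, value: bytes) -> bytes:
    """PCR extend as a real TPM does it: new = H(old || value).
    Assumption: this replaces the OR operation the patent uses as illustration."""
    return hashlib.sha256(pcr + value).digest()


def replay(log_records: list, n: int) -> bytes:
    """Recompute the comprehensive measurement value from the first n records."""
    pcr = bytes(32)  # assumed initial PCR value (all zeros)
    for value in log_records[:n]:
        pcr = extend(pcr, value)
    return pcr


def prior_art_verify(log_l1: list, pcr_value: bytes, log_l2: list):
    """Device 12's search in the Fig. 1 scheme.

    L1 was fetched before the PCR value and L2 after it, so the PCR value may
    cover anywhere between N1 and N2 records. Try each prefix length in turn.
    Returns (verdict, number of records the PCR value was found to cover)."""
    n1, n2 = len(log_l1), len(log_l2)
    # L2 must be an extension of L1; otherwise the log was rewritten in between.
    if n2 < n1 or log_l2[:n1] != log_l1:
        return False, None
    for n in range(n1, n2 + 1):
        if replay(log_l2, n) == pcr_value:
            return True, n
    return False, None


def simulate_prior_art(measure_between: int):
    """Run steps 101-106 while device 11 keeps measuring.

    measure_between: how many programs device 11 measures between returning
    L1 (step 102) and returning its PCR value (step 104). One more program is
    always measured before L2 is returned (step 106)."""
    log, pcr = [], bytes(32)

    def measure_next():
        nonlocal pcr
        value = single_measure(PROGRAMS[len(log)])
        pcr = extend(pcr, value)
        log.append(value)

    measure_next()
    measure_next()                        # two programs measured before step 101
    l1 = list(log)                        # step 102: L1 (N1 = 2)
    for _ in range(measure_between):
        measure_next()                    # device keeps measuring in flight
    pcr_value = pcr                       # step 104: comprehensive measurement value
    measure_next()                        # another measurement before step 106
    l2 = list(log)                        # step 106: L2
    return prior_art_verify(l1, pcr_value, l2)


if __name__ == "__main__":
    print(simulate_prior_art(2))          # PCR value covers 4 records: (True, 4)
```

The search is what the patented scheme removes: because L1 and the comprehensive measurement value are read in separate exchanges, the verifier never knows how many records the value covers and has to try N2 - N1 + 1 candidate prefixes, each a full replay.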
Summary of the invention
To solve the inefficiency of existing integrity attestation, the present invention proposes an integrity attestation method and device that improve the efficiency of integrity attestation.
To achieve this, the present invention provides the following technical solutions:
In a first aspect, the present invention provides an integrity attestation method applied to a first device, the method comprising:
sending a first request message to a second device to be verified, the first request message being for obtaining the comprehensive measurement value of the second device;
receiving a first response message that the second device sends in response to the first request message, the first response message comprising the comprehensive measurement value and the measurement count of the second device;
sending a second request message to the second device, the second request message being for obtaining measurement-count log records;
receiving a second response message that the second device sends in response to the second request message, the second response message comprising the first measurement-count log records that the second device obtained from its measurement log;
verifying the integrity of the second device from the measurement-count log records and the comprehensive measurement value.
In a second aspect, the present invention provides an integrity attestation method applied to a second device, the method comprising:
if a first request message sent by a first device for obtaining the comprehensive measurement value is received, obtaining the comprehensive measurement value and the measurement count;
sending a first response message to the first device, the first response message comprising the comprehensive measurement value and the measurement count;
if a second request message sent by the first device for obtaining measurement-count log records is received, obtaining the first measurement-count log records from the measurement log;
sending a second response message to the first device, the second response message comprising the obtained measurement-count log records, so that the first device verifies the integrity of the second device from those log records and the comprehensive measurement value.
In a third aspect, the present invention provides an integrity attestation device applied to a first device, the device comprising:
a sending unit, for sending a first request message to a second device to be verified, the first request message being for obtaining the comprehensive measurement value of the second device;
a receiving unit, for receiving a first response message that the second device sends in response to the first request message, the first response message comprising the comprehensive measurement value and the measurement count of the second device;
the sending unit being further for sending a second request message to the second device, the second request message being for obtaining measurement-count log records;
the receiving unit being further for receiving a second response message that the second device sends in response to the second request message, the second response message comprising the first measurement-count log records that the second device obtained from its measurement log;
a verification unit, for verifying the integrity of the second device from the measurement-count log records and the comprehensive measurement value.
In a fourth aspect, the present invention provides an integrity attestation device applied to a second device, the device comprising:
an integrity measurement unit, for generating a log record comprising a single measurement value, adding it to the measurement log, and pushing the single measurement value to the trusted platform unit;
the trusted platform unit, for updating the comprehensive measurement value from the single measurement value and incrementing the measurement count;
a platform trust service unit, for: if a first request message sent by a first device for obtaining the comprehensive measurement value is received, obtaining the comprehensive measurement value and the measurement count from the trusted platform unit and sending the first device a first response message comprising the comprehensive measurement value and the measurement count; and if a second request message sent by the first device for obtaining measurement-count log records is received, obtaining the first measurement-count log records from the integrity measurement unit and sending the first device a second response message comprising those log records, so that the first device verifies the integrity of the second device from the measurement-count log records and the comprehensive measurement value.
As can be seen from the above, in the embodiments of the present invention the first device needs to obtain log records from the second device only once to verify the second device's integrity. Compared with obtaining log records twice in the prior art, this greatly reduces the number of message exchanges between the devices and effectively improves the efficiency of integrity attestation.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the message exchange of existing integrity attestation;
Fig. 2 is a flow chart of an integrity attestation method shown in an embodiment of the present invention;
Fig. 3 is the implementation of step 205 shown in an embodiment of the present invention;
Fig. 4 is a flow chart of another integrity attestation method shown in an embodiment of the present invention;
Fig. 5 is the measurement update flow of the second device shown in an embodiment of the present invention;
Fig. 6 is the message exchange of integrity attestation provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of an integrity attestation device shown in an embodiment of the present invention;
Fig. 8 is a structural diagram of another integrity attestation device shown in an embodiment of the present invention.
Specific embodiments
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; they are merely examples of devices and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is only for describing particular embodiments and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are also intended to include the plural, unless the context clearly indicates otherwise. The term "and/or" as used herein means and includes any or all possible combinations of one or more of the associated listed items.
Although the terms first, second, third, etc. may be used in the present invention to describe various information, this information should not be limited by these terms; they are only used to distinguish information of the same type from each other. For example, without departing from the scope of the invention, first information may also be called second information, and similarly second information may also be called first information. Depending on context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
Embodiments of the present invention provide an integrity attestation method in which the first device needs to obtain log records from the second device only once to verify the second device's integrity. This greatly reduces the number of message exchanges between the devices and effectively improves the efficiency of integrity attestation.
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below with reference to the drawings and specific examples:
Referring to Fig. 2, a flow chart of an integrity attestation method provided by an embodiment of the present invention. The flow applies to the first device; for example, the first device may be a server that verifies the integrity of the client devices accessing it.
Here "first device" is a name used only for ease of description and is not limiting.
As shown in Fig. 2, the flow may comprise the following steps:
Step 201: the first device sends a first request message to the second device to be verified.
In embodiments of the present invention the second device may be a client device, a switch, etc.; the invention does not limit this.
The second device measures the programs running locally, for example by computing a hash of each program (the value obtained for each program is called the single measurement value in the embodiments of the present invention), and uses each single measurement value to update the comprehensive measurement value recorded on this device.
In one embodiment, the second device updates the comprehensive measurement value using a trusted chip it contains, for example a TPM (Trusted Platform Module) chip. Specifically, once the TPM chip obtains a single measurement value, it extends it directly into a PCR (Platform Configuration Register) of the chip. The extension is described here as an OR operation between the newly obtained single measurement value and the value in the PCR, the result becoming the new PCR value. Note that in a real TPM the extend operation is a hash chain, PCR_new = H(PCR_old || value); this is what makes the register depend on the order of the measurements and makes it infeasible to find a different log that reproduces it, whereas a plain OR is commutative and absorbs earlier values. In either case the PCR always holds the latest extension result, i.e. the comprehensive measurement value.
When the first device needs to verify the integrity of the second device, it generates a first request message. The first request message is for obtaining the comprehensive measurement value of the second device.
The first device sends the first request message to the second device.
Here "second device" and "first request message" are names used only for ease of description and are not limiting.
Step 202: the first device receives the first response message that the second device sends in response to the first request message.
After receiving the first request message of step 201, the second device parses it and determines that the first device wants to obtain the comprehensive measurement value of this device (the second device).
The second device obtains its current comprehensive measurement value and measurement count.
Note that the second device increments the measurement count every time it updates the comprehensive measurement value with a single measurement value.
The second device generates a first response message comprising the comprehensive measurement value and the measurement count of the second device.
The second device sends the first response message to the first device.
Here "first response message" is a name used only for ease of description and is not limiting.
Step 203: the first device sends a second request message to the second device.
After receiving the first response message of step 202, the first device parses it and obtains the comprehensive measurement value and the measurement count of the second device contained in it.
From the measurement count, the first device can determine that the comprehensive measurement value it has just obtained was derived by the second device from that many (measurement-count) single measurement values. The first device therefore generates a second request message for obtaining measurement-count log records from the second device (each log record comprising one single measurement value).
The first device sends the second request message to the second device.
Here "second request message" is a name used only for ease of description and is not limiting.
Step 204: the first device receives the second response message that the second device sends in response to the second request message.
After receiving the second request message of step 203, the second device parses it and determines that the first device wants to obtain measurement-count log records from this device (the second device).
The second device appends log records to the measurement log in measurement order. For example, suppose the second device measures program 1 through program 5 in sequence. First it measures program 1 and obtains single measurement value 1; the comprehensive measurement value becomes Z1 (equal to single measurement value 1), the measurement count becomes 1, and the first log record, denoted M1, is appended to the measurement log. It then measures program 2 and obtains single measurement value 2; the comprehensive measurement value becomes Z2 (for example, Z2 is the result of the OR operation of Z1 and single measurement value 2), the measurement count becomes 2, and the second log record, denoted M2, is appended to the measurement log; and so on. In other words, the comprehensive measurement value is determined by the single measurement values taken in a fixed measurement order, and the order in which records are appended to the measurement log (their order in the log) corresponds to that measurement order. The second device therefore takes the first measurement-count log records from the measurement log.
The second device generates a second response message comprising the first measurement-count log records it obtained from the measurement log.
The second device sends the second response message to the first device.
Here "second response message" is a name used only for ease of description and is not limiting.
Step 205: the first device verifies the integrity of the second device from the obtained measurement-count log records and the comprehensive measurement value.
After receiving the second response message of step 204, the first device parses it and obtains the measurement-count log records it contains.
The first device verifies the integrity of the second device from the obtained measurement-count log records and the comprehensive measurement value obtained in step 202. The specific verification procedure is described below and is not repeated here.
This completes the flow shown in Fig. 2.
As can be seen from the flow of Fig. 2, in embodiments of the present invention the first device needs to obtain log records from the second device only once to verify the second device's integrity. Compared with obtaining log records twice in the prior art, this greatly reduces the number of message exchanges between the devices and effectively improves the efficiency of integrity attestation.
The procedure by which the first device verifies the integrity of the second device in step 205 is described below. Referring to Fig. 3, an implementation shown in an embodiment of the present invention.
As shown in Fig. 3, the procedure may comprise the following steps:
Step 301: the first device obtains measurement-count single measurement values from the measurement-count log records.
As described above, every time the second device completes a measurement it appends a corresponding log record (comprising the single measurement value) to the measurement log. The first device can therefore obtain measurement-count single measurement values from the measurement-count log records returned by the second device.
Step 302: the first device computes over the measurement-count single measurement values with a preset algorithm.
The preset algorithm is the same algorithm that the second device uses to compute the comprehensive measurement value.
For example, if the TPM chip of the second device extends the PCR by an OR operation, i.e. ORs each newly obtained single measurement value with the value in the PCR to obtain the new PCR value (the comprehensive measurement value), then the first device computes over the measurement-count single measurement values with the same OR operation. Whatever the extend operation is (a real TPM hashes, PCR_new = H(PCR_old || value)), the first device must replay it over the same values in the same order as the second device.
Step 303: the first device checks whether the result matches the comprehensive measurement value obtained in step 202. If they match, go to step 304; if not, go to step 305.
Step 304: the first device determines that the integrity of the second device is normal.
Step 305: the first device determines that the integrity of the second device is abnormal.
As described above, the comprehensive measurement value that the first device obtained in step 202 was derived by the second device from measurement-count single measurement values.
If the measurement log of the second device has been tampered with, the result computed by the first device in step 302 does not match the comprehensive measurement value obtained from the second device, which proves that the integrity of the second device is abnormal; otherwise the integrity of the second device is proven normal.
This completes the procedure shown in Fig. 3.
The procedure of Fig. 3 achieves the integrity verification of the second device.
Referring to Fig. 4, a flow chart of another integrity attestation method provided by an embodiment of the present invention. The flow applies to the second device.
As shown in Fig. 4, the flow may comprise the following steps:
Step 401: if a first request message sent by the first device for obtaining the comprehensive measurement value is received, the second device obtains the comprehensive measurement value and the measurement count.
In embodiments of the present invention, the first device sending the first request message and the second device receiving it are the same as in step 201 of the previous embodiment and are not repeated here.
The second device obtaining the comprehensive measurement value is the same as in step 201 of the previous embodiment and is not repeated here.
The second device obtaining the measurement count is the same as in step 202 of the previous embodiment and is not repeated here.
Step 402: the second device sends a first response message to the first device.
The first response message comprises the comprehensive measurement value and the measurement count.
In embodiments of the present invention, the second device sending the first response message is the same as in step 202 of the previous embodiment and is not repeated here.
Step 403: if a second request message sent by the first device for obtaining measurement-count log records is received, the second device obtains the first measurement-count log records from the measurement log.
In embodiments of the present invention, the first device sending the second request message and the second device receiving it are the same as in step 203 of the previous embodiment and are not repeated here.
The second device obtaining the first measurement-count log records is the same as in step 204 of the previous embodiment and is not repeated here.
Step 404: the second device sends a second response message to the first device.
The second response message comprises the obtained first measurement-count log records.
In embodiments of the present invention, the second device sending the second response message is the same as in step 204 of the previous embodiment and is not repeated here.
The first device verifies the integrity of the second device from the obtained measurement-count log records and the comprehensive measurement value obtained from the second device.
In embodiments of the present invention, the first device verifying the integrity of the second device is the same as in step 205 of the previous embodiment and is not repeated here.
This completes the flow shown in Fig. 4.
As can be seen from the flow of Fig. 4, in embodiments of the present invention the first device needs to obtain log records from the second device only once to verify the second device's integrity. Compared with obtaining log records twice in the prior art, this greatly reduces the number of message exchanges between the devices and effectively improves the efficiency of integrity attestation.
In one embodiment, the flow shown in Fig. 5 is performed before step 401. Referring to Fig. 5, the measurement update flow shown in an embodiment of the present invention.
As shown in Fig. 5, the flow may comprise the following steps:
Step 501: each time a measurement is completed, the second device updates the comprehensive measurement value from the single measurement value and increments the measurement count.
In embodiments of the present invention, the second device updating the comprehensive measurement value is the same as in step 201 of the previous embodiment and is not repeated here.
In embodiments of the present invention, the second device incrementing the measurement count is the same as in step 202 of the previous embodiment and is not repeated here.
Step 502: the second device generates a log record comprising the single measurement value and appends it to the measurement log.
In embodiments of the present invention, the second device appending the log record is the same as in step 204 of the previous embodiment and is not repeated here.
This completes the flow shown in Fig. 5.
The flow of Fig. 5 achieves the update of the comprehensive measurement value, the measurement count and the measurement log.
Method provided in an embodiment of the present invention is described below by specific embodiment:
It is the information exchange process of integrity certification provided in an embodiment of the present invention referring to Fig. 6.The interaction flow is with equipment For the integrality of 62 verifying equipment 61.
The program 1 of 61 pairs of this equipment of equipment operation carries out Hash operation, obtains single metric (being denoted as D1).Equipment 61 will D1 is recorded in the PCR of TPM chip, and cumulative metrics number is 1.Meanwhile the log recording (being denoted as R1) including D1 is generated, add It is added in metrics logs.
The program 2 of 61 pairs of this equipment of equipment operation carries out Hash operation, obtains single metric (being denoted as D2).Equipment 61 will D2 is expanded in the PCR of TPM chip, i.e., carries out to the D1 in D2 and PCR or operation, records in PCR or the result of operation (is denoted as W1), cumulative metrics number is 2.Meanwhile the log recording (being denoted as R2) including D2 is generated, it is added in metrics logs.
At this point, the metrics logs in equipment 61 are as shown in table 1.
Table 1
Step 601: device 62 sends a first request message to device 61.
The first request message is used to obtain the comprehensive measurement value of device 61.
Device 61 parses the first request message and determines that device 62 needs to obtain the comprehensive measurement value of this device; device 61 then reads the current comprehensive measurement value (W1) from the PCR of the TPM chip and, at the same time, obtains the current measurement count (2).
Device 61 generates a first response message that includes W1 and the measurement count (2).
Step 602: device 61 sends the first response message to device 62.
Device 62 parses the first response message and obtains the W1 and the measurement count (2) it contains.
Device 62 generates a second request message that includes the measurement count (2) obtained from the first response message.
Step 603: device 62 sends the second request message to device 61.
If, at this time, device 61 performs a hash operation on program 3 running on this device and obtains a single measurement value (denoted D3), then device 61 extends D3 into the PCR of the TPM chip, that is, it performs an OR operation on D3 and the value (W1) in the PCR, records the result of the OR operation (denoted W2) in the PCR, and increments the measurement count to 3. At the same time, it generates a log record (denoted R3) that includes D3 and adds it to the measurement log.
At this point, the measurement log in device 61 is as shown in Table 2.
Table 2
Device 61 parses the second request message and determines that device 62 needs to obtain the measurement log of this device and that the number of log records to be obtained is 2; device 61 therefore takes the first 2 log records (R1 and R2) from the measurement log shown in Table 2.
Device 61 generates a second response message that includes R1 and R2.
Step 604: device 61 sends the second response message to device 62.
Device 62 parses the second response message and obtains the R1 and R2 it contains. It obtains D1 and D2 from R1 and R2 and performs an OR operation on D1 and D2, obtaining W1. It compares this W1 with the comprehensive measurement value (W1) obtained from device 61; the two are consistent, so it determines that the integrity of device 61 is normal.
If the log records in Table 2 were tampered with before device 61 generated the second response message, the log would be as shown in Table 3.
Table 3
Comparing Table 2 with Table 3, the single measurement value of the first log record has been tampered with and replaced by D4. The single measurement values that device 62 obtains through the second response message are then D1 and D4. Device 62 performs an OR operation on D1 and D4; the result is inconsistent with the comprehensive measurement value (W1) that device 61 obtained from D1 and D2, so device 62 determines that the integrity of device 61 is abnormal.
This completes the description of the present embodiment.
The method provided in the embodiments of the present invention has been described above; the device provided in the embodiments of the present invention is described below:
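As an added illustration of the exchange in Fig. 6 and of the log and PCR update of Fig. 5, the following Python models device 61 (attester) and device 62 (verifier). This is example code written for this page, not code from the patent or its assignee. The program contents, record names and the tampered value D4 are constructed; the combine step is passed in as a parameter so that the bitwise OR the page describes and a SHA-256 based extend can both be run through the same exchange; the record-count check in `verify` is an addition and not part of the page's procedure.

```python
"""Two-round integrity verification: the attester reports (aggregate, count), the
verifier asks for exactly `count` log records and replays the aggregate computation."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Combine = Callable[[bytes, bytes], bytes]


def or_combine(acc: bytes, d: bytes) -> bytes:
    """Combine step as the page states it: bitwise OR of the PCR value and the new digest."""
    return bytes(a | b for a, b in zip(acc, d))


def hash_extend(acc: bytes, d: bytes) -> bytes:
    """Alternative combine in the style of a TPM PCR extend: SHA-256(old || new).
    Not the page's operation; included because the verifier only needs to run
    the same preset algorithm as the attester."""
    return hashlib.sha256(acc + d).digest()


@dataclass
class LogRecord:
    index: int      # measurement number, 1-based
    name: str       # constructed program name
    digest: bytes   # single measurement value (D1, D2, ...)


@dataclass
class Attester:
    """Device 61 in Fig. 6: measures programs into a simulated PCR, counts
    measurements and keeps the measurement log (R1, R2, ...)."""
    combine: Combine
    pcr: bytes = b""
    count: int = 0
    log: List[LogRecord] = field(default_factory=list)

    def measure(self, name: str, program: bytes) -> None:
        d = hashlib.sha256(program).digest()
        # The first value is recorded directly; later values are combined into the PCR.
        self.pcr = d if self.count == 0 else self.combine(self.pcr, d)
        self.count += 1
        self.log.append(LogRecord(self.count, name, d))

    def first_response(self) -> Dict[str, object]:
        """Step 602: comprehensive measurement value plus the current measurement count."""
        return {"aggregate": self.pcr, "count": self.count}

    def second_response(self, n: int) -> Dict[str, object]:
        """Step 604: the first n log records (the log may have grown since step 602)."""
        return {"records": list(self.log[:n])}


def recompute(combine: Combine, records: List[LogRecord]) -> bytes:
    """Verifier-side replay of the attester's preset algorithm over the single values."""
    acc = records[0].digest
    for rec in records[1:]:
        acc = combine(acc, rec.digest)
    return acc


def verify(combine: Combine, first: Dict[str, object], second: Dict[str, object]) -> bool:
    """Device 62's check. The length test is an added sanity check (not on the page):
    a response carrying fewer or more records than the reported count is rejected."""
    records = second["records"]
    if not records or len(records) != first["count"]:
        return False
    return recompute(combine, records) == first["aggregate"]


def run_exchange(combine: Combine, tamper: bool = False) -> bool:
    """Replay Fig. 6 with constructed program bytes; returns the verifier's verdict."""
    dev61 = Attester(combine)
    dev61.measure("program1", b"constructed bytes of program 1")
    dev61.measure("program2", b"constructed bytes of program 2")

    first = dev61.first_response()   # steps 601/602: W1 and measurement count 2
    requested = first["count"]       # step 603: ask for that many records

    # Program 3 is measured after step 602, so the log now also holds R3;
    # only the first two records are returned, which is what W1 covers.
    dev61.measure("program3", b"constructed bytes of program 3")

    if tamper:
        # Table 3 scenario: the stored single value of the first record becomes D4.
        dev61.log[0].digest = hashlib.sha256(b"constructed tampered value D4").digest()

    second = dev61.second_response(requested)
    return verify(combine, first, second)


if __name__ == "__main__":
    print("intact log verifies:", run_exchange(or_combine))           # True
    print("tampered log verifies:", run_exchange(or_combine, True))   # False
```

The combine function is a parameter because the page only requires that the verifier use the same preset algorithm as the attester. Bitwise OR, as written on the page, is order-insensitive and saturating (each extension can only set bits), whereas a hash-based extend binds the order of measurements into the aggregate; a practitioner deploying this exchange would choose the combine step with that difference in mind.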
Referring to Fig. 7, which is a structural schematic diagram of a device provided in an embodiment of the present invention. The integrity certification device is applied to the first device and includes a sending unit 701, a receiving unit 702 and a verification unit 703, wherein:
the sending unit 701 is configured to send a first request message to a second device to be verified, the first request message being used to obtain the comprehensive measurement value of the second device;
the receiving unit 702 is configured to receive the first response message returned by the second device in response to the first request message, the first response message including the comprehensive measurement value and the measurement count of the second device;
the sending unit 701 is further configured to send a second request message to the second device, the second request message being used to obtain a number of log records equal to the measurement count;
the receiving unit 702 is further configured to receive the second response message returned by the second device in response to the second request message, the second response message including the log records, equal in number to the measurement count, that the second device obtained from its measurement log;
the verification unit 703 is configured to verify the integrity of the second device according to those log records and the comprehensive measurement value.
In one embodiment, the verification unit 703 is specifically configured to obtain, from the log records, the single measurement values (equal in number to the measurement count); to compute over those single measurement values using a preset algorithm, the preset algorithm being identical to the algorithm by which the second device computes the comprehensive measurement value; to judge whether the computed result is consistent with the comprehensive measurement value; and, if the computed result is consistent with the comprehensive measurement value, to determine that the integrity of the second device is normal.
In one embodiment, the verification unit 703 is further configured to determine that the integrity of the second device is abnormal if the computed result is inconsistent with the comprehensive measurement value.
This completes the description of the device shown in Fig. 7.
In the embodiments of the present invention, the first device only needs to obtain the log records from the second device once in order to verify the integrity of the second device. Compared with obtaining the log records twice in the prior art, this greatly reduces the number of interactions between the devices and effectively improves the efficiency of integrity certification.
Referring to Fig. 8, which is a structural schematic diagram of another device provided in an embodiment of the present invention. The integrity certification device is applied to the second device and includes an integrity measurement unit 801, a trusted platform unit 802 and a platform trusted service unit 803, wherein:
the integrity measurement unit 801 is configured to generate a log record including a single measurement value, add it to the measurement log, and push the single measurement value to the trusted platform unit 802;
the trusted platform unit 802 is configured to update the comprehensive measurement value according to the single measurement value and to increment the measurement count;
the platform trusted service unit 803 is configured to: if a first request message sent by a first device for obtaining the comprehensive measurement value is received, obtain the comprehensive measurement value and the measurement count from the trusted platform unit 802 and send a first response message, including the comprehensive measurement value and the measurement count, to the first device; and, if a second request message sent by the first device for obtaining a number of log records equal to the measurement count is received, obtain the first that many log records from the integrity measurement unit 801 and send a second response message, including the obtained log records, to the first device, so that the first device verifies the integrity of the second device according to those log records and the comprehensive measurement value.
This completes the description of the device shown in Fig. 8.
In the embodiments of the present invention, the first device only needs to obtain the log records from the second device once in order to verify the integrity of the second device. Compared with obtaining the log records twice in the prior art, this greatly reduces the number of interactions between the devices and effectively improves the efficiency of integrity certification.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent substitution or improvement made within the spirit and principles of the embodiments of the present invention shall fall within the scope of protection of the present invention.

Claims (9)

1. An integrity certification method, applied to a first device, characterized in that the method comprises:
sending a first request message to a second device to be verified, the first request message being used to obtain the comprehensive measurement value of the second device;
receiving a first response message returned by the second device in response to the first request message, the first response message including the comprehensive measurement value and the measurement count of the second device;
sending a second request message to the second device, the second request message being used to obtain a number of log records equal to the measurement count;
receiving a second response message returned by the second device in response to the second request message, the second response message including the log records, equal in number to the measurement count, that the second device obtained from a measurement log;
verifying the integrity of the second device according to the log records and the comprehensive measurement value.
2. The method according to claim 1, characterized in that each log record includes a single measurement value, and verifying the integrity of the second device according to the log records and the comprehensive measurement value comprises:
obtaining, from the log records, the single measurement values, equal in number to the measurement count;
computing over the single measurement values using a preset algorithm, wherein the preset algorithm is identical to the algorithm by which the second device computes the comprehensive measurement value;
judging whether the computed result is consistent with the comprehensive measurement value;
if the computed result is consistent with the comprehensive measurement value, determining that the integrity of the second device is normal.
3. The method according to claim 2, characterized in that the method further comprises:
if the computed result is inconsistent with the comprehensive measurement value, determining that the integrity of the second device is abnormal.
4. An integrity certification method, applied to a second device, characterized in that the method comprises:
if a first request message sent by a first device for obtaining a comprehensive measurement value is received, obtaining the comprehensive measurement value and a measurement count;
sending a first response message to the first device, the first response message including the comprehensive measurement value and the measurement count;
if a second request message sent by the first device for obtaining a number of log records equal to the measurement count is received, obtaining the first that many log records from a measurement log;
sending a second response message to the first device, the second response message including the obtained log records, so that the first device verifies the integrity of the second device according to the log records and the comprehensive measurement value.
5. The method according to claim 4, characterized in that, before obtaining the comprehensive measurement value and the measurement count, the method further comprises:
each time a measurement is completed, updating the comprehensive measurement value according to the single measurement value and incrementing the measurement count;
generating a log record including the single measurement value and adding it to the measurement log.
6. An integrity certification device, applied to a first device, characterized in that the device comprises:
a sending unit, configured to send a first request message to a second device to be verified, the first request message being used to obtain the comprehensive measurement value of the second device;
a receiving unit, configured to receive a first response message returned by the second device in response to the first request message, the first response message including the comprehensive measurement value and the measurement count of the second device;
the sending unit being further configured to send a second request message to the second device, the second request message being used to obtain a number of log records equal to the measurement count;
the receiving unit being further configured to receive a second response message returned by the second device in response to the second request message, the second response message including the log records, equal in number to the measurement count, that the second device obtained from a measurement log;
a verification unit, configured to verify the integrity of the second device according to the log records and the comprehensive measurement value.
7. The device according to claim 6, characterized in that:
the verification unit is specifically configured to obtain, from the log records, the single measurement values, equal in number to the measurement count; to compute over the single measurement values using a preset algorithm, wherein the preset algorithm is identical to the algorithm by which the second device computes the comprehensive measurement value; to judge whether the computed result is consistent with the comprehensive measurement value; and, if the computed result is consistent with the comprehensive measurement value, to determine that the integrity of the second device is normal.
8. The device according to claim 7, characterized in that:
the verification unit is further configured to determine that the integrity of the second device is abnormal if the computed result is inconsistent with the comprehensive measurement value.
9. An integrity certification device, applied to a second device, characterized in that the device comprises:
an integrity measurement unit, configured to generate a log record including a single measurement value, add it to a measurement log, and push the single measurement value to a trusted platform unit;
the trusted platform unit, configured to update a comprehensive measurement value according to the single measurement value and to increment a measurement count;
a platform trusted service unit, configured to: if a first request message sent by a first device for obtaining the comprehensive measurement value is received, obtain the comprehensive measurement value and the measurement count from the trusted platform unit and send a first response message, including the comprehensive measurement value and the measurement count, to the first device; and, if a second request message sent by the first device for obtaining a number of log records equal to the measurement count is received, obtain the first that many log records from the integrity measurement unit and send a second response message, including the obtained log records, to the first device, so that the first device verifies the integrity of the second device according to the log records and the comprehensive measurement value.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811607136.3A CN109462611B (en) 2018-12-27 2018-12-27 Integrity certification method and device

Publications (2)

Publication Number Publication Date
CN109462611A true CN109462611A (en) 2019-03-12
CN109462611B CN109462611B (en) 2021-06-29

Family

ID=65614998

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant