CN109981288B - Fine-grained cloud server side rapid external certification method based on aggregated signature - Google Patents

Publication number
CN109981288B
Authority
CN
China
Prior art keywords
host
cloud service
service end
end system
group
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910230942.1A
Other languages
Chinese (zh)
Other versions
CN109981288A (en)
Inventor
宋元
石文昌
梁彬
秦波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Renmin University of China
Original Assignee
Renmin University of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention relates to a fine-grained cloud server side rapid external certification method based on an aggregate signature, comprising the following steps: 1) the cloud service side owner host sets initial information for each cloud service end system host; 2) the cloud service side owner host issues a credible verification permission token to an external verifier host; 3) the external verifier host generates an aggregation signature tree according to the initial information of each cloud service end system host and the issued credible verification permission token; 4) the external verifier host traverses the aggregation signature tree, and adds the first group of cloud service end system hosts that passes group verification to a trusted host resource pool in the cloud service end; 5) the external verifier host, in cooperation with the cloud service end system hosts in the trusted host resource pool, traverses the aggregation signature tree to perform the group verification task of the cloud service end and complete external verification of the cloud service end.

Description

Fine-grained cloud server side rapid external certification method based on aggregated signature
Technical Field
The invention relates to an external certification method, in particular to a fine-grained cloud server side rapid external certification method based on an aggregate signature.
Background
The external certification method is used for determining the real state of a target system and helping users outside the target system to judge whether the target system is trustworthy. Specifically, the external entity determines whether the target system is trusted by means of the concept of integrity, i.e. it verifies whether the actual integrity measurement result of the target system is consistent with the expected one. If the verification passes, the integrity of the target system is good and the target system is trusted by the external entity. Otherwise, the integrity of the target system has been destroyed and the target system is not trusted by the external entity. The typical application scenario of the external attestation method is judging whether a cloud service end system is trusted. In this scenario, it is assumed that the external verifier host is trusted, and there may be untrusted hosts in the cloud service end system. The expected outcome is that the external verifier host knows the real state of each cloud service end system host. Once the cloud service end system contains an untrusted host, the external verifier host can locate it quickly and accurately.
In an actual system, for security reasons, the integrity measurement result received by the external verifier host is mostly represented in digital signature form, so the external verifier host judges whether the target system is trusted by verifying the digital signature. If multiple host nodes exist in the target system, the digital signature representing the actual state of the target system can be represented as a plurality of single signatures or as an aggregated signature. With an aggregated signature, the $n$ single signatures made by $n$ ($n > 1$) users $P_i$ ($1 \le i \le n$) on $n$ different messages $m_i$ can be aggregated into one signature, and the verifier only needs to verify the aggregated signature to confirm whether each $P_i$ signed $m_i$. The aggregated signature supports identity authentication, data integrity, non-repudiation and other security services for a plurality of users, and is a "batch processing" and "compression" method in the field of digital signatures.
To quickly prove the trusted state of each cloud service end system host, directly adopting an existing external attestation method leads to the following problems: 1) If the traditional external certification method is adopted, the integrity measurement result of each cloud service end system host is represented as a single digital signature. In the trusted verification process, the external entity needs to verify a large number of single digital signatures one by one. The verification time of this method is linear in the number of host nodes to be verified in the cloud service end system, and once that number is large, the time required to verify the target group becomes unacceptable. 2) If the existing group external certification method is adopted, the integrity measurement results of all cloud service end system hosts are represented as one aggregate signature, and the external entity verifies the aggregate signature to judge whether the cloud service end system is trusted. In generating the aggregated signature, this external attestation method assumes that all host nodes to be attested cooperate fully to generate the corresponding aggregated signature, but in some cases, such as a host itself being untrusted or network communication problems, the required aggregated signature result may be incomplete or even lost, so that the external entity may miss the trusted state of some or even all host nodes. That is to say, the existing group external attestation method may be unable to attest the trusted state of each cloud service end system host node in the cloud service end at a fine granularity.
Disclosure of Invention
In view of the above problems, an object of the present invention is to provide a fine-grained cloud server rapid external attestation method based on aggregated signatures, which can rapidly prove the trusted status of each cloud server system host.
In order to achieve the purpose, the invention adopts the following technical scheme: a fine-grained cloud server side rapid external certification method based on aggregate signature is characterized by comprising the following steps: 1) the cloud service side owner host sets initial information for each cloud service side system host; 2) the cloud server side owner host issues a credible verification permission token to the external verifier host according to a token application request submitted by the external verifier host; 3) the external verifier host generates an aggregation signature tree according to the initial information of each cloud service end system host and the issued credible verification permission token; 4) the external verifier host traverses the aggregation signature tree, and adds the first group cloud service end system host passing group verification to a trusted host resource pool in the cloud service end; 5) and the external verifier host traverses the aggregated signature tree in cooperation with the group cloud service end system host in the trusted host resource pool to perform group verification task of the cloud service end and complete external verification of the cloud service end.
Preferably, the specific process of step 1) is as follows: 1.1) the cloud service side owner host sets a serial number for each cloud service side system host; 1.2) each cloud service end system host generates a key pair for signature according to the trusted architecture of the host; 1.3) the certificate authority issues a public key identity certificate for each cloud service end system host according to the number and the key pair of each cloud service end system host.
Preferably, the specific process of step 2) is as follows: 2.1) the external verifying host submits a token application request to the cloud service side owner host; 2.2) the cloud service side owner host examines the token application request submitted by the external verifier host according to the public key identity certificate and the serial number of the cloud service side system host and judges whether to issue a credible verification permission token; if the submitted token application request is consistent with the public key identity certificate and the serial number of the corresponding cloud service end system host, the cloud service end owner host issues a node integrity information collection permission token and a node integrity verification assistance permission token to the external verifier host; if the submitted token application request is inconsistent with the public key identity certificate and the number of the corresponding cloud service end system host, the cloud service end owner host does not issue the node integrity information collection permission token and the node integrity verification assistance permission token to the external verifier host.
Preferably, the token application request comprises an applicant identity certificate and application content.
Preferably, the node integrity information collection permission token comprises token holder authentication party identity information, token validity period and node integrity information collection permission token check information; the node integrity verification assisting license token comprises a white list required by integrity verification, a token validity period and node integrity verification assisting license token checking information.
Preferably, the specific process of step 3) is as follows: 3.1) the external verifier host sends an integrity information collection request to each cloud service end system host in the group, wherein the integrity information collection request comprises a node integrity information collection permission token and a random number of the certification feature; 3.2) each cloud service end system host respectively verifies whether the node integrity information collection permission token is signed by the cloud service end owner host according to the public key in the key pair; if yes, each cloud service end system host respectively generates an integrity measurement result according to the trusted architecture of the cloud service end system host; if not, rejecting the response and exiting the step; 3.3) each cloud service end system host respectively generates an integrity measurement signature result according to a private key in the key pair and the random number of the certification feature; 3.4) each cloud service end system host respectively sends an integrity information response result to an external verifier host, wherein the integrity information response result comprises an integrity measurement result, an integrity measurement signature result and a public key identity certificate of the cloud service end system host; and 3.5) the external verifier host collects the integrity information response results sent by each cloud service end system host in the group, and gathers to generate an aggregation signature tree, wherein each leaf node in the aggregation signature tree stores the integrity measurement signature results of the cloud service end system host, and each non-leaf node stores the aggregation signature results of the integrity measurements of all the leaf nodes under the leaf node.
Preferably, the specific process of step 4) is as follows: 4.1) the external verifier host traverses a certain leaf node of the aggregation signature tree, and judges whether the cloud service end system host corresponding to the leaf node is group credible or group honest by checking the aggregation signature result of the leaf node; 4.2) the external verifier host checks whether the trusted host list is empty, and if the trusted host list is empty, the step 4.1) is carried out to traverse other leaf nodes; and if not, adding all cloud service end system hosts in the current trusted host list to the trusted host resource pool.
Preferably, the specific process of step 4.1) is as follows: 4.1.1) the external verifier host traverses a certain leaf node of the aggregated signature tree by adopting an aggregated signature algorithm based on bilinear pairings, and judges whether the group cloud service end system host corresponding to the leaf node is group credible or not, wherein the group credibility verification formula is as follows:
$$e(g, \Delta_i) = \prod_i e(pk_i, h_i)$$
where $e$ is a known bilinear map, $g$ is a known generator, $\Delta_i$ is the aggregate signature result of the integrity measurements of the group of cloud service end system hosts corresponding to the leaf node, $pk_i$ is the public key identity certificate of service end system host $i$ in the group of cloud service end system hosts, and $h_i$ is the integrity reference value of service end system host $i$ in the group of cloud service end system hosts; if the group credibility verification formula holds, all cloud service end system hosts in the group are added to the trusted host list, and the method proceeds to step 4.2); if the group credibility verification formula does not hold, the method proceeds to step 4.1.2); 4.1.2) the external verifier host adopts a bilinear pairing-based aggregate signature algorithm to judge whether the group of cloud service end system hosts corresponding to the leaf node is group honest, and the group honesty verification formula is as follows:
$$e(g, \Delta_i) = \prod_i e(pk_i, h'_i)$$
where $h'_i$ is the integrity measurement result of cloud service end system host $i$ in the group; if the group honesty verification formula holds, it is judged whether the integrity measurement results of all cloud service end system hosts in the group are consistent with the corresponding integrity reference values; if they are consistent, each cloud service end system host in the group is added to the trusted host list; if they are not consistent, each cloud service end system host in the group is added to the untrusted host list.
Preferably, the specific process of step 5) is as follows: 5.1) the external verifying host checks whether an idle cloud service end system host exists in the trusted host resource pool, and if yes, the step 5.2) is carried out; if not, entering step 5.3); 5.2) the external verifier host takes unverified leaf nodes in the aggregated signature tree as group verification tasks according to a specified scheduling algorithm, and sends an auxiliary verification request to an idle cloud service end system host in a trusted host resource pool; 5.3) the idle cloud service end system host in the trusted host resource pool verifies the assistance verification request, when the node integrity verification assistance permission token in the assistance verification request is issued by the cloud service end owner host, the idle cloud service end system host in the current trusted host resource pool traverses the leaf node which is not verified in the aggregated signature tree, judges whether the cloud service end system host corresponding to the leaf node is group credible or group honest by checking the aggregated signature result of the leaf node, and sends the verification result to the external verifier host; when the node integrity verification assistance permission token in the assistance verification request is determined not to be issued by the cloud service side owner host, rejecting the response, and exiting the step; 5.4) the external verifier host marks the corresponding leaf node in the aggregated signature tree as accessed according to the verification result, and meanwhile, updates the trusted host list and the untrusted host list; 5.5) the external verifier host checks whether leaf nodes which are not verified exist in the aggregation signature tree, and if yes, the step 5.1) is carried out; if not, entering step 5.6); 5.6) the external verification side host stores all the credible cloud service end system hosts in a credible host list, stores all the untrustworthy cloud service end system hosts in an untrustworthy host list, and adds all the cloud service end system hosts in the current credible host list to a credible host resource pool; and 5.7) the external verifier host cooperates with the group cloud service end system host in the trusted host resource pool to traverse the aggregation signature tree to perform group verification task of the cloud service end, so as to complete external verification of the cloud service end.
Preferably, the verification result includes a trusted node number, an honest node number and an untrusted node number; the assistant verification request comprises a node integrity verification assistant permission token, an aggregate signature subtree to be verified, a host group identification set to be verified, a host group integrity measurement result set to be verified and an aggregate signature result of a host group to be verified.
Due to the adoption of the technical scheme, the invention has the following advantages: the invention provides a quick and fine-grained external certification method capable of optimizing a certification result on the basis of the existing external certification method, does not depend on prior knowledge such as the type of a cloud service end system, can be deployed in a common cloud service end system, can be used for carrying out quick and fine-grained analysis on integrity information on a cloud service end platform, and can be widely applied to the cloud service end platform.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention;
FIG. 2 is a schematic flow chart of creating a trusted host resource pool in the method of the present invention.
FIG. 3 is a flow chart illustrating the scheduling of the cooperative group verification task in the method of the present invention.
Detailed Description
The present invention is described in detail below with reference to the attached drawings. It is to be understood, however, that the drawings are provided solely for the purposes of promoting an understanding of the invention and that they are not to be construed as limiting the invention.
As shown in fig. 1, the method for fast externally proving the fine-grained cloud server based on the aggregated signature provided by the present invention includes the following steps:
1) The cloud service side owner host sets initial information for each cloud service end system host. Three types of hosts are involved: a plurality of cloud service end system hosts $Q_i$, a cloud service side owner host $W$ and an external verifier host $V$, and the three types of hosts can communicate with one another. The initial information of a cloud service end system host comprises identity information and the key information (namely the key pair) required for signing. Specifically:
1.1) The cloud service side owner host sets a serial number $q_i$ for each cloud service end system host.
1.2) Each cloud service end system host generates a key pair $(sk_i, pk_i)$ for signing according to its own trusted architecture (such as a TPM chip and trusted basic software).
1.3) With the support of the public key infrastructure, a certificate authority (a certificate service system provided by a trusted third party in the network) issues a public key identity certificate $cert(pk_i)$ for each cloud service end system host in response to that host's request (namely the public key $pk_i$ of the key pair and the number $q_i$). The public key identity certificate has two functions: first, it states the identity of the certificate owner host, as confirmed by a certificate authority; second, the receiver can obtain the public key of the certificate owner host from the certificate, and use it to reverse the signing operation on information signed by the certificate owner host and obtain the plaintext before signing.
2) The cloud service side owner host issues a credible verification permission token to the external verifier host according to a token application request submitted by the external verifier host, and the method specifically comprises the following steps:
The external verifier host submits its identity information and application content to the cloud service side owner host and requests a trusted verification permission token. Once the request information has been verified, the cloud service side owner host issues a trusted verification permission token to the external verifier host.
2.1) The external verifier host submits a token application request to the cloud service side owner host, wherein the token application request comprises the applicant identity certificate $cert(pk_v)$ and the application content (e.g., the verification object, the token application validity period $t_s$, etc.).
2.2) The cloud service side owner host examines the identity certificate $cert(pk_v)$ and the application content submitted by the external verifier host, according to the public key identity certificates and serial numbers of the cloud service end system hosts, and judges whether to issue a trusted verification permission token to the external verifier host. If the submitted identity certificate $cert(pk_v)$ and application content show any of three conditions, namely the identity certificate $cert(pk_v)$ is false, the number of the verification object does not exist, or the token application validity period $t_s$ is incorrect, the cloud service side owner host does not issue a trusted verification permission token to the external verifier host. If the submitted identity certificate $cert(pk_v)$ and application content show none of the three conditions, the cloud service side owner host issues the node integrity information collection permission token $T_1$ and the node integrity verification assistance permission token $T_2$. The node integrity information collection permission token $T_1$ includes the identity information of the token holder, i.e. the verifier (public key $pk_v$), the token validity period $t_{exp}$ and the check information of the node integrity information collection permission token. The node integrity verification assistance permission token $T_2$ includes the white list $H$ required for integrity verification, the token validity period $t_{exp}$ and the check information of the node integrity verification assistance permission token.
3) The external verifier host generates an aggregated signature tree according to the initial information of each cloud service end system host and the issued trusted verification permission token, and specifically comprises the following steps:
3.1) The external verifier host sends an integrity information collection request to each cloud service end system host in the group, wherein the integrity information collection request comprises the node integrity information collection permission token $T_1$ and a random number $N$ that characterizes the current attestation.
3.2) Each cloud service end system host, according to the public key $pk_i$ in its key pair $(sk_i, pk_i)$, verifies whether the node integrity information collection permission token $T_1$ was signed by the cloud service side owner host. If yes, each cloud service end system host generates an integrity measurement result $h'_i$ according to its own trusted architecture; if not, it rejects the request and exits this step.
3.3) Each cloud service end system host generates an integrity measurement signature result $\sigma_i$ according to the private key $sk_i$ in its key pair $(sk_i, pk_i)$ and the random number $N$ that characterizes the current attestation.
3.4) Each cloud service end system host sends an integrity information response result $Resp_i$ to the external verifier host, wherein the integrity information response result $Resp_i$ comprises the integrity measurement result $h'_i$ of the cloud service end system host, the integrity measurement signature result $\sigma_i$ and the public key identity certificate $cert(pk_i)$.
3.5) The external verifier host collects, within the specified time, the integrity information response results $Resp_i$ sent by each cloud service end system host in the group, and summarizes them to generate an aggregate signature tree. In the aggregate signature tree, each leaf node stores the integrity measurement signature result $\sigma_i$ of one cloud service end system host, and each non-leaf node stores the aggregate signature result $\Delta_i$ of the integrity measurements of all the leaf nodes under it.
4) As shown in fig. 2, the external verifier host traverses the aggregate signature tree, and adds the first group cloud service end system host passing group verification to the trusted host resource pool in the cloud service end, specifically:
4.1) The external verifier host traverses a leaf node of the aggregate signature tree using a breadth-first strategy and, by checking the aggregate signature result $\Delta_i$ of the leaf node, judges whether the cloud service end system hosts corresponding to the leaf node are group credible or group honest.
4.1.1) The external verifier host traverses a leaf node of the aggregate signature tree using an aggregate signature algorithm based on bilinear pairings and judges whether the group of cloud service end system hosts corresponding to the leaf node is credible. The verification formula is as follows:
$$e(g, \Delta_i) = \prod_i e(pk_i, h_i) \tag{1}$$
where $e$ is a known bilinear map, $g$ is a known generator, $\Delta_i$ is the aggregate signature result of the integrity measurements of the group of cloud service end system hosts corresponding to the leaf node, $pk_i$ is the public key identity certificate of service end system host $i$ in the group of cloud service end system hosts, and $h_i$ is the integrity reference value of service end system host $i$ in the group of cloud service end system hosts.
If verification formula (1) holds, the verification result is recorded, all cloud service end system hosts in the group are added to the trusted host list, and the method proceeds to step 4.2); if verification formula (1) does not hold, the method proceeds to step 4.1.2).
4.1.2) The external verifier host uses a bilinear pairing-based aggregate signature algorithm to judge whether the group of cloud service end system hosts corresponding to the leaf node is group honest. The verification formula is as follows:
$$e(g, \Delta_i) = \prod_i e(pk_i, h'_i) \tag{2}$$
where $h'_i$ is the integrity measurement result of cloud service end system host $i$ in the group.
If verification formula (2) holds, it is judged whether the integrity measurement result $h'_i$ of each cloud service end system host $i$ in the group is consistent with the integrity reference value $h_i$. If they are consistent, each cloud service end system host $i$ in the group is added to the trusted host list; if they are not consistent, each cloud service end system host $i$ in the group is added to the untrusted host list.
4.2) the external verifier host checks whether the trusted host list is empty, and if the trusted host list is empty, the step 4.1) is carried out to traverse other leaf nodes; and if not, adding all cloud service end system hosts in the current trusted host list to the trusted host resource pool.
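The group-credible check (1) and the group-honest check (2) run over an aggregate signature tree, as an added Python example that is not part of the patent text. The bilinear pairing is replaced by an insecure exponent-arithmetic stand-in so that the block runs without a pairing library; the descent into subtrees when both formulas fail, the per-host comparison against the white list, the "missing" list, and all names and sample hosts are assumptions of the example.

```python
import hashlib
import secrets

# Toy stand-in for a bilinear group (NOT secure: the public key equals the
# secret key). An element g^x is stored as x mod Q, so e(g^a, g^b) becomes
# a*b mod Q and a product in the target group becomes a sum.
Q = 2**127 - 1   # prime group order, chosen for the example
G = 1            # generator g

def pair(a, b):
    return (a * b) % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, sk                      # pk = g^sk is stored as the exponent sk

def to_group(measurement, nonce):
    """Map a measurement and the attestation nonce N to a group element (assumed encoding)."""
    digest = hashlib.sha256(nonce + b"|" + measurement).digest()
    return int.from_bytes(digest, "big") % Q

def sign(sk, measurement, nonce):
    return (sk * to_group(measurement, nonce)) % Q      # sigma_i

def aggregate(sigs):
    return sum(sigs) % Q                                # Delta over a group

def holds(delta, pks, elems):
    """Check e(g, Delta) == prod_i e(pk_i, h_i)."""
    return pair(G, delta) == sum(pair(pk, h) for pk, h in zip(pks, elems)) % Q

class Node:
    def __init__(self, hosts, delta, children=()):
        self.hosts, self.delta, self.children = hosts, delta, children

def build_tree(responses):
    """Leaves store sigma_i; each inner node stores Delta over the leaves below it."""
    level = [Node([r], r["sigma"]) for r in responses]
    while len(level) > 1:
        merged = []
        for i in range(0, len(level), 2):
            kids = level[i:i + 2]
            if len(kids) == 1:
                merged.append(kids[0])
            else:
                merged.append(Node(kids[0].hosts + kids[1].hosts,
                                   aggregate(k.delta for k in kids), tuple(kids)))
        level = merged
    return level[0]

def verify(node, whitelist, nonce, out):
    ids = [r["id"] for r in node.hosts]
    pks = [r["pk"] for r in node.hosts]   # a real verifier first validates cert(pk_i)
    reference = [to_group(whitelist[i], nonce) for i in ids]
    if holds(node.delta, pks, reference):                # formula (1): group credible
        out["trusted"] += ids
        return
    reported = [to_group(r["measured"], nonce) for r in node.hosts]
    if holds(node.delta, pks, reported):                 # formula (2): group honest
        out["honest"] += ids
        for r in node.hosts:                             # compare h'_i with h_i per host
            ok = r["measured"] == whitelist[r["id"]]
            out["trusted" if ok else "untrusted"].append(r["id"])
    elif node.children:                                  # narrow the failure down
        for child in node.children:
            verify(child, whitelist, nonce, out)
    else:                                                # signature does not cover the report
        out["untrusted"] += ids

def attest(whitelist, responses, nonce):
    out = {"trusted": [], "honest": [], "untrusted": [], "missing": []}
    answered = {r["id"] for r in responses}
    out["missing"] = [i for i in whitelist if i not in answered]   # no response in time
    if responses:
        verify(build_tree(responses), whitelist, nonce, out)
    return out

def demo():
    nonce = secrets.token_bytes(16)
    good, bad = b"kernel-v1", b"kernel-v1+modified"      # constructed measurements
    whitelist = {f"q{i}": good for i in range(1, 6)}
    keys = {i: keygen() for i in whitelist}

    def resp(i, measured, signed):
        sk, pk = keys[i]
        return {"id": i, "pk": pk, "measured": measured, "sigma": sign(sk, signed, nonce)}

    responses = [resp("q1", good, good), resp("q2", good, good),
                 resp("q3", bad, bad),     # modified host that reports truthfully
                 resp("q4", good, bad)]    # report does not match what was signed
    return attest(whitelist, responses, nonce)           # q5 never answers

if __name__ == "__main__":
    print(demo())
```

The subtree holding q1 and q2 is cleared with a single evaluation of formula (1), while q3 and q4 are isolated individually and q5 is reported as unanswered rather than silently dropped from the aggregate.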
5) As shown in fig. 3, the external verifier host traverses the aggregated signature tree in cooperation with the group cloud service end system host in the trusted host resource pool to perform a group verification task of the cloud service end and complete external verification of the cloud service end, which specifically includes:
5.1) The external verifier host checks whether an idle cloud service end system host exists in the trusted host resource pool (that is, a cloud service end system host that is not currently performing a group verification task); if yes, go to step 5.2); if not, go to step 5.3).
5.2) The external verifier host, according to the specified scheduling algorithm (a completely fair scheduling algorithm), takes unverified leaf nodes in the aggregated signature tree as group verification tasks and sends verification assistance requests to idle cloud service end system hosts in the trusted host resource pool, so as to distribute the group verification tasks to them. The number of unverified nodes is determined by the ratio of the computing performance and the communication performance of the cloud service end system hosts. The verification assistance request comprises the node integrity verification assistance permission token $T_2$, the aggregate signature subtree to be verified, the identification set $\{q_j\}$ of the host group to be verified, the integrity measurement result set $\{h'_j\}$ of the host group to be verified, and the aggregate signature result $\Delta_j$ of the host group to be verified.
5.3) The idle cloud service end system host in the trusted host resource pool verifies the verification assistance request. When it determines that the node integrity verification assistance permission token $T_2$ in the request was issued by the cloud service side owner host, it traverses the unverified leaf nodes in the aggregated signature tree using the method of step 4.1), checks the aggregate signature result $\Delta_i$ of each leaf node to judge whether the cloud service end system hosts corresponding to the leaf node are group credible or group honest, and sends the verification result to the external verifier host. When it determines that the token $T_2$ in the request was not signed by the cloud service side owner host, it rejects the response and exits the step. The verification result comprises a trusted node number, an honest node number and an untrusted node number.
5.4) The external verifier host marks the corresponding leaf node $Q_j$ in the aggregated signature tree as accessed according to the trusted node number and the honest node number, and at the same time updates the trusted host list and the untrusted host list.
5.5) the external verifier host checks whether leaf nodes which are not verified exist in the aggregation signature tree, and if yes, the step 5.1) is carried out; if not, go to step 5.6).
5.6) the external verification side host stores all the trusted cloud service end system hosts in a trusted host list, stores all the untrusted cloud service end system hosts in an untrusted host list, and adds all the cloud service end system hosts in the current trusted host list to a trusted host resource pool.
5.7) The external verifier host cooperates with the group cloud service end system hosts in the trusted host resource pool to traverse the aggregated signature tree and perform the group verification tasks of the cloud service end, thereby completing external verification of the cloud service end.
The above embodiments are only used for illustrating the present invention, and the structure, connection mode, manufacturing process, etc. of the components may be changed, and all equivalent changes and modifications performed on the basis of the technical solution of the present invention should not be excluded from the protection scope of the present invention.

Claims (9)

1. A fine-grained cloud server side rapid external certification method based on aggregate signature is characterized by comprising the following steps:
1) the cloud service side owner host sets initial information for each cloud service side system host;
2) the cloud server side owner host issues a credible verification permission token to the external verifier host according to a token application request submitted by the external verifier host;
3) the external verifier host generates an aggregation signature tree according to the initial information of each cloud service end system host and the issued credible verification permission token, and the specific process is as follows:
3.1) the external verifier host sends an integrity information collection request to each cloud service end system host in the group, wherein the integrity information collection request comprises a node integrity information collection permission token and a random number of the certification feature;
3.2) each cloud service end system host respectively verifies whether the node integrity information collection permission token is signed by the cloud service end owner host according to the public key in the key pair; if yes, each cloud service end system host respectively generates an integrity measurement result according to the trusted architecture of the cloud service end system host; if not, rejecting the response and exiting the step;
3.3) each cloud service end system host respectively generates an integrity measurement signature result according to a private key in the key pair and the random number of the certification feature;
3.4) each cloud service end system host respectively sends an integrity information response result to an external verifier host, wherein the integrity information response result comprises an integrity measurement result, an integrity measurement signature result and a public key identity certificate of the cloud service end system host;
3.5) the external verifier host collects the integrity information response results sent by each cloud service end system host in the group, and gathers to generate an aggregation signature tree, wherein in the aggregation signature tree, each leaf node stores the integrity measurement signature results of a cloud service end system host, and each non-leaf node stores the aggregation signature results of the integrity measurement of all the leaf nodes under the leaf node;
4) the external verifier host traverses the aggregation signature tree, and adds the first group cloud service end system host passing group verification to a trusted host resource pool in the cloud service end;
5) and the external verifier host traverses the aggregated signature tree in cooperation with the group cloud service end system host in the trusted host resource pool to perform group verification task of the cloud service end and complete external verification of the cloud service end.
2. The method for fast external attestation of fine-grained cloud service based on aggregate signature as claimed in claim 1, wherein the specific process of step 1) is as follows:
1.1) the cloud service side owner host sets a serial number for each cloud service side system host;
1.2) each cloud service end system host generates a key pair for signature according to the trusted architecture of the host;
1.3) the certificate authority issues a public key identity certificate for each cloud service end system host according to the number and the key pair of each cloud service end system host.
3. The method for fast external attestation of fine-grained cloud service based on aggregate signature as claimed in claim 2, wherein the specific process of step 2) is as follows:
2.1) the external verifying host submits a token application request to the cloud service side owner host;
2.2) the cloud service side owner host examines the token application request submitted by the external verifier host according to the public key identity certificate and the serial number of the cloud service side system host and judges whether to issue a credible verification permission token;
if the submitted token application request is consistent with the public key identity certificate and the serial number of the corresponding cloud service end system host, the cloud service end owner host issues a node integrity information collection permission token and a node integrity verification assistance permission token to the external verifier host;
if the submitted token application request is inconsistent with the public key identity certificate and the number of the corresponding cloud service end system host, the cloud service end owner host does not issue the node integrity information collection permission token and the node integrity verification assistance permission token to the external verifier host.
4. The fine-grained cloud server rapid external attestation method based on aggregate signature as claimed in claim 3, wherein the token application request includes an applicant identity certificate and application content.
5. The fine-grained cloud server quick external attestation method based on aggregate signature as claimed in claim 3 wherein the node integrity information collection license token includes token holder verifying party identity information, token validity period and node integrity information collection license token check information;
the node integrity verification assisting license token comprises a white list required by integrity verification, a token validity period and node integrity verification assisting license token checking information.
6. The method for fast external attestation of fine-grained cloud service based on aggregate signature as claimed in claim 5, wherein the specific process of step 4) is as follows:
4.1) the external verifier host traverses a certain leaf node of the aggregation signature tree, and judges whether the cloud service end system host corresponding to the leaf node is group credible or group honest by checking the aggregation signature result of the leaf node;
4.2) the external verifier host checks whether the trusted host list is empty, and if the trusted host list is empty, the step 4.1) is carried out to traverse other leaf nodes; and if not, adding all cloud service end system hosts in the current trusted host list to the trusted host resource pool.
7. The method for fast externally proving of the fine-grained cloud server based on the aggregated signature as claimed in claim 6, wherein the specific process of the step 4.1) is as follows:
4.1.1) the external verifier host traverses a certain leaf node of the aggregated signature tree by adopting an aggregated signature algorithm based on bilinear pairings, and judges whether the group cloud service end system host corresponding to the leaf node is group credible or not, wherein the group credibility verification formula is as follows:
$$e(g,\Delta_i)=\prod_i e(pk_i,h_i)$$
where e is a known bilinear map, g is a known generator, $\Delta_i$ is the aggregate signature result of the integrity measurements of the group cloud service end system hosts corresponding to the leaf node, $pk_i$ is the public key identity certificate of cloud service end system host i in the group cloud service end system hosts, and $h_i$ is the integrity reference value of cloud service end system host i in the group cloud service end system hosts;
if the group credibility verification formula is established, all cloud service end system hosts in the group cloud service end system host are added to the credible host list, and the step 4.2) is carried out; if the group credibility verification formula is not established, entering a step 4.1.2);
4.1.2) the external verifier host adopts a bilinear pairing-based aggregation signature algorithm to judge whether the group cloud service end system host corresponding to the leaf node is group honest, and the group honest verification formula is as follows:
$$e(g,\Delta_i)=\prod_i e(pk_i,h'_i)$$
where $h'_i$ is the integrity measurement result of cloud service end system host i in the group;
if the group honesty verification formula holds, judging whether the integrity measurement results of all cloud service end system hosts in the group cloud service end system hosts are consistent with the corresponding integrity reference values; if they are consistent, adding each cloud service end system host in the group to the trusted host list; and if they are not consistent, adding each cloud service end system host in the group to the untrusted host list.
8. The method for fast external attestation of fine-grained cloud service based on aggregate signature as claimed in claim 7, wherein the specific process of step 5) is as follows:
5.1) the external verifying host checks whether an idle cloud service end system host exists in the trusted host resource pool, and if yes, the step 5.2) is carried out; if not, entering step 5.3);
5.2) the external verifier host takes unverified leaf nodes in the aggregated signature tree as group verification tasks according to a specified scheduling algorithm, and sends an auxiliary verification request to an idle cloud service end system host in a trusted host resource pool;
5.3) the idle cloud service end system host in the trusted host resource pool verifies the assistance verification request, when the node integrity verification assistance permission token in the assistance verification request is issued by the cloud service end owner host, the idle cloud service end system host in the current trusted host resource pool traverses the leaf node which is not verified in the aggregated signature tree, judges whether the cloud service end system host corresponding to the leaf node is group credible or group honest by checking the aggregated signature result of the leaf node, and sends the verification result to the external verifier host; when the node integrity verification assistance permission token in the assistance verification request is determined not to be issued by the cloud service side owner host, rejecting the response, and exiting the step;
5.4) the external verifier host marks the corresponding leaf node in the aggregated signature tree as accessed according to the verification result, and meanwhile, updates the trusted host list and the untrusted host list;
5.5) the external verifier host checks whether leaf nodes which are not verified exist in the aggregation signature tree, and if yes, the step 5.1) is carried out; if not, entering step 5.6);
5.6) the external verification side host stores all the credible cloud service end system hosts in a credible host list, stores all the untrustworthy cloud service end system hosts in an untrustworthy host list, and adds all the cloud service end system hosts in the current credible host list to a credible host resource pool;
and 5.7) the external verifier host cooperates with the group cloud service end system host in the trusted host resource pool to traverse the aggregation signature tree to perform group verification task of the cloud service end, so as to complete external verification of the cloud service end.
9. The fine-grained cloud server rapid external attestation method based on aggregate signatures as claimed in claim 8 wherein the verification result includes a trusted node number, an honest node number and an untrusted node number;
the assistant verification request comprises a node integrity verification assistant permission token, an aggregate signature subtree to be verified, a host group identification set to be verified, a host group integrity measurement result set to be verified and an aggregate signature result of a host group to be verified.
CN201910230942.1A 2019-03-26 2019-03-26 Fine-grained cloud server side rapid external certification method based on aggregated signature Active CN109981288B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910230942.1A CN109981288B (en) 2019-03-26 2019-03-26 Fine-grained cloud server side rapid external certification method based on aggregated signature

Publications (2)

Publication Number Publication Date
CN109981288A CN109981288A (en) 2019-07-05
CN109981288B true CN109981288B (en) 2021-11-09

Family

ID=67080550
