System and method for trusted authentication of container mirror image based on block chain technology
Technical Field
The invention relates to the field of cloud native, in particular to a system and a method for trusted authentication of container mirror images based on a block chain technology.
Background
In the cloud native field, container-based application development and deployment both rely on container images downloaded from a remote location, so authenticating the trustworthiness of a downloaded image is an important security problem and also an intellectual property protection problem. To prevent an image from being tampered with between its upload to a server and its download and use by a user, this patent application proposes authenticating container images with a decentralized technique based on blockchain smart contracts. The method can solve these problems well, and the same technique can also be used for trusted authentication of container orchestration scripts;
Docker (an application container engine) distributes images through a remote repository (registry): an image publisher builds a container image on a local computer and pushes it to the remote repository, and other users can then pull the image over the network;
existing image repository technologies have several security mechanisms intended to ensure that an image has not been tampered with and can be trusted:
1. image operations at an image repository provider require a user name/password login, which prevents arbitrary tampering with images;
2. container image signing (Docker Content Trust) digitally signs an image and ensures that the image signature is verified in the image repository;
3. uploads to and downloads from the image repository provider are encrypted in transit using the HTTPS protocol;
4. some image repository providers also provide a basic image security scanning mechanism, which can to some extent discover in advance malicious images that have had security risks illegally implanted, and alert users;
5. the image download page generally shows the user name that uploaded each image, and images are sorted by download count and the like so that the most popular images are listed first;
however, these prior art methods are not completely reliable, and the security mechanisms above have the following disadvantages:
1. user name and password: a weak user name/password is often easy to crack, and the repository service provider's server may itself be maliciously compromised, so there is no guarantee that a downloaded image is the image originally uploaded by the original author;
2. image signing: this technology needs a centralized authentication server (the Docker Notary server) for verification, and the public key of the signature is added to the Notary server; the address of this centralized server may be maliciously hijacked or forged, so even if the image content is signed, there is no guarantee that the signature has not been tampered with;
3. HTTPS: the HTTPS protocol is subject to "man-in-the-middle attacks" in some scenarios and is not absolutely secure;
4. security scanning: if an untrusted image containing malicious code is uploaded, the image repository provider's security scanning function cannot ensure that every malicious program is discovered at the first opportunity, so the trustworthiness and reliability of the image content cannot be guaranteed;
5. popularity ranking: some malicious attackers upload an image with the same name as an existing popular image and pass it off as the genuine one to attract downloads; because the repository page is generally sorted by download popularity, a plagiarizing attacker can easily push the plagiarized image toward the top by faking its popularity, and so steal the attribution of the image;
regarding security and trust: in the cloud native field, application development and deployment based on Kubernetes or Docker require images to be downloaded remotely, so their security is very important; the reliability of the images fundamentally determines the security of the application, but container security is not yet a mature field in the industry;
application development phase: in containerized development, business logic is layered on top of a base image obtained from an image repository in the cloud, and when an untrusted image goes live together with an application, enterprise security is seriously affected;
application deployment phase: modern deployment processes use containerized deployment to reduce environment differences, but because the production server on which the application goes live is generally separate from the development and test environments, the production server usually has to obtain the image from a remote image repository and download it locally before deployment. However, after the original author uploads the image to the image repository, the image may be maliciously replaced by a hacker, so that all subsequent users download the malicious image; the image may also be hijacked by a hacker in transit and replaced with a malicious image, which creates a huge security risk;
problems with intellectual property:
a container image is built from program code and is by nature also the work product and intellectual property of the engineers who created it, but once the image is uploaded to a public repository it can easily be downloaded by others and republished under their own names, so the original author can easily lose the intellectual property;
Docker distributes images through a remote image repository (registry): an image publisher builds an image on a local computer and pushes it to the remote repository, and other users can then pull the image over the network;
in this process, how to ensure that the pulled image is the original version published by the publisher?
How to ensure that repository server providers have not been modified? How to mark ownership of images?
How to ensure that the digital signature of the image is not tampered with and that the central server authenticating the signature is not hijacked?
As is known, a centralized network is insecure: the download channel of an image may be maliciously compromised through DNS hijacking, man-in-the-middle hijacking, and the like. Even if there is an authentication mechanism, if the mechanism for issuing and checking that authentication is implemented on a centralized server, a container image can still be hijacked by a hacker and have a malicious program embedded in it, as in the case described in fig. 3:
1. the original author uploads the image to some image repository (assuming the image is denoted as X);
2. a hacker maliciously tampers with the mirror image and replaces the mirror image X with Y;
3. a user, who is supposed to download the image X, actually downloads the malicious image Y with a security risk.
Fig. 4 describes another situation, one of intellectual property infringement: an original author publishes and uploads an image to a public repository, and a pirate modifies the author of the image (a container image has an author attribute, which can be modified) and uploads the image again to another repository, stealing the attribution and intellectual property of the image;
1. the original author uploads the image to repository 1;
2/3/4. a malicious plagiarizer downloads the image, tampers with the author attribute in the image, and uploads it to repository 2 under their own name.
Disclosure of Invention
The technical problem to be solved by the invention is that, in existing container image distribution technology, the various existing image trust mechanisms are all more or less defective, for example in relying on a centralized server: there is no guarantee that an image in an image repository is the original version uploaded by the original author, or that it has not been tampered with along the way, and a tampered image can cause problems such as image security risks and intellectual property problems; container image signing still relies on centralized authentication and therefore still carries risk. The system provides a decentralized trusted authentication mechanism based on a blockchain to strengthen image security authentication. The invention provides a system for trusted authentication of container images based on blockchain technology, in which an image publisher calculates the digital signature of the image on a local computer and then writes the image's trusted authentication information, including the digital signature, into a trusted authentication component based on blockchain technology. The distributed cryptographic algorithm on the blockchain ensures that forgery is avoided in this process, so that a publisher can safely share the image on a public image repository, thereby overcoming the defects of the prior art.
The invention also provides a container mirror image credible authentication method based on the block chain technology.
In order to solve the technical problems, the invention provides the following technical scheme:
in a first aspect, a system for trusted authentication of container images based on a block chain technology comprises an image signature registration component, a decentralized image trusted authentication component, an image signature verification component and an image warehouse;
the mirror image signature registration component is used for uploading a mirror image by an original author, transmitting the mirror image to the mirror image warehouse, calculating the content of the mirror image to obtain credible authentication information, and transmitting the mirror image and the credible authentication information to the decentralized mirror image credible authentication component, wherein the credible authentication information comprises mirror image author information, a digital signature, a mirror image name and a mirror image ID;
the decentralized mirror image trusted authentication component is used for acquiring the mirror image and the trusted authentication information, combining the mirror image and the trusted authentication information into an intelligent contract and writing the intelligent contract into a block chain network, and the block chain network extracts the digital signature in the trusted authentication information;
the image signature verification component is used for calculating the digital signature of the image after the image is obtained from the image warehouse, obtaining the extracted digital signature from the decentralized image credible authentication component, verifying and comparing whether the two digital signatures are consistent or not, refusing a downloader to use the image if the two digital signatures are not consistent, and accepting the downloader to use the image if the two digital signatures are consistent.
In the above system for trusted authentication of container images based on the blockchain technology, the digital signature is a hash value obtained by calculating the content of the image by the image signature registration component.
In the above system for trusted authentication of container images based on the blockchain technology, the method by which the image signature registration component calculates the hash value from the content of the image is secure hash algorithm 128, secure hash algorithm 224, secure hash algorithm 256, secure hash algorithm 384, secure hash algorithm 512, a message digest algorithm, or a hash algorithm.
In the above system for trusted authentication of container images based on the blockchain technology, the blockchain network consists of a plurality of clients connected to one another in pairs through the internet; the system for trusted authentication of container images based on the blockchain technology is installed in each client, and the plurality of clients form a distributed star-shaped structure. The blockchain network is decentralized; it performs trusted authentication of the image's information and digital signature, and avoids the security problems of centralized authentication or centralized certificate issuance in a centralized system.
The system for trustable authentication of the container mirror image based on the block chain technology is described, wherein the client is a trustable authentication system, and the trustable authentication system comprises a mirror image signature registration component and a mirror image signature verification component;
the mirror image signature registration component is used for performing signature calculation and registering in the block chain network when the mirror image is uploaded;
the image signature verification component is used for verifying the signature when the image is downloaded.
In a second aspect, a method for trusted authentication of container images based on a block chain technique includes the following steps:
step 1: an original author uploads a mirror image to a mirror image signature registration component, the mirror image signature registration component calculates mirror image author information, a digital signature, a mirror image name and a mirror image ID according to the mirror image, integrates the mirror image author information, the digital signature, the mirror image name and the mirror image ID into credible authentication information and then writes the information and the mirror image into a decentralized mirror image credible authentication component, the decentralized mirror image credible authentication component combines the mirror image and the credible authentication information into an intelligent contract to be written into a block chain network, then uploads the mirror image to a mirror image warehouse, and the mirror image warehouse associates the mirror image with the credible authentication information;
step 2: a downloader who downloads or uses the mirror image downloads the mirror image from the mirror image warehouse to the mirror image signature verification component, the mirror image signature verification component carries out digital signature calculation on the mirror image, and the mirror image and the digital signature are obtained from the decentralized mirror image credible authentication component;
and step 3: and comparing and verifying the digital signature calculated by the image signature verification component with the digital signature acquired from the decentralized image trusted authentication component, wherein if the two digital signatures are the same, the image signature verification component allows the image to be used, and if the two digital signatures are different, the image signature verification component refuses the image to be used.
A specific implementation is based on an Ethereum smart contract:
in the image signature registration component, the Ethereum smart contract is implemented in the Solidity language and uses the following data structure: ownerIdImageMap[msg.sender][repoTag] = Image(imageHash, msg.sender, repoTag, imageId);
wherein:
ownerIdImageMap is a record of the transaction;
msg.sender is the contract initiator (i.e. the original author of the image);
repoTag is the image name;
imageHash is the digital signature of the image;
imageId is the ID value of the image;
in this Ethereum-based implementation, each contract transaction (an Ethereum concept) records the name of the image, the digital signature of the image file, the transaction submitter and the image ID;
implementation of the "digital signature" of the image: the image can be saved as a tar file with the "docker save" command, and the secure hash algorithm 256 (SHA256) hash value of the tar file is then calculated with an operating system tool (calculating the hash value of the image data with secure hash algorithm 256 is only one example of how the digital signature may be generated; the digital signature calculation of this technical scheme includes, but is not limited to, secure hash algorithm 256);
in addition, in practice, images are mostly uploaded and downloaded through the docker engine (an open source container engine), with docker push used for uploading and docker pull used for downloading, so one implementation of the system is as follows:
the logic of the image signature verification component for the upload process is embedded in the docker engine and implemented in docker push: when a docker push (upload) command is executed, the engine automatically triggers signature registration on the blockchain network in the background;
and the logic of the image signature verification component for the download process is embedded in the docker engine and implemented in docker pull: when a docker pull command is executed, the engine automatically, in the background, pulls the signature from the blockchain and checks the local file against it.
In the above method for trusted authentication of container images based on the block chain technology, the digital signature is a hash value obtained by calculating the content of the image by the image signature registration component;
the method by which the image signature registration component calculates the hash value from the content of the image is secure hash algorithm 128, secure hash algorithm 224, secure hash algorithm 256, secure hash algorithm 384, secure hash algorithm 512, a message digest algorithm, or a hash algorithm.
The method for credible authentication of the container mirror image based on the block chain technology is characterized in that the block chain network comprises a plurality of clients which are connected with each other in pairs through the internet, the system for credible authentication of the container mirror image based on the block chain technology is installed in each client, and the plurality of clients form a distributed network system.
The above method for trustable authentication of container images based on the block chain technology is provided, wherein the client is a trustable authentication system, and the trustable authentication system includes an image signature registration component and an image signature verification component;
when the mirror image is uploaded, signature calculation and registration are carried out in the block chain network through the mirror image signature registration component;
and verifying the signature through the image signature verification component when the image is downloaded.
The technical scheme provided by the system and the method for credible authentication of the container mirror image based on the block chain technology has the following technical effects:
a block chain-based mirror image credible authentication network is maintained through a block chain network technology to carry out mirror image authentication and identification, and the mirror image is ensured to be unique and cannot be tampered from the source, so that the safety and credibility of the mirror image used by a user are guaranteed, and the copyright of an original author is also guaranteed;
the system for credible authentication of the container mirror image based on the block chain technology automatically incorporates the implementation mechanism into the container mirror image engine, so that signature and authentication actions do not need any additional operation for an uploader or a downloader, and the system is simple and convenient.
Drawings
FIG. 1 is a schematic structural diagram of a system for trusted authentication of container mirror images based on a block chain technique according to the present invention;
FIG. 2 is a schematic diagram illustrating a block chain network in a system for trusted authentication of container mirroring based on a block chain technique according to the present invention;
FIG. 3 is a diagram of a system for trusted authentication of container images based on blockchain technology according to an embodiment of the present invention;
FIG. 4 is a diagram of a scenario in which a container mirror is hijacked by a hacker to implant a malicious program;
FIG. 5 is a scene diagram of a case of infringing intellectual property.
Detailed Description
In order to make the technical means, the inventive features, the objectives and the effects of the invention easily understood and appreciated, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the specific drawings, and it is obvious that the described embodiments are a part of the embodiments of the present invention, but not all of the embodiments.
All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
It should be understood that the structures, ratios, sizes, and the like shown in the drawings and described in the specification are intended only to accompany the disclosure of the specification so that those skilled in the art can understand and read it, and are not intended to limit the conditions under which the present invention can be implemented; they therefore have no substantive technical significance, and any structural modification, change of ratio, or adjustment of size that does not affect the efficacy and achievable purpose of the present invention should still fall within the scope of the present invention.
In addition, the terms "upper", "lower", "left", "right", "middle" and "one" used in the present specification are for clarity of description, and are not intended to limit the scope of the present invention, and the relative relationship between the terms and the terms is not to be construed as a scope of the present invention.
The first embodiment of the invention provides a system for trusted authentication of container mirror images based on a block chain technology, aiming at maintaining a trusted authentication network of mirror images based on a block chain through the block chain network technology to carry out mirror image authentication and identification, wherein the mirror images are ensured to be unique and can not be tampered from the source, thereby ensuring the security and the credibility of the mirror images used by users and also ensuring the copyright of original authors;
the system for credible authentication of the container mirror image based on the block chain technology automatically incorporates the implementation mechanism into the container mirror image engine, so that signature and authentication actions do not need any additional operation for an uploader or a downloader, and the system is simple and convenient.
As shown in fig. 1, in a first aspect, a system for trusted authentication of container images based on a block chain technology includes an image signature registration component, a decentralized image trusted authentication component, an image signature verification component, and an image repository;
the image signature registration component is used for uploading an image by an original author, transmitting the image to an image warehouse, calculating the content of the image to obtain credible authentication information, and transmitting the image and the credible authentication information to the decentralized image credible authentication component, wherein the credible authentication information comprises image author information, a digital signature, an image name and an image ID;
the decentralized mirror image credible authentication component is used for acquiring a mirror image and credible authentication information, combining the mirror image and the credible authentication information into an intelligent contract and writing the intelligent contract into a block chain network, and extracting a digital signature in the credible authentication information by the block chain network;
the image signature verification component is used for calculating the digital signature of the image after the image is obtained from the image warehouse, obtaining the extracted digital signature from the decentralized image credible authentication component, verifying and comparing whether the two digital signatures are consistent or not, refusing a downloader to use the image if the two digital signatures are inconsistent, and accepting the downloader to use the image if the two digital signatures are consistent.
The digital signature is a hash value obtained by calculating the content of the image by the image signature registration component.
The method by which the image signature registration component calculates the hash value from the content of the image is secure hash algorithm 128, secure hash algorithm 224, secure hash algorithm 256, secure hash algorithm 384, secure hash algorithm 512, a message digest algorithm, or a hash algorithm.
As shown in fig. 2, in the above system for trusted authentication of container images based on blockchain technology, the blockchain network consists of a plurality of clients connected to one another in pairs via the internet; the system for trusted authentication of container images based on blockchain technology is installed in each client, and the plurality of clients form a distributed star structure. The blockchain network is decentralized; it performs trusted authentication of the image's information and digital signature, and avoids the security problems of centralized authentication or centralized certificate issuance in a centralized system.
The client is a trusted authentication system which comprises a mirror image signature registration component and a mirror image signature verification component;
the mirror image signature registration component is used for performing signature calculation and registering in the block chain network when the mirror image is uploaded;
the image signature verification component is used for verifying the signature when the image is downloaded.
As is well known, the blockchain technique solves the above-mentioned reliability problem of centralized networks;
the block chain is applied to the field of digital currency at first and gradually expands to other fields later to serve as an excellent technology for decentralized credible authentication;
by storing image information on a decentralized blockchain network, the method eliminates the possibility of data being easily tampered with in a centralized network, and offline signing and verification make publishing and obtaining data more convenient and more secure (as shown in FIG. 3):
1. the original author uploads the image X to an image repository;
2. at the same time, the signature of the image is registered in the blockchain;
3. a hacker breaks into the image repository, maliciously tampers with the image, and changes X into Y;
4. a user downloads the image X (actually downloading the image Y);
5. after the download is finished, the signature of the downloaded image is calculated and immediately checked and compared against the blockchain;
6. the signature of the image on the blockchain (which is the signature of X) is obtained and found not to match the signature of the locally downloaded image, and a warning is issued.
In a second aspect, a method for trusted authentication of container images based on a block chain technique includes the following steps:
step 1: the original author uploads a mirror image to a mirror image signature registration component, the mirror image signature registration component calculates mirror image author information, a digital signature, a mirror image name and a mirror image ID according to the mirror image, integrates the mirror image author information, the digital signature, the mirror image name and the mirror image ID into credible authentication information and then writes the information and the mirror image into a decentralized mirror image credible authentication component, the decentralized mirror image credible authentication component combines the mirror image and the credible authentication information into an intelligent contract to be written into a block chain network, then uploads the mirror image to a mirror image warehouse, and the mirror image warehouse associates the mirror image with the credible authentication information;
step 2: a downloader who downloads or uses the mirror image downloads the mirror image from the mirror image warehouse to the mirror image signature verification component, the mirror image signature verification component carries out digital signature calculation on the mirror image, and the mirror image and the digital signature are obtained from the decentralized mirror image credible authentication component;
and step 3: and comparing and verifying the digital signature calculated by the image signature verification component with the digital signature acquired from the decentralized image trusted authentication component, wherein if the two digital signatures are the same, the image signature verification component allows the image to be used, and if the two digital signatures are different, the image signature verification component refuses the image to be used.
A specific implementation is based on an Ethereum smart contract:
in the image signature registration component, the Ethereum smart contract is implemented in the Solidity language and uses the following data structure: ownerIdImageMap[msg.sender][repoTag] = Image(imageHash, msg.sender, repoTag, imageId);
wherein:
ownerIdImageMap is a record of the transaction;
msg.sender is the contract initiator (i.e. the original author of the image);
repoTag is the image name;
imageHash is the digital signature of the image;
imageId is the ID value of the image;
in this Ethereum-based implementation, each contract transaction (an Ethereum concept) records the name of the image, the digital signature of the image file, the transaction submitter and the image ID;
implementation of the "digital signature" of the image: the image can be saved as a tar file with the "docker save" command, and the hash value of the tar file is then calculated with an operating system tool (calculating the hash value of the image data with secure hash algorithm 256 is only one example of how the digital signature may be generated; the digital signature calculation of this technical scheme includes, but is not limited to, secure hash algorithm 256);
in addition, in practice, images are mostly uploaded and downloaded through the docker engine (an open source container engine), with docker push (a docker engine command) used for uploading and docker pull (another docker engine command) used for downloading, so one implementation of the system is as follows:
the logic of the image signature verification component for the upload process is embedded in the docker engine and implemented in docker push: when a docker push (upload) command is executed, the engine automatically triggers signature registration on the blockchain network in the background;
and the logic of the image signature verification component for the download process is embedded in the docker engine and implemented in docker pull: when a docker pull command is executed, the engine automatically, in the background, pulls the signature from the blockchain and checks the local file against it.
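The register-then-verify flow of steps 1 to 3, together with the X-to-Y replacement scenario described earlier, is shown below as an added Python example; it is not code from the patent. The Ledger class is an in-memory stand-in for the Ethereum contract state ownerIdImageMap, build_tar stands in for the tar file written by "docker save", and the addresses, image name and image ID are constructed placeholders.

```python
import hashlib
import hmac
import io
import tarfile
from dataclasses import dataclass

# Constructed placeholder values (not real accounts or images).
AUTHOR = "0xAUTHOR_PLACEHOLDER"
UNKNOWN = "0xUNKNOWN_PLACEHOLDER"
REPO_TAG = "example/app:1.0"
IMAGE_ID = "constructed-image-id"


@dataclass(frozen=True)
class Image:
    """Mirrors the page's Image(imageHash, msg.sender, repoTag, imageId)."""
    image_hash: str
    owner: str
    repo_tag: str
    image_id: str


class Ledger:
    """In-memory stand-in (assumption) for the contract's ownerIdImageMap."""

    def __init__(self):
        self._owner_id_image_map = {}

    def register(self, sender, repo_tag, image_hash, image_id):
        # ownerIdImageMap[msg.sender][repoTag] = Image(...)
        self._owner_id_image_map.setdefault(sender, {})[repo_tag] = Image(
            image_hash, sender, repo_tag, image_id)

    def lookup(self, owner, repo_tag):
        return self._owner_id_image_map.get(owner, {}).get(repo_tag)


def build_tar(files):
    """Constructed stand-in for the tar file that `docker save` would write."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def sha256_hex(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a large image tar need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def publish(ledger, sender, repo_tag, image_id, tar_bytes):
    """Step 1: hash the image locally, then register the record under the sender."""
    image_hash = sha256_hex(io.BytesIO(tar_bytes))
    ledger.register(sender, repo_tag, image_hash, image_id)
    return image_hash


def verify_pull(ledger, publisher, repo_tag, tar_bytes):
    """Steps 2-3: recompute the hash of the pulled tar and compare it with the
    registered one. Returns (allowed, reason)."""
    record = ledger.lookup(publisher, repo_tag)
    if record is None:
        return (False, "no-record")  # fail closed when nothing is registered
    local_hash = sha256_hex(io.BytesIO(tar_bytes))
    if not hmac.compare_digest(local_hash, record.image_hash):
        return (False, "hash-mismatch")
    return (True, "match")


def demo():
    ledger = Ledger()
    image_x = build_tar({"layer.tar": b"original layer", "manifest.json": b"{}"})
    image_y = build_tar({"layer.tar": b"original layer + implant", "manifest.json": b"{}"})
    publish(ledger, AUTHOR, REPO_TAG, IMAGE_ID, image_x)
    return {
        "untouched": verify_pull(ledger, AUTHOR, REPO_TAG, image_x),
        "replaced": verify_pull(ledger, AUTHOR, REPO_TAG, image_y),
        "unknown_publisher": verify_pull(ledger, UNKNOWN, REPO_TAG, image_x),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Because the record is keyed by msg.sender and repoTag, the verifying side has to be given the publisher address to query; an image name alone does not select a record.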
The digital signature is a hash value obtained by calculating the content of the mirror image by the mirror image signature registration component;
the computing method for the image signature registration component to compute the content of the image to obtain the hash value is the secure hash algorithm 128 or the secure hash algorithm 224 or the secure hash algorithm 256 or the secure hash algorithm 384 or the secure hash algorithm 512 or the message digest algorithm or the hash algorithm.
The block chain network comprises a plurality of clients which are connected with each other in pairs through the Internet, a container mirror image credible authentication system based on a block chain technology is installed in each client, and the clients form a distributed network system.
The client is a trusted authentication system which comprises a mirror image signature registration component and a mirror image signature verification component;
when the mirror image is uploaded, signature calculation and registration are carried out in the block chain network through a mirror image signature registration component;
the signature is verified by the image signature verification component when the image is downloaded.
In conclusion, the system and the method for trusted authentication of container mirror images based on the block chain technology can maintain a trusted authentication network of mirror images based on the block chain through the block chain network technology to perform mirror image authentication and identification, and the mirror images are ensured to be unique and cannot be tampered from the source, so that the safety and the credibility of the mirror images used by users are guaranteed, and the copyright of original authors is also guaranteed;
the system for credible authentication of the container mirror image based on the block chain technology automatically incorporates the implementation mechanism into the container mirror image engine, so that signature and authentication actions do not need any additional operation for an uploader or a downloader, and the system is simple and convenient.
Specific embodiments of the invention have been described above. It is to be understood that the invention is not limited to the particular embodiments described above, in that devices and structures not described in detail are understood to be implemented in a manner common in the art; various changes or modifications may be made by one skilled in the art within the scope of the claims without departing from the spirit of the invention, and without affecting the spirit of the invention.