CN111787116B - System and method for trusted authentication of container mirror image based on block chain technology - Google Patents

Publication number
CN111787116B
Authority
CN
China
Prior art keywords
mirror image
signature
image
component
block chain
Legal status
Active
Application number
CN202010644383.1A
Other languages
Chinese (zh)
Other versions
CN111787116A (en)
Inventor
潘远航
颜开
张潇
徐俊杰
Current Assignee
Chengdu Daoke Digital Technology Co ltd
Original Assignee
Shanghai Daoke Network Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The invention discloses a system and a method for trusted authentication of container images based on blockchain technology. The system comprises an image signature registration component, a decentralized image trusted authentication component, an image signature verification component and an image repository. The method comprises the following steps. Step 1: the original author uploads an image to the image signature registration component, which calculates the image author information, digital signature, image name and image ID from the image, integrates them into trusted authentication information, writes the image and the trusted authentication information into a smart contract, writes the smart contract into the blockchain network, and uploads the image to the image repository. Step 2: a downloader downloads the image from the image repository, calculates the digital signature of the image, and acquires the image and a digital signature from the decentralized image trusted authentication component. Step 3: the two digital signatures are compared; if they are the same, the image is allowed to be used, and if they differ, the image is refused.

Description

System and method for trusted authentication of container mirror image based on block chain technology
Technical Field
The invention relates to the cloud-native field, and in particular to a system and a method for trusted authentication of container images based on blockchain technology.
Background
In the cloud-native field, application development and deployment based on container technology both rely on container images downloaded from a remote location. Authenticating the credibility of a downloaded image is an important security problem and also a problem of intellectual property protection. To prevent an image from being tampered with between its upload to a server and its download and use by a user, this application proposes a decentralized technique, based on blockchain smart contracts, for authenticating container images. The method solves these problems well, and the same technique can also be applied to trusted authentication of container orchestration scripts.
Docker (an application container engine) distributes images through a remote repository (registry): an image publisher builds a container image on a local computer and pushes it to the remote repository, and other users can then pull the image over the network.
Existing image repository technologies have several security mechanisms to ensure that an image is trustworthy and has not been tampered with:
1. Image operations at the repository provider require a username/password login, which prevents arbitrary tampering with images;
2. Container image signing (Docker Content Trust) digitally signs an image, and the image repository guarantees authentication of the image signature;
3. Uploads to and downloads from the repository provider are encrypted in transit over HTTPS;
4. Some repository providers also offer a basic image security scanning mechanism, which can to some extent discover malicious images carrying illegally implanted security risks in advance and warn users;
5. The image download page generally shows the username of the uploader, and images are sorted by download count and similar measures so that the most popular images are listed first.
However, these prior-art methods are not completely reliable; the security mechanisms above have the following disadvantages:
1. Username and password: weak credentials are often easy to crack, and the repository provider's server may itself be maliciously compromised, so there is no guarantee that the downloaded image is the one the original author uploaded;
2. Image signing: this technology requires a centralized authentication server (the Docker Notary server) for verification, and the public key of the signature is added to the Notary server. The address of the centralized server may be maliciously hijacked or forged, so even if the image content is signed, there is no guarantee that the signature has not been tampered with;
3. HTTPS: the protocol is subject to "man-in-the-middle attacks" in some scenarios and is not absolutely secure;
4. If an untrusted image containing malicious code is uploaded, the repository provider's security scanning cannot guarantee that every malicious program is discovered immediately, so the trustworthiness and reliability of the image content cannot be guaranteed;
5. A malicious attacker can upload an image with the same name as an existing popular image so that it is downloaded in place of the genuine one. Because repository pages are generally sorted by download popularity, a plagiarizing attacker can easily push the plagiarized image to a top position by faking popularity, and steal the attribution of the image.
Regarding security and trust: in the cloud-native field, application development and deployment based on Kubernetes or Docker require images to be downloaded remotely. Security is very important here, because the reliability of the image fundamentally determines the security of the application, yet container security is not yet mature in the industry.
Application development stage: in containerized development, business logic is layered on top of a base image obtained from an image repository in the cloud. When an untrusted image goes live with the application, enterprise security is seriously affected.
Application deployment stage: modern deployment uses containers to reduce environmental differences, but because the production server on which the application is deployed is generally separate from the development and test environments, it basically has to fetch the image from a remote image repository and download it locally before deployment. After the original author uploads the image to the repository, however, the image may be maliciously replaced by a hacker, so that all subsequent users download the malicious image; the image may also be hijacked in transit and replaced with a malicious one. Either case creates a huge security risk.
Intellectual property problems:
A container image is built from program code and is by nature the work product and intellectual property of technical workers. If the image is uploaded to a public repository, however, it is easily downloaded by others and republished under their own name, and the original author easily loses the intellectual property.
Docker image distribution works through a remote image repository (registry): an image publisher builds an image on a local computer and pushes it to the remote repository, and other users can then pull the image over the network.
In this process, how can it be ensured that the pulled image is the original version published by the publisher? How can it be ensured that it has not been modified at the repository server provider, and how can ownership of the image be marked? How can it be ensured that the digital signature of the image has not been tampered with and that the central server authenticating the signature has not been hijacked?
As is well known, a centralized network is insecure: the download channel of an image may be compromised by DNS hijacking, man-in-the-middle hijacking and the like. Even if an authentication mechanism exists, if the mechanism for issuing and checking authentication is implemented on a centralized server, a container image can still be hijacked by a hacker and have a malicious program embedded in it, as in the case described in fig. 3:
1. the original author uploads the image to some image repository (the image is denoted X);
2. a hacker maliciously tampers with the image and replaces image X with Y;
3. a user who intends to download image X actually downloads the malicious image Y, which carries a security risk.
As shown in fig. 4, another situation, infringement of intellectual property, arises when an original author publishes an image to a public repository and a pirate modifies the image author (a container image has an author attribute, which can be modified) and uploads the image again to another repository, stealing the nominal attribution and intellectual property of the image:
1. the original author uploads the image to repository 1;
2/3/4. a malicious plagiarizer downloads the image, tampers with the author attribute in the image, and uploads it to repository 2 under their own name.
Disclosure of Invention
The technical problem to be solved is that, in existing container image distribution, the various image trust mechanisms all have defects of one kind or another, such as reliance on a centralized server. They cannot guarantee that the image in an image repository is the original version uploaded by the original author, or that it has not been tampered with along the way; tampering leads to image security risks and intellectual property problems. Container image signing still relies on centralized authentication and therefore still carries risk. This system provides a decentralized, blockchain-based trusted authentication mechanism that strengthens image security authentication. The invention provides a system for trusted authentication of container images based on blockchain technology: an image publisher calculates the digital signature of the image on a local computer and then writes the image's trusted authentication information, including the digital signature, into a trusted authentication component based on blockchain technology. The distributed cryptographic algorithms of the blockchain ensure that forgery is prevented in this process, so that a publisher can safely share the image on a public image repository, overcoming the defects of the prior art.
The invention also provides a method for trusted authentication of container images based on blockchain technology.
To solve the above technical problems, the invention provides the following technical solutions:
In a first aspect, a system for trusted authentication of container images based on blockchain technology comprises an image signature registration component, a decentralized image trusted authentication component, an image signature verification component and an image repository;
the image signature registration component is used by an original author to upload an image; it transmits the image to the image repository, calculates trusted authentication information from the content of the image, and transmits the image and the trusted authentication information to the decentralized image trusted authentication component, wherein the trusted authentication information comprises image author information, a digital signature, an image name and an image ID;
the decentralized image trusted authentication component acquires the image and the trusted authentication information, combines them into a smart contract and writes the smart contract into a blockchain network, and the blockchain network extracts the digital signature in the trusted authentication information;
the image signature verification component calculates the digital signature of the image after the image is obtained from the image repository, obtains the extracted digital signature from the decentralized image trusted authentication component, and compares the two digital signatures; if they are inconsistent the downloader is refused use of the image, and if they are consistent the downloader is allowed to use it.
In the above system for trusted authentication of container images based on blockchain technology, the digital signature is a hash value that the image signature registration component calculates over the content of the image.
In the above system, the calculation method by which the image signature registration component obtains the hash value from the content of the image is secure hash algorithm 128, secure hash algorithm 224, secure hash algorithm 256, secure hash algorithm 384, secure hash algorithm 512, a message digest algorithm or a hash algorithm.
In the above system, the blockchain network is a plurality of clients pairwise interconnected over the internet; the system for trusted authentication of container images based on blockchain technology is installed in each client, and the clients form a distributed star-shaped structure. The blockchain network is decentralized and performs trusted authentication of the image's information and digital signature, avoiding the security problems of centralized authentication or centralized certificate issuance in a centralized system.
In the above system, the client is a trusted authentication system that comprises an image signature registration component and an image signature verification component;
the image signature registration component performs signature calculation and registers the result in the blockchain network when the image is uploaded;
the image signature verification component verifies the signature when the image is downloaded.
In a second aspect, a method for trusted authentication of container images based on blockchain technology comprises the following steps:
Step 1: an original author uploads an image to the image signature registration component, which calculates the image author information, digital signature, image name and image ID from the image, integrates them into trusted authentication information, and writes this information together with the image into the decentralized image trusted authentication component. The decentralized image trusted authentication component combines the image and the trusted authentication information into a smart contract and writes it into the blockchain network; the image is then uploaded to the image repository, and the image repository associates the image with the trusted authentication information;
Step 2: a downloader who downloads or uses the image downloads it from the image repository to the image signature verification component, which calculates the digital signature of the image and obtains the image and the digital signature from the decentralized image trusted authentication component;
Step 3: the digital signature calculated by the image signature verification component is compared with the digital signature obtained from the decentralized image trusted authentication component; if the two digital signatures are the same, the image signature verification component allows the image to be used, and if they differ, it refuses use of the image.
In a specific implementation, the smart contract is implemented on Ethereum:
In the image signature registration component, the Ethereum smart contract is written in the Solidity language and uses the following data structure: ownerIdImageMap[msg.sender][repoTag] = Image(imageHash, msg.sender, repoTag, imageId);
where:
ownerIdImageMap is the record of the transaction;
msg.sender is the contract initiator (i.e. the original author of the image);
repoTag is the image name;
imageHash is the digital signature of the image;
imageId is the ID value of the image;
In this Ethereum-based implementation, each contract transaction (an Ethereum concept) records the image name, the digital signature of the image file, the transaction submitter and the image ID;
Implementation of the image's "digital signature": the image can be saved as a tar file with the "docker save" command, and the secure hash algorithm 256 (SHA256) hash value of the tar file is then calculated with an operating system tool. (Calculating the hash of the image data with secure hash algorithm 256 is only one example of how the digital signature may be generated; the digital signature calculation in this technical solution includes, but is not limited to, secure hash algorithm 256.)
In addition, in practice, image upload and download are mostly performed by the docker engine (an open source container engine), with docker push used for upload and docker pull for download, so one implementation of the system is as follows:
The upload-side logic of the image signature verification component is embedded in the docker engine, inside docker push: when a docker push (upload) command is executed, the engine automatically triggers signature registration on the blockchain network in the background;
The download-side logic of the image signature verification component is embedded in the docker engine, inside docker pull: when a docker pull command is executed, the engine automatically pulls the signature from the blockchain in the background and checks the local file against it.
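The register-then-verify flow of steps 1 to 3, keyed the way the page's ownerIdImageMap is, shown as an added Python example that is not the patent's own code. The in-memory `ImageLedger` is an assumed stand-in for the Ethereum contract, and the addresses, image name, image ID and tar contents are constructed placeholders.

```python
import hashlib
import hmac
import io
import tarfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    """Same fields as the page's Image(imageHash, msg.sender, repoTag, imageId)."""
    image_hash: str
    owner: str
    repo_tag: str
    image_id: str


class ImageLedger:
    """In-memory stand-in (assumption) for ownerIdImageMap on the blockchain."""

    def __init__(self):
        self._owner_id_image_map = {}

    def register(self, sender, repo_tag, image_hash, image_id):
        # Mirrors ownerIdImageMap[msg.sender][repoTag] = Image(...): a sender
        # writes only under its own address, never under another author's.
        record = Image(image_hash, sender, repo_tag, image_id)
        self._owner_id_image_map.setdefault(sender, {})[repo_tag] = record
        return record

    def lookup(self, owner, repo_tag):
        return self._owner_id_image_map.get(owner, {}).get(repo_tag)


def image_digest(fileobj, chunk_size=1 << 20):
    """SHA-256 of the saved image tar, read in chunks so large images fit."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(ledger, owner, repo_tag, fileobj):
    """Steps 2 and 3: hash the downloaded tar and compare with the record."""
    record = ledger.lookup(owner, repo_tag)
    if record is None:
        return False  # nothing registered by this author: refuse the image
    return hmac.compare_digest(image_digest(fileobj), record.image_hash)


def build_sample_tar(files):
    """Constructed stand-in for `docker save` output (deterministic bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed placeholders, not real addresses or image names.
AUTHOR = "0xAUTHOR-PLACEHOLDER"
REPUBLISHER = "0xREPUBLISHER-PLACEHOLDER"
REPO_TAG = "demo/app:1.0"
IMAGE_ID = "sha256:constructed-image-id"


def run_demo():
    ledger = ImageLedger()
    image_x = build_sample_tar({"manifest.json": b"[]", "layer.tar": b"app-v1"})
    image_y = build_sample_tar({"manifest.json": b"[]", "layer.tar": b"app-v1-modified"})

    # Step 1: the original author registers the hash of image X.
    ledger.register(AUTHOR, REPO_TAG, image_digest(io.BytesIO(image_x)), IMAGE_ID)
    # A second party registering the same name lands under its own address
    # and leaves the author's record untouched.
    ledger.register(REPUBLISHER, REPO_TAG, image_digest(io.BytesIO(image_y)), IMAGE_ID)

    return {
        "genuine": verify_download(ledger, AUTHOR, REPO_TAG, io.BytesIO(image_x)),
        "replaced": verify_download(ledger, AUTHOR, REPO_TAG, io.BytesIO(image_y)),
        "unregistered_tag": verify_download(ledger, AUTHOR, "demo/app:2.0", io.BytesIO(image_x)),
        "author_record_owner": ledger.lookup(AUTHOR, REPO_TAG).owner,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Because the record is keyed by the registering address first, the downloader has to know the original author's address in advance; looking up by image name alone cannot distinguish the author's record from one registered by someone else.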
In the above method for trusted authentication of container images based on blockchain technology, the digital signature is a hash value that the image signature registration component calculates over the content of the image;
the calculation method by which the image signature registration component obtains the hash value from the content of the image is secure hash algorithm 128, secure hash algorithm 224, secure hash algorithm 256, secure hash algorithm 384, secure hash algorithm 512, a message digest algorithm or a hash algorithm.
In the above method, the blockchain network comprises a plurality of clients pairwise interconnected over the internet; the system for trusted authentication of container images based on blockchain technology is installed in each client, and the clients form a distributed network system.
In the above method, the client is a trusted authentication system that comprises an image signature registration component and an image signature verification component;
when the image is uploaded, signature calculation and registration in the blockchain network are performed by the image signature registration component;
when the image is downloaded, the signature is verified by the image signature verification component.
The technical solutions provided by the system and method for trusted authentication of container images based on blockchain technology have the following technical effects:
A blockchain-based trusted image authentication network is maintained through blockchain network technology to authenticate and identify images, ensuring from the source that an image is unique and cannot be tampered with, thereby guaranteeing the security and credibility of the images users consume and protecting the copyright of the original author;
The system for trusted authentication of container images based on blockchain technology builds its mechanism into the container image engine automatically, so that signing and authentication require no additional action from the uploader or the downloader, which is simple and convenient.
Drawings
FIG. 1 is a schematic structural diagram of a system for trusted authentication of container images based on blockchain technology according to the present invention;
FIG. 2 is a schematic diagram of the blockchain network in a system for trusted authentication of container images based on blockchain technology according to the present invention;
FIG. 3 is a diagram of a system for trusted authentication of container images based on blockchain technology according to an embodiment of the present invention;
FIG. 4 is a diagram of a scenario in which a container image is hijacked by a hacker to implant a malicious program;
FIG. 5 is a diagram of a scenario of intellectual property infringement.
Detailed Description
To make the technical means, inventive features, objectives and effects of the invention easy to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are evidently only some of the embodiments of the present invention, not all of them.
All other embodiments obtained by a person skilled in the art from the embodiments of the present invention without inventive effort fall within the scope of the present invention.
It should be understood that the structures, ratios, sizes and the like shown in the drawings and described in the specification serve only to accompany the disclosure of the specification so that those skilled in the art can understand and read it; they are not intended to limit the conditions under which the present invention can be implemented and therefore have no substantive technical significance. Any structural modification, change of ratio or adjustment of size that does not affect the efficacy and achievable purpose of the present invention still falls within the scope of the present invention.
In addition, terms such as "upper", "lower", "left", "right", "middle" and "one" are used in this specification for clarity of description only and are not intended to limit the scope of the present invention, and the relative relationships among these terms are likewise not to be construed as limiting the scope of the present invention.
The first embodiment of the invention provides a system for trusted authentication of container images based on blockchain technology. Its aim is to maintain a blockchain-based trusted image authentication network through blockchain network technology to authenticate and identify images, ensuring from the source that an image is unique and cannot be tampered with, thereby guaranteeing the security and credibility of the images users consume and protecting the copyright of the original author;
The system for trusted authentication of container images based on blockchain technology builds its mechanism into the container image engine automatically, so that signing and authentication require no additional action from the uploader or the downloader, which is simple and convenient.
As shown in fig. 1, in a first aspect, a system for trusted authentication of container images based on blockchain technology includes an image signature registration component, a decentralized image trusted authentication component, an image signature verification component, and an image repository;
the image signature registration component is used by an original author to upload an image; it transmits the image to the image repository, calculates trusted authentication information from the content of the image, and transmits the image and the trusted authentication information to the decentralized image trusted authentication component, wherein the trusted authentication information comprises image author information, a digital signature, an image name and an image ID;
the decentralized image trusted authentication component acquires the image and the trusted authentication information, combines them into a smart contract and writes the smart contract into a blockchain network, and the blockchain network extracts the digital signature in the trusted authentication information;
the image signature verification component calculates the digital signature of the image after the image is obtained from the image repository, obtains the extracted digital signature from the decentralized image trusted authentication component, and compares the two digital signatures; if they are inconsistent the downloader is refused use of the image, and if they are consistent the downloader is allowed to use it.
The digital signature is a hash value that the image signature registration component calculates over the content of the image.
The calculation method by which the image signature registration component obtains the hash value from the content of the image is secure hash algorithm 128, secure hash algorithm 224, secure hash algorithm 256, secure hash algorithm 384, secure hash algorithm 512, a message digest algorithm or a hash algorithm.
As shown in fig. 2, in the above system for trusted authentication of container images based on blockchain technology, the blockchain network is a plurality of clients pairwise interconnected over the internet; the system for trusted authentication of container images based on blockchain technology is installed in each client, and the clients form a distributed star-shaped structure. The blockchain network is decentralized and performs trusted authentication of the image's information and digital signature, avoiding the security problems of centralized authentication or centralized certificate issuance in a centralized system.
The client is a trusted authentication system which comprises a mirror image signature registration component and a mirror image signature verification component;
the mirror image signature registration component is used for performing signature calculation and registering in the block chain network when the mirror image is uploaded;
the image signature verification component is used for verifying the signature when the image is downloaded.
As is well known, blockchain technology solves the reliability problem of centralized networks described above;
blockchain was first applied to digital currency and has since expanded to other fields as a technology for decentralized trusted authentication;
storing image information on a decentralized blockchain network removes the possibility that data can be easily tampered with in a centralized network, and offline signing and verification make publishing and obtaining data more convenient and safer (as shown in FIG. 3):
1. The original author uploads image X to the image repository;
2. at the same time, the signature of the image is registered on the blockchain;
3. a hacker breaks into the image repository and maliciously tampers with the image, changing X into Y;
4. a user downloads image X (actually receiving image Y);
5. after the download finishes, the signature of the downloaded image is calculated and immediately checked against the blockchain;
6. the signature registered on the blockchain (the signature of X) is retrieved, found not to match the signature of the locally downloaded image, and a warning is issued.
In a second aspect, a method for trusted authentication of container images based on a block chain technique includes the following steps:
step 1: the original author uploads a mirror image to a mirror image signature registration component, the mirror image signature registration component calculates mirror image author information, a digital signature, a mirror image name and a mirror image ID according to the mirror image, integrates the mirror image author information, the digital signature, the mirror image name and the mirror image ID into credible authentication information and then writes the information and the mirror image into a decentralized mirror image credible authentication component, the decentralized mirror image credible authentication component combines the mirror image and the credible authentication information into an intelligent contract to be written into a block chain network, then uploads the mirror image to a mirror image warehouse, and the mirror image warehouse associates the mirror image with the credible authentication information;
step 2: a downloader who downloads or uses the mirror image downloads the mirror image from the mirror image warehouse to the mirror image signature verification component, the mirror image signature verification component carries out digital signature calculation on the mirror image, and the mirror image and the digital signature are obtained from the decentralized mirror image credible authentication component;
step 3: the digital signature calculated by the image signature verification component is compared with the digital signature acquired from the decentralized image trusted authentication component; if the two digital signatures are the same, the image signature verification component allows the image to be used, and if they are different, the image signature verification component refuses the image.
In a concrete implementation, the system is based on a smart contract implemented on Ethereum:
in the image signature registration component, the Ethereum smart contract is written in the Solidity language and uses the following data structure: ownerIdImageMap[msg.sender][repoTag] = Image(imageHash, msg.sender, repoTag, imageId);
wherein:
ownerIdImageMap is the record of the transaction;
msg.sender is the contract initiator (i.e. the original author of the image);
repoTag is the image name;
imageHash is the digital signature of the image;
imageId is the ID value of the image;
in this Ethereum-based implementation, each contract transaction (an Ethereum concept) records the image name, the digital signature of the image file, the transaction submitter and the image ID;
implementation of the "digital signature" of the image: the image can be saved as a tar file with the "docker save" command, and the hash value of the tar file is then calculated with an operating system tool (calculating the hash value of the image data with Secure Hash Algorithm 256 is only one example of how the digital signature can be generated; the digital signature calculation of this technical scheme includes, but is not limited to, Secure Hash Algorithm 256);
in addition, in practice images are mostly uploaded and downloaded through the docker engine (an open source container engine), with docker push (a docker engine command) used for uploading and docker pull (another docker engine command) used for downloading, so one implementation of the system is as follows:
the logic of the image signature verification component for the upload process is built into the docker engine and implemented in docker push; when a docker push (upload) command is executed, the engine automatically triggers signature registration on the blockchain network in the background;
the logic of the image signature verification component for the download process is built into the docker engine and implemented in docker pull; when a docker pull command is executed, the engine automatically retrieves the signature from the blockchain in the background and checks the local file against it.
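The register-on-upload and verify-on-download flow described above, including the FIG. 3 tampering scenario, modelled as an added Python example (not code from the patent). The in-memory dictionary stands in for the Solidity mapping ownerIdImageMap, build_image_tar produces a constructed stand-in for docker save output, and the addresses, tags and IDs are placeholders.

```python
import hashlib
import hmac
import io
import tarfile
from dataclasses import dataclass


def build_image_tar(files):
    """Constructed stand-in for the tar archive that `docker save` writes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0  # fixed metadata: same content gives the same bytes
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def image_digest(tar_bytes):
    """The page's "digital signature": the SHA-256 hash of the saved tar file."""
    return hashlib.sha256(tar_bytes).hexdigest()


@dataclass(frozen=True)
class Image:
    image_hash: str
    owner: str
    repo_tag: str
    image_id: str


class ImageContractModel:
    """Model of ownerIdImageMap[msg.sender][repoTag] = Image(...)."""

    def __init__(self):
        self.owner_id_image_map = {}

    def register(self, msg_sender, repo_tag, image_hash, image_id):
        record = Image(image_hash, msg_sender, repo_tag, image_id)
        self.owner_id_image_map.setdefault(msg_sender, {})[repo_tag] = record
        return record

    def lookup(self, owner, repo_tag):
        return self.owner_id_image_map.get(owner, {}).get(repo_tag)


def push(contract, repository, author, repo_tag, image_id, tar_bytes):
    """Step 1: register the digest on the chain model, then upload the image."""
    contract.register(author, repo_tag, image_digest(tar_bytes), image_id)
    repository[repo_tag] = tar_bytes


def pull(contract, repository, expected_author, repo_tag):
    """Steps 2 and 3: download, recompute, compare. Returns (allowed, reason)."""
    tar_bytes = repository.get(repo_tag)
    if tar_bytes is None:
        return False, "image not in repository"
    record = contract.lookup(expected_author, repo_tag)
    if record is None:
        # Fail closed: an unregistered image is refused, not silently accepted.
        return False, "no record registered by expected author"
    if not hmac.compare_digest(image_digest(tar_bytes), record.image_hash):
        return False, "digest mismatch"
    return True, "digest matches"


def demo():
    contract, repository = ImageContractModel(), {}
    author = "0xAUTHOR-PLACEHOLDER"  # constructed sample address
    image_x = build_image_tar({"manifest.json": b"[]", "layer.tar": b"image X"})
    image_y = build_image_tar({"manifest.json": b"[]", "layer.tar": b"image Y"})

    push(contract, repository, author, "app:1.0", "id-x", image_x)
    clean = pull(contract, repository, author, "app:1.0")

    # The repository copy changes from X to Y; the chain record does not.
    repository["app:1.0"] = image_y
    tampered = pull(contract, repository, author, "app:1.0")

    # A record for the same tag under another sender lives in a separate slot,
    # so verification pinned to the expected author still refuses Y.
    contract.register("0xOTHER-PLACEHOLDER", "app:1.0", image_digest(image_y), "id-y")
    pinned = pull(contract, repository, author, "app:1.0")
    return clean, tampered, pinned


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the mapping is keyed by msg.sender, the verifier has to know which author address it expects before it queries the record.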
The digital signature is a hash value obtained by calculating the content of the mirror image by the mirror image signature registration component;
the computing method for the image signature registration component to compute the content of the image to obtain the hash value is the secure hash algorithm 128 or the secure hash algorithm 224 or the secure hash algorithm 256 or the secure hash algorithm 384 or the secure hash algorithm 512 or the message digest algorithm or the hash algorithm.
The block chain network comprises a plurality of clients which are connected with each other in pairs through the Internet, a container mirror image credible authentication system based on a block chain technology is installed in each client, and the clients form a distributed network system.
The client is a trusted authentication system which comprises a mirror image signature registration component and a mirror image signature verification component;
when the mirror image is uploaded, signature calculation and registration are carried out in the block chain network through a mirror image signature registration component;
the signature is verified by the image signature verification component when the image is downloaded.
In conclusion, the system and the method for trusted authentication of container images based on blockchain technology maintain a blockchain-based trusted authentication network that authenticates and identifies images, ensuring from the source that each image is unique and cannot be tampered with, so that the security and credibility of the images users run are guaranteed and the copyright of the original authors is also protected;
the system builds this mechanism into the container image engine, so that signing and verification require no additional operation from the uploader or the downloader, which keeps the system simple and convenient.
Specific embodiments of the invention have been described above. It is to be understood that the invention is not limited to the particular embodiments described above, in that devices and structures not described in detail are understood to be implemented in a manner common in the art; various changes or modifications may be made by one skilled in the art within the scope of the claims without departing from the spirit of the invention, and without affecting the spirit of the invention.

Claims (6)

1. A container mirror image credibility authentication system based on block chain technology is characterized by comprising a mirror image signature registration component, a decentralized mirror image credibility authentication component, a mirror image signature verification component and a mirror image warehouse;
the mirror image signature registration component is used for uploading a mirror image by an original author, transmitting the mirror image to the mirror image warehouse, calculating the content of the mirror image to obtain credible authentication information, and transmitting the mirror image and the credible authentication information to the decentralized mirror image credible authentication component, wherein the credible authentication information comprises mirror image author information, a digital signature, a mirror image name and a mirror image ID; the digital signature is a hash value calculated by the mirror image signature registration component according to the content of the mirror image; the digital signature is implemented in a way that: saving the mirror image as a tar file through a docker save command, and then calculating the Secure Hash Algorithm 256 hash value of the tar file through a tool of an operating system;
the decentralized mirror image trusted authentication component is used for acquiring the mirror image and the trusted authentication information, combining the mirror image and the trusted authentication information into an intelligent contract and writing the intelligent contract into a block chain network, and the block chain network extracts the digital signature in the trusted authentication information;
the image signature verification component is used for calculating the digital signature of the image after acquiring the image from the image warehouse, acquiring the extracted digital signature from the decentralized image trusted authentication component, verifying and comparing whether the two digital signatures are consistent, refusing a downloader to use the image if the two digital signatures are not consistent, and accepting the downloader to use the image if the two digital signatures are consistent;
the system is realized as follows:
implanting the logic of the mirror image signature verification component in an uploading process into a docker engine, wherein the logic is realized in a docker push, and when an uploading command is executed, an engine background automatically triggers signature registration on the blockchain network;
and implanting the logic of the mirror image signature verification component in the downloading process into a docker engine, wherein the logic is realized in a docker pull, and when a downloading command is executed, an engine background automatically triggers a block chain to pull a signature and check a local file.
2. The system of claim 1, wherein the blockchain network is a plurality of clients interconnected in pairs via the internet, and the system for trusted authentication of container images based on blockchain technology is installed inside the clients.
3. The system for trusted certification of container images based on blockchain technology according to claim 2, wherein the client is a trusted certification system, and the trusted certification system includes an image signature registration component and an image signature verification component;
the mirror image signature registration component is used for performing signature calculation and registering in the block chain network when the mirror image is uploaded;
the image signature verification component is used for verifying the signature when the image is downloaded.
4. A method for trustable authentication of container mirror image based on block chain technology is characterized by comprising the following steps:
step 1: an original author uploads a mirror image to a mirror image signature registration component, the mirror image signature registration component calculates mirror image author information, a digital signature, a mirror image name and a mirror image ID according to the mirror image, integrates the mirror image author information, the digital signature, the mirror image name and the mirror image ID into credible authentication information and then writes the information and the mirror image into a decentralized mirror image credible authentication component, the decentralized mirror image credible authentication component combines the mirror image and the credible authentication information into an intelligent contract to be written into a block chain network, then uploads the mirror image to a mirror image warehouse, and the mirror image warehouse associates the mirror image with the credible authentication information; the digital signature is a hash value obtained by calculating the content of the mirror image by the mirror image signature registration component; the digital signature is implemented in a way that: saving the mirror image as a tar file through a docker save command, and then calculating the Secure Hash Algorithm 256 hash value of the tar file through a tool of an operating system;
step 2: a downloader who downloads or uses the mirror image downloads the mirror image from the mirror image warehouse to the mirror image signature verification component, the mirror image signature verification component carries out digital signature calculation on the mirror image, and the mirror image and the digital signature are obtained from the decentralized mirror image credible authentication component;
step 3: comparing and verifying the digital signature calculated by the mirror image signature verification component with the digital signature acquired from the decentralized mirror image credible authentication component, if the two digital signatures are the same, allowing the mirror image to be used by the mirror image signature verification component, and if the two digital signatures are different, refusing the mirror image to be used by the mirror image signature verification component;
the logic of the mirror image signature verification component in the uploading process is implanted into a docker engine and is realized in a docker push, and when an uploading command is executed, an engine background automatically triggers signature registration on the blockchain network; and implanting the logic of the mirror image signature verification component in the downloading process into a docker engine, wherein the logic is realized in a docker pull, and when a downloading command is executed, an engine background automatically triggers a block chain to pull a signature and check a local file.
5. The method as claimed in claim 4, wherein the blockchain network is a plurality of clients interconnected in pairs via the internet, and the system for trustable authentication of container images based on blockchain technology is installed in the clients.
6. The method for trusted certification of container images based on blockchain technology according to claim 5, wherein the client is a trusted certification system, and the trusted certification system includes an image signature registration component and an image signature verification component;
when the mirror image is uploaded, signature calculation and registration are carried out in the block chain network through the mirror image signature registration component;
and verifying the signature through the image signature verification component when the image is downloaded.
CN202010644383.1A 2020-07-07 2020-07-07 System and method for trusted authentication of container mirror image based on block chain technology Active CN111787116B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010644383.1A CN111787116B (en) 2020-07-07 2020-07-07 System and method for trusted authentication of container mirror image based on block chain technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010644383.1A CN111787116B (en) 2020-07-07 2020-07-07 System and method for trusted authentication of container mirror image based on block chain technology

Publications (2)

Publication Number Publication Date
CN111787116A CN111787116A (en) 2020-10-16
CN111787116B true CN111787116B (en) 2021-08-20

Family

ID=72758842

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010644383.1A Active CN111787116B (en) 2020-07-07 2020-07-07 System and method for trusted authentication of container mirror image based on block chain technology

Country Status (1)

Country Link
CN (1) CN111787116B (en)

Also Published As

Publication number Publication date
CN111787116A (en) 2020-10-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220929

Address after: No. 4, 27th Floor, Building 2, No. 258, Xiadong Street Section, East Street, Jinjiang District, Chengdu City, Sichuan Province, China 610021

Patentee after: Chengdu Daoke Digital Technology Co.,Ltd.

Address before: Room 1305-12, No.6 Weide Road, Yangpu District, Shanghai 200433

Patentee before: Shanghai Daoke Network Technology Co.,Ltd.

TR01 Transfer of patent right
CP02 Change in the address of a patent holder

Address after: Room 3001-3008, Floor 30, Building 1, No. 101, Gulou South Street, Qingyang District, Chengdu, Sichuan 610016

Patentee after: Chengdu Daoke Digital Technology Co.,Ltd.

Address before: No. 4, 27th Floor, Building 2, No. 258, Xiadong Street Section, East Street, Jinjiang District, Chengdu City, Sichuan Province, China 610021

Patentee before: Chengdu Daoke Digital Technology Co.,Ltd.

CP02 Change in the address of a patent holder