CN114244515A - Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment - Google Patents

Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment Download PDF

Info

Publication number
CN114244515A
CN114244515A CN202210174882.8A CN202210174882A CN114244515A CN 114244515 A CN114244515 A CN 114244515A CN 202210174882 A CN202210174882 A CN 202210174882A CN 114244515 A CN114244515 A CN 114244515A
Authority
CN
China
Prior art keywords
key
virtual machine
symmetric
virtual machines
hypervisor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210174882.8A
Other languages
Chinese (zh)
Other versions
CN114244515B (en
Inventor
不公告发明人
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongling Zhixing Chengdu Technology Co ltd
Original Assignee
Zhongling Zhixing Chengdu Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongling Zhixing Chengdu Technology Co ltd filed Critical Zhongling Zhixing Chengdu Technology Co ltd
Priority to CN202210174882.8A priority Critical patent/CN114244515B/en
Publication of CN114244515A publication Critical patent/CN114244515A/en
Application granted granted Critical
Publication of CN114244515B publication Critical patent/CN114244515B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a Hypervisor-based virtual machine communication method, apparatus, readable storage medium and electronic device, the method is applied between a plurality of virtual machines constructed based on a Hypervisor, the method includes: the plurality of virtual machines read the symmetric keys from the storage partitions; wherein the storage partition is located in a Hypervisor layer and isolated from the plurality of virtual machines, and the symmetric keys are used for network communication and/or non-network communication among the plurality of virtual machines. In the scheme, the symmetric secret key is not easy to be cracked, the safety of communication between the virtual machines can be improved, and the scheme does not involve adding a new hardware storage secret key, so that the hardware cost is reduced.

Description

Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of communications, and in particular, to a Hypervisor-based virtual machine communication method, apparatus, readable storage medium, and electronic device.
Background
The Hypervisor is also called a Virtual Machine Monitor (Virtual Machine Monitor), and a plurality of Virtual machines are constructed based on the Hypervisor Virtual machines, wherein the Virtual Machine which can establish communication connection with the Internet through an access gateway router is an unsafe Virtual Machine, the Virtual Machine which does not establish communication connection with the access gateway router and only establishes communication connection with the Virtual Machine is a safe Virtual Machine, the data communication between the unsafe Virtual Machine and other terminals and servers in the Internet is encrypted and transmitted, and the communication data between the Virtual machines is plaintext.
The current communication encryption method conventionally includes symmetric encryption and asymmetric encryption, encryption and decryption keys used by the symmetric encryption algorithm and the asymmetric encryption algorithm are usually stored in a file system accessible by the virtual machine in an encrypted manner, and the encryption and decryption keys are also stored in an hsm (hardware security module) hardware security module.
In practice, it has been found that the following risks exist for current inter-virtual machine communication transfers: 1) potential safety hazards exist in plaintext transmission among the virtual machines, the unsafe virtual machines are accessed to the Internet and invaded maliciously, and data communicated among the virtual machines are intercepted and decoded, so that data leakage is caused; 2) the encryption and decryption secret keys are encrypted and stored in a file system accessible to the virtual machine, and the risk of being cracked exists; 3) storing the encryption and decryption keys in the HSM increases hardware costs. Therefore, the technical problem of low security of communication and transmission between virtual machines exists in the prior art.
Disclosure of Invention
The disclosure aims to provide a Hypervisor-based virtual machine communication method, a Hypervisor-based virtual machine communication device, a readable storage medium and electronic equipment, which are used for solving the technical problem of low communication transmission security between virtual machines in the prior art.
In order to achieve the above object, a first aspect of the present disclosure provides a virtual machine communication method applied between multiple virtual machines constructed based on a Hypervisor, the method including:
the plurality of virtual machines read the symmetric keys from the storage partitions; the symmetric key is stored in a Hypervisor layer, the storage partition is isolated from the virtual machines, and the symmetric key is used for network communication and/or non-network communication among the virtual machines.
Optionally, the method for using the symmetric key for network communication includes:
the first virtual machine and the second virtual machine use the symmetric secret key to carry out negotiation of a data transmission secret key; in the key negotiation process, the asymmetric encryption public key uses the symmetric key and a symmetric encryption algorithm to carry out encryption transmission, and the data transmission secret key uses the asymmetric encryption public key, a private key and the asymmetric encryption algorithm to carry out encryption transmission;
after the data transmission secret key is obtained through negotiation, the first virtual machine and the second virtual machine use the data transmission secret key to carry out data encryption transmission.
Optionally, the negotiating, by the first virtual machine and the second virtual machine, the data transmission key using the symmetric key includes:
the first virtual machine generates the asymmetric encryption public key and the private key according to an asymmetric encryption secret key generation algorithm; the first virtual machine is a communication connection initiator;
establishing communication connection between the first virtual machine and the second virtual machine, wherein the first virtual machine uses the symmetric secret key to encrypt the public key and the asymmetric encryption algorithm to generate a first ciphertext;
the first virtual machine sends the first ciphertext to the second virtual machine;
after receiving the first ciphertext, the second virtual machine decrypts the first ciphertext by using the symmetric secret key to obtain the public key and the asymmetric encryption algorithm;
the second virtual machine generates a data transmission secret key according to a secret key generation algorithm of symmetric encryption, and encrypts the data transmission secret key by using the public key to generate a second ciphertext;
the second virtual machine sends the second ciphertext to the first virtual machine;
and after receiving the second ciphertext, the first virtual machine decrypts the second ciphertext by using the private key to obtain the data transmission secret key.
Optionally, the method for using the symmetric key for non-network communication includes:
the first virtual machine acquires original data to be sent, and encrypts the original data by using the symmetric secret key; the first virtual machine is a communication connection initiator;
the first virtual machine sends the encrypted data to the second virtual machine;
and after receiving the encrypted data, the second virtual machine decrypts the encrypted data by using the symmetric secret key to obtain the original data.
Optionally, the plurality of virtual machines read the symmetric key stored in the storage partition through an interface provided by the Hypervisor.
Optionally, the storage partition is located on a key storage virtual machine different from the plurality of virtual machines.
A second aspect of the present disclosure provides a virtual machine communication apparatus, including:
the Hypervisor module is used for constructing a plurality of virtual machines;
the key storage module is used for storing a symmetric key, the symmetric key is stored in a Hypervisor layer, and a storage partition of the symmetric key is isolated from the virtual machines; the symmetric key is used for network communication and/or non-network communication among the plurality of virtual machines;
the network communication module is used for constructing a network communication mechanism among the plurality of virtual machines;
and the non-network communication module is used for constructing a non-network communication mechanism among the plurality of virtual machines.
A third aspect of the disclosure provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of the first aspect.
A fourth aspect of the present disclosure provides an electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the method of the first aspect.
According to the technical scheme, the symmetric secret keys are stored in the storage partitions isolated from the Hypervisor layer and the virtual machines, network communication and non-network communication are carried out among the virtual machines based on the symmetric secret keys, and the symmetric secret keys are stored in the storage partitions isolated from the virtual machines. And the scheme does not relate to the addition of a new hardware storage secret key, so that the hardware cost is reduced.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
FIG. 1 is a schematic diagram illustrating a virtual machine communication system in accordance with an exemplary embodiment;
FIG. 2 is a schematic flow diagram illustrating the construction of non-network secure communications among multiple virtual machines based on Hypervisor in accordance with an illustrative embodiment;
FIG. 3 is a schematic flow diagram illustrating a Hypervisor-based construction of network secure communications between multiple virtual machines in accordance with an illustrative embodiment;
FIG. 4 is a block diagram illustrating a virtual machine communication device in accordance with an exemplary embodiment;
FIG. 5 is a block diagram illustrating an electronic device in accordance with an example embodiment.
In the drawing, 401 is a Hypervisor module, 402 is a key storage module, 403 is a network communication module, 404 is a non-network communication module, 500 is an electronic device, 501 is a processor, 502 is a memory, 503 is a multimedia component, 504 is an (I/O) interface, and 505 is a communication component.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
The embodiment of the disclosure provides a technical scheme based on communication between Hypervisor virtual machines, and realizes data transmission safety between the virtual machines on the basis of not increasing hardware cost. In the scheme, a symmetric encryption and decryption key (hereinafter referred to as a symmetric key) used for symmetric encryption is stored in a single nonvolatile storage device partition, is only provided for Hypervisor access, and is provided with a uniform access interface to read the symmetric key; the non-network communication between the virtual machines uses a symmetric encryption algorithm; the network communication between the virtual machines uses an asymmetric encryption algorithm and a symmetric encryption algorithm, the network communication between the virtual machines comprises the steps of establishing network communication connection, a key negotiation process and a communication data encryption and decryption process, and the two secure communication methods realize the function of data secure transmission between the virtual machines.
Compared with the traditional communication mode between the virtual machines, the scheme has the characteristics of safety, cross-platform performance and uniformity. Compared with the prior plaintext transmission mode among the virtual machines, the transmission after the communication encryption is more favorable for protecting the safety of data; the symmetric key storage mechanism and the access interface provided by the Hypervisor access the symmetric key data through a multi-system mechanism, so that the storage security and the use uniformity of the key are protected; through encryption transmission, non-network communication and network communication among the virtual machines, communication data are not easy to intercept, and the communication data are encrypted by a symmetric encryption algorithm, so that the data transmission safety is further enhanced.
Further, the symmetric key is stored in a single nonvolatile storage device partition, only Hypervisor access is allowed, the storage partition is isolated from the virtual machine, and the scheme does not involve adding a new hardware storage key (such as HSM), so that the hardware cost is reduced.
In one possible implementation, the storage partition of the symmetric key can be separately placed in a small virtual machine, so that the safety and the decoupling of the storage data partition are enhanced.
Next, a system in the embodiment of the present disclosure will be explained.
As shown in fig. 1, the system mainly comprises a Hypervisor, a key storage module, a network communication module between virtual machines, and a non-network communication module between virtual machines.
The main functions of the components are as follows:
Hypervisor
the method is used for running a plurality of virtual machines on one SOC (System on Chip). The Hypervisor can realize partition isolation, health monitoring, graphic monitoring, safe display, quick start and the like, can realize System isolation, and comprises a Central Processing Unit (CPU), a device I/O (input/output), a Memory, a System Memory Management Unit (SMMU) and other resource isolation, and can support virtual machine communication: support virtual ethernet, fast messaging mechanism, memory zero copy, etc.
Key storage module
The symmetric key is stored in a single nonvolatile storage device partition and is only provided for the Hypervisor to access, and the Hypervisor provides an interface for each virtual machine to access.
Network communication module between virtual machines
Hypervisor constructs a set of network communication mechanism between virtual machines, and combines a symmetric encryption method and an asymmetric encryption method to realize network communication security. The network communication involves three steps, namely establishing network communication connection, key negotiation and data encryption transmission; the method comprises the following steps that a key negotiation process uses symmetric encryption and asymmetric encryption, transmission of a public key in the key negotiation process uses symmetric encryption, a generated data transmission key is transmitted by asymmetric encryption, the public key encrypts the data transmission key, a private key is used for decryption, and a new data transmission key is obtained as a result of key negotiation; the data encryption transmission process uses a symmetric encryption algorithm, and the used secret key is the data transmission secret key obtained by the secret key negotiation.
Hypervisor-based non-network communication module between virtual machines
The Hypervisor constructs a set of non-network Communication mechanism between the virtual machines, including virtual pipelines, IPC (Inter-Process Communication), shared memory and the like, packages data to be sent according to a specified format, encrypts the data to be sent by using a symmetric key based on a symmetric encryption algorithm, sends the data to a target virtual machine by using a Communication method provided by the Hypervisor, and decrypts the data by using the symmetric key to obtain original data.
In the embodiment of the present disclosure, vm1 and vm2 select non-network communication or network communication according to different service requirements, as shown in fig. 1, network communication is used between application APP1 and application APP3, and non-network communication is used between application APP2 and application APP4, in the following description, a first virtual machine is abbreviated as vm1, and a second virtual machine is abbreviated as vm 2. The foregoing is by way of example only, and the disclosure is not limited thereto.
When the system is started, the Hypervisor needs to complete the initialization work of the key storage module, mount the independent key storage partition to the Hypervisor, and cache the symmetric key to the cache. The initial value of the symmetric key may be updated by a burn-in tool or upgrade, and the symmetric key storage partition may be a read-only partition.
Reading symmetric keys
After the Hypervisor finishes the loading initialization of the symmetric secret keys, starting a plurality of virtual machines, and providing a uniform access interface for the virtual machines to use.
Symmetric encryption
Symmetric encryption uses an encryption method of a single cryptosystem, i.e. the same key can be used for both encryption and decryption of information. Common symmetric Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple Data Encryption Algorithm), AES (Advanced Encryption Standard), and Blowfish Encryption Algorithm, where AES is an Advanced Encryption Standard, which is a next generation Encryption Algorithm Standard, and has a high speed and a high security level, and those skilled in the art can select a symmetric Encryption Algorithm according to actual requirements.
Asymmetric encryption
The asymmetric encryption algorithm needs to use two secret keys for encryption and decryption, the two secret keys are a public key and a private key, the public key is public, the private key is private, the public key is used for encrypting data, only the corresponding private key can decrypt the data, the private key is used for encrypting the data, only the corresponding public key can decrypt the data, and the private key is stored by a generator, so that the security level of the asymmetric encryption is higher than that of the symmetric encryption. The asymmetric encryption has the disadvantage of low speed, so that the asymmetric encryption in the embodiment of the disclosure is applied to the key negotiation process, the data volume is small, and the communication speed is not influenced.
Non-network communication and network communication are described below by way of two examples, respectively.
Fig. 2 is a schematic flow chart illustrating a process of constructing non-network secure communication among multiple virtual machines based on Hypervisor according to an exemplary embodiment, where the implementation of the entire scheme is a communication channel virtualized among the virtual machines constructed by Hypervisor, and the communication channel includes a virtual pipe, a message queue, a shared memory communication channel, and the like.
As shown in fig. 2, vm1 and vm2 are virtual machines, and vm1 is a communication connection initiator, and the specific implementation flow is as follows.
Step 201, vm1 reads the symmetric key;
vm1 reads a symmetric key and an encryption algorithm from an interface provided by a Hypervisor layer, and non-network communication between virtual machines uses symmetric encryption and decryption;
step 202, vm1 obtains data to be sent;
vm1 generates original data to be sent according to own business requirements;
step 203, vm1 encrypts the original data;
encrypting original data by using a symmetric secret key based on a symmetric encryption algorithm to obtain a ciphertext;
step 204, vm2 reads the symmetric key;
vm2 reads a symmetric key and an encryption algorithm from an interface provided by a Hypervisor layer, non-network communication between virtual machines uses symmetric encryption and decryption, the virtual machines share the same set of symmetric key and algorithm, vm1 uses a data ciphertext encrypted by the symmetric key, and vm2 uses the same set of symmetric key to decrypt to obtain original data;
step 205, vm1 sends data ciphertext;
vm1 and vm2 establish a non-network communication channel, and vm1 sends the original data ciphertext to vm 2.
Step 206, the vm2 decrypts the data by the symmetric key;
and after receiving the data ciphertext, the vm2 decrypts the data ciphertext by using the read symmetric key and the algorithm to obtain original data.
Step 207, vm2 obtains data to be sent;
and the vm2 returns response data or constructs a new request service according to the service requirements of the two parties to generate original data to be sent.
Step 208, the vm2 encrypts data by using the symmetric key;
and encrypting the original data generated in the previous step by using the obtained symmetric key and the obtained algorithm.
Step 209, vm2 returns data;
and returning the data ciphertext obtained in the last step to vm 1.
Step 210, the vm1 decrypts data by using the symmetric key;
the vm1 receives the data ciphertext returned by the vm2, and decrypts the data ciphertext by using the symmetric key and the algorithm obtained in the step 201 to obtain the original data.
Step 201 and step 210 as above complete the implementation process of non-network secure communication between virtual machines, where the key point is that multiple virtual machines are built through the Hypervisor virtualization technology, and the secure key provided by the Hypervisor stores and provides a general access interface, so that the virtual machine running on the Hypervisor can read the symmetric key through the access interface provided by the Hypervisor.
Fig. 3 is a schematic flowchart illustrating a process of building network security communication between multiple virtual machines based on Hypervisor according to an exemplary embodiment, where vm1 and vm2 are virtual machines, where vm1 is a communication connection initiator, and the security communication includes a communication connection establishment process, a key negotiation process, and a data encryption transmission process, and a specific implementation flow is as follows.
Step 301, vm1 generates an asymmetric encryption key pair;
the network communication between the virtual machines uses asymmetric encryption and symmetric encryption methods, before communication connection is established, a new asymmetric encryption public key and a new asymmetric encryption private key are generated according to an asymmetric encryption generation algorithm, the public key is encrypted and sent to vm2, the private key is stored by vm1, and the steps belong to a secret key negotiation stage.
Step 302, vm1 reads the symmetric key;
vm1 needs to encrypt the asymmetric encryption public key obtained in step 301 and an asymmetric encryption algorithm, the encryption algorithm uses a symmetric encryption algorithm, and vm1 reads the symmetric public key and the symmetric encryption algorithm of the response from the interface provided by the Hypervisor layer.
Step 303, vm2 reads the symmetric key;
the public key is encrypted by symmetric encryption in the key negotiation stage, and vm2 needs to read the symmetric secret key and the algorithm to decrypt the public key and the asymmetric encryption algorithm of asymmetric encryption.
Step 304, vm1 encrypts an asymmetric encryption and decryption public key and an encryption algorithm;
the step 302 reads the symmetric key and the symmetric encryption algorithm to encrypt the asymmetric encryption public key and the asymmetric encryption algorithm generated in the step 301.
Step 305, vm1 establishes network communication
Network communication connection is actively initiated by vm1, and the communication foundation is virtual network communication constructed by Hypervisor.
Step 306, vm1 sends the ciphertext;
vm1 sends the ciphertext from step 304 to vm 2.
Step 307, vm2 decrypts the ciphertext;
the vm2 receives the ciphertext, decrypts the ciphertext with the symmetric key and the algorithm read in the step 302 to obtain an asymmetric encryption public key and an asymmetric encryption algorithm, and uses the asymmetric encryption public key and the asymmetric encryption algorithm to subsequently encrypt the data transmission key, and the ciphertext encrypted by the asymmetric public key can only be decrypted by using the paired private key.
Step 308, vm2 generates a data transmission key;
and generating a data transmission secret key for subsequent service data communication according to a symmetric encryption generation algorithm, wherein the symmetric encryption is selected by the data communication encryption algorithm, and the symmetric encryption algorithm has the advantage of high encryption speed.
Step 309, vm2 encrypts the data transmission key;
and (4) encrypting the data transmission secret key and the symmetric encryption algorithm generated in the step 308 by using the asymmetric encryption public key and the encryption algorithm obtained in the step 307 to obtain a ciphertext.
Step 310, the vm2 returns the encrypted data transmission key;
vm2 returns the encrypted ciphertext.
Step 311, the vm1 private key decrypts the data transmission key;
after the vm1 reads the data transmission ciphertext, the data transmission ciphertext is decrypted by using a private key to obtain original data, key negotiation is completed in the steps, the data communication between the subsequent virtual machines is communicated with the negotiated data transmission secret key, and the algorithm uses a symmetric encryption algorithm.
Step 312, vm1 obtains transmission data;
and according to the service requirement, vm1 generates original data to be sent.
Step 313, vm1 encrypts transmission data;
and encrypting the original data in the step 312 by using a symmetric encryption algorithm and a data transmission key to obtain a data ciphertext.
Step 314, vm1 sends the ciphertext;
and sending the encrypted data ciphertext.
Step 315, vm2 decrypts the ciphertext;
vm2 receives the original data cipher text, and decrypts the cipher text with the data transmission key obtained by the negotiation to obtain the original data.
Step 316, vm2 obtains transmission data;
the vm2 responds or establishes a new service request according to the service requirement, generates new data to be sent, and encrypts the new data to be sent by using the negotiated data transmission secret key to obtain a sending ciphertext.
Step 317, vm2 sends the encrypted ciphertext;
and transmitting the data ciphertext.
Step 318, vm1 decrypts the original data;
the vm1 receives the data, decrypts the data with the negotiated data transmission key, and obtains the original data.
Through the scheme, step 301-318 completes the function of network security communication between virtual machines, wherein the key step is a key negotiation process, symmetric encryption and asymmetric encryption are combined, keys used in symmetric encryption are stored in a separate nonvolatile storage device partition mounted on a Hypervisor layer, public keys and private keys of asymmetric encryption are regenerated before communication connection is established, and based on uniqueness of asymmetric encryption, the private keys are not provided externally and only stored in the secure virtual machines, so that communication security in the key negotiation process is ensured, and security level of network communication between the virtual machines is also enhanced. And the asymmetric secret key is used for establishing communication connection each time to generate a new secret key pair without storage, and compared with the situation that a set of encryption and decryption secret keys are used for a long time, the risk of being cracked exists.
Based on the same inventive concept, an embodiment of the present disclosure further provides a virtual machine communication apparatus, as shown in fig. 4, including: the Hypervisor module 401 is used for constructing a plurality of virtual machines; a key storage module 402, configured to store a symmetric key, where the symmetric key is stored in a Hypervisor layer, and a storage partition of the symmetric key is isolated from the multiple virtual machines; the symmetric key is used for network communication and/or non-network communication among the plurality of virtual machines; a network communication module 403, configured to construct a network communication mechanism between the plurality of virtual machines; a non-network communication module 404, configured to construct a non-network communication mechanism between the plurality of virtual machines.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 5 is a block diagram illustrating an electronic device 500 in accordance with an example embodiment. As shown in fig. 5, the electronic device 500 may include: a processor 501 and a memory 502. The electronic device 500 may also include one or more of a multimedia component 503, an input/output (I/O) interface 504, and a communication component 505.
The processor 501 is configured to control the overall operation of the electronic device 500, so as to complete all or part of the steps in the virtual machine communication method. The memory 502 is used to store various types of data to support operation at the electronic device 500, such as instructions for any application or method operating on the electronic device 500 and application-related data, such as contact data, messaging, pictures, audio, video, and so forth. The Memory 502 may be implemented by any type of volatile or non-volatile Memory device or combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic Memory, flash Memory, magnetic disk or optical disk. The multimedia component 503 may include a screen and an audio component. Wherein the screen may be, for example, a touch screen and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signal may further be stored in the memory 502 or transmitted through the communication component 505. The audio assembly also includes at least one speaker for outputting audio signals. The I/O interface 504 provides an interface between the processor 501 and other interface modules, such as a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 505 is used for wired or wireless communication between the electronic device 500 and other devices. Wireless Communication, such as Wi-Fi, bluetooth, Near Field Communication (NFC), 2G, 3G, 4G, NB-IOT, eMTC, or other 5G, etc., or a combination of one or more of them, which is not limited herein. The corresponding communication component 505 may thus comprise: Wi-Fi module, Bluetooth module, NFC module, etc.
In an exemplary embodiment, the electronic Device 500 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components for performing the above-described virtual machine communication method.
In another exemplary embodiment, there is also provided a computer readable storage medium comprising program instructions which, when executed by a processor, implement the steps of the virtual machine communication method described above. For example, the computer readable storage medium may be the memory 502 described above that includes program instructions executable by the processor 501 of the electronic device 500 to perform the virtual machine communication method described above.
In another exemplary embodiment, a computer program product is also provided, which comprises a computer program executable by a programmable apparatus, the computer program having code portions for performing the above-mentioned virtual machine communication method when executed by the programmable apparatus.
The preferred embodiments of the present disclosure are described in detail with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that, in the foregoing embodiments, various features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various combinations that are possible in the present disclosure are not described again.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.

Claims (9)

1. A virtual machine communication method based on Hypervisor is applied to a plurality of virtual machines constructed based on a virtual machine monitor Hypervisor, and is characterized by comprising the following steps:
the plurality of virtual machines read the symmetric keys from the storage partitions; the symmetric key is stored in a Hypervisor layer, the storage partition is isolated from the virtual machines, and the symmetric key is used for network communication and/or non-network communication among the virtual machines.
2. The method of claim 1, wherein the method of using the symmetric key for network communications comprises:
the first virtual machine and the second virtual machine use the symmetric secret key to carry out negotiation of a data transmission secret key; in the key negotiation process, the asymmetric encryption public key uses the symmetric key and a symmetric encryption algorithm to carry out encryption transmission, and the data transmission secret key uses the asymmetric encryption public key, a private key and the asymmetric encryption algorithm to carry out encryption transmission;
after the data transmission secret key is obtained through negotiation, the first virtual machine and the second virtual machine use the data transmission secret key to carry out data encryption transmission.
3. The method of claim 2, wherein the first virtual machine and the second virtual machine negotiating data transmission keys using the symmetric key comprises:
the first virtual machine generates the asymmetric encryption public key and the private key according to an asymmetric encryption secret key generation algorithm; the first virtual machine is a communication connection initiator;
establishing communication connection between the first virtual machine and the second virtual machine, wherein the first virtual machine uses the symmetric secret key to encrypt the public key and the asymmetric encryption algorithm to generate a first ciphertext;
the first virtual machine sends the first ciphertext to the second virtual machine;
after receiving the first ciphertext, the second virtual machine decrypts the first ciphertext by using the symmetric secret key to obtain the public key and the asymmetric encryption algorithm;
the second virtual machine generates a data transmission secret key according to a secret key generation algorithm of symmetric encryption, and encrypts the data transmission secret key by using the public key to generate a second ciphertext;
the second virtual machine sends the second ciphertext to the first virtual machine;
and after receiving the second ciphertext, the first virtual machine decrypts the second ciphertext by using the private key to obtain the data transmission secret key.
4. The method of claim 2, wherein the method of using the symmetric key for non-network communications comprises:
the first virtual machine acquires original data to be sent, and encrypts the original data by using the symmetric secret key; the first virtual machine is a communication connection initiator;
the first virtual machine sends the encrypted data to the second virtual machine;
and after receiving the encrypted data, the second virtual machine decrypts the encrypted data by using the symmetric secret key to obtain the original data.
5. The method of claim 1, wherein the plurality of virtual machines read symmetric keys stored in the storage partition through an interface provided by the Hypervisor.
6. The method of claim 1, wherein the storage partition is located on a key storage virtual machine different from the plurality of virtual machines.
7. A Hypervisor-based virtual machine communication apparatus, comprising:
the Hypervisor module is used for constructing a plurality of virtual machines;
the key storage module is used for storing a symmetric key, the symmetric key is stored in a Hypervisor layer, and a storage partition of the symmetric key is isolated from the virtual machines; the symmetric key is used for network communication and/or non-network communication among the plurality of virtual machines;
the network communication module is used for constructing a network communication mechanism among the plurality of virtual machines;
and the non-network communication module is used for constructing a non-network communication mechanism among the plurality of virtual machines.
8. A non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
9. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to carry out the steps of the method of any one of claims 1 to 6.
CN202210174882.8A 2022-02-25 2022-02-25 Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment Active CN114244515B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210174882.8A CN114244515B (en) 2022-02-25 2022-02-25 Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210174882.8A CN114244515B (en) 2022-02-25 2022-02-25 Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN114244515A true CN114244515A (en) 2022-03-25
CN114244515B CN114244515B (en) 2022-06-28

Family

ID=80748360

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210174882.8A Active CN114244515B (en) 2022-02-25 2022-02-25 Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114244515B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070016766A1 (en) * 2005-06-28 2007-01-18 Richmond Michael S Low cost trusted platform
CN101867530A (en) * 2010-05-31 2010-10-20 西安电子科技大学 Things-internet gateway system based on virtual machine and data interactive method
CN102073821A (en) * 2011-01-27 2011-05-25 北京工业大学 XEN platform-based virtual safety communication tunnel establishing method
CN102103551A (en) * 2009-12-22 2011-06-22 中国长城计算机深圳股份有限公司 Method and system for encrypting and decrypting storage equipment data, and virtual machine monitor
CN103414558A (en) * 2013-07-17 2013-11-27 电子科技大学 XEN cloud platform-based virtual machine block device isolation method
CN103532985A (en) * 2013-11-01 2014-01-22 中国联合网络通信集团有限公司 Communication method, equipment and system between virtual machines
US20140095868A1 (en) * 2012-10-02 2014-04-03 Ca, Inc. System and method for multi-layered sensitive data protection in a virtual computing environment
CN103748556A (en) * 2011-08-30 2014-04-23 惠普发展公司,有限责任合伙企业 Communication with a virtual trusted runtime bios
US8839451B1 (en) * 2006-08-07 2014-09-16 Moka5, Inc. Activation and security of software
CN104461678A (en) * 2014-11-03 2015-03-25 中国科学院信息工程研究所 Method and system for providing password service in virtualized environment
CN105471657A (en) * 2015-12-11 2016-04-06 航天恒星科技有限公司 Method, device and system for managing inter-domain communication log of virtual machine
US20220019698A1 (en) * 2016-08-11 2022-01-20 Intel Corporation Secure Public Cloud with Protected Guest-Verified Host Control

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070016766A1 (en) * 2005-06-28 2007-01-18 Richmond Michael S Low cost trusted platform
US8839451B1 (en) * 2006-08-07 2014-09-16 Moka5, Inc. Activation and security of software
CN102103551A (en) * 2009-12-22 2011-06-22 中国长城计算机深圳股份有限公司 Method and system for encrypting and decrypting storage equipment data, and virtual machine monitor
CN101867530A (en) * 2010-05-31 2010-10-20 西安电子科技大学 Things-internet gateway system based on virtual machine and data interactive method
CN102073821A (en) * 2011-01-27 2011-05-25 北京工业大学 XEN platform-based virtual safety communication tunnel establishing method
CN103748556A (en) * 2011-08-30 2014-04-23 惠普发展公司,有限责任合伙企业 Communication with a virtual trusted runtime bios
US20140095868A1 (en) * 2012-10-02 2014-04-03 Ca, Inc. System and method for multi-layered sensitive data protection in a virtual computing environment
CN103414558A (en) * 2013-07-17 2013-11-27 电子科技大学 XEN cloud platform-based virtual machine block device isolation method
CN103532985A (en) * 2013-11-01 2014-01-22 中国联合网络通信集团有限公司 Communication method, equipment and system between virtual machines
CN104461678A (en) * 2014-11-03 2015-03-25 中国科学院信息工程研究所 Method and system for providing password service in virtualized environment
CN105471657A (en) * 2015-12-11 2016-04-06 航天恒星科技有限公司 Method, device and system for managing inter-domain communication log of virtual machine
US20220019698A1 (en) * 2016-08-11 2022-01-20 Intel Corporation Secure Public Cloud with Protected Guest-Verified Host Control

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
DAN WANG ET AL.: ""A Hypervisor-Based Secure Storage Scheme"", 《2010 SECOND INTERNATIONAL CONFERENCE ON NETWORKS SECURITY, WIRELESS COMMUNICATIONS AND TRUSTED COMPUTING》 *
SHIH-WEI LI ET AL.: ""A Secure and Formally Verified Linux KVM Hypervisor"", 《2021 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP)》 *
刘谦等: "基于可信平台模块的虚拟机安全协议", 《信息安全与技术》 *
祝凯捷等: "密钥安全及其在虚拟化技术下的新发展", 《密码学报》 *
陈康等: "基于虚拟机的OpenSSH秘钥数据隔离方法", 《通信学报》 *

Also Published As

Publication number Publication date
CN114244515B (en) 2022-06-28

Similar Documents

Publication Publication Date Title
JP7209750B2 (en) Blockchain-based multi-party computing method, device, electronic device, non-transitory computer-readable storage medium and computer program
EP3916604A1 (en) Method and apparatus for processing privacy data of block chain, device, storage medium and coputer program product
JP6221014B1 (en) Secure shared key sharing system and method
EP3913850A1 (en) Key management method and related device
EP3123657B1 (en) Method and apparatus for cloud-assisted cryptography
US10122713B2 (en) Method and device for the secure authentication and execution of programs
CN111737366B (en) Private data processing method, device, equipment and storage medium of block chain
US8909939B1 (en) Distribution of cryptographic host keys in a cloud computing environment
CN106612275B (en) User terminal and method for transmitting and receiving messages
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
JPH03243035A (en) System and method for ciphered communication
CN108418817B (en) Encryption method and device
CN112055004A (en) Data processing method and system based on small program
CN110177099B (en) Data exchange method, transmitting terminal and medium based on asymmetric encryption technology
KR20160097892A (en) Apparatus and method for security service based virtualization
CN113849835B (en) Key processing method, device, equipment and storage medium
EP3682364A1 (en) Cryptographic services utilizing commodity hardware
CN109379345B (en) Sensitive information transmission method and system
US20200322158A1 (en) Method and apparatus for determining trust status of tpm, and storage medium
CN113612597A (en) Data calculation method, device and system and electronic equipment
US11411934B2 (en) System and method to securely broadcast a message to accelerators with switch
CN109450899B (en) Key management method and device, electronic equipment and storage medium
CN114244515B (en) Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment
CN113489706B (en) Data processing method, device, system, equipment and storage medium
CN115422547A (en) Data processing method, processor and related equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant