CN114244515B - Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment - Google Patents
- Publication number: CN114244515B (application CN202210174882.8A)
- Authority: CN (China)
- Prior art keywords
- virtual machine
- key
- symmetric
- secret key
- hypervisor
- Prior art date
- Legal status: Active (an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            - H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
            - H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
              - H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
              - H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F9/00—Arrangements for program control, e.g. control units
        - G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
          - G06F9/44—Arrangements for executing specific programs
            - G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
              - G06F9/45533—Hypervisors; Virtual machine monitors
                - G06F9/45558—Hypervisor-specific management and integration aspects
                  - G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Abstract
The disclosure relates to a Hypervisor-based virtual machine communication method and device, a readable storage medium and electronic equipment. The method is applied to a plurality of virtual machines constructed on a Hypervisor (virtual machine monitor) and comprises the following step: the virtual machines read the symmetric key from a storage partition, where the storage partition is located at the Hypervisor layer and isolated from the plurality of virtual machines, and the symmetric key is used for network communication and/or non-network communication among the plurality of virtual machines. In this scheme the symmetric key is not easy to crack, so the security of communication between the virtual machines is improved, and since the scheme does not add new hardware to store the key, hardware cost is reduced.
Description
Technical Field
The present disclosure relates to the field of communications, and in particular, to a Hypervisor-based virtual machine communication method and apparatus, a readable storage medium, and an electronic device.
Background
A Hypervisor, also called a Virtual Machine Monitor, hosts a plurality of virtual machines. Virtual machines that can establish a communication connection with the Internet through an access gateway router are unsafe virtual machines; virtual machines that establish no communication connection with the access gateway router are safe virtual machines. Data exchanged between the unsafe virtual machines and other terminals and servers on the Internet is encrypted in transit, but the communication data between the virtual machines themselves is plaintext.
Current communication encryption methods conventionally include symmetric encryption and asymmetric encryption. The encryption and decryption keys used by the symmetric and asymmetric encryption algorithms are usually stored, in encrypted form, in a file system accessible to the virtual machine; alternatively, the encryption and decryption keys are stored in an HSM (hardware security module).
In practice, the current communication between virtual machines carries the following risks: 1) plaintext transmission between the virtual machines is a security risk: once an unsafe virtual machine connected to the Internet is maliciously intruded, the data communicated between the virtual machines can be intercepted and decoded, causing data leakage; 2) an encryption and decryption key that is encrypted and stored in a file system accessible to the virtual machine is at risk of being cracked; 3) storing the encryption and decryption keys in an HSM increases hardware cost. The prior art therefore has the technical problem of low security in communication and transmission between virtual machines.
Disclosure of Invention
The disclosure aims to provide a Hypervisor-based virtual machine communication method and device, a readable storage medium and electronic equipment that solve the technical problem of low communication transmission security between virtual machines in the prior art.
In order to achieve the above object, a first aspect of the present disclosure provides a virtual machine communication method applied between multiple virtual machines constructed based on a Hypervisor, the method including:
the virtual machines read the symmetric key from a storage partition; the symmetric key is stored at the Hypervisor layer, the storage partition is isolated from the virtual machines, and the symmetric key is used for network communication and/or non-network communication among the virtual machines.
Optionally, using the symmetric key for network communication includes:
the first virtual machine and the second virtual machine use the symmetric key to negotiate a data transmission key; during the key negotiation, the asymmetric public key is transmitted encrypted with the symmetric key under a symmetric encryption algorithm, and the data transmission key is transmitted encrypted with the asymmetric public key, private key and asymmetric encryption algorithm;
after the data transmission key has been obtained through negotiation, the first virtual machine and the second virtual machine transmit data encrypted with the data transmission key.
Optionally, the first virtual machine and the second virtual machine negotiating the data transmission key using the symmetric key includes:
the first virtual machine generates the asymmetric public key and private key according to an asymmetric key generation algorithm, the first virtual machine being the communication connection initiator;
the first virtual machine and the second virtual machine establish a communication connection, and the first virtual machine encrypts the public key and the asymmetric encryption algorithm with the symmetric key to generate a first ciphertext;
the first virtual machine sends the first ciphertext to the second virtual machine;
after receiving the first ciphertext, the second virtual machine decrypts it with the symmetric key to obtain the public key and the asymmetric encryption algorithm;
the second virtual machine generates a data transmission key according to a symmetric key generation algorithm and encrypts it with the public key to generate a second ciphertext;
the second virtual machine sends the second ciphertext to the first virtual machine;
and after receiving the second ciphertext, the first virtual machine decrypts it with the private key to obtain the data transmission key.
Optionally, using the symmetric key for non-network communication includes:
the first virtual machine obtains the original data to be sent and encrypts it with the symmetric key, the first virtual machine being the communication connection initiator;
the first virtual machine sends the encrypted data to the second virtual machine;
and after receiving the encrypted data, the second virtual machine decrypts it with the symmetric key to obtain the original data.
Optionally, the plurality of virtual machines read the symmetric keys stored in the storage partition through an interface provided by the Hypervisor.
Optionally, the storage partition is located on a key storage virtual machine different from the plurality of virtual machines.
A second aspect of the present disclosure provides a virtual machine communication apparatus, including:
the Hypervisor module is used for constructing a plurality of virtual machines;
the key storage module is used for storing a symmetric key, the symmetric key is stored in a Hypervisor layer, and a storage partition of the symmetric key is isolated from the virtual machines; the symmetric key is used for network communication and/or non-network communication among the plurality of virtual machines;
the network communication module is used for constructing a network communication mechanism among the plurality of virtual machines;
and the non-network communication module is used for constructing a non-network communication mechanism among the plurality of virtual machines.
A third aspect of the disclosure provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of the first aspect.
A fourth aspect of the present disclosure provides an electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the method of the first aspect.
According to this technical scheme, the symmetric key is stored at the Hypervisor layer in a storage partition isolated from the virtual machines, and network communication and non-network communication between the virtual machines are carried out on the basis of that symmetric key. Because the scheme does not add new hardware to store the key, hardware cost is reduced.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
FIG. 1 is a schematic diagram of a virtual machine communication system shown in accordance with an exemplary embodiment;
FIG. 2 is a schematic flow diagram illustrating the construction of non-network secure communications among multiple virtual machines based on Hypervisor in accordance with an illustrative embodiment;
FIG. 3 is a schematic flow diagram illustrating a Hypervisor-based construction of network secure communications between multiple virtual machines in accordance with an illustrative embodiment;
FIG. 4 is a block diagram illustrating a virtual machine communication device in accordance with an exemplary embodiment;
FIG. 5 is a block diagram illustrating an electronic device in accordance with an example embodiment.
In the drawing, 401 is a Hypervisor module, 402 is a key storage module, 403 is a network communication module, 404 is a non-network communication module, 500 is an electronic device, 501 is a processor, 502 is a memory, 503 is a multimedia component, 504 is an (I/O) interface, and 505 is a communication component.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
The embodiment of the disclosure provides a technical scheme for communication between virtual machines on a Hypervisor and achieves secure data transmission between the virtual machines without increasing hardware cost. In the scheme, the symmetric encryption and decryption key (hereinafter referred to as the symmetric key) is stored in a separate nonvolatile storage device partition that is made accessible only to the Hypervisor, and a uniform access interface is provided for reading it. Non-network communication between the virtual machines uses a symmetric encryption algorithm. Network communication between the virtual machines uses both an asymmetric and a symmetric encryption algorithm and comprises establishing the network connection, a key negotiation process and a communication data encryption and decryption process. Together, these two secure communication methods realize secure data transmission between the virtual machines.
Compared with the traditional communication mode between virtual machines, the scheme is secure, cross-platform and uniform. Compared with the existing plaintext transmission between virtual machines, encrypted transmission better protects data security; the symmetric key storage mechanism and the access interface provided by the Hypervisor give multiple systems access to the symmetric key data through one mechanism, protecting the storage security and the uniformity of use of the key; and with encrypted transmission, non-network and network communication data between the virtual machines is hard to intercept, while the communication data is encrypted with a symmetric encryption algorithm, further strengthening transmission security.
Further, the symmetric key is stored in a separate nonvolatile storage device partition to which only the Hypervisor has access, so the storage partition is isolated from the virtual machines; and the scheme does not add new hardware for key storage (such as an HSM), which reduces hardware cost.
In one possible implementation, the storage partition of the symmetric key can be placed in a separate small virtual machine, which strengthens the security and decoupling of the storage data partition.
Next, a system in the embodiment of the present disclosure will be explained.
As shown in fig. 1, the system mainly comprises a Hypervisor, a key storage module, a network communication module between virtual machines, and a non-network communication module between virtual machines.
The main functions of the components are as follows:
Hypervisor
Used for running multiple virtual machines on one SoC (System on Chip). The Hypervisor can provide partition isolation, health monitoring, graphics monitoring, secure display, fast start and the like, and can isolate the system, including resource isolation of the Central Processing Unit (CPU), device I/O (input/output), memory, System Memory Management Unit (SMMU) and other resources; it also supports communication between virtual machines, such as virtual Ethernet, a fast messaging mechanism, memory zero-copy and the like.
Key storage module
The symmetric key is stored in a separate nonvolatile storage device partition that only the Hypervisor can access, and the Hypervisor provides an interface through which each virtual machine accesses it.
Network communication module between virtual machines
The Hypervisor constructs a network communication mechanism between the virtual machines and combines a symmetric and an asymmetric encryption method to secure that communication. Network communication involves three steps: establishing the network connection, key negotiation and encrypted data transmission. The key negotiation process uses both symmetric and asymmetric encryption: the public key is transmitted under symmetric encryption, the generated data transmission key is transmitted under asymmetric encryption (the public key encrypts the data transmission key and the private key decrypts it), and the result of the negotiation is a new data transmission key. The encrypted data transmission process uses a symmetric encryption algorithm with the data transmission key obtained from the key negotiation.
Non-network communication module based on Hypervisor between virtual machines
The Hypervisor constructs a non-network communication mechanism between the virtual machines, comprising virtual pipes, IPC (inter-process communication), shared memory and the like. Data to be sent is packaged in a specified format, encrypted with the symmetric key using a symmetric encryption algorithm, and sent to the target virtual machine through a communication method provided by the Hypervisor, where it is decrypted with the symmetric key to recover the original data.
In the embodiment of the present disclosure, the first virtual machine is abbreviated vm1 and the second virtual machine vm2. vm1 and vm2 select non-network or network communication according to their service requirements; as shown in fig. 1, network communication is used between application APP1 and application APP3, and non-network communication between application APP2 and application APP4. The foregoing is by way of example only, and the disclosure is not limited thereto.
When the system starts, the Hypervisor has to initialize the key storage module: it mounts the separate key storage partition into the Hypervisor and caches the symmetric key. The initial value of the symmetric key may be updated by a flashing tool or an upgrade, and the symmetric key storage partition may be a read-only partition.
Reading symmetric key
After the Hypervisor finishes the loading initialization of the symmetric keys, a plurality of virtual machines are started, and the Hypervisor provides a uniform access interface for the virtual machines to use.
Symmetric encryption
Symmetric encryption uses a single-key cryptosystem, i.e. the same key is used both to encrypt and to decrypt information. Common symmetric encryption algorithms include DES (Data Encryption Standard), 3DES (Triple Data Encryption Algorithm), AES (Advanced Encryption Standard) and Blowfish. AES, the Advanced Encryption Standard, is the next-generation encryption standard; it is fast and has a high security level. Those skilled in the art can select a symmetric encryption algorithm according to actual requirements.
Asymmetric encryption
An asymmetric encryption algorithm uses two keys, a public key and a private key, for encryption and decryption. The public key is public and the private key is private. Data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. Because the private key is held only by the party that generated it, the security level of asymmetric encryption is higher than that of symmetric encryption. Its disadvantage is low speed, so in the embodiment of the disclosure asymmetric encryption is applied only to the key negotiation process, where the data volume is small and communication speed is not affected.
Non-network communication and network communication are described below by way of two examples, respectively.
Fig. 2 is a schematic flow chart illustrating the construction of non-network secure communication among multiple virtual machines based on a Hypervisor according to an exemplary embodiment. The scheme is implemented over a communication channel virtualized among the virtual machines by the Hypervisor, which may be a virtual pipe, a message queue, a shared memory communication channel or the like.
As shown in fig. 2, vm1 and vm2 are virtual machines, and vm1 is a communication connection initiator, and the specific implementation flow is as follows.
Step 201, vm1 reads the symmetric key;
vm1 reads the symmetric key and the encryption algorithm from the interface provided by the Hypervisor layer; non-network communication between virtual machines uses symmetric encryption and decryption.
Step 202, vm1 obtains data to be sent;
vm1 generates the original data to be sent according to its own business requirements.
Step 203, vm1 encrypts the original data;
the original data is encrypted with the symmetric key using the symmetric encryption algorithm to obtain a ciphertext.
Step 204, vm2 reads the symmetric key;
vm2 reads the symmetric key and the encryption algorithm from the interface provided by the Hypervisor layer. Non-network communication between virtual machines uses symmetric encryption and decryption, and the virtual machines share the same symmetric key and algorithm: vm1 produces the data ciphertext with the symmetric key, and vm2 decrypts it with the same symmetric key to obtain the original data.
Step 205, vm1 sends the data ciphertext;
vm1 and vm2 establish a non-network communication channel, and vm1 sends the ciphertext of the original data to vm2.
Step 206, vm2 decrypts the data with the symmetric key;
after receiving the data ciphertext, vm2 decrypts it with the symmetric key and algorithm it read to obtain the original data.
Step 207, vm2 obtains data to be sent;
vm2 returns response data or constructs a new request according to the service requirements of the two parties, generating original data to be sent.
Step 208, vm2 encrypts the data with the symmetric key;
the original data generated in the previous step is encrypted with the symmetric key and algorithm obtained earlier.
Step 209, vm2 returns the data;
the data ciphertext obtained in the previous step is returned to vm1.
Step 210, vm1 decrypts the data with the symmetric key;
vm1 receives the data ciphertext returned by vm2 and decrypts it with the symmetric key and algorithm obtained in step 201 to obtain the original data.
Steps 201 to 210 complete the non-network secure communication between virtual machines. The key point is that multiple virtual machines are built with the Hypervisor virtualization technology, and the Hypervisor provides secure key storage together with a general access interface, so that a virtual machine running on the Hypervisor can read the symmetric key through that interface.
Fig. 3 is a schematic flowchart illustrating a process of building network security communication between multiple virtual machines based on Hypervisor according to an exemplary embodiment, where vm1 and vm2 are virtual machines, where vm1 is a communication connection initiator, and the security communication includes a communication connection establishment process, a key negotiation process, and a data encryption transmission process, and a specific implementation flow is as follows.
Step 301, vm1 generates an asymmetric encryption key pair;
the network communication between the virtual machines uses asymmetric encryption and symmetric encryption methods, before communication connection is established, a new asymmetric encryption public key and a new asymmetric encryption private key are generated according to an asymmetric encryption generation algorithm, the public key is encrypted and sent to vm2, the private key is stored by vm1, and the steps belong to a secret key negotiation stage.
Step 302, vm1 reads the symmetric key;
vm1 needs to encrypt the asymmetric encryption public key obtained in step 301 and an asymmetric encryption algorithm, the encryption algorithm uses a symmetric encryption algorithm, and vm1 reads the symmetric public key and the symmetric encryption algorithm of the response from the interface provided by the Hypervisor layer.
Step 303, vm2 reads the symmetric key;
the public key is encrypted by symmetric encryption in the key negotiation stage, and vm2 needs to read the symmetric secret key and the algorithm to decrypt the public key and the asymmetric encryption algorithm of asymmetric encryption.
Step 304, vm1 encrypts the asymmetric encryption and decryption public key and the encryption algorithm;
the step 302 reads the symmetric key and the symmetric encryption algorithm to encrypt the asymmetric encryption public key and the asymmetric encryption algorithm generated in the step 301.
Step 305, vm1 establishes network communication
Network communication connection is actively initiated by vm1, and the communication foundation is virtual network communication constructed by Hypervisor.
Step 306, vm1 sends the ciphertext;
vm1 sends the ciphertext from step 304 to vm 2.
Step 307, vm2 decrypts the ciphertext;
the vm2 receives the ciphertext, decrypts the ciphertext with the symmetric key and the algorithm read in the step 302 to obtain an asymmetric encryption public key and an asymmetric encryption algorithm, and uses the asymmetric encryption public key and the asymmetric encryption algorithm to subsequently encrypt the data transmission key, and the ciphertext encrypted by the asymmetric public key can only be decrypted by using the paired private key.
Step 308, vm2 generates a data transmission key;
vm2 generates a data transmission key for the subsequent service-data communication according to the key generation algorithm of the selected symmetric encryption algorithm. Symmetric encryption is chosen as the data communication encryption algorithm because of its high encryption speed.
Step 309, vm2 encrypts the data transmission key;
vm2 encrypts the data transmission key and the symmetric encryption algorithm generated in step 308 with the asymmetric public key and the asymmetric encryption algorithm obtained in step 307, producing a ciphertext.
Step 310, vm2 returns the encrypted data transmission key;
vm2 returns this ciphertext to vm1.
Step 311, vm1 decrypts the data transmission key with its private key;
vm1 reads the ciphertext and decrypts it with its private key to recover the data transmission key. Key negotiation is now complete: all subsequent data communication between the virtual machines uses the negotiated data transmission key with the symmetric encryption algorithm.
Step 312, vm1 obtains transmission data;
According to the service requirement, vm1 generates the original data to be sent.
Step 313, vm1 encrypts transmission data;
vm1 encrypts the original data from step 312 with the symmetric encryption algorithm and the data transmission key to obtain a data ciphertext.
Step 314, vm1 sends the ciphertext;
vm1 sends the data ciphertext to vm2.
Step 315, vm2 decrypts the ciphertext;
vm2 receives the data ciphertext and decrypts it with the negotiated data transmission key to obtain the original data.
Step 316, vm2 obtains transmission data;
According to the service requirement, vm2 responds or raises a new service request, generates the new data to be sent, and encrypts it with the negotiated data transmission key to obtain a sending ciphertext.
Step 317, vm2 sends the encrypted ciphertext;
vm2 sends the data ciphertext to vm1.
Step 318, vm1 decrypts the original data;
vm1 receives the data ciphertext and decrypts it with the negotiated data transmission key to obtain the original data.
Through this scheme, steps 301-318 implement secure network communication between virtual machines. The key step is the key negotiation process, which combines symmetric and asymmetric encryption: the key used for symmetric encryption is stored in a separate non-volatile storage partition mounted at the Hypervisor layer; the asymmetric public and private keys are regenerated before each communication connection is established; and, based on the asymmetric nature of the key pair, the private key is never provided externally and is held only in the secure virtual machine. This protects the key negotiation itself and raises the security level of network communication between the virtual machines. Because a new asymmetric key pair is generated for each connection and does not need to be stored, the scheme avoids the cracking risk that comes with using one set of encryption and decryption keys for a long time; the network communication method of this embodiment is therefore safer, and it adds no hardware cost for extra storage.
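The negotiation of steps 301 to 311 and the data exchange of steps 312 to 318, written out end to end as an added Go example; this is not code from the patent or its applicant. It fixes concrete choices the patent leaves open: RSA-2048 with OAEP for the asymmetric encryption, AES-256-GCM for the symmetric encryption, a hypothetical HypervisorKeyStore type standing in for the Hypervisor's key-access interface, a constructed 32-byte symmetric key, and a '|'-separated algorithm name carried in front of each key as the assumed wire format for "key plus algorithm". The same sealGCM/openGCM pair, used directly with the Hypervisor-held key, is the non-network path of claim 4.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Algorithm names travel in front of the key material; the receiver checks the name before use.
const algAsym, algSym = "RSA-OAEP-SHA256|", "AES-256-GCM|"

// HypervisorKeyStore stands in for the isolated partition: reachable only through this assumed interface.
type HypervisorKeyStore struct{ symmetricKey []byte }

func (h *HypervisorKeyStore) ReadSymmetricKey() []byte { return h.symmetricKey }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newGCM builds the symmetric cipher used for the first ciphertext, for all service data and for claim 4.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	return gcm
}

// sealGCM encrypts and authenticates plaintext, prepending a random nonce.
func sealGCM(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	must(err)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openGCM reverses sealGCM; a tampered or mis-keyed ciphertext returns an error.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Negotiate runs steps 301-311 between vm1 (initiator) and vm2 and returns the key each side holds.
func Negotiate(store *HypervisorKeyStore) (vm1Key, vm2Key []byte) {
	k := store.ReadSymmetricKey() // step 301: both VMs read the Hypervisor-held symmetric key

	// vm1, steps 302-304: fresh RSA key pair for this connection (private key never sent,
	// never stored); public key plus algorithm name go out under the symmetric key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	must(err)
	c1 := sealGCM(k, append([]byte(algAsym), pubDER...))

	// vm2, steps 307-310: open the first ciphertext with the same symmetric key, generate
	// the data transmission key and return it, with its algorithm, under vm1's public key.
	p1, err := openGCM(k, c1)
	must(err)
	if !bytes.HasPrefix(p1, []byte(algAsym)) {
		panic("vm2: unexpected asymmetric algorithm")
	}
	pubAny, err := x509.ParsePKIXPublicKey(p1[len(algAsym):])
	must(err)
	pub := pubAny.(*rsa.PublicKey) // a non-RSA key panics here, consistent with must()
	vm2Key = make([]byte, 32)
	_, err = rand.Read(vm2Key)
	must(err)
	c2, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, append([]byte(algSym), vm2Key...), nil)
	must(err)

	// vm1, step 311: decrypt the second ciphertext with the private key.
	p2, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c2, nil)
	must(err)
	if !bytes.HasPrefix(p2, []byte(algSym)) || len(p2) != len(algSym)+32 {
		panic("vm1: unexpected symmetric algorithm or key length")
	}
	return p2[len(algSym):], vm2Key
}

func main() {
	store := &HypervisorKeyStore{symmetricKey: bytes.Repeat([]byte{0x42}, 32)} // constructed sample key
	k1, k2 := Negotiate(store)
	p, err := openGCM(k2, sealGCM(k1, []byte("request from vm1"))) // steps 312-315
	must(err)
	fmt.Printf("keys agree: %v; vm2 received %q\n", bytes.Equal(k1, k2), p)
}
```

An authenticated mode (GCM) is used for every symmetric step on purpose: the first ciphertext is the only thing binding vm1's public key to the Hypervisor-held key, and the data transmission key is bound only to that public key, so each receiver rejects anything that does not decrypt and authenticate under the key it expects. Running Negotiate twice yields two different data transmission keys, which is the per-connection freshness the text above relies on.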
Based on the same inventive concept, an embodiment of the present disclosure further provides a virtual machine communication apparatus, as shown in fig. 4, including: the Hypervisor module 401 is used for constructing a plurality of virtual machines; a key storage module 402, configured to store a symmetric key, where the symmetric key is stored in a Hypervisor layer, and a storage partition of the symmetric key is isolated from the multiple virtual machines; the symmetric key is used for network communication and/or non-network communication among the plurality of virtual machines; a network communication module 403, configured to construct a network communication mechanism between the plurality of virtual machines; a non-network communication module 404, configured to construct a non-network communication mechanism between the plurality of virtual machines.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 5 is a block diagram of an electronic device 500 shown in accordance with an example embodiment. As shown in fig. 5, the electronic device 500 may include: a processor 501 and a memory 502. The electronic device 500 may also include one or more of a multimedia component 503, an input/output (I/O) interface 504, and a communication component 505.
The processor 501 controls the overall operation of the electronic device 500 so as to complete all or part of the steps of the virtual machine communication method. The memory 502 stores the various types of data that support operation of the electronic device 500, such as instructions for any application or method running on the device and application-related data such as contacts, messages, pictures, audio and video. The memory 502 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk. The multimedia component 503 may include a screen and an audio component, where the screen may be, for example, a touch screen, and the audio component outputs and/or inputs audio signals. For example, the audio component may include a microphone for receiving external audio signals; a received audio signal may be stored in the memory 502 or transmitted through the communication component 505. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 504 provides an interface between the processor 501 and other interface modules such as a keyboard, a mouse or buttons, which may be virtual or physical. The communication component 505 provides wired or wireless communication between the electronic device 500 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G, 4G, NB-IoT, eMTC, other 5G technologies, or a combination of one or more of them, which is not limited here; the corresponding communication component 505 may therefore comprise a Wi-Fi module, a Bluetooth module, an NFC module, and so on.
In an exemplary embodiment, the electronic Device 500 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components for performing the above-described virtual machine communication method.
In another exemplary embodiment, there is also provided a computer readable storage medium including program instructions which, when executed by a processor, implement the steps of the virtual machine communication method described above. For example, the computer readable storage medium may be the memory 502 described above that includes program instructions executable by the processor 501 of the electronic device 500 to perform the virtual machine communication method described above.
In another exemplary embodiment, a computer program product is also provided, which comprises a computer program executable by a programmable apparatus, the computer program having code portions for performing the above-mentioned virtual machine communication method when executed by the programmable apparatus.
The preferred embodiments of the present disclosure are described in detail above with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details in the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that, in the above embodiments, the various features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various possible combinations will not be further described in the present disclosure.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.
Claims (8)
1. A virtual machine communication method based on Hypervisor is applied to a plurality of virtual machines constructed based on a virtual machine monitor Hypervisor, and is characterized by comprising the following steps:
the plurality of virtual machines read the symmetric keys from the storage partitions; the symmetric key is stored in a Hypervisor layer, the storage partition is isolated from the virtual machines, the symmetric key in the storage partition is only provided for the Hypervisor to access, and the Hypervisor provides an interface for each virtual machine to access;
the symmetric key is used for data transmission key negotiation of network communication and for data transmission of non-network communication among the plurality of virtual machines;
in the negotiation process of the data transmission secret key of network communication, the data transmission secret key adopts an asymmetric encryption public key and a private key and an asymmetric encryption algorithm to carry out encryption transmission, and the asymmetric encryption public key carries out encryption transmission by using the symmetric secret key and the symmetric encryption algorithm.
2. The method of claim 1, wherein the method when the first virtual machine and the second virtual machine are in network communication comprises:
the first virtual machine and the second virtual machine use the symmetric secret key to carry out negotiation of a data transmission secret key;
after the data transmission secret key is obtained through negotiation, the first virtual machine and the second virtual machine perform data encryption transmission by using the data transmission secret key.
3. The method of claim 2, wherein the first virtual machine and the second virtual machine negotiate for a data transmission key using the symmetric key, comprising:
the first virtual machine generates the asymmetric encryption public key and the private key according to an asymmetric encryption secret key generation algorithm; the first virtual machine is a communication connection initiator;
a communication connection is established between the first virtual machine and the second virtual machine, wherein the first virtual machine encrypts the public key and the asymmetric encryption algorithm with the symmetric key to generate a first ciphertext;
the first virtual machine sends the first ciphertext to the second virtual machine;
after receiving the first ciphertext, the second virtual machine decrypts the first ciphertext by using the symmetric secret key to obtain the public key and the asymmetric encryption algorithm;
the second virtual machine generates a data transmission secret key according to a secret key generation algorithm of symmetric encryption, and encrypts the data transmission secret key by using the public key to generate a second ciphertext;
the second virtual machine sends the second ciphertext to the first virtual machine;
and after receiving the second ciphertext, the first virtual machine decrypts the second ciphertext by using the private key to obtain the data transmission secret key.
4. The method of claim 2, wherein the method of using the symmetric key for non-network communications comprises:
the first virtual machine acquires original data to be sent, and encrypts the original data by using the symmetric secret key; the first virtual machine is a communication connection initiator;
the first virtual machine sends the encrypted data to the second virtual machine;
and after receiving the encrypted data, the second virtual machine decrypts the encrypted data by using the symmetric secret key to obtain the original data.
5. The method of claim 1, wherein the storage partition is located on a key storage virtual machine different from the plurality of virtual machines.
6. A Hypervisor-based virtual machine communication apparatus, comprising:
the Hypervisor module is used for constructing a plurality of virtual machines;
a key storage module, configured to store a symmetric key, wherein the symmetric key is stored in the Hypervisor layer, the storage partition is isolated from the virtual machines, the symmetric key in the storage partition is only provided for the Hypervisor to access, and the Hypervisor provides an interface for each virtual machine to access; the symmetric key is used for data transmission key negotiation of network communication and for data transmission of non-network communication among the plurality of virtual machines;
a network communication module, configured to construct a network communication mechanism among the plurality of virtual machines; in the negotiation process of a data transmission key of network communication, the data transmission key is encrypted for transmission with an asymmetric encryption public key and private key and an asymmetric encryption algorithm, and the asymmetric encryption public key is encrypted for transmission with the symmetric key and the symmetric encryption algorithm;
and a non-network communication module, configured to construct a non-network communication mechanism among the plurality of virtual machines.
7. A non-transitory computer-readable storage medium, on which a computer program is stored, which program, when executed by a processor, performs the steps of the method of any one of claims 1 to 5.
8. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the method of any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210174882.8A CN114244515B (en) | 2022-02-25 | 2022-02-25 | Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210174882.8A CN114244515B (en) | 2022-02-25 | 2022-02-25 | Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114244515A CN114244515A (en) | 2022-03-25 |
CN114244515B true CN114244515B (en) | 2022-06-28 |
Family
ID=80748360
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210174882.8A Active CN114244515B (en) | 2022-02-25 | 2022-02-25 | Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114244515B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117527263A (en) * | 2023-12-21 | 2024-02-06 | 中国电信股份有限公司技术创新中心 | Secure communication method, device, equipment and storage medium between virtual machines |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8839451B1 (en) * | 2006-08-07 | 2014-09-16 | Moka5, Inc. | Activation and security of software |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8806224B2 (en) * | 2005-06-28 | 2014-08-12 | Intel Corporation | Low cost trusted platform |
CN102103551A (en) * | 2009-12-22 | 2011-06-22 | 中国长城计算机深圳股份有限公司 | Method and system for encrypting and decrypting storage equipment data, and virtual machine monitor |
CN101867530B (en) * | 2010-05-31 | 2012-10-24 | 西安电子科技大学 | Virtual-machine-based Internet of Things gateway system and data interaction method |
CN102073821B (en) * | 2011-01-27 | 2012-10-31 | 北京工业大学 | XEN platform-based virtual safety communication tunnel establishing method |
CN103748556B (en) * | 2011-08-30 | 2018-02-02 | 惠普发展公司,有限责任合伙企业 | Communication with a virtual trusted runtime BIOS |
US8700898B1 (en) * | 2012-10-02 | 2014-04-15 | Ca, Inc. | System and method for multi-layered sensitive data protection in a virtual computing environment |
CN103414558A (en) * | 2013-07-17 | 2013-11-27 | 电子科技大学 | XEN cloud platform-based virtual machine block device isolation method |
CN103532985B (en) * | 2013-11-01 | 2016-08-24 | 中国联合网络通信集团有限公司 | Communication method, device and system between virtual machines |
CN104461678B (en) * | 2014-11-03 | 2017-11-24 | 中国科学院信息工程研究所 | Method and system for providing cryptographic services in a virtualized environment |
CN105471657B (en) * | 2015-12-11 | 2019-12-13 | 航天恒星科技有限公司 | Inter-domain communication log management method, device and system for virtual machines |
US11989332B2 (en) * | 2016-08-11 | 2024-05-21 | Intel Corporation | Secure public cloud with protected guest-verified host control |
Timeline: 2022-02-25, CN application CN202210174882.8A, patent CN114244515B, status Active.
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8839451B1 (en) * | 2006-08-07 | 2014-09-16 | Moka5, Inc. | Activation and security of software |
Non-Patent Citations (5)
Title |
---|
"A Hypervisor-Based Secure Storage Scheme"; Dan Wang et al.; 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing; 20100607; full text * |
"A Secure and Formally Verified Linux KVM Hypervisor"; Shih-Wei Li et al.; 2021 IEEE Symposium on Security and Privacy (SP); 20210826; full text * |
"Virtual machine security protocol based on the trusted platform module"; 刘谦 et al.; Information Security and Technology; 20100810 (No. 06); full text * |
"Virtual-machine-based OpenSSH key data isolation method"; 陈康 et al.; Journal on Communications; 20090215 (No. 02); full text * |
"Key security and its new developments under virtualization technology"; 祝凯捷 et al.; Journal of Cryptologic Research; 20160215 (No. 01); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN114244515A (en) | 2022-03-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP7209750B2 (en) | Blockchain-based multi-party computing method, device, electronic device, non-transitory computer-readable storage medium and computer program | |
EP3916604B1 (en) | Method and apparatus for processing privacy data of block chain, device, storage medium and computer program product | |
US10609006B2 (en) | Self-encrypting key management system | |
CN111737366B (en) | Private data processing method, device, equipment and storage medium of block chain | |
US10122713B2 (en) | Method and device for the secure authentication and execution of programs | |
US8909939B1 (en) | Distribution of cryptographic host keys in a cloud computing environment | |
US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
JPH03243035A (en) | System and method for ciphered communication | |
CN112055004A (en) | Data processing method and system based on small program | |
CN110177099B (en) | Data exchange method, transmitting terminal and medium based on asymmetric encryption technology | |
CN103986723B (en) | Secret communication control, secret communication method and device | |
CN113849835B (en) | Key processing method, device, equipment and storage medium | |
CN109379345B (en) | Sensitive information transmission method and system | |
CN113612597A (en) | Data calculation method, device and system and electronic equipment | |
CN114244515B (en) | Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment | |
EP3720042B1 (en) | Method and device for determining trust state of tpm, and storage medium | |
CN113489706B (en) | Data processing method, device, system, equipment and storage medium | |
CN114691034A (en) | Data storage method and data processing equipment | |
CN114338179A (en) | Page encryption method, page decryption method, device, terminal and server | |
CN114173328A (en) | Key exchange method and device and electronic equipment | |
WO2024158886A1 (en) | Non-custodial techniques for data encryption and decryption | |
CN109450899B (en) | Key management method and device, electronic equipment and storage medium | |
US12058257B2 (en) | Data storage method, data read method, electronic device, and program product | |
CN115801252A (en) | Safe cloud desktop system combined with quantum encryption technology | |
CN115422547A (en) | Data processing method, processor and related equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |