CN114938275A - Method, apparatus, medium, and device for migrating virtual machine using quantum key - Google Patents


Info

Publication number: CN114938275A
Application number: CN202210856236.XA
Authority: CN (China)
Prior art keywords: key, virtual, quantum key, quantum, data
Prior art date
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN114938275B (en)
Inventors: 高光辉, 王其兵, 王林松, 陈柳平
Current assignee: Guokaike Quantum Technology Beijing Co Ltd
Original assignee: Guokaike Quantum Technology Beijing Co Ltd
Priority date
Filing date
Publication date

Application events
Application filed by Guokaike Quantum Technology Beijing Co Ltd
Priority to CN202210856236.XA
Publication of CN114938275A
Application granted
Publication of CN114938275B
Active legal status
Anticipated expiration

Classifications (CPC)

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing

Abstract

The invention provides a method, a device, a medium and equipment for migrating a virtual machine by using a quantum key, wherein the method comprises the following steps: locking a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of the first virtual key manager as a session key for migration; sending a notification that the quantum key is locked to a quantum key distribution node comprising a second virtual key manager; encrypting, by the first virtual key manager, data of the virtual machine using the locked quantum key to securely migrate the data of the virtual machine from the first compute node to the second compute node. The invention can safely migrate the virtual machine by using the quantum key between different computing nodes connected to the same quantum key distribution node, and simultaneously keep the symmetry of the quantum key between different quantum key distribution nodes in the cloud computing platform.

Description

Method, apparatus, medium, and device for migrating virtual machine using quantum key
Technical Field
The present invention relates to the field of quantum encryption and decryption technologies, and in particular, to a method, an apparatus, a medium, and a device for migrating a virtual machine using a quantum key.
Background
In a quantum key based cloud computing platform, symmetric quantum keys may be used for different compute nodes connected to different quantum key distribution nodes to encrypt and decrypt data communicated between the compute nodes to ensure security of cloud stored data. However, using symmetric quantum keys for different compute nodes connected to the same quantum key distribution node to encrypt and decrypt data communicated between the compute nodes may break the symmetry of the quantum keys between the different quantum key distribution nodes and reduce the security of cloud stored data.
Disclosure of Invention
The invention aims to provide a method, a device, a medium and equipment for migrating a virtual machine by using a quantum key.
According to an aspect of the present invention, there is provided a method of migrating a virtual machine using a quantum key, the method including: locking a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of a first virtual key manager as a session key for migration in response to a notification of the migration of a virtual machine from a first compute node to a second compute node; sending a notification to a quantum key distribution node comprising a second virtual key manager that the quantum key is locked as a session key for the migration, the notification comprising an identification of the quantum key, such that the quantum key distribution node destroys, in response to the notification, a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of the second virtual key manager that corresponds to the identification of the quantum key; encrypting, by a first virtual key manager, data of a virtual machine using a locked quantum key in response to a data encryption request from a first compute node, the data encryption request including data of the virtual machine; transmitting the encrypted data of the virtual machine back to the first computing node as a response to the data encryption request, and migrating the encrypted data of the virtual machine to the second computing node by the first computing node; decrypting, by the first virtual key manager, the encrypted data of the virtual machine using the locked quantum key in response to a data decryption request from the second compute node, the data decryption request including the encrypted data of the virtual machine; and transmitting the decrypted data of the virtual machine back to the second computing node as a response to the data decryption request.
According to an embodiment of the invention, the method further comprises: obtaining a ciphertext of the locked quantum key from the quantum key pool of the first virtual key manager; acquiring the quantum key encryption key of the locked quantum key from the encryption card according to the identifier of the locked quantum key; and decrypting the locked quantum key from its ciphertext using that quantum key encryption key.
According to another aspect of the present invention, there is provided a method of migrating a virtual machine using a quantum key, the method comprising: receiving a notification from a quantum key distribution node comprising a first virtual key manager that a quantum key between the first virtual key manager and a second virtual key manager is locked as a session key for the migration, the notification comprising an identification of the quantum key; and destroying, in response to the notification, the quantum key between the first virtual key manager and the second virtual key manager that corresponds to the identification of the quantum key in the quantum key pool of the second virtual key manager.
According to another aspect of the present invention, there is provided an apparatus for migrating a virtual machine using a quantum key, the apparatus including: a quantum key locking unit configured to lock a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of a first virtual key manager as a session key for migration in response to a notification of the virtual machine migrating from a first compute node to a second compute node; a quantum key lock notification unit configured to send a notification to a quantum key distribution node comprising a second virtual key manager that the quantum key is locked as a session key for the migration, the notification comprising an identification of the quantum key, such that the quantum key distribution node destroys, in response to the notification, a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of the second virtual key manager that corresponds to the identification of the quantum key; a virtual machine data encryption unit configured to encrypt data of a virtual machine using a locked quantum key by a first virtual key manager in response to a data encryption request from a first compute node, the data encryption request including data of the virtual machine; a first data transmission unit configured to transmit the encrypted data of the virtual machine back to the first computing node as a response to the data encryption request, the first computing node migrating the encrypted data of the virtual machine to the second computing node; a virtual machine data decryption unit configured to decrypt, by the first virtual key manager, the encrypted data of the virtual machine using the locked quantum key in response to a data decryption request from the second compute node, the data decryption request including the encrypted data of the virtual machine; a second data transfer unit configured to transfer the decrypted data of the virtual machine back to the second computing node as a response to the data decryption request.
According to an embodiment of the invention, the apparatus further comprises: a quantum key ciphertext obtaining unit configured to obtain a ciphertext of the locked quantum key from a quantum key pool of the first virtual key manager; a quantum key encryption key obtaining unit configured to obtain a quantum key encryption key of the locked quantum key from the encryption card according to the identifier of the locked quantum key; a quantum key decryption unit configured to decrypt the locked quantum key from the ciphertext of the locked quantum key using a quantum key encryption key of the locked quantum key.
According to another aspect of the present invention, there is provided an apparatus for migrating a virtual machine using a quantum key, the apparatus including: a quantum key lock notification unit configured to receive a notification from a quantum key distribution node comprising a first virtual key manager that a quantum key between the first virtual key manager and a second virtual key manager is locked as a session key for the migration, the notification comprising an identification of the quantum key; and a quantum key destruction response unit configured to destroy, in response to the notification, the quantum key between the first virtual key manager and the second virtual key manager that corresponds to the identification of the quantum key in the quantum key pool of the second virtual key manager.
According to another aspect of the invention, there is provided a computer readable storage medium storing a computer program which, when executed by a processor, implements the method for migrating a virtual machine using quantum keys as described above.
According to another aspect of the present invention, there is provided a computer apparatus comprising: a processor; a memory storing a computer program that, when executed by the processor, implements a method of migrating a virtual machine using quantum keys as previously described.
The method, the device, the medium and the equipment for migrating the virtual machine by using the quantum key can safely migrate the virtual machine by using the quantum key among different computing nodes connected to the same quantum key distribution node, and simultaneously keep the symmetry of the quantum key among different quantum key distribution nodes in a cloud computing platform.
Drawings
The above objects and features of the present invention will become more apparent from the following description when taken in conjunction with the accompanying drawings.
FIG. 1 shows a schematic diagram of a cloud computing platform according to an exemplary embodiment of the present invention.
Fig. 2 shows a schematic flow diagram of a method for migrating a virtual machine using quantum keys according to an exemplary embodiment of the present invention.
FIG. 3 illustrates another schematic flow chart diagram of a method for migrating a virtual machine using quantum keys in accordance with an exemplary embodiment of the present invention.
Fig. 4 shows a schematic operational timing diagram for migrating a virtual machine using quantum keys in a cloud computing platform according to an exemplary embodiment of the present invention.
Fig. 5 is a schematic block diagram illustrating an apparatus for migrating a virtual machine using a quantum key according to an exemplary embodiment of the present invention.
Fig. 6 illustrates another schematic block diagram of an apparatus for migrating a virtual machine using a quantum key according to an exemplary embodiment of the present invention.
Fig. 7 shows a schematic architecture diagram of a system for migrating virtual machines using quantum keys in a cloud computing platform according to an exemplary embodiment of the present invention.
Fig. 8 illustrates an exemplary data interaction process for migrating a virtual machine using quantum keys in a cloud computing platform according to an exemplary embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 shows a schematic diagram of a cloud computing platform according to an exemplary embodiment of the present invention.
Referring to fig. 1, in the cloud computing platform shown in fig. 1, different computing platforms may be connected to different quantum key distribution nodes, and one or more virtual machines may run on each computing platform. On each quantum key distribution node, one or more virtual key managers may be generated based on a virtualization technique to provide data encryption and decryption services for the corresponding virtual machines. The virtual key managers in the same quantum key distribution node may be data-isolated from one another, so that data access between them is impossible; this reduces the risk of a quantum key leaking from one virtual key manager to another within the same quantum key distribution node.
In addition, in the cloud computing platform shown in fig. 1, each quantum key distribution node is connected not only to its corresponding computing platform but also to a quantum key distribution device (QKD device for short, not shown). The QKD device performs quantum key distribution with the QKD devices connected to the other quantum key distribution nodes in the cloud computing platform; by performing basis comparison and data post-processing on the quantum light exchanged during quantum key distribution, appropriate symmetric quantum keys are sifted out, which provide security for data transmission between different compute nodes or different virtual machines in the cloud computing platform.
For example, when a virtual machine migrates from compute node A to compute node C due to a device failure or other reasons, and compute node A and compute node C are connected to different quantum key distribution nodes, a symmetric quantum key for use between compute node A and compute node C may be generated by performing quantum key distribution between the quantum key distribution node to which compute node A is connected and the quantum key distribution node to which compute node C is connected, ensuring the security of the virtual machine during migration. However, consider a virtual machine that migrates from compute node A to compute node B due to a device failure or other reasons, where compute node A and compute node B are both connected to the same quantum key distribution node, and the virtual key manager assigned to the virtual machine before migration and the one assigned after migration are the same virtual key manager. If quantum keys in the quantum key pool of that virtual key manager are used directly to encrypt and decrypt the migrated virtual machine data, a key is consumed on one side only, and the symmetry of quantum keys between different quantum key distribution nodes in the cloud computing platform may be broken.
To address this, the present invention proposes hereinafter a method and apparatus for migrating a virtual machine using a quantum key that avoids the above-mentioned problem.
Fig. 2 shows a schematic flow diagram of a method for migrating a virtual machine using quantum keys according to an exemplary embodiment of the present invention.
Referring to fig. 2, the method illustrated in fig. 2 may include the following steps.
In step 201, a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of a first virtual key manager may be locked as a session key for migration in response to a notification of a migration of a virtual machine from a first compute node to a second compute node.
At step 202, a notification that the quantum key is locked as a session key for migration may be sent to a quantum key distribution node that includes the second virtual key manager, the notification including an identification of the quantum key, such that the quantum key distribution node destroys, in response to the notification, the quantum key between the first virtual key manager and the second virtual key manager in the quantum key pool of the second virtual key manager that corresponds to the identification of the quantum key.
In step 203, data of the virtual machine may be encrypted by the first virtual key manager using the locked quantum key in response to a data encryption request from the first compute node, the data encryption request including data of the virtual machine.
At step 204, the encrypted data of the virtual machine may be transmitted back to the first computing node as a response to the data encryption request, and the first computing node migrates the encrypted data of the virtual machine to the second computing node.
In step 205, the encrypted data of the virtual machine may be decrypted by the first virtual key manager using the locked quantum key in response to a data decryption request from the second compute node, the data decryption request including the encrypted data of the virtual machine.
At step 206, the decrypted data of the virtual machine may be transmitted back to the second computing node as a response to the data decryption request.
In the cloud computing platform, the quantum keys may be stored in the quantum key pools of the respective virtual key managers in a form of ciphertext, and thus, before encrypting and decrypting data of the virtual machines using the locked quantum keys, the ciphertext of the locked quantum keys may be obtained from the quantum key pool of the first virtual key manager, the quantum key encryption key of the locked quantum keys may be obtained from the encryption card according to the identification of the locked quantum keys, and the locked quantum keys may be decrypted from the ciphertext of the locked quantum keys using the quantum key encryption key of the locked quantum keys. In an example, the quantum key distribution node where the first virtual key manager is located includes an encryption card, and the encryption card may be pre-provisioned with quantum key encryption keys of respective quantum keys in a quantum key pool of the first virtual key manager.
The above method may be performed in a quantum key distribution node comprising a first virtual key manager to ensure secure migration of a virtual machine from a first compute node to a second compute node, during which the first virtual key manager for providing data encryption and decryption services to the virtual machine may be configured to provide data encryption and decryption services to the first compute node and the second compute node to enable the secure migration.
FIG. 3 illustrates another schematic flow chart of a method for migrating a virtual machine using quantum keys in accordance with an exemplary embodiment of the present invention.
Referring to fig. 3, the method illustrated in fig. 3 may include the following steps.
At step 301, a notification may be received from a quantum key distribution node comprising the first virtual key manager that a quantum key between the first virtual key manager and a second virtual key manager is locked as a session key for migration, the notification comprising an identification of the quantum key.
At step 302, a quantum key between the first virtual key manager and the second virtual key manager corresponding to the identification of the quantum key in the quantum key pool of the second virtual key manager may be destroyed in response to the notification.
The above method may be performed in a quantum key distribution node comprising a second virtual key manager to maintain quantum key symmetry between different quantum key distribution nodes in a cloud computing platform.
Fig. 4 shows a schematic operational timing diagram for migrating a virtual machine using quantum keys in a cloud computing platform according to an exemplary embodiment of the present invention.
Referring to fig. 4, in the cloud computing platform, the virtual key manager VQKM1 may be generated in the quantum key distribution node QKDN1 based on virtualization technology, and the virtual key manager VQKM2 may be generated in the quantum key distribution node QKDN2 based on virtualization technology. When the virtual machine VM migrates from compute node A to compute node B due to equipment failure or other reasons, in the case that compute node A and compute node B are both connected to the quantum key distribution node QKDN1, and the virtual key manager allocated to the virtual machine VM before migration and the virtual key manager allocated to the virtual machine VM after migration are both the virtual key manager VQKM1, the virtual machine VM may be migrated in the following operation sequence.
First, in operation S401, the quantum key distribution node QKDN1 may lock the quantum key A between the virtual key manager VQKM1 and the virtual key manager VQKM2 in the quantum key pool of the virtual key manager VQKM1 as a session key for migration, in response to a notification of migration of the virtual machine VM from compute node A to compute node B.
Next, in operation S402, the quantum key distribution node QKDN1 may send a notification to the quantum key distribution node QKDN2, which includes the virtual key manager VQKM2, that the quantum key A is locked as a session key for migration, the notification including an identification of the quantum key A.
Next, in operation S403, the quantum key distribution node QKDN2 may receive the notification from the quantum key distribution node QKDN1 that the quantum key A between the virtual key manager VQKM1 and the virtual key manager VQKM2 is locked as a session key for migration, the notification including the identification of the quantum key A.
Next, in operation S404, the quantum key distribution node QKDN2 may, in response to the notification, destroy the quantum key between the virtual key manager VQKM1 and the virtual key manager VQKM2 that corresponds to the identification of the quantum key A in the quantum key pool of the virtual key manager VQKM2.
Next, in operation S405, the quantum key distribution node QKDN1 may encrypt, by the virtual key manager VQKM1, data of the virtual machine VM using the locked quantum key A in response to a data encryption request from compute node A, the data encryption request including the data of the virtual machine VM.
Next, in operation S406, the quantum key distribution node QKDN1 may transmit the encrypted data of the virtual machine VM back to compute node A as a response to the data encryption request, and compute node A migrates the encrypted data of the virtual machine VM to compute node B.
Next, in operation S407, the quantum key distribution node QKDN1 may decrypt, by the virtual key manager VQKM1, the encrypted data of the virtual machine VM using the locked quantum key A in response to a data decryption request from compute node B, the data decryption request including the encrypted data of the virtual machine VM.
Finally, in operation S408, the quantum key distribution node QKDN1 may transmit the decrypted data of the virtual machine VM back to compute node B as a response to the data decryption request.
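The operation sequence S401 to S408 above (the QKDN1-side steps 201 to 206 and the QKDN2-side steps 301 to 302), together with the unwrapping of a pool key through the encryption card's quantum key encryption key, as an added Python simulation; this is not code from the patent or its assignee. Assumptions: the patent names no cipher, so an HMAC-SHA256 counter keystream with an encrypt-then-MAC tag stands in for it; key ids, pool size and the VM bytes are constructed; the page does not say what happens to the locked key once migration completes, so the example leaves it locked and excludes locked keys from the symmetry check. The `notify_peer=False` path reproduces the Background's failure mode: a pool key used on one side without the lock notification leaves the two key pools out of step.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived with HMAC-SHA256; a stdlib stand-in for
    # the symmetric cipher the patent leaves unspecified (assumption).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered blob raises instead of decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptionCard:
    """Pre-provisioned quantum key encryption keys (KEKs), one per key id in a pool."""
    def __init__(self):
        self._keks = {}

    def provision(self, key_id, kek):
        self._keks[key_id] = kek

    def kek_for(self, key_id):
        return self._keks[key_id]


class VirtualKeyManager:
    def __init__(self, name, card):
        self.name, self.card = name, card
        self.pool = {}       # key id -> quantum key stored as ciphertext under its KEK
        self.locked = set()  # key ids reserved as migration session keys

    def store(self, key_id, raw_key):
        kek = secrets.token_bytes(32)
        self.card.provision(key_id, kek)
        self.pool[key_id] = seal(kek, raw_key)

    def unwrap(self, key_id):
        # Ciphertext from the pool plus the KEK looked up by key id on the card.
        return unseal(self.card.kek_for(key_id), self.pool[key_id])

    def available(self):
        # Keys usable for new sessions: everything in the pool that is not locked.
        return {k: self.unwrap(k) for k in self.pool if k not in self.locked}


class QKDNode:
    def __init__(self, name, vqkm):
        self.name, self.vqkm = name, vqkm

    def on_lock_notification(self, key_id):
        # Steps S403/S404 (301/302): drop this node's copy of the locked key.
        self.vqkm.pool.pop(key_id, None)


def distribute(vqkm1, vqkm2, count):
    # Stands in for QKD between the two nodes' QKD devices: same key, same id, both pools.
    for i in range(count):
        key_id, raw = f"key-{i}", secrets.token_bytes(32)
        vqkm1.store(key_id, raw)
        vqkm2.store(key_id, raw)


def pools_symmetric(vqkm1, vqkm2):
    return vqkm1.available() == vqkm2.available()


def migrate_vm(qkdn1, qkdn2, vm_data, notify_peer=True):
    vqkm1 = qkdn1.vqkm
    key_id = next(k for k in vqkm1.pool if k not in vqkm1.locked)
    vqkm1.locked.add(key_id)                  # S401: lock key A as the session key
    if notify_peer:
        qkdn2.on_lock_notification(key_id)    # S402: notify QKDN2 with the key id
    session_key = vqkm1.unwrap(key_id)
    encrypted = seal(session_key, vm_data)    # S405/S406: VQKM1 encrypts for node A
    in_transit = bytes(encrypted)             # node A ships the ciphertext to node B
    return unseal(session_key, in_transit)    # S407/S408: VQKM1 decrypts for node B


def demo(notify_peer=True):
    qkdn1 = QKDNode("QKDN1", VirtualKeyManager("VQKM1", EncryptionCard()))
    qkdn2 = QKDNode("QKDN2", VirtualKeyManager("VQKM2", EncryptionCard()))
    distribute(qkdn1.vqkm, qkdn2.vqkm, 4)
    vm_data = b"constructed VM memory/disk image bytes"  # constructed sample input
    recovered = migrate_vm(qkdn1, qkdn2, vm_data, notify_peer)
    return recovered == vm_data, pools_symmetric(qkdn1.vqkm, qkdn2.vqkm)


if __name__ == "__main__":
    print("with lock notification   :", demo(True))    # (True, True)
    print("without lock notification:", demo(False))   # (True, False)
```

`demo(True)` returns `(True, True)`: the VM data survives the round trip and the unlocked keys in the two pools still match. `demo(False)` returns `(True, False)`: the data still migrates, but VQKM2's pool keeps a key that VQKM1 can no longer offer, which is the asymmetry the lock notification is there to prevent.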
Fig. 5 is a schematic block diagram illustrating an apparatus for migrating a virtual machine using a quantum key according to an exemplary embodiment of the present invention.
Referring to fig. 5, an apparatus for migrating a virtual machine using a quantum key according to an exemplary embodiment of the present invention may include at least a quantum key locking unit 501, a quantum key locking notification unit 502, a virtual machine data encryption unit 503, a first data transfer unit 504, a virtual machine data decryption unit 505, and a second data transfer unit 506.
In the apparatus shown in fig. 5, the quantum key locking unit 501 is configured to lock a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of the first virtual key manager as a session key for migration in response to a notification that a virtual machine migrates from a first compute node to a second compute node; the quantum key lock notification unit 502 is configured to send a notification that the quantum key is locked as a session key for migration to a quantum key distribution node including the second virtual key manager, the notification including an identification of the quantum key, such that the quantum key distribution node destroys, in response to the notification, the quantum key between the first virtual key manager and the second virtual key manager in the quantum key pool of the second virtual key manager that corresponds to the identification of the quantum key; the virtual machine data encryption unit 503 is configured to encrypt, by the first virtual key manager, data of the virtual machine using the locked quantum key in response to a data encryption request from the first compute node, the data encryption request including the data of the virtual machine; the first data transmission unit 504 is configured to transmit the encrypted data of the virtual machine back to the first computing node as a response to the data encryption request, where the first computing node migrates the encrypted data of the virtual machine to the second computing node; the virtual machine data decryption unit 505 is configured to decrypt, by the first virtual key manager, the encrypted data of the virtual machine using the locked quantum key in response to a data decryption request from the second compute node, the data decryption request including the encrypted data of the virtual machine; and the second data transfer unit 506 is configured to transfer the decrypted data of the virtual machine back to the second computing node as a response to the data decryption request.
In addition, the apparatus shown in fig. 5 further includes a quantum key ciphertext obtaining unit, a quantum key encryption key obtaining unit, and a quantum key decryption unit (none shown). The quantum key ciphertext obtaining unit is configured to obtain the ciphertext of the locked quantum key from the quantum key pool of the first virtual key manager; the quantum key encryption key obtaining unit is configured to obtain the quantum key encryption key of the locked quantum key from the encryption card according to the identifier of the locked quantum key; and the quantum key decryption unit is configured to decrypt the locked quantum key from its ciphertext using that quantum key encryption key.
Fig. 6 illustrates another schematic block diagram of an apparatus for migrating a virtual machine using a quantum key according to an exemplary embodiment of the present invention.
Referring to fig. 6, an apparatus for migrating a virtual machine using a quantum key according to an exemplary embodiment of the present invention may include at least a quantum key lock notification unit 601 and a quantum key destruction response unit 602.
In the apparatus shown in fig. 6, the quantum key lock notification unit 601 is configured to receive a notification from a quantum key distribution node including a first virtual key manager that a quantum key between the first virtual key manager and a second virtual key manager is locked as a session key for migration, the notification including an identification of the quantum key; the quantum key destruction response unit 602 is configured to destroy, in response to the notification, the quantum key between the first virtual key manager and the second virtual key manager that corresponds to the identification of the quantum key in the quantum key pool of the second virtual key manager.
Fig. 7 shows a schematic architecture diagram of a system for migrating virtual machines using quantum keys in a cloud computing platform according to an exemplary embodiment of the present invention.
Referring to fig. 7, a system for migrating a virtual machine using a quantum key in a cloud computing platform according to an exemplary embodiment of the present invention may include the apparatuses illustrated in fig. 5 and 6. The apparatus shown in fig. 5 may be arranged in the quantum key distribution node QKDN1 shown in fig. 4, the apparatus shown in fig. 6 may be arranged in the quantum key distribution node QKDN2 shown in fig. 4, and when the virtual machine VM migrates from the compute node a to the compute node B, in a case where the compute node a and the compute node B are both connected to the quantum key distribution node QKDN1 and the virtual key manager assigned by the virtual machine VM before the migration and the virtual key manager assigned after the virtual machine migration are both the virtual key manager VQKM1, the virtual machine VM may implement secure migration of the virtual machine via the system shown in fig. 7.
The embodiment of the present invention will be described in further detail with reference to fig. 8.
Fig. 8 shows an exemplary data interaction process for migrating a virtual machine using quantum keys in a cloud computing platform according to an exemplary embodiment of the present invention.
Referring to fig. 8, a virtual key manager monitor, a virtual key manager VQKM1, and an encryption card may be included in the quantum key distribution node QKDN1 shown in fig. 4. In the quantum key distribution node QKDN1, the virtual key manager monitor is responsible for allocating a respective virtual key manager to each of the running virtual machines in compute nodes a and B connected to the quantum key distribution node QKDN1. A virtual key manager may be configured to provide data encryption and decryption services to its respective virtual machine; for example, the virtual key manager VQKM1 may be configured to provide data encryption and decryption services to the virtual machine VM, and during migration of the virtual machine VM, the virtual key manager VQKM1 may also provide data encryption and decryption services to compute node a and compute node B. The virtual key manager VQKM2 may be included in the quantum key distribution node QKDN2 shown in fig. 4, and a QKD device connected to the quantum key distribution node QKDN2 may perform quantum key distribution with a QKD device connected to the quantum key distribution node QKDN1 to generate quantum keys for use between the virtual key manager VQKM1 and the virtual key manager VQKM2. Thus, the quantum key pool of the virtual key manager VQKM1 and the quantum key pool of the virtual key manager VQKM2 each store a copy of every quantum key shared between the virtual key manager VQKM1 and the virtual key manager VQKM2.
When the virtual machine VM migrates from the compute node a to the compute node B, in the case where both the compute node a and the compute node B are connected to the quantum key distribution node QKDN1, and the virtual key manager allocated to the virtual machine VM before migration and the virtual key manager allocated after migration are both the virtual key manager VQKM1, the virtual machine may be migrated according to the following data interaction process.
At 801, compute node a sends a virtual machine migration notification to compute node B.
At 802, the compute node B requests a virtual key manager from the virtual key manager monitor (not shown) in the quantum key distribution node QKDN1, which, as specified by the allocation policy, continues to assign the virtual key manager VQKM1.
At 803, the virtual key manager monitor sends a notification to the virtual key manager VQKM1 to migrate the virtual machine.
At 804, the virtual key manager VQKM1 locks the quantum key a between the virtual key manager VQKM1 and the virtual key manager VQKM2 in its quantum key pool as a session key for migration.
At 805, virtual key manager VQKM1 informs virtual key manager VQKM2 that quantum key a is locked as a session key for migration.
At 806, the virtual key manager VQKM2 destroys the quantum key corresponding to the identity of quantum key a from its quantum key pool to ensure symmetry of the virtual key manager VQKM1 with the virtual key manager VQKM2 on the quantum key.
At 807, computing node a sends a data encryption request to virtual key manager VQKM1, the data encryption request including data for the virtual machine.
At 808, the virtual key manager VQKM1 sends a data encryption request to the encryption card in the quantum key distribution node QKDN1, the data encryption request including data of the virtual machine, ciphertext of the quantum key a, identification of the quantum key a.
At 809, the encryption card obtains the quantum key encryption key from the identification of the quantum key a, and then decrypts the quantum key a from the ciphertext of the quantum key a using the quantum key encryption key to encrypt the data of the virtual machine using the quantum key a.
At 810, the encryption card returns a response to the virtual key manager VQKM1 for the data encryption request, the response including the ciphertext of the data of the virtual machine.
At 811, the virtual key manager VQKM1 transmits a response to the data encryption request back to compute node a, the response including the ciphertext of the data of the virtual machine.
At 812, compute node A migrates the ciphertext of the data of the virtual machine to compute node B.
At 813, the compute node B sends a data decryption request to the virtual key manager VQKM1, the data decryption request including the ciphertext of the data of the virtual machine.
At 814, the virtual key manager VQKM1 sends a data decryption request to the encryption card, the data decryption request including the ciphertext of the data of the virtual machine, the ciphertext of the quantum key a, and the identification of the quantum key a.
At 815, the encryption card obtains the quantum key encryption key according to the identification of the quantum key a, and then decrypts the quantum key a from the ciphertext of the quantum key a by using the quantum key encryption key, so as to decrypt the data of the virtual machine from the ciphertext of the data of the virtual machine by using the quantum key a.
At 816, the encryption card returns a response to the data decryption request to the virtual key manager VQKM1, the response including the decrypted data of the virtual machine.
At 817, the virtual key manager VQKM1 transmits a response to the data decryption request back to the computing node B, the response including the decrypted data of the virtual machine.
It can be seen that the method and apparatus for migrating a virtual machine using a quantum key according to exemplary embodiments of the present invention can securely migrate a virtual machine using a quantum key between different computing nodes connected to the same quantum key distribution node while maintaining symmetry of the quantum key between the different quantum key distribution nodes in a cloud computing platform.
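The data interaction process of fig. 8 (steps 801 to 817) and the fig. 5 apparatus it implements can be followed end to end in the constructed simulation below. This is added example code, not code from the patent or its applicant. It assumes a single QKD link feeding both key pools (simulated here by `qkd_distribute`), one encryption card per quantum key distribution node holding a key-encryption key per quantum key id, and, because the patent does not name the cipher used by the encryption card, a stand-in encrypt-then-MAC construction built from HMAC-SHA256 so the example runs with the standard library only. The class and function names (`EncryptionCard`, `VirtualKeyManager`, `migrate_vm`) are the example's own.

```python
"""Constructed simulation of the quantum-key VM migration flow (steps 801-817)."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode); the patent does not
    # specify the encryption card's algorithm, this just keeps the example offline.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from one 32-byte quantum key.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification of the blob is rejected."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class EncryptionCard:
    """Holds one key-encryption key (KEK) per quantum key id (steps 809 and 815).
    The quantum key only ever exists in clear inside the card."""

    def __init__(self):
        self._keks: dict[str, bytes] = {}

    def wrap(self, key_id: str, quantum_key: bytes) -> bytes:
        self._keks[key_id] = secrets.token_bytes(32)
        return seal(self._keks[key_id], quantum_key)   # ciphertext kept in the key pool

    def _unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        return open_sealed(self._keks[key_id], wrapped)

    def encrypt(self, key_id: str, wrapped: bytes, data: bytes) -> bytes:
        return seal(self._unwrap(key_id, wrapped), data)

    def decrypt(self, key_id: str, wrapped: bytes, blob: bytes) -> bytes:
        return open_sealed(self._unwrap(key_id, wrapped), blob)


class VirtualKeyManager:
    """One VQKM: a pool of wrapped quantum keys plus the keys locked for migration."""

    def __init__(self, name: str, card: EncryptionCard):
        self.name, self.card = name, card
        self.pool: dict[str, bytes] = {}     # key id -> wrapped quantum key
        self.locked: dict[str, bytes] = {}   # key id -> wrapped migration session key

    def add_key(self, key_id: str, quantum_key: bytes) -> None:
        self.pool[key_id] = self.card.wrap(key_id, quantum_key)

    def lock_for_migration(self, key_id: str) -> str:
        # Step 804: the key leaves the general pool so no other consumer can take it.
        self.locked[key_id] = self.pool.pop(key_id)
        return key_id

    def destroy(self, key_id: str) -> None:
        # Step 806: the peer drops its copy so the two pools stay symmetric.
        self.pool.pop(key_id, None)

    def encrypt_vm_data(self, key_id: str, data: bytes) -> bytes:
        # Steps 808-810: only a locked key may serve as the migration session key.
        return self.card.encrypt(key_id, self.locked[key_id], data)

    def decrypt_vm_data(self, key_id: str, blob: bytes) -> bytes:
        # Steps 814-816.
        return self.card.decrypt(key_id, self.locked[key_id], blob)


def qkd_distribute(vqkm1: VirtualKeyManager, vqkm2: VirtualKeyManager, count: int) -> None:
    """Stand-in for the QKD link: both pools receive the same keys under the same ids."""
    for i in range(count):
        key_id, key = f"qk-{i}", secrets.token_bytes(32)
        vqkm1.add_key(key_id, key)
        vqkm2.add_key(key_id, key)


def migrate_vm(vqkm1: VirtualKeyManager, vqkm2: VirtualKeyManager, vm_data: bytes):
    """Runs steps 803-817; returns (key id, migrated ciphertext, data node B receives)."""
    key_id = vqkm1.lock_for_migration(next(iter(vqkm1.pool)))  # 803/804
    vqkm2.destroy(key_id)                                        # 805/806 notify + destroy
    ciphertext = vqkm1.encrypt_vm_data(key_id, vm_data)          # 807-811, for node a
    # 812: node a ships `ciphertext` to node B; node B then asks VQKM1 to decrypt it
    received = vqkm1.decrypt_vm_data(key_id, ciphertext)         # 813-817, for node B
    return key_id, ciphertext, received


if __name__ == "__main__":
    vqkm1 = VirtualKeyManager("VQKM1", EncryptionCard())
    vqkm2 = VirtualKeyManager("VQKM2", EncryptionCard())
    qkd_distribute(vqkm1, vqkm2, 4)
    key_id, ct, pt = migrate_vm(vqkm1, vqkm2, b"constructed VM memory page")
    print(key_id, pt, sorted(vqkm1.pool) == sorted(vqkm2.pool))
```

Two properties worth checking in a real deployment are visible in the simulation: after the migration the two pools still hold the same set of key ids (the symmetry the patent's step 806 exists to preserve), and a key that is still in the general pool cannot be used as a migration session key, since only the locked entry is handed to the card.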
There may also be provided a computer-readable storage medium storing a computer program according to an exemplary embodiment of the present invention. The computer readable storage medium stores a computer program that, when executed by a processor, causes the processor to perform a method of migrating a virtual machine using quantum keys according to the present invention. The computer readable recording medium is any data storage device that can store data read by a computer system. Examples of the computer-readable recording medium include: read-only memory, random access memory, read-only optical disks, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the internet via wired or wireless transmission paths).
A computer apparatus may also be provided according to an exemplary embodiment of the present invention. The computer device includes a processor and a memory. The memory is for storing a computer program. The computer program is executed by a processor to cause the processor to execute the method of migrating a virtual machine using a quantum key according to the present invention.
While the present application has been shown and described with reference to preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made to these embodiments without departing from the spirit and scope of the present application as defined by the following claims.

Claims (8)

1. A method for migrating virtual machines using quantum keys, the method comprising:
locking a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of a first virtual key manager as a session key for migration in response to a notification of the migration of a virtual machine from a first compute node to a second compute node;
sending a notification to a quantum key distribution node comprising a second virtual key manager that the quantum key is locked as a session key for the migration, the notification comprising an identification of the quantum key, such that the quantum key distribution node destroys, in response to the notification, a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of the second virtual key manager that corresponds to the identification of the quantum key;
encrypting, by a first virtual key manager machine, data of a virtual machine using a locked quantum key in response to a data encryption request from a first compute node, the data encryption request including data of the virtual machine;
transmitting the encrypted data of the virtual machine back to the first computing node as a response to the data encryption request, and migrating the encrypted data of the virtual machine to the second computing node by the first computing node;
decrypting, by the first virtual key manager, the encrypted virtual machine's data using the locked quantum key in response to a data decryption request from the second compute node, the data decryption request including the encrypted virtual machine's data;
and transmitting the decrypted data of the virtual machine back to the second computing node as a response to the data decryption request.
2. The method of claim 1, further comprising:
obtaining a ciphertext of the locked quantum key from a quantum key pool of a first virtual key manager;
acquiring a quantum key encryption key of the locked quantum key from the encryption card according to the identifier of the locked quantum key;
and decrypting the locked quantum key from the ciphertext of the locked quantum key using the quantum key encryption key of the locked quantum key.
3. A method for migrating virtual machines using quantum keys, the method comprising:
receiving a notification from a quantum key distribution node comprising a first virtual key manager that a quantum key between the first virtual key manager and a second virtual key manager is locked as a session key for the migration, the notification comprising an identification of the quantum key;
and destroying, in response to the notification, the quantum key between the first virtual key manager and the second virtual key manager corresponding to the identification of the quantum key in the quantum key pool of the second virtual key manager.
4. An apparatus for migrating virtual machines using quantum keys, the apparatus comprising:
a quantum key locking unit configured to lock a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of a first virtual key manager as a session key for migration in response to a notification of the virtual machine migrating from a first compute node to a second compute node;
a quantum key locking notification unit configured to send a notification to a quantum key distribution node comprising a second virtual key manager that the quantum key is locked as a session key for the migration, the notification comprising an identification of the quantum key, such that the quantum key distribution node destroys, in response to the notification, a quantum key between a first virtual key manager and a second virtual key manager in a quantum key pool of the second virtual key manager that corresponds to the identification of the quantum key;
a virtual machine data encryption unit configured to encrypt data of a virtual machine using a locked quantum key by a first virtual key manager in response to a data encryption request from a first compute node, the data encryption request including data of the virtual machine;
a first data transmission unit configured to transmit the encrypted data of the virtual machine back to the first computing node as a response to the data encryption request, the first computing node migrating the encrypted data of the virtual machine to the second computing node;
a virtual machine data decryption unit configured to decrypt, by the first virtual key manager, the encrypted data of the virtual machine using the locked quantum key in response to a data decryption request from the second computing node, the data decryption request including the encrypted data of the virtual machine;
a second data transfer unit configured to transfer the decrypted data of the virtual machine back to the second computing node as a response to the data decryption request.
5. The apparatus of claim 4, further comprising:
a quantum key ciphertext obtaining unit configured to obtain a ciphertext of the locked quantum key from a quantum key pool of the first virtual key manager;
a quantum key encryption key obtaining unit configured to obtain a quantum key encryption key of the quantum key from an encryption card according to the identifier of the locked quantum key;
a quantum key decryption unit configured to decrypt the locked quantum key from the ciphertext of the locked quantum key using a quantum key encryption key of the locked quantum key.
6. An apparatus for migrating virtual machines using quantum keys, the apparatus comprising:
a quantum key locking notification receiving unit configured to receive a notification from a quantum key distribution node comprising a first virtual key manager that a quantum key between the first virtual key manager and a second virtual key manager is locked as a session key for the migration, the notification comprising an identification of the quantum key;
a quantum key destruction response unit configured to destroy, in response to the notification, a quantum key between the first virtual key manager and the second virtual key manager corresponding to the identification of the quantum key in the quantum key pool of the second virtual key manager.
7. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for migrating a virtual machine using a quantum key of any one of claims 1 to 3.
8. A computing device, comprising:
a processor;
a memory storing a computer program which, when executed by the processor, implements the method of migrating a virtual machine using quantum keys of any one of claims 1 to 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210856236.XA CN114938275B (en) 2022-07-21 2022-07-21 Method, apparatus, medium, and device for migrating virtual machine using quantum key


Publications (2)

Publication Number Publication Date
CN114938275A true CN114938275A (en) 2022-08-23
CN114938275B CN114938275B (en) 2022-10-14

Family

ID=82869107


Country Status (1)

Country Link
CN (1) CN114938275B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101405694A (en) * 2006-03-21 2009-04-08 国际商业机器公司 Method and apparatus for migrating a virtual TPM instance and preserving uniqueness and completeness of the instance
CN107465689A (en) * 2017-09-08 2017-12-12 大唐高鸿信安(浙江)信息科技有限公司 Key management system and method for a virtual trusted platform module in a cloud environment
CN109165079A (en) * 2018-08-07 2019-01-08 郑州云海信息技术有限公司 Virtualization-based cloud data center trusted platform, trust chain construction method, and migration method
CN109508224A (en) * 2018-11-15 2019-03-22 中国电子科技网络信息安全有限公司 User data isolation and protection system and method based on a KVM virtual machine
CN109783192A (en) * 2018-12-18 2019-05-21 北京可信华泰信息技术有限公司 Secure virtual machine migration system
US20190268149A1 (en) * 2018-02-28 2019-08-29 Vmware, Inc. Methods and systems that efficiently and securely store encryption keys
US20200004568A1 (en) * 2018-06-27 2020-01-02 International Business Machines Corporation Virtual machine allocation and migration
CN113703911A (en) * 2021-07-09 2021-11-26 郑州云海信息技术有限公司 Virtual machine migration method, device, equipment and storage medium
US20220019367A1 (en) * 2017-04-21 2022-01-20 Pure Storage, Inc. Migrating Data In And Out Of Cloud Environments
US20220179673A1 (en) * 2020-12-03 2022-06-09 International Business Machines Corporation Secure virtual machine software management


Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
P. Sharma et al.: "Quantum Key Distribution Secured Optical Networks: A Survey", IEEE Open Journal of the Communications Society *
代龙飞 (Dai Longfei): "Research and Implementation of Real-Time Migration of Cloud Services Across Data Centers", China Master's Theses Full-Text Database, Information Science and Technology series *
陈怡丹 et al. (Chen Yidan et al.): "Analysis of Security Issues in Live Migration of Virtual Machines in a Cloud Computing Environment", Computer Technology and Development *
陈晖 (Chen Hui): "A Novel Quantum Key Service Architecture", Journal of China Academy of Electronics and Information Technology *
马彰超 et al. (Ma Zhangchao et al.): "Research on Software-Defined Quantum Key Distribution Network Technology", Designing Techniques of Posts and Telecommunications *

Also Published As

Publication number Publication date
CN114938275B (en) 2022-10-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant