CN115934258A - Data processing method and device, electronic equipment and storage medium (Google Patents)

Info

Publication number: CN115934258A
Application number: CN202211732134.3A
Authority: CN (China)
Prior art keywords: task, virtual machine, log, information, key
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN115934258B
Inventors: 陈典, 贺培轩, 孙勇, 张尧, 吴烨
Current assignee: Beijing Volcano Engine Technology Co Ltd
Original assignee: Beijing Volcano Engine Technology Co Ltd
Events: application filed by Beijing Volcano Engine Technology Co Ltd; priority to CN202211732134.3A; publication of CN115934258A; application granted; publication of CN115934258B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Storage Device Security (AREA)
Abstract

The present disclosure provides a data processing method, an apparatus, an electronic device and a storage medium. The method comprises: acquiring and executing a virtual machine task; generating a task log text corresponding to the virtual machine task; generating header file information of an encrypted task log of the virtual machine task based on a hash value of a historical encrypted log and a first identity character corresponding to the virtual machine task, the historical encrypted log being the encrypted log of the previous historical task of the currently executed virtual machine task; generating first remote attestation information corresponding to the virtual machine task based on the header file information and the task log text; and splicing the header file information, the task log text and the first remote attestation information to generate the encrypted task log of the virtual machine task, the encrypted task log being used to prove the credibility of the related task log text.

Description

Data processing method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a data processing method and apparatus, an electronic device, and a storage medium.
Background
A virtual machine is a complete computer system, with the full functionality of a hardware system, that is emulated by software and runs in a completely isolated environment. Executing work tasks inside virtual machines provides stronger isolation between workloads on the same host machine and greatly reduces the chance that a malicious program obtains confidential data belonging to other virtual machines running on that host.
However, conventional virtualization technology cannot resist the potential safety hazards introduced by operation and maintenance work: operation and maintenance personnel may perform operations such as task configuration and startup on a virtual machine, and such operations may introduce security risks. In this scenario, a trusted and traceable log service for the virtual machine is needed to strengthen its security protection. How to guarantee the credibility of the task log is therefore a problem worth solving.
Disclosure of Invention
The disclosed embodiments at least provide a data processing method, a data processing device, an electronic device, and a storage medium. When a virtual machine task is executed, a task log text corresponding to the task is generated; header file information of an encrypted task log is generated from the hash value of a historical encrypted log and a first identity character corresponding to the task; first remote attestation information is generated from the header file information and the task log text; and the header file information, the task log text and the first remote attestation information are spliced to obtain the encrypted task log. The header file information of the encrypted task log reflects the encrypted log of the previous historical task, so the credibility of that historical encrypted log can be verified through the header file information; the remote attestation information reflects the header file information and the task log text, so it certifies the credibility of both. Together these yield a credible and traceable task log.
In a first aspect, an embodiment of the present disclosure provides a data processing method, including:
acquiring and executing a virtual machine task;
generating a task log text corresponding to the virtual machine task;
generating header file information of an encrypted task log of the virtual machine task based on a hash value of a historical encrypted log and a first identity character corresponding to the virtual machine task, where the historical encrypted log is the encrypted log of the previous historical task of the currently executed virtual machine task;
generating first remote attestation information corresponding to the virtual machine task based on the header file information and the task log text;
splicing the header file information, the task log text and the first remote attestation information to generate the encrypted task log of the virtual machine task, where the encrypted task log is used to prove the credibility of the related task log text.
In an optional implementation manner, generating the first remote attestation information corresponding to the virtual machine task based on the header file information and the task log text includes:
splicing the header file information and the task log text to obtain first verification information corresponding to the header file information;
and signing the hash value of the first verification information together with the running environment information of the virtual machine, using the physical hardware corresponding to the virtual machine, to obtain the first remote attestation information.
In an optional embodiment, acquiring the virtual machine task includes:
responding to a communication connection instruction by determining a first communication credential corresponding to the virtual machine based on a second identity character carried by the communication connection instruction and a first key corresponding to the current virtual machine;
sending the first communication credential to a target communication end, and establishing a communication connection with the target communication end after it successfully verifies the first communication credential;
and acquiring the virtual machine task from the target communication end over the communication connection.
In an optional implementation manner, determining the first communication credential corresponding to the virtual machine based on the second identity character carried in the communication connection instruction and the first key corresponding to the current virtual machine includes:
generating second verification information corresponding to the second identity character based on the second identity character carried by the communication connection instruction and the first key corresponding to the current virtual machine;
signing the second verification information together with the running environment information of the virtual machine, using a signature key corresponding to the physical hardware that runs the virtual machine, to obtain second remote attestation information;
and determining the first communication credential corresponding to the virtual machine based on the second remote attestation information and the first key.
In an optional implementation manner, generating the second verification information corresponding to the second identity character based on the second identity character carried by the communication connection instruction and the first key corresponding to the current virtual machine includes:
splicing the second identity character with the first key to obtain initial second verification information;
and determining the hash value of the initial second verification information, and using that hash value as the second verification information corresponding to the second identity character.
In an optional embodiment, the virtual machine task includes a loading task of a virtual service and/or a configuration task of the virtual service.
In an alternative embodiment, executing the virtual machine task includes:
sending a key acquisition request to a key management end when the virtual machine task is a loading task of a virtual service;
generating third verification information corresponding to a third identity character based on the third identity character returned by the key management end and a second key corresponding to the current virtual machine;
signing the third verification information together with the running environment information of the virtual machine, using the physical hardware corresponding to the virtual machine, to obtain third remote attestation information;
determining a third communication credential corresponding to the virtual machine based on the third remote attestation information and the second key;
sending the third communication credential to the key management end and, after the key management end successfully verifies it, acquiring from the key management end a third key for decrypting the program to be loaded that corresponds to the loading task;
and loading the program to be loaded based on the third key.
In a second aspect, an embodiment of the present disclosure further provides a data processing apparatus, including:
the execution module is used for acquiring and executing the virtual machine task;
the first generation module is used for generating a task log text corresponding to the virtual machine task;
the second generation module is used for generating header file information of the encrypted task log of the virtual machine task based on a hash value of a historical encrypted log and a first identity character corresponding to the virtual machine task; the historical encrypted log is an encrypted log of a previous historical task of the currently executed virtual machine task;
a third generating module, configured to generate, based on the header information and the task log text, first remote attestation information corresponding to the virtual machine task;
a fourth generating module, configured to splice the header file information, the task log text, and the first remote attestation information to generate an encrypted task log of the virtual machine task; the encrypted task log is used for proving the credibility of the text of the related task log.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions being executed by the processor to perform the data processing method described above, or steps of any possible implementation of the data processing method.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium, where a computer program is stored, and the computer program is executed by a processor to perform the data processing method or the steps in any possible implementation manner of the data processing method.
The data processing method, data processing device, electronic device and storage medium provided by the embodiments of the disclosure acquire and execute a virtual machine task; generate a task log text corresponding to the task; generate header file information of an encrypted task log from the hash value of a historical encrypted log (the encrypted log of the previous historical task of the currently executed virtual machine task) and a first identity character corresponding to the task; generate first remote attestation information from the header file information and the task log text; and splice the header file information, the task log text and the first remote attestation information into the encrypted task log, which is used to prove the credibility of the related task log text. Verifying the first remote attestation information of an encrypted task log proves the security of its header file information and task log text, and the header file information in turn verifies the security of the historical encrypted log, so adjacent encrypted task logs form a chain structure. Tampering with any historical encrypted log shows up as a break in this chain: a user checking an encrypted task log only needs to check that the chain structure is correct to learn whether the log has been modified, which provides a credible and traceable security certificate for the virtual machine.
In order to make the aforementioned objects, features and advantages of the present disclosure more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings required in the embodiments will be briefly described below, and the drawings herein incorporated in and forming a part of the specification illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the technical solutions of the present disclosure. It is appreciated that the following drawings depict only certain embodiments of the disclosure and are therefore not to be considered limiting of its scope, for those skilled in the art will be able to derive additional related drawings therefrom without the benefit of the inventive faculty.
Fig. 1 shows a flow chart of a data processing method provided by an embodiment of the present disclosure;
FIG. 2 illustrates a schematic diagram of an encrypted task log provided by an embodiment of the disclosure;
FIG. 3 is a flowchart illustrating steps provided by an embodiment of the present disclosure to obtain virtual machine tasks;
FIG. 4 depicts a schematic diagram of a data processing system provided by an embodiment of the present disclosure;
fig. 5 shows a schematic diagram of a key management end provided by an embodiment of the present disclosure;
FIG. 6 illustrates a flow chart for deploying a data processing system provided by an embodiment of the present disclosure;
FIG. 7 is a schematic diagram illustrating a deployment of multiple virtual machines provided in an embodiment of the present disclosure;
FIG. 8 shows a schematic diagram of a data processing apparatus provided by an embodiment of the present disclosure;
fig. 9 shows a schematic diagram of an electronic device provided by an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions in the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, not all of the embodiments. The components of the embodiments of the present disclosure, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the disclosure, provided in the accompanying drawings, is not intended to limit the scope of the disclosure, as claimed, but is merely representative of selected embodiments of the disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the disclosure without making creative efforts, shall fall within the protection scope of the disclosure.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The term "and/or" herein merely describes an associative relationship, meaning that three relationships may exist; for example, "A and/or B" may mean that A exists alone, A and B exist simultaneously, or B exists alone. In addition, the term "at least one" herein means any one of a variety or any combination of at least two of a variety; for example, "including at least one of A, B, C" may mean including any one or more elements selected from the group consisting of A, B and C.
In order to solve the technical problem of the prior art that the security of a virtual machine task log cannot be guaranteed, the disclosed embodiment provides a data processing method. When a virtual machine task is executed, a task log text corresponding to the task is generated; header file information of an encrypted task log is generated from the hash value of a historical encrypted log and a first identity character corresponding to the task; first remote attestation information is then generated from the header file information and the task log text; and the header file information, the task log text and the first remote attestation information are spliced to obtain the encrypted task log. The header file information reflects the encrypted log of the previous historical task, so the credibility of the historical encrypted log can be verified through it; the remote attestation information reflects the header file information and the task log text, so it certifies the credibility of both. A credible and traceable task log is thereby realized.
For the convenience of understanding of the present embodiment, a detailed description is first given of a data processing method disclosed in the embodiments of the present disclosure, and an execution subject of the data processing method provided in the embodiments of the present disclosure is generally a computer device with certain computing capability. In some possible implementations, the data processing method may be implemented by a processor invoking computer readable instructions stored in a memory.
Referring to fig. 1, which is a flowchart of a data processing method provided in the embodiment of the present disclosure, an execution subject of the method takes a virtual machine as an example, and includes steps S101 to S105, where:
and S101, acquiring and executing a virtual machine task.
In this step, the virtual machine may obtain a virtual machine task from a corresponding target communication end, where the virtual machine task may include a virtual service loading task and/or a virtual service configuration task, the virtual service loading task may enable the virtual machine to load a virtual service image, so as to run the virtual service, and the virtual service configuration task may configure and maintain some parameters of the virtual machine or the running virtual service.
The target communication terminal may be a computer device running the virtual machine, and an administrator may send a virtual machine task to the virtual machine through the target communication terminal, so as to implement configuration of the virtual machine.
Before the virtual machine task is obtained, communication connection can be established between the virtual machine and the target communication end, the target communication end can send a communication connection instruction to the virtual machine to start establishing the communication connection, and then the target communication end and the virtual machine can communicate by using the established communication connection.
And S102, generating a task log text corresponding to the virtual machine task.
For example, when the virtual machine executes a virtual machine task, a task log text corresponding to the virtual machine task may be generated, and the task log text may record an operation instruction, an operation result, a hash value of the operation command, and other data received by the virtual machine.
S103, generating header file information of an encrypted task log of the virtual machine task based on a hash value of a historical encrypted log and a first identity character corresponding to the virtual machine task, where the historical encrypted log is the encrypted log of the previous historical task of the currently executed virtual machine task.
In order to ensure traceability of the virtual machine task, a task log text corresponding to the virtual machine task may be generated, and in order to ensure that the task log text is not tampered, the task log may be encrypted.
The embodiment of the present disclosure may adopt chained encryption: each new encrypted log includes information about the previous encrypted log, so that if an earlier encrypted log is modified, it no longer matches the information recorded in the encrypted log that follows it. To achieve this, the embodiments of the present disclosure may generate the header file information of the encrypted task log from the historical encrypted log of the previous historical task of the currently executed virtual machine task and the first identity character corresponding to the virtual machine task.
The header file information may be formed by splicing the hash value of the historical encrypted log with the first identity character. A holder of the first identity character can then check the hash value recorded in the header file information: if the hash value of the historical encrypted log differs from the hash value extracted from the header file information, the historical encrypted log has been modified.
And S104, generating first remote attestation information corresponding to the virtual machine task based on the header file information and the task log text.
Remote attestation is a feature of trusted execution environments. Through physical hardware, the proving party can measure a series of dimensions of itself, such as its running environment, hardware version and executing code, and the trusted hardware can produce a non-forgeable digital signature over the measured values that is endorsed by the hardware provider. The digital signature can be verified with the hardware provider, and once verified it serves as proof that the physical hardware is secure.
In specific implementation, the header file information and the task log text may be spliced to obtain first verification information corresponding to the header file information, and then, the hash value of the first verification information and the operating environment information of the virtual machine are signed by using physical hardware corresponding to the virtual machine to obtain first remote attestation information.
Specifically, the hash value of the first verification information, the task log text, and the operating environment of the virtual machine may be measured, and the obtained measurement value may be signed.
For example, the physical hardware may be the processor running the virtual machine, and the running environment information of the virtual machine may include an identifier of the physical hardware running the virtual machine, the system version of the virtual machine, the execution code of the virtual machine, and the like. These are generally preconfigured, and whether the virtual machine has been tampered with can be determined by verifying that the running environment is consistent with the preconfigured values.
In practical application, the first remote attestation information provides security verification of the physical hardware, and whether the header file information and the task log text have been modified can be verified by checking whether they match the header file information and the task log text covered by the signature in the first remote attestation information.
S105, splicing the header file information, the task log text and the first remote attestation information to generate the encrypted task log of the virtual machine task, where the encrypted task log is used to prove the credibility of the related task log text.
In this step, the header file information, the task log text and the first remote attestation information may be spliced to obtain the encrypted task log. The task log text in the encrypted task log records the process by which the virtual machine executed the task, the header file information proves the credibility of the historical encrypted log, and the first remote attestation information proves the credibility of the generated task log text and header file information.
Specifically, referring to fig. 2, which is a schematic diagram of an encrypted task log provided in the embodiment of the present disclosure, the encrypted task log may include three components, namely a head component, a middle component, and a tail component, where the head component may include a hash value of a historical encrypted log of a previous historical task and a random character string, that is, the header file information, the middle component may include the task log text, and the tail component may include the first remote attestation information.
For data security of the encrypted task log, the encrypted task log may be encrypted again when the encrypted task log is transmitted, and the key management end stores the key used in encryption, and the target communication end may request the key management end for the key used in decryption when the encrypted task log is decrypted.
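The chain described in steps S103 to S105, as an added example that is not part of the patent: each record's header carries the hash of the previous encrypted log plus a random identity character, and an attestation covers the hash of header-plus-text together with the running-environment information. All names (make_log, verify_chain, HW_KEY, ENV_INFO) and sample values are assumptions; the hardware signature is stood in for by an HMAC so the code runs with the standard library alone, whereas a real TEE would produce an asymmetric signature verifiable with the hardware vendor. Each record is stored as a JSON object rather than a raw concatenation so the three spliced parts can be parsed back unambiguously.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC keyed with a constructed value stands in for the processor's
# attestation signing key. A real TEE signs with a hardware-held asymmetric key.
HW_KEY = b"constructed-hardware-attestation-key"

# Constructed running-environment information of the virtual machine.
ENV_INFO = {"hw_id": "cpu-0001", "sys_version": "1.0", "code_hash": "abc123"}


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialisation so the same fields always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def attest(verification_hash: str, env: dict) -> str:
    """Stand-in for the hardware signature over (hash of verification info, env info)."""
    return hmac.new(HW_KEY, canonical([verification_hash, env]), hashlib.sha256).hexdigest()


def make_log(prev_log: bytes, text: str, identity: str, env: dict = ENV_INFO) -> bytes:
    # S103: header = hash of the previous encrypted log + first identity character.
    header = {"prev_hash": h(prev_log), "identity": identity}
    # S104: first verification info = header spliced with the task log text; its
    # hash is signed together with the running-environment information.
    verification = canonical([header, text])
    attestation = attest(h(verification), env)
    # S105: splice header, text and attestation into the encrypted task log.
    return canonical({"header": header, "text": text, "attestation": attestation})


def verify_chain(logs: list, expected_env: dict = ENV_INFO) -> tuple:
    """Check each record's attestation and its link to the previous record.
    Returns (ok, index_of_first_bad_record); the index is -1 when all pass."""
    prev = b""  # genesis: the first record chains to an empty log
    for i, raw in enumerate(logs):
        rec = json.loads(raw)
        header, text = rec["header"], rec["text"]
        # The header must reference the previous encrypted log (chain link).
        if header["prev_hash"] != h(prev):
            return False, i
        # The attestation must match header + text under the expected environment.
        verification = canonical([header, text])
        if not hmac.compare_digest(rec["attestation"], attest(h(verification), expected_env)):
            return False, i
        prev = raw
    return True, -1


def demo() -> tuple:
    """Build a three-record chain, then show what tampering and deletion look like."""
    logs, prev = [], b""
    for text in ["load service image v1", "set max_conn=100", "restart service"]:
        rec = make_log(prev, text, identity=secrets.token_hex(8))
        logs.append(rec)
        prev = rec
    ok_clean = verify_chain(logs)[0]

    # Edit the middle record's text: its own attestation no longer matches.
    tampered = list(logs)
    rec = json.loads(tampered[1])
    rec["text"] = "set max_conn=1000000"
    tampered[1] = canonical(rec)

    # Remove the middle record: the third record's prev_hash no longer links.
    dropped = [logs[0], logs[2]]
    return ok_clean, verify_chain(tampered), verify_chain(dropped)
```

verify_chain reports the index of the first record whose attestation or chain link fails: editing a record's text fails that record's own attestation, and removing a record breaks the prev_hash link of the record that followed it. A record produced under a different running environment fails at index 0 when checked against the preconfigured ENV_INFO.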
In an embodiment, a virtual machine task may be obtained from a target communication end through a communication connection. A communication agent module may run in the virtual machine and establish the communication connection with the target communication end in response to a communication connection instruction sent by the target communication end. The target communication end may be the host running the virtual machine or another host and may run a communication agent service; before establishing the communication connection, the target communication end may verify the security of the virtual machine in advance.
Referring to fig. 3, a flowchart of a step of acquiring a virtual machine task provided in the embodiment of the present application is shown, where the step includes S301 to S304, where:
S301, responding to a communication connection instruction by determining a first communication credential corresponding to the virtual machine based on a second identity character carried by the communication connection instruction and a first key corresponding to the current virtual machine.
The target communication end may generate a random character string, namely the second identity character, and send it to the communication agent module together with the communication connection instruction. The communication agent module may generate a public key and a private key; the first communication credential of the virtual machine may then be generated using the public key, namely the first key, and the second identity character.
When the first communication credential is generated, the first key and the second identity character may be spliced to obtain initial second verification information, and the hash value of the initial second verification information is then calculated to obtain the second verification information.
For example, before the communication connection instruction is obtained, the target communication end may, for communication security, configure in advance on the communication agent module a certificate indicating the identity of the target communication end, while retaining the private key corresponding to that certificate. When the communication agent module is started on the virtual machine, it generates a public key and a private key, sends a request to establish a connection to the target communication end, and sends a random string together with the request. After receiving the request, the target communication end may generate the second identity character, splice the second identity character, the random string generated by the communication agent module and the public key of the target communication end, and sign the spliced data with the private key corresponding to the certificate held by the communication agent module. Finally, the target communication end sends the second identity character, its public key for communication, the random string and the signature to the communication agent module.
The communication agent module may then verify the received signature using the stored certificate and generate the second verification information.
Then, after obtaining the second verification information, the communication agent module may sign the second verification information and the running environment information of the virtual machine by using a signature key corresponding to physical hardware for running the virtual machine, so as to obtain second remote attestation information.
Thereafter, a first communication credential corresponding to the virtual machine may be determined based on the second remote attestation information and the first key.
For example, the second remote attestation information and the first key may be directly used as the first communication credential corresponding to the virtual machine.
S302, the first communication certificate is sent to a target communication terminal, and after the target communication terminal successfully verifies the first communication certificate, communication connection is established with the target communication terminal.
In this step, the first communication credential may be sent to the target communication terminal. The target communication terminal may verify the signature in the first communication credential to confirm the security of the physical hardware running the virtual machine, and may then check the signed data: whether the second verification information therein is consistent with the second verification information it itself sent to the communication agent module, and whether the running environment information of the virtual machine is correct. In this way the security of the virtual machine is verified.
After the target communication terminal successfully verifies the first communication certificate, communication connection can be established with the target communication terminal, public keys are exchanged, and secure communication is achieved.
S303, based on the communication connection, the virtual machine task of the target communication end is obtained.
After the communication connection is established, data can be transmitted between the target communication end and the communication agent module. The target communication end or the communication agent module may generate a random character string, encrypt the information to be sent together with the random character string using any symmetric encryption algorithm, then encrypt the random character string and the data to be transmitted using an asymmetric encryption algorithm, splice the data obtained by the symmetric encryption with the data obtained by the asymmetric encryption, and send the spliced data to the other side to complete the transmission.
After the communication connection is established with the target communication terminal, the target communication terminal can send the virtual machine task to the communication agent module by using the established communication connection, so as to realize the configuration of the virtual machine.
When the virtual machine task is a loading task of the virtual service, the communication agent module receives an encrypted image of the virtual service, and can send a key acquisition request to the key management end in order to decrypt the encrypted image.
For example, the communication agent module may first send a key obtaining request to the key management end; then, generating third verification information corresponding to a third identity character based on the third identity character fed back by the key management end and a second key corresponding to the current virtual machine; then, signing the third verification information and the running environment information of the virtual machine by using physical hardware corresponding to the virtual machine to obtain third remote certification information; then, determining a second communication certificate corresponding to the current virtual machine based on the third remote attestation information and the second key; finally, the second communication certificate is sent to the key management end, and after the key management end successfully verifies the second communication certificate, a third key for decrypting the program to be loaded corresponding to the loading task is obtained from the key management end; then, the program to be loaded may be loaded based on the third key.
The way of the key management terminal proving its own security to the communication agent module is similar to the above steps, and the second key may be replaced with data determined based on the common parameter and the private parameter in the key exchange protocol.
After the first communication credential is sent to the target communication end, the target communication end needs to verify the first communication credential, and a detailed verification process may be as follows:
1. Sending a communication connection instruction to the virtual machine; the communication connection instruction carries a second identity character.
2. Acquiring a first communication certificate fed back by the virtual machine; the first communication certificate comprises second remote certification information obtained by signing second verification information and running environment information of the virtual machine by physical hardware corresponding to the virtual machine, and a first communication certificate determined based on the second remote certification information and a first key of the virtual machine; the second authentication information is generated based on the second identity character and the first key.
3. Requesting a service party corresponding to the physical hardware to perform signature authentication on the second remote certification information carried in the first communication certificate, and extracting the first secret key from the first communication certificate under the condition that the second remote certification information passes the signature authentication; and splicing the extracted first secret key and second identity characters sent to the virtual machine to obtain characters to be verified, and verifying the first communication certificate based on the characters to be verified and the second verification information carried in the first communication certificate.
In this step, the target communication terminal may request a service party corresponding to the physical hardware, such as a hardware provider, to perform signature authentication on the first remote attestation information, determine whether the signature is signed by the physical hardware provided by the service party, and verify the first identity character after the signature authentication is passed.
In this step, the first authentication information is the hash value of the initial first authentication information obtained by splicing the first identity character and the first key, so the first communication credential may be authenticated by comparing the hash value of the characters to be verified with the first authentication information carried in the credential.
4. And establishing communication connection with the virtual machine under the condition that the first communication certificate is successfully verified and the running environment information carried in the first remote certification information is correct.
In this step, if the first communication credential is successfully verified and the operating environment information of the virtual machine is consistent with the preconfigured operating environment information, it may be determined that the virtual machine is safe and a communication connection may be established with the target communication terminal.
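As an added illustration of the credential built in steps S301 and S302 and checked by the target in steps 1 to 4 above (example code, not from the patent; the key-management exchange described earlier follows the same pattern with the second key in place of the first): the hardware signature of the remote attestation information is simulated with HMAC-SHA256 under a constructed key, the first key is an opaque byte string, and the running environment information is a small dict compared with a pre-configured copy held by the target.

```python
"""Challenge-response credential of the VM and its verification by the target.
Hardware signing is simulated; a real platform would use its attestation key and
the hardware provider's signature-authentication service for verification."""
import hashlib
import hmac
import json
import secrets

HARDWARE_SIGNING_KEY = b"constructed-hardware-attestation-key"  # constructed stand-in
EXPECTED_ENV = {"image_measurement": "constructed-measurement-0001", "agent": "1.0"}


def hardware_sign(payload: bytes) -> bytes:
    """Stand-in for the signature produced by the physical hardware running the VM."""
    return hmac.new(HARDWARE_SIGNING_KEY, payload, hashlib.sha256).digest()


def hardware_verify(payload: bytes, signature: bytes) -> bool:
    """Stand-in for the hardware provider's signature-authentication service (step 3)."""
    return hmac.compare_digest(hardware_sign(payload), signature)


def second_verification_info(first_key: bytes, second_identity: bytes) -> bytes:
    """Splice the first key and the second identity character, then hash the splice."""
    return hashlib.sha256(first_key + second_identity).digest()


def build_first_credential(first_key: bytes, second_identity: bytes, env_info: dict) -> dict:
    """VM side (S301): verification info -> second remote attestation -> credential."""
    verification = second_verification_info(first_key, second_identity)
    signed = {"second_verification": verification.hex(), "env": env_info}
    payload = json.dumps(signed, sort_keys=True).encode()
    attestation = {"payload": payload, "signature": hardware_sign(payload)}
    # The credential is the attestation plus the first key itself.
    return {"second_remote_attestation": attestation, "first_key": first_key}


def verify_first_credential(credential: dict, second_identity: bytes, expected_env: dict) -> bool:
    """Target side (steps 3 and 4). True only when every check passes."""
    attestation = credential["second_remote_attestation"]
    # Step 3: signature authentication of the remote attestation information.
    if not hardware_verify(attestation["payload"], attestation["signature"]):
        return False
    signed = json.loads(attestation["payload"])
    # Step 3: extract the first key, splice it with the identity character we sent,
    # and compare the hash with the carried second verification information.
    expected = second_verification_info(credential["first_key"], second_identity)
    if not hmac.compare_digest(expected.hex(), signed["second_verification"]):
        return False
    # Step 4: the signed running environment must equal the pre-configured one.
    return signed["env"] == expected_env


def new_second_identity() -> bytes:
    """Target side: a fresh, unpredictable identity character per connection instruction."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    nonce = new_second_identity()
    cred = build_first_credential(b"constructed-first-key", nonce, EXPECTED_ENV)
    print("credential accepted:", verify_first_credential(cred, nonce, EXPECTED_ENV))
```

Because the identity character is fresh per instruction and bound into the signed hash, a credential captured from one connection does not verify against the next instruction's character.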
According to the data processing method described above, the security of the virtual machine can be proved by verifying the first remote attestation information corresponding to the encrypted task logs. Because the first remote attestation information is determined from the task log text and from the historical encrypted log of the previous historical task of the currently executed virtual machine task, adjacent encrypted task logs form a chain structure, and tampering with any historical encrypted log is reflected in that chain structure. When a user checks the encrypted task logs, whether they have been modified can be known simply by checking whether the chain structure is correct, so an effective, tamper-evident security proof can be provided for the virtual machine.
Referring to fig. 4, a schematic diagram of a data processing system provided in an embodiment of the present disclosure, the data processing system is composed of a virtual machine, a host (target communication end) running the virtual machine, and a key management end. A task load and a communication proxy module may run in the virtual machine; the communication proxy module is deployed with a load monitoring module, an encryption/decryption module, a load loading module, and a log module. The host may run a communication proxy service, and communication between the communication proxy service and the communication proxy module may be based on the Virtual Machine Communication Interface Sockets (VSOCK) technology. The communication proxy service may obtain the task log from the communication proxy module and display it through a trusted log module, and a user may use a service update module of the communication proxy service to issue a virtual machine task to the virtual machine. A trust certificate may be established between the virtual machine and the key management end so that the key required for decryption can be transmitted, and the key management end may use a root-of-trust service to ensure the security of the stored key.
Referring to fig. 5, a schematic diagram of a key management end provided in the embodiment of the present disclosure, the key management end includes an authentication module, a remote attestation module, and a trusted storage module, and may interact with a key access client such as a virtual machine or a host. The key access client may have a secure communication module and a remote attestation module, and the key management end and the key access client may further obtain a root of trust by using a root-of-trust service, so as to implement trusted data interaction.
Referring to fig. 6, which is a flowchart of the data processing system deployment provided in the embodiment of the present disclosure, the deployment first needs to be initialized: configure the virtual machine and the host, install the virtualization program, update the running environment, and install the communication proxy service. Next, prepare the virtual machine image: implant the communication proxy module into the virtual machine image, close other external access structures, complete the measurement of the image, determine the running environment pre-configured for the virtual machine, and complete information registration at the key management end. Then start the virtual machine, send a configuration command to the communication proxy module through the communication proxy service, complete the environment preparation for running the task load, and have the communication proxy module generate a task log. Then encrypt the task load image, register the load decryption key at the key management end, and send the task load image to the communication proxy module; the communication proxy module and the key management end remotely verify each other's credibility, after which the key is obtained, the task load is decrypted, and finally the task load is started.
Referring to fig. 7, which is a schematic diagram of deployment of multiple virtual machines provided in the embodiment of the present disclosure, the diagram includes multiple hosts, each host may run multiple virtual machines, each host may deploy a communication agent service, and each virtual machine running on the host communicates with the communication agent service through its own communication agent module.
It will be understood by those of skill in the art that in the above method of the present embodiment, the order of writing the steps does not imply a strict order of execution and does not impose any limitations on the implementation, as the order of execution of the steps should be determined by their function and possibly inherent logic.
Based on the same inventive concept, a data processing apparatus corresponding to the data processing method is also provided in the embodiments of the present disclosure, and since the principle of solving the problem of the apparatus in the embodiments of the present disclosure is similar to the data processing method in the embodiments of the present disclosure, the implementation of the apparatus may refer to the implementation of the method, and the repeated parts are not described again.
Referring to fig. 8, a schematic diagram of a data processing apparatus provided in an embodiment of the present disclosure is shown, where the apparatus includes:
an execution module 810, configured to obtain and execute a virtual machine task;
a first generating module 820, configured to generate a task log text corresponding to the virtual machine task;
a second generating module 830, configured to generate header information of an encrypted task log of the virtual machine task based on a hash value of a historical encrypted log and a first identity character corresponding to the virtual machine task; the historical encrypted log is an encrypted log of a previous historical task of the currently executed virtual machine task;
a third generating module 840, configured to generate, based on the header information and the task log text, first remote attestation information corresponding to the virtual machine task;
a fourth generating module 850, configured to splice the header information, the task log text, and the first remote attestation information, and generate an encrypted task log of the virtual machine task; the encrypted task log is used for proving the credibility of the text of the related task log.
In an optional implementation manner, the third generating module 840 is specifically configured to:
splicing the header file information and the task log text to obtain first verification information corresponding to the header file information;
and signing the hash value of the first verification information and the running environment information of the virtual machine by using physical hardware corresponding to the virtual machine to obtain first remote certification information.
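As an added illustration of the hash-chained encrypted task log produced by modules 830 to 850 above, and of the chain check described in the method summary (example code, not from the patent): the hardware signature is again simulated with HMAC-SHA256 under a constructed key, the splice of header, text and attestation is serialised as one JSON record, and the first log in a chain links to the hash of an empty byte string.

```python
"""Chained encrypted task logs: build them and verify the chain end to end.
Hardware signing is simulated; a real platform would sign with its attestation key."""
import hashlib
import hmac
import json

HARDWARE_SIGNING_KEY = b"constructed-hardware-attestation-key"  # constructed stand-in
EXPECTED_ENV = {"image_measurement": "constructed-measurement-0001"}


def hardware_sign(payload: bytes) -> bytes:
    """Stand-in for the signature produced by the physical hardware running the VM."""
    return hmac.new(HARDWARE_SIGNING_KEY, payload, hashlib.sha256).digest()


def hardware_verify(payload: bytes, signature: bytes) -> bool:
    """Stand-in for the hardware provider's signature-authentication service."""
    return hmac.compare_digest(hardware_sign(payload), signature)


def encode(obj: dict) -> bytes:
    """Canonical serialisation so builder and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True).encode()


def make_header(previous_log: bytes, identity_char: str) -> dict:
    """Module 830: hash of the previous encrypted log plus this task's identity character."""
    return {"prev_hash": hashlib.sha256(previous_log).hexdigest(), "identity": identity_char}


def first_remote_attestation(header: dict, log_text: str, env_info: dict) -> dict:
    """Module 840: splice header and text, hash the splice, sign hash + env info."""
    first_verification = encode(header) + log_text.encode()
    digest = hashlib.sha256(first_verification).hexdigest()
    payload = encode({"digest": digest, "env": env_info})
    return {"payload": payload.decode(), "signature": hardware_sign(payload).hex()}


def build_encrypted_task_log(previous_log: bytes, identity_char: str,
                             log_text: str, env_info: dict) -> bytes:
    """Module 850: the splice of header, text and attestation as one record."""
    header = make_header(previous_log, identity_char)
    attestation = first_remote_attestation(header, log_text, env_info)
    return encode({"header": header, "text": log_text, "attestation": attestation})


def build_chain(entries, env_info: dict):
    """Build a chain from (identity_char, log_text) pairs, each linking to its predecessor."""
    logs, previous = [], b""
    for identity_char, log_text in entries:
        previous = build_encrypted_task_log(previous, identity_char, log_text, env_info)
        logs.append(previous)
    return logs


def verify_chain(logs, expected_env: dict):
    """Return (True, n) if all n logs verify, else (False, index of the first bad log)."""
    previous = b""
    for index, raw in enumerate(logs):
        record = json.loads(raw)
        # Chain link: the header must commit to the hash of the preceding encrypted log,
        # so deleting, reordering or rewriting an earlier log breaks every later link.
        if record["header"]["prev_hash"] != hashlib.sha256(previous).hexdigest():
            return False, index
        payload = record["attestation"]["payload"].encode()
        signature = bytes.fromhex(record["attestation"]["signature"])
        if not hardware_verify(payload, signature):
            return False, index
        signed = json.loads(payload)
        # The signed digest must match the splice of this record's own header and text.
        splice = encode(record["header"]) + record["text"].encode()
        if signed["digest"] != hashlib.sha256(splice).hexdigest():
            return False, index
        if signed["env"] != expected_env:
            return False, index
        previous = raw
    return True, len(logs)


if __name__ == "__main__":
    chain = build_chain([("task-1", "configure runtime"), ("task-2", "load service image")],
                        EXPECTED_ENV)
    print("chain valid:", verify_chain(chain, EXPECTED_ENV))
```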
In an optional implementation manner, the executing module 810 is specifically configured to:
responding to a communication connection instruction, and determining a first communication certificate corresponding to a virtual machine based on a second identity character carried by the communication connection instruction and a first key corresponding to the current virtual machine;
sending the first communication certificate to a target communication terminal, and establishing communication connection with the target communication terminal after the target communication terminal successfully verifies the first communication certificate;
and acquiring the virtual machine task of the target communication terminal based on the communication connection.
In an optional embodiment, when determining the first communication credential corresponding to the virtual machine based on the second identity character carried in the communication connection instruction and the first key corresponding to the current virtual machine, the execution module 810 is configured to:
generating second verification information corresponding to a second identity character based on the second identity character carried by the communication connection instruction and a first secret key corresponding to the current virtual machine;
signing the second verification information and the running environment information of the virtual machine by using a signature key corresponding to physical hardware for running the virtual machine to obtain second remote certification information;
and determining a first communication certificate corresponding to the virtual machine based on the second remote attestation information and the first key.
In an optional embodiment, when generating second verification information corresponding to a second identity character based on the second identity character carried in the communication connection instruction and the first key corresponding to the current virtual machine, the execution module 810 is configured to:
splicing the second identity character with the first secret key to obtain initial second verification information;
and determining a hash value of the initial second verification information, and using the determined hash value as second verification information corresponding to the second identity character.
In an optional embodiment, the virtual machine task includes a loading task of a virtual service and/or a configuration task of the virtual service.
In an alternative embodiment, the executing module 810, when executing the virtual machine task, is configured to:
sending a key acquisition request to a key management end under the condition that the virtual machine task is a loading task of virtual service;
generating third verification information corresponding to the third identity character based on the third identity character fed back by the key management end and a second key corresponding to the current virtual machine;
signing the third verification information and the running environment information of the virtual machine by using physical hardware corresponding to the virtual machine to obtain third remote certification information;
determining a third communication certificate corresponding to the virtual machine based on the third remote attestation information and the second key;
sending the third communication certificate to the key management end, and acquiring a third key for decrypting the program to be loaded corresponding to the loading task from the key management end after the key management end successfully verifies the third communication certificate;
and loading the program to be loaded based on the third key.
The description of the processing flow of each module in the device and the interaction flow between the modules may refer to the related description in the above method embodiments, and will not be described in detail here.
Corresponding to the data processing method in fig. 1, an embodiment of the present disclosure further provides an electronic device 900, as shown in fig. 9, which is a schematic structural diagram of the electronic device 900 provided in the embodiment of the present disclosure, and includes:
a processor 91, a memory 92, and a bus 93. The memory 92 is used for storing execution instructions and includes an internal memory 921 and an external storage 922. The internal memory 921 is configured to temporarily store operation data in the processor 91 and data exchanged with the external storage 922, such as a hard disk; the processor 91 exchanges data with the external storage 922 through the internal memory 921. When the electronic device 900 operates, the processor 91 communicates with the memory 92 through the bus 93, so that the processor 91 executes the following instructions:
acquiring and executing a virtual machine task;
generating a task log text corresponding to the virtual machine task;
generating header file information of an encryption task log of the virtual machine task based on a hash value of a historical encryption log and a first identity character corresponding to the virtual machine task; the historical encrypted log is an encrypted log of a previous historical task of the currently executed virtual machine task;
generating first remote certification information corresponding to the virtual machine task based on the header file information and the task log text;
splicing the header file information, the task log text and the first remote certification information to generate an encrypted task log of the virtual machine task; the encrypted task log is used for proving the credibility of the text of the related task log.
In an alternative embodiment, in the instructions executed by the processor 91, the generating, based on the header information and the task log text, first remote attestation information corresponding to the virtual machine task includes:
splicing the header file information and the task log text to obtain first verification information corresponding to the header file information;
and signing the hash value of the first verification information and the running environment information of the virtual machine by using physical hardware corresponding to the virtual machine to obtain first remote certification information.
In an optional implementation manner, the obtaining the virtual machine task in the instruction executed by the processor 91 includes:
responding to a communication connection instruction, and determining a first communication certificate corresponding to a virtual machine based on a second identity character carried by the communication connection instruction and a first key corresponding to the current virtual machine;
sending the first communication certificate to a target communication terminal, and establishing communication connection with the target communication terminal after the target communication terminal successfully verifies the first communication certificate;
and acquiring the virtual machine task of the target communication terminal based on the communication connection.
In an optional implementation manner, in the instructions executed by the processor 91, the determining, based on the second identity character carried in the communication connection instruction and the first key corresponding to the current virtual machine, the first communication credential corresponding to the virtual machine includes:
generating second verification information corresponding to a second identity character based on the second identity character carried by the communication connection instruction and a first secret key corresponding to the current virtual machine;
signing the second verification information and the running environment information of the virtual machine by using a signature key corresponding to physical hardware for running the virtual machine to obtain second remote certification information;
and determining a first communication certificate corresponding to the virtual machine based on the second remote attestation information and the first key.
In an optional implementation manner, in an instruction executed by the processor 91, the generating, based on a second identity character carried in the communication connection instruction and a first key corresponding to a current virtual machine, second verification information corresponding to the second identity character includes:
splicing the second identity character with the first secret key to obtain initial second verification information;
and determining a hash value of the initial second verification information, and taking the determined hash value as second verification information corresponding to the second identity character.
In an optional embodiment, the virtual machine task includes a loading task of a virtual service and/or a configuration task of the virtual service.
In an alternative embodiment, the processor 91 executes instructions to perform virtual machine tasks, including:
sending a key acquisition request to a key management end under the condition that the virtual machine task is a loading task of virtual service;
generating third verification information corresponding to the third identity character based on the third identity character fed back by the key management end and a second key corresponding to the current virtual machine;
signing the third verification information and the running environment information of the virtual machine by using physical hardware corresponding to the virtual machine to obtain third remote certification information;
determining a third communication certificate corresponding to the virtual machine based on the third remote attestation information and the second secret key;
sending the third communication certificate to the key management end, and acquiring a third key for decrypting the program to be loaded corresponding to the loading task from the key management end after the key management end successfully verifies the third communication certificate;
and loading the program to be loaded based on the third key.
The embodiments of the present disclosure also provide a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the steps of the data processing method described in the above method embodiments. The storage medium may be a volatile or non-volatile computer-readable storage medium.
The embodiments of the present disclosure also provide a computer program product, where the computer program product carries a program code, and instructions included in the program code may be used to execute the steps of the data processing method in the foregoing method embodiments, which may be referred to specifically in the foregoing method embodiments, and are not described herein again.
The computer program product may be implemented by hardware, software or a combination thereof. In an alternative embodiment, the computer program product is embodied in a computer storage medium, and in another alternative embodiment, the computer program product is embodied in a software product, such as a Software Development Kit (SDK) or the like.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. In the several embodiments provided in the present disclosure, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some communication interfaces, indirect coupling or communication connection between devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present disclosure may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solutions of the present disclosure, which are essential or part of the technical solutions contributing to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present disclosure. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that: the above-mentioned embodiments are merely specific embodiments of the present disclosure, which are used to illustrate the technical solutions of the present disclosure, but not to limit the technical solutions, and the scope of the present disclosure is not limited thereto, and although the present disclosure is described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: any person skilled in the art can modify or easily conceive of the technical solutions described in the foregoing embodiments or equivalent technical features thereof within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present disclosure, and should be construed as being included therein. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (10)

1. A data processing method, comprising:
acquiring and executing a virtual machine task;
generating a task log text corresponding to the virtual machine task;
generating header file information of an encryption task log of the virtual machine task based on a hash value of a historical encryption log and a first identity character corresponding to the virtual machine task; the historical encrypted log is an encrypted log of a previous historical task of the currently executed virtual machine task;
generating first remote certification information corresponding to the virtual machine task based on the header file information and the task log text;
splicing the header file information, the task log text and the first remote certification information to generate an encrypted task log of the virtual machine task; the encrypted task log is used for proving the credibility of the text of the related task log.
2. The method of claim 1, wherein generating first remote attestation information corresponding to the virtual machine task based on the header information and the task log text comprises:
splicing the header file information and the task log text to obtain first verification information corresponding to the header file information;
and signing the hash value of the first verification information and the running environment information of the virtual machine by using physical hardware corresponding to the virtual machine to obtain first remote certification information.
3. The method of claim 1, wherein obtaining the virtual machine task comprises:
in response to a communication connection instruction, determining a first communication credential corresponding to the virtual machine based on a second identity string carried by the communication connection instruction and a first key corresponding to the current virtual machine;
sending the first communication credential to a target communication end, and establishing a communication connection with the target communication end after the target communication end has successfully verified the first communication credential;
and acquiring the virtual machine task from the target communication end over the communication connection.
4. The method of claim 3, wherein determining the first communication credential corresponding to the virtual machine based on the second identity string carried by the communication connection instruction and the first key corresponding to the current virtual machine comprises:
generating second verification information corresponding to the second identity string based on the second identity string carried by the communication connection instruction and the first key corresponding to the current virtual machine;
signing the second verification information together with the running environment information of the virtual machine, using a signing key corresponding to the physical hardware that runs the virtual machine, to obtain second remote attestation information;
and determining the first communication credential corresponding to the virtual machine based on the second remote attestation information and the first key.
5. The method of claim 4, wherein generating the second verification information corresponding to the second identity string based on the second identity string carried in the communication connection instruction and the first key corresponding to the current virtual machine comprises:
concatenating the second identity string with the first key to obtain initial second verification information;
and computing a hash value of the initial second verification information, and using the computed hash value as the second verification information corresponding to the second identity string.
6. The method of claim 1, wherein the virtual machine task comprises a loading task of a virtual service and/or a configuration task of a virtual service.
7. The method of claim 6, wherein executing the virtual machine task comprises:
sending a key acquisition request to a key management end when the virtual machine task is a loading task of a virtual service;
generating third verification information corresponding to a third identity string based on the third identity string fed back by the key management end and a second key corresponding to the current virtual machine;
signing the third verification information together with the running environment information of the virtual machine, using the physical hardware corresponding to the virtual machine, to obtain third remote attestation information;
determining a third communication credential corresponding to the virtual machine based on the third remote attestation information and the second key;
sending the third communication credential to the key management end, and, after the key management end has successfully verified the third communication credential, acquiring from the key management end a third key for decrypting the program to be loaded that corresponds to the loading task;
and loading the program to be loaded based on the third key.
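The credential construction of claims 3 to 5 and its reuse in claim 7 are one mechanism: the peer supplies an identity string, the VM hashes it together with its key, the hardware signs that hash with the running environment information, and the peer verifies before trusting the VM. Below, as an added example written for this page rather than code from the patent or its applicant, the exchange of claim 7 is run with both sides: the key management end issues the identity string as a random challenge, the VM answers with the credential, the key management end releases the program key only after verification, and the VM decrypts the program to be loaded. Assumptions: the VM's "second key" is modelled as the VM's own Ed25519 public key; an Ed25519 key stands in for the physical hardware's signing key; the key management end's policy is a single expected environment value; AES-256-GCM is my choice for the sealed program image; the connection over which the key travels (claim 3) is not modelled; the challenge, program key and image are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// attestMsg is what the hardware key signs: the verification information of claim 5,
// SHA-256(challenge || vmPub), then the environment information. Both hashed fields are fixed-length.
func attestMsg(challenge []byte, vmPub ed25519.PublicKey, env []byte) []byte {
	info := sha256.Sum256(append(append([]byte{}, challenge...), vmPub...))
	return append(info[:], env...)
}

type Credential struct { // communication credential of claims 4 and 7
	VMPub       ed25519.PublicKey // assumed meaning of the "first/second key": the VM's own public key
	Env         []byte            // running environment information the VM reports
	Attestation []byte            // hardware signature over attestMsg
}

// MakeCredential is the VM side; hwKey stands in for the physical hardware's signing key.
func MakeCredential(hwKey ed25519.PrivateKey, vmPub ed25519.PublicKey, env, challenge []byte) Credential {
	return Credential{VMPub: vmPub, Env: env, Attestation: ed25519.Sign(hwKey, attestMsg(challenge, vmPub, env))}
}

// VerifyCredential is the verifier side (target communication end or key management end). It rebuilds
// the signed message from its own challenge, so a credential recorded for an earlier challenge fails.
func VerifyCredential(hwPub ed25519.PublicKey, policyEnv, challenge []byte, c Credential) error {
	if !bytes.Equal(c.Env, policyEnv) {
		return fmt.Errorf("running environment does not match policy")
	}
	if !ed25519.Verify(hwPub, attestMsg(challenge, c.VMPub, c.Env), c.Attestation) {
		return fmt.Errorf("attestation signature invalid for this challenge")
	}
	return nil
}

// ReleaseKey is the key management end: the "third key" is handed out only after the credential verifies.
func ReleaseKey(programKey []byte, hwPub ed25519.PublicKey, policyEnv, challenge []byte, c Credential) ([]byte, error) {
	if err := VerifyCredential(hwPub, policyEnv, challenge, c); err != nil {
		return nil, err
	}
	return programKey, nil
}

// aead wraps a 32-byte key as AES-256-GCM (my choice; the patent names no cipher).
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block size
	return g
}

// LoadProgram is the last step of claim 7: decrypt the program to be loaded. Layout: nonce || ciphertext || tag.
func LoadProgram(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed image too short")
}

// Demo runs the exchange end to end, then replays the credential against a fresh challenge.
func Demo() (image []byte, replayErr error) {
	hwPub, hwKey, _ := ed25519.GenerateKey(rand.Reader) // hardware attestation key (stand-in)
	vmPub, _, _ := ed25519.GenerateKey(rand.Reader)     // the VM's own key
	env := []byte("vm-measurement:constructed-example")
	programKey := randBytes(32)
	nonce := randBytes(12)
	sealed := aead(programKey).Seal(nonce, nonce, []byte("constructed program image bytes"), nil)
	challenge := randBytes(16)                           // KMS -> VM: fresh identity string
	cred := MakeCredential(hwKey, vmPub, env, challenge) // VM -> KMS: credential
	key, err := ReleaseKey(programKey, hwPub, env, challenge, cred)
	if err != nil {
		panic(err)
	}
	if image, err = LoadProgram(key, sealed); err != nil {
		panic(err)
	}
	_, replayErr = ReleaseKey(programKey, hwPub, env, randBytes(16), cred) // old credential, new challenge
	return image, replayErr
}
```

The identity string fed back by the key management end must be fresh per request: the signed message includes it, so a credential recorded from one request fails against the next challenge (the replay case in Demo). If the string were fixed, a captured credential would unlock the key indefinitely, even from a VM whose environment has since changed.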
8. A data processing apparatus, comprising:
an execution module, configured to acquire and execute a virtual machine task;
a first generation module, configured to generate a task log text corresponding to the virtual machine task;
a second generation module, configured to generate header information of an encrypted task log of the virtual machine task based on a hash value of a historical encrypted log and a first identity string corresponding to the virtual machine task, the historical encrypted log being the encrypted log of the historical task that precedes the currently executed virtual machine task;
a third generation module, configured to generate, based on the header information and the task log text, first remote attestation information corresponding to the virtual machine task;
and a fourth generation module, configured to concatenate the header information, the task log text and the first remote attestation information to generate the encrypted task log of the virtual machine task, the encrypted task log being used to prove the trustworthiness of the associated task log text.
9. An electronic device, comprising a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when the electronic device is in operation, and the machine-readable instructions, when executed by the processor, performing the steps of the data processing method of any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, performing the steps of the data processing method of any one of claims 1 to 7.
CN202211732134.3A 2022-12-30 2022-12-30 Data processing method and device, electronic equipment and storage medium Active CN115934258B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211732134.3A CN115934258B (en) 2022-12-30 2022-12-30 Data processing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115934258A true CN115934258A (en) 2023-04-07
CN115934258B CN115934258B (en) 2024-08-30

Family

ID=86552462

Country Status (1)

Country Link
CN (1) CN115934258B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101816148A (en) * 2007-08-06 2010-08-25 伯纳德·德莫森纳特 System and method for authentication, data transfer and protection against phishing
US9172738B1 (en) * 2003-05-08 2015-10-27 Dynamic Mesh Networks, Inc. Collaborative logistics ecosystem: an extensible framework for collaborative logistics
CN105262592A (en) * 2015-09-18 2016-01-20 浪潮(北京)电子信息产业有限公司 Data interaction method and API interface
US20160330236A1 (en) * 2015-05-08 2016-11-10 Citrix Systems, Inc. Combining internet routing information with access logs to assess risk of user exposure
CN110245489A (en) * 2019-05-20 2019-09-17 阿里巴巴集团控股有限公司 Receipt storage method, node and system based on plaintext log
CN110457898A (en) * 2019-07-29 2019-11-15 阿里巴巴集团控股有限公司 Operation record storage method, apparatus and device based on a trusted execution environment

Similar Documents

Publication Publication Date Title
US8799997B2 (en) Secure network cloud architecture
EP2278514A1 (en) System and method for providing secure virtual machines
CN111708991A (en) Service authorization method, service authorization device, computer equipment and storage medium
CN110737897B (en) Method and system for boot measurement based on a trusted card
CN110770729B (en) Method and apparatus for proving integrity of virtual machine
CN105099705B (en) Secure communication method and system based on the USB protocol
CN106790045B (en) Distributed virtual machine agent apparatus based on a cloud environment and data integrity guarantee method
CN107294710B (en) Key migration method and apparatus for vTPM 2.0
Kreutz et al. ANCHOR: Logically centralized security for software-defined networks
CN110874478A (en) Key processing method and device, storage medium and processor
CN113014444A (en) Internet of Things device production test system and security protection method
CN111901304B (en) Registration method and apparatus for a mobile security device, storage medium and electronic device
KR20170089352A (en) Firmware integrity verification for a virtualization system
CN105786588A (en) Remote authentication method for a cleanroom trusted virtual machine monitor
JP2018117185A (en) Information processing apparatus, information processing method
US20220131856A1 (en) Remote Attestation Method and Apparatus
Ullrich et al. Vacuums in the cloud: Analyzing security in a hardened IoT ecosystem
CN107026729B (en) Method and device for transmitting software
CN115934258B (en) Data processing method and device, electronic equipment and storage medium
Ott et al. Universal Remote Attestation for Cloud and Edge Platforms
CN115348077A (en) Virtual machine encryption method, device, equipment and storage medium
Girtler et al. Component integrity guarantees in software-defined networking infrastructure
CN117121435A (en) Connection-resilient multi-factor authentication
CN112000935B (en) Remote authentication method, device, system, storage medium and computer equipment
Pedone et al. Trusted computing technology and proposals for resolving cloud computing security problems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant