CN117519900A - Data encryption protection method based on trusted virtualization environment - Google Patents
- Publication number
- CN117519900A (application number CN202311473554.9A)
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- data
- trusted
- management end
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Abstract
The invention relates to a data encryption protection method based on a trusted virtualization environment and belongs to the field of data security. The method is based on an asymmetric encryption system: each user holds a public-private key pair, the user's public key is stored by the trusted virtual machine management end, and the private key is stored by the user. A user public key pool and a user virtual machine serial number mapping table are built at the trusted virtual machine management end and used for user identity authentication, encrypted data transmission and encrypted data storage. Trusted virtual machines of different users can only establish a communication connection after identity authentication through the trusted virtual machine management end. Under this mechanism each user manages their own private key, which relieves the secure-storage burden placed on the key management system in conventional methods, and the method provides comprehensive encryption protection for user shared data, user private data and communication data between virtual machines in the trusted virtualization environment.
Description
Technical Field
The invention belongs to the field of data security, and particularly relates to a data encryption protection method based on a trusted virtualization environment.
Background
Virtualization technology shares server resources, but it also brings more serious security threats. In particular, the large volume of data shared in a virtualized environment and the data of different users stored in different places are easy targets for network attacks, so data security faces a great challenge. In a trusted virtualization environment, the user shared data and user private data held in cloud storage are important objects of protection, and the encryption of communication data between user virtual machines matters just as much. The common approach is to address data security in terms of data encryption and decryption, key management, access control and transmission security based on the identity characteristics of the user.
One existing data protection method and system for a trusted cloud environment works as follows. When data is generated, the user, the application system and the platform system encrypt it in turn with their respective encryption keys, and when the data is used it is decrypted in the reverse order to restore it to a readable state. This triple encryption mechanism based on the user, the application system and the platform system can secure the data interaction between the application system of a user virtual machine and the platform system, but it offers no protection for communication data between different user virtual machines, and the multi-key encryption adds new challenges to key management.
In addition, a full-flow data encryption protection method and system for a big data platform have been proposed. The system comprises an encryption and decryption algorithm module, a key management system and a big data component. When the big data component issues an encryption or decryption request to the algorithm module, the module obtains the key from the key management system and completes the request. This method relies on the key management system for identity authentication and can prevent data from being used by illegitimate users, but the key management system itself faces a large security challenge, and the key is not encrypted while it is transmitted between the key management system and the encryption and decryption algorithm module, so there is a risk that the key is intercepted.
Disclosure of Invention
(I) Technical problem to be solved
The invention aims to provide a data encryption protection method based on a trusted virtualization environment so as to solve the problem of difficult key management in the prior art.
(II) Technical solution
To solve the above technical problem, the present invention provides a data encryption protection method based on a trusted virtualization environment. The method is based on a data encryption protection system comprising a client, a trusted virtual machine management end, a trusted virtual machine and cloud storage, and comprises the following steps:
S11, a user virtual machine initiates a data storage or reading request to the trusted virtual machine management end; there are four request types: a shared data storage request, a shared data read request, a private data storage request and a private data read request;
S12, the trusted virtual machine management end judges whether the user virtual machine's request is a storage service or a reading service through the service identifier;
S13, the trusted virtual machine management end judges whether the request concerns shared data or private data through the data type identifier;
S14, the trusted virtual machine management end performs the corresponding storage or reading operation according to the service identifier and the data type identifier;
S15, for the data reading service, after the user virtual machine receives the encrypted data, it decrypts the data with the user's private key;
S16, the data storage/reading interaction between the user virtual machine and the trusted virtual machine management end ends.
Further, the data encryption protection system performs data encryption and identity authentication based on an asymmetric encryption system; each user has a public-private key pair, and the trusted virtual machine management end has its own public-private key pair; the public key is used for data encryption and identity authentication, the private key for data decryption and digital signature; the trusted virtual machine management end also stores the public keys of all users, forming a user public key pool.
Further, a user initiates virtual machine creation, shutdown and restart requests to the trusted virtual machine management end through the client. Each user can have several trusted virtual machines, and each trusted virtual machine is identified by a unique serial number. A user's public key together with the serial numbers of the trusted virtual machines created for that user forms the virtual machine serial number mapping table, which is stored at the trusted virtual machine management end, so that the management end can find all of a user's virtual machines in the mapping table through the user's public key. The trusted virtual machine management end is the data relay of the system, responsible for receiving and distributing data: when it receives a data storage or reading request it stores the encrypted data in cloud storage or reads the relevant data from cloud storage. It also manages and controls the establishment of communication between trusted virtual machines of different users, verifying the user identities of both trusted virtual machines and forwarding the communication establishment mode.
Further, in S11 the data is encrypted for storage as follows:
shared data storage request: the user virtual machine encrypts the data with the public key of the trusted virtual machine management end and sends the encrypted data to the management end;
private data storage request: the user virtual machine encrypts the private data with the user's own public key and sends it to the trusted virtual machine management end.
Further, in S14 each service is processed as follows:
shared data storage service: the trusted virtual machine management end stores the shared data, still encrypted under the management end's public key, in the cloud storage data center;
private data storage service: the user virtual machine encrypts the generated private data with the user's public key, uses the hash of the user's public key combined with a timestamp as the key of the private data, and sends the key-value pair to the trusted virtual machine management end, which stores the key-value pair in cloud storage as received;
shared data read service: the trusted virtual machine management end reads the encrypted data from the cloud storage data center, decrypts it with the management end's private key, re-encrypts it with the requesting user's public key and sends it to the requesting user's virtual machine, so that the data is in an encrypted state on both transmission legs;
private data read service: to read private data from cloud storage, the user virtual machine encrypts the key of the stored key-value pair with the public key of the trusted virtual machine management end and sends it to the management end; the management end decrypts the key with its own private key, uses it to index the corresponding private data in cloud storage and returns that data to the user virtual machine.
The invention also provides a data encryption protection method based on a trusted virtualization environment. The method is based on a data encryption protection system comprising a client, a trusted virtual machine management end, a trusted virtual machine and cloud storage, and comprises the following steps:
S21, trusted virtual machine 1 requests the trusted virtual machine management end to establish a communication connection with trusted virtual machine 2;
S22, the trusted virtual machine management end performs identity authentication on virtual machine 1 and virtual machine 2;
S23, the identity authentication result is judged;
if authentication of either virtual machine 1 or virtual machine 2 fails, the communication establishment flow between the virtual machines ends; if identity authentication succeeds, the flow continues;
S24, the trusted virtual machine management end sends the identity authentication information of virtual machine 1 and the communication establishment mode to virtual machine 2.
The trusted virtual machine management end encrypts the identity authentication information of virtual machine 1 and the communication establishment mode with the public key of virtual machine 2's user, and digitally signs with the management end's private key so that the data cannot be replaced;
S25, after receiving the message, virtual machine 2 verifies and decrypts it and decides, according to its own application state, when to establish contact;
virtual machine 2 verifies the message with the management end's public key, then decrypts the data with its own private key, stores the communication establishment mode for virtual machine 1, and decides on its own when to establish communication with virtual machine 1;
S26, virtual machine 2 encrypts data with the public key of virtual machine 1 and sends the encrypted data to virtual machine 1;
S27, virtual machine 1 encrypts the response message with the public key of virtual machine 2's user, and the communication connection establishment is complete.
Further, the data encryption protection system performs data encryption and identity authentication based on an asymmetric encryption system; each user has a public-private key pair, and the trusted virtual machine management end has its own public-private key pair; the public key is used for data encryption and identity authentication, the private key for data decryption and digital signature; the trusted virtual machine management end also stores the public keys of all users, forming a user public key pool.
Further, a user initiates virtual machine creation, shutdown and restart requests to the trusted virtual machine management end through the client. Each user can have several trusted virtual machines, and each trusted virtual machine is identified by a unique serial number. A user's public key together with the serial numbers of the trusted virtual machines created for that user forms the virtual machine serial number mapping table, which is stored at the trusted virtual machine management end, so that the management end can find all of a user's virtual machines in the mapping table through the user's public key. The trusted virtual machine management end is the data relay of the system, responsible for receiving and distributing data: when it receives a data storage or reading request it stores the encrypted data in cloud storage or reads the relevant data from cloud storage. It also manages and controls the establishment of communication between trusted virtual machines of different users, verifying the user identities of both trusted virtual machines and forwarding the communication establishment mode.
Further, step S21 specifically comprises: trusted virtual machine 1 packages the serial numbers of trusted virtual machine 1 and virtual machine 2, the public key of its user and the communication establishment mode, encrypts the packet with the public key of the trusted virtual machine management end, and digitally signs it with the private key of trusted virtual machine 1 (its user's private key), so that the data packet cannot be replaced.
Further, step S22 specifically comprises: after receiving the message, the trusted virtual machine management end verifies the signature with the public key of virtual machine 1, then decrypts the message with the management end's private key, and authenticates the identities of virtual machine 1 and virtual machine 2 against the user public key pool and the virtual machine serial number mapping table held at the management end.
(III) Beneficial effects
The invention provides a data encryption protection method based on a trusted virtualization environment. A user public key pool and a user virtual machine serial number mapping table are built at the trusted virtual machine management end and used for user identity authentication, encrypted data transmission and encrypted data storage. Trusted virtual machines of different users can only establish a communication connection after identity authentication through the trusted virtual machine management end. Under this mechanism each user manages their own private key, which relieves the secure-storage burden placed on the key management system in conventional methods, and the method provides comprehensive encryption protection for user shared data, user private data and communication data between virtual machines in the trusted virtualization environment.
Drawings
FIG. 1 is a diagram of a system architecture of the present invention;
FIG. 2 is a flow chart of an embodiment of the data security transmission of the present invention;
FIG. 3 is a flow chart of an embodiment of establishing communication between different user virtual machines according to the present invention.
Detailed Description
To make the objects, content and advantages of the present invention clearer, the invention is described in detail below with reference to the accompanying drawings and embodiments.
The invention aims to provide a data encryption protection method in a trusted virtualization environment that solves the key management difficulties of common methods and comprehensively encrypts and protects the data exchanged between a user virtual machine and the platform and between different user virtual machines.
FIG. 1 is a diagram of the system architecture of the present invention. As shown in FIG. 1, the data encryption protection system of the present invention comprises a client, a trusted virtual machine management end, a trusted virtual machine and cloud storage.
The data encryption protection system performs data encryption and identity authentication based on an asymmetric encryption system. Each user has a public-private key pair, and the trusted virtual machine management end has its own public-private key pair. The public key is used for data encryption and identity authentication, the private key for data decryption and digital signature. The trusted virtual machine management end also stores the public keys of all users, forming a user public key pool. A user initiates virtual machine creation, shutdown and restart requests to the trusted virtual machine management end through the client. Each user can have several trusted virtual machines, and each trusted virtual machine is identified by a unique serial number. A user's public key together with the serial numbers of the trusted virtual machines created for that user forms the virtual machine serial number mapping table, which is stored at the trusted virtual machine management end, so that the management end can find all of a user's virtual machines in the mapping table through the user's public key. The trusted virtual machine management end is the data relay of the system, responsible for receiving and distributing data: when it receives a data storage or reading request it stores the encrypted data in cloud storage or reads the relevant data from cloud storage. It also manages and controls the establishment of communication between trusted virtual machines of different users, verifying the user identities of both trusted virtual machines and forwarding the communication establishment mode.
FIG. 2 is a flow chart of an embodiment of the secure data transmission of the present invention. Data transmission in the trusted virtualization environment covers two scenarios: storage and reading of a user's shared data in cloud storage, and storage and reading of a user's private data in cloud storage. The encryption protection method for the data transmission process comprises the following steps:
S11, the user virtual machine initiates a data storage or reading request to the trusted virtual machine management end. There are four request types: a shared data storage request, a shared data read request, a private data storage request and a private data read request. The data is encrypted for storage as follows:
Shared data storage request: the user virtual machine encrypts the data with the public key of the trusted virtual machine management end and sends the encrypted data to the management end.
Private data storage request: the user virtual machine encrypts the private data with the user's own public key and sends it to the trusted virtual machine management end.
S12, the trusted virtual machine management end judges whether the user virtual machine's request is a storage service or a reading service through the service identifier.
S13, the trusted virtual machine management end judges whether the request concerns shared data or private data through the data type identifier.
S14, the trusted virtual machine management end performs the corresponding storage or reading operation according to the service identifier and the data type identifier.
Shared data storage service: the trusted virtual machine management end stores the shared data, still encrypted under the management end's public key, in the cloud storage data center.
Private data storage service: the user virtual machine encrypts the generated private data with the user's public key, uses the hash of the user's public key combined with a timestamp as the key of the private data, and sends the key-value pair to the trusted virtual machine management end, which stores the key-value pair in cloud storage as received.
Shared data read service: the trusted virtual machine management end reads the encrypted data from the cloud storage data center, decrypts it with the management end's private key, re-encrypts it with the requesting user's public key and sends it to the requesting user's virtual machine, so that the data is in an encrypted state on both transmission legs.
Private data read service: to read private data from cloud storage, the user virtual machine encrypts the key of the stored key-value pair with the public key of the trusted virtual machine management end and sends it to the management end; the management end decrypts the key with its own private key, uses it to index the corresponding private data in cloud storage and returns that data to the user virtual machine.
S15, for the data reading service, after the user virtual machine receives the encrypted data, it decrypts the data with the user's private key.
S16, the data storage/reading interaction between the user virtual machine and the trusted virtual machine management end ends.
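The four request types of S11 to S16 (given in the technical solution above and repeated in this embodiment), as an added worked example in Go; this is not code from the patent. It assumes RSA-OAEP wherever the text says "encrypt with the public key", SHA-256 over the DER-encoded public key followed by the decimal timestamp as the private-data key, a plaintext name as the index for shared data, the hex DER encoding of a public key as the lookup key of the user public key pool, and in-memory maps for the pool and the cloud storage. It also adds two checks the text implies but does not spell out: a shared read from a public key that is not in the pool is refused, and an unknown service or data-type identifier is refused.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// ManagementEnd holds the management key pair, the user public key pool (keyed by KeyID) and cloud storage, both in-memory maps here.
type ManagementEnd struct {
	Priv  *rsa.PrivateKey
	pool  map[string]*rsa.PublicKey
	cloud map[string][]byte
}
func NewManagementEnd() *ManagementEnd {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // GenerateKey fails only if the system RNG does
	return &ManagementEnd{k, map[string]*rsa.PublicKey{}, map[string][]byte{}}
}
// NewUser creates a user key pair; the public half goes into the pool, the private half stays with the user.
func NewUser(m *ManagementEnd) *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	m.pool[KeyID(&k.PublicKey)] = &k.PublicKey
	return k
}
// KeyID is the hex DER encoding of a public key, used as the pool's lookup key (an assumed identifier).
func KeyID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return hex.EncodeToString(der)
}
// Encrypt is RSA-OAEP, which caps a message at 190 bytes with a 2048-bit key; the patent says only "encrypt with the public key", so bulk data would in practice go under a symmetric key wrapped this way.
func Encrypt(pub *rsa.PublicKey, msg []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	if err != nil {
		panic(err)
	}
	return ct
}
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// Handle is the management end's dispatch on the service identifier ("store"/"read") and the data-type identifier
// ("shared"/"private") of a request (S12 to S14). userID names the requester's key in the pool; key is the storage index: a name
// for shared data (assumed; the patent does not say how shared data is addressed), the hash key for a private store, or that hash encrypted to the management end for a private read.
func (m *ManagementEnd) Handle(service, dtype, userID string, key, payload []byte) ([]byte, error) {
	switch service + "/" + dtype {
	case "store/shared", "store/private": // arrives already encrypted (to the management end, or to the owner); stored as received
		m.cloud[dtype+"/"+hex.EncodeToString(key)] = payload
	case "read/shared": // decrypt with the management private key, re-encrypt to the requester
		pub, ok := m.pool[userID]
		if !ok {
			return nil, errors.New("requester's public key is not in the pool")
		}
		pt, err := Decrypt(m.Priv, m.cloud["shared/"+hex.EncodeToString(key)]) // an absent name gives a nil ciphertext, which fails to decrypt
		if err != nil {
			return nil, err
		}
		return Encrypt(pub, pt), nil
	case "read/private": // decrypt only the index key; the stored ciphertext goes back untouched
		idx, err := Decrypt(m.Priv, key)
		if err != nil {
			return nil, err
		}
		if ct, ok := m.cloud["private/"+hex.EncodeToString(idx)]; ok {
			return ct, nil
		}
		return nil, errors.New("no such private data")
	default:
		return nil, fmt.Errorf("unknown request %s/%s", service, dtype)
	}
	return nil, nil
}

// Store is the user side of both storage requests (S11): shared data is encrypted to the management end and indexed by name; private data is encrypted to the owner and indexed by the hash of the owner's public key and a timestamp. It returns the index key.
func Store(m *ManagementEnd, user *rsa.PrivateKey, dtype, name string, ts int64, data []byte) ([]byte, error) {
	pub, key := &m.Priv.PublicKey, []byte(name) // the user side only ever uses the management end's public half
	if dtype == "private" {
		sum := sha256.Sum256([]byte(KeyID(&user.PublicKey) + strconv.FormatInt(ts, 10)))
		pub, key = &user.PublicKey, sum[:]
	}
	_, err := m.Handle("store", dtype, "", key, Encrypt(pub, data))
	return key, err
}
// Read is the user side of both read requests: a private index key travels encrypted to the management end, and in both cases the user VM finishes by decrypting with its own private key (S15).
func Read(m *ManagementEnd, user *rsa.PrivateKey, dtype string, key []byte) ([]byte, error) {
	if dtype == "private" {
		key = Encrypt(&m.Priv.PublicKey, key)
	}
	ct, err := m.Handle("read", dtype, KeyID(&user.PublicKey), key, nil)
	if err != nil {
		return nil, err
	}
	return Decrypt(user, ct)
}
```

Two consequences of the key choices are visible directly: the management end decrypts shared data on every read, so it sees shared plaintext and must be trusted for it, whereas a private key-value pair is stored and returned as opaque ciphertext that only the owner's private key opens. The management end does not check who requests a private key-value pair, and the patent does not ask it to; confidentiality of private data rests on the owner's private key alone. RSA-OAEP with a 2048-bit key accepts at most 190 bytes, so a deployment would encrypt payloads with a symmetric key and wrap that key with the public keys used here.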
FIG. 3 is a flow chart of an embodiment of establishing communication between virtual machines of different users according to the present invention. In the trusted virtualization environment, when the virtual machines of two users need to establish a communication connection, identity authentication is carried out through the trusted virtual machine management end and the messages are digitally signed with private keys, so that the communication establishment data cannot be replaced. The specific steps are as follows:
S21, trusted virtual machine 1 requests the trusted virtual machine management end to establish a communication connection with trusted virtual machine 2.
Trusted virtual machine 1 packages the serial numbers of trusted virtual machine 1 and virtual machine 2, the public key of its user and the communication establishment mode, encrypts the packet with the public key of the trusted virtual machine management end, and digitally signs it with the private key of trusted virtual machine 1 (its user's private key), so that the data packet cannot be replaced.
S22, the trusted virtual machine management end performs identity authentication on virtual machine 1 and virtual machine 2.
After receiving the message, the trusted virtual machine management end verifies the signature with the public key of virtual machine 1, then decrypts the message with the management end's private key, and authenticates the identities of virtual machine 1 and virtual machine 2 against the user public key pool and the virtual machine serial number mapping table held at the management end.
S23, the identity authentication result is judged.
If authentication of either virtual machine 1 or virtual machine 2 fails, the communication establishment flow between the virtual machines ends. If identity authentication succeeds, the flow continues.
S24, the trusted virtual machine management end sends the identity authentication information of virtual machine 1 and the communication establishment mode to virtual machine 2.
The trusted virtual machine management end encrypts the identity authentication information of virtual machine 1 and the communication establishment mode with the public key of virtual machine 2's user, and digitally signs with the management end's private key so that the data cannot be replaced.
S25, after receiving the message, virtual machine 2 first verifies and decrypts it, then decides, according to its own application state, when to establish contact.
Virtual machine 2 verifies the message with the management end's public key, then decrypts the data with its own private key, stores the communication establishment mode for virtual machine 1, and decides on its own when to establish communication with virtual machine 1.
S26, virtual machine 2 encrypts data with the public key of virtual machine 1 and sends the encrypted data to virtual machine 1.
S27, virtual machine 1 encrypts the response message with the public key of virtual machine 2's user, and the communication connection establishment is complete.
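Steps S21 to S25 between virtual machine 1, the management end and virtual machine 2 (given in the technical solution above and repeated in this embodiment), as an added Go example; it is not the patent's code. It assumes RSA-OAEP for encryption and RSA-PSS for the digital signature, with the sender signing the ciphertext (encrypt, then sign, the order of S21 and S24) and the receiver verifying before decrypting (the order of S22 and S25); a "|"-separated packet format; the SHA-256 fingerprint of the user's public key in place of the key itself inside packets, so that a packet fits under the OAEP size limit, with the management end resolving fingerprints through its pool; and the mapping table as a map from virtual machine serial number to the fingerprint of the owning user. S26 and S27 are plain public-key encryption to the peer's key with the same EncryptOAEP call and are not repeated.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
)

// Envelope is a packet encrypted to its receiver and then signed by its sender, the order used in S21 and S24.
type Envelope struct{ Ciphertext, Sig []byte }
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // GenerateKey fails only if the system RNG does
	return k
}
// Fingerprint (SHA-256 of the DER public key) stands in for the key inside packets, an assumption that keeps a packet under RSA-OAEP's 190-byte limit for 2048-bit keys.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der))
}
// Seal encrypts to the receiver's public key, then signs the ciphertext with the sender's private key (RSA-PSS).
func Seal(to *rsa.PublicKey, from *rsa.PrivateKey, msg string) Envelope {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, []byte(msg), nil)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256(ct)
	sig, _ := rsa.SignPSS(rand.Reader, from, crypto.SHA256, h[:], nil)
	return Envelope{ct, sig}
}
// Open verifies the signature before decrypting (S22, S25); a replaced or re-signed packet fails here.
func Open(me *rsa.PrivateKey, from *rsa.PublicKey, e Envelope) (string, error) {
	h := sha256.Sum256(e.Ciphertext)
	if err := rsa.VerifyPSS(from, crypto.SHA256, h[:], e.Sig, nil); err != nil {
		return "", errors.New("signature check failed: packet replaced or not from the expected sender")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, me, e.Ciphertext, nil)
	return string(pt), err
}

// ManagementEnd keeps the user public key pool (fingerprint -> key) and the virtual machine serial number mapping table (serial -> fingerprint of the owning user).
type ManagementEnd struct {
	Priv  *rsa.PrivateKey
	pool  map[string]*rsa.PublicKey
	table map[string]string
}
func NewManagementEnd() *ManagementEnd { return &ManagementEnd{NewKey(), map[string]*rsa.PublicKey{}, map[string]string{}} }
// VM is one trusted virtual machine of one user; it holds only that user's private key and the management public key.
type VM struct {
	Serial  string
	Priv    *rsa.PrivateKey
	MgmtPub *rsa.PublicKey
}
// CreateVM is the user's "create virtual machine" request: the new serial number is recorded under the owner's key.
func (m *ManagementEnd) CreateVM(owner *rsa.PrivateKey, serial string) VM {
	fp := Fingerprint(&owner.PublicKey)
	m.pool[fp] = &owner.PublicKey
	m.table[serial] = fp
	return VM{serial, owner, &m.Priv.PublicKey}
}
// Request is S21: both serial numbers, the user's key (as fingerprint) and the proposed mode, "|"-separated (an assumed wire format).
func (v VM) Request(peer, mode string) Envelope {
	return Seal(v.MgmtPub, v.Priv, strings.Join([]string{v.Serial, peer, Fingerprint(&v.Priv.PublicKey), mode}, "|"))
}
// Connect is S22 to S24: verify with VM1's key, decrypt, check both VMs against the pool and the mapping table, then notify VM2 under VM2's key, signed by the management end.
func (m *ManagementEnd) Connect(fromSerial string, e Envelope) (Envelope, error) {
	fp1, ok := m.table[fromSerial]
	if !ok {
		return Envelope{}, errors.New("requesting VM is not in the mapping table")
	}
	msg, err := Open(m.Priv, m.pool[fp1], e) // S22: verify under the key the table says owns VM1
	if err != nil {
		return Envelope{}, err
	}
	f := strings.SplitN(msg, "|", 4)
	if len(f) != 4 || f[0] != fromSerial || f[2] != fp1 { // S23: the packet's claims must match the table
		return Envelope{}, errors.New("VM1's claimed identity does not match the mapping table")
	}
	fp2, ok := m.table[f[1]]
	if !ok {
		return Envelope{}, errors.New("VM2 is not a registered virtual machine")
	}
	return Seal(m.pool[fp2], m.Priv, strings.Join([]string{f[0], fp1, f[3]}, "|")), nil // S24
}
// Accept is S25: verify with the management public key, decrypt with VM2's private key; returns VM1's serial and the mode for VM2 to keep until it decides to connect.
func (v VM) Accept(e Envelope) (string, string, error) {
	msg, err := Open(v.Priv, v.MgmtPub, e)
	if err != nil {
		return "", "", err
	}
	if f := strings.SplitN(msg, "|", 3); len(f) == 3 {
		return f[0], f[2], nil
	}
	return "", "", errors.New("malformed notification")
}
```

The S23 decision is the three checks in Connect: the requesting serial number must be in the mapping table, the packet must verify under the public key that the table entry names, and the public key claimed inside the packet must be that same key; only then is virtual machine 2 looked up. Altering a single ciphertext byte fails signature verification before any decryption is attempted, which is what the signing in S21 and S24 buys. The notification carries only virtual machine 1's identity; how virtual machine 2 obtains virtual machine 1's public key for S26 is not specified by the patent, and this example does not address it.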
The method is based on an asymmetric encryption system: each user holds a public-private key pair, the user's public key is stored by the trusted virtual machine management end, and the private key is stored by the user. A user public key pool and a user virtual machine serial number mapping table are built at the trusted virtual machine management end and used for user identity authentication, encrypted data transmission and encrypted data storage. Trusted virtual machines of different users can only establish a communication connection after identity authentication through the trusted virtual machine management end. Under this mechanism each user manages their own private key, which relieves the secure-storage burden placed on the key management system in conventional methods, and the method provides comprehensive encryption protection for user shared data, user private data and communication data between virtual machines in the trusted virtualization environment.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.
Claims (10)
1. A data encryption protection method based on a trusted virtualization environment, characterized in that the method is based on a data encryption protection system comprising a client, a trusted virtual machine management end, a trusted virtual machine and cloud storage, and comprises the following steps:
S11, a user virtual machine initiates a data storage or reading request to the trusted virtual machine management end; there are four request types: a shared data storage request, a shared data read request, a private data storage request and a private data read request;
S12, the trusted virtual machine management end judges whether the user virtual machine's request is a storage service or a reading service through the service identifier;
S13, the trusted virtual machine management end judges whether the request concerns shared data or private data through the data type identifier;
S14, the trusted virtual machine management end performs the corresponding storage or reading operation according to the service identifier and the data type identifier;
S15, for the data reading service, after the user virtual machine receives the encrypted data, it decrypts the data with the user's private key;
S16, the data storage/reading interaction between the user virtual machine and the trusted virtual machine management end ends.
2. The data encryption protection method based on the trusted virtualization environment according to claim 1, wherein the data encryption protection system performs data encryption and identity authentication based on an asymmetric encryption system; each user needs a public and private key pair, and the trusted virtual machine management end also has its own public and private key pair; the public key is used for data encryption and identity authentication, the private key for data decryption and digital signature; the trusted virtual machine management end also stores the public keys of all users, forming a user public key pool.
3. The data encryption protection method based on the trusted virtualization environment according to claim 2, wherein a user initiates virtual machine creation, shutdown and restart requests to the trusted virtual machine management end through a client; each user can own several trusted virtual machines, each identified by a unique serial number; the user's public key and the serial numbers of the trusted virtual machines created for that user form a virtual machine serial number mapping table, which is stored at the trusted virtual machine management end, so that the management end can find all of a user's created virtual machines in the mapping table through the user's public key; the trusted virtual machine management end is the data transfer station of the system and is responsible for receiving and distributing data: when it receives a data storage or reading request, it encrypts and stores the data into cloud storage or reads the relevant data from cloud storage; the trusted virtual machine management end also manages and controls communication establishment between the trusted virtual machines of different users, verifying the user identities of the two trusted virtual machines and forwarding the communication establishment mode.
4. The data encryption protection method based on the trusted virtualization environment according to claim 3, wherein in S11 the data storage requests are encrypted as follows:
shared data storage request: the user virtual machine encrypts data by using the public key of the trusted virtual machine management end and sends the encrypted data to the trusted virtual machine management end;
private data storage request: the user virtual machine encrypts private data by using the public key and sends the private data to the trusted virtual machine management end.
5. The data encryption protection method based on the trusted virtualization environment according to claim 4, wherein in S14 each service is processed as follows:
shared data storage service: the trusted virtual machine management end stores the shared data encrypted by the public key of the trusted virtual machine management end into a cloud storage data center;
private data storage service: the user virtual machine encrypts the generated private data by using the public key of the user, uses the combined hash of the public key of the user and the timestamp as a key of the private data, sends the key-value to the trusted virtual machine management end, and the trusted virtual machine management end also stores the key-value in the cloud storage after receiving the data;
shared data read service: the trusted virtual machine management end reads the encrypted data from the cloud storage data center, decrypts it with its own private key, re-encrypts it with the public key of the requesting user, and sends it to the requesting user's virtual machine, so that the data remains encrypted on both legs of the transmission;
private data read service: when a user virtual machine reads private data from cloud storage, it encrypts the key under which the private data was stored with the public key of the trusted virtual machine management end and transmits it to the management end; after receiving the encrypted key, the trusted virtual machine management end decrypts it with its own private key, uses the key to index the corresponding private data in cloud storage, and transmits that data back to the user virtual machine.
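The four storage and reading services of claims 4 and 5, written out as an added Go example; this is not code from the patent, and every identifier in it (`ManagementEnd`, `UserVM`, `CloudStore`, `StoreShared`, `ReadShared`, `StorePrivate`, `ReadPrivate`, `privateObjectKey`) is this example's own. It assumes RSA-OAEP with SHA-256 as the asymmetric cipher (the claims fix none), an in-memory map standing in for the cloud storage data center, a caller-chosen name for shared objects, and SHA-256 over the modulus bytes concatenated with the timestamp string as the "combined hash of the public key and the timestamp" that keys private data. The functions are meant to be driven from a small caller or a test; what they make visible is where each decryption can and cannot happen.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CloudStore stands in for the cloud storage data center (constructed here):
// a key/value store that only ever holds ciphertext.
type CloudStore map[string][]byte

// ManagementEnd relays between user virtual machines and the cloud store and
// holds the management end's own key pair.
type ManagementEnd struct {
	priv  *rsa.PrivateKey
	cloud CloudStore
}

// UserVM holds the user's key pair; the private key never leaves the VM.
type UserVM struct{ priv *rsa.PrivateKey }

// The claims fix no cipher; RSA-OAEP with SHA-256 is this example's choice.
func encrypt(pub *rsa.PublicKey, pt []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)
}

func decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// StoreShared (claims 4 and 5): the VM encrypts under the management end's
// public key and the management end stores that ciphertext unchanged. The
// object name is an assumption; the claims do not say how shared data is keyed.
func StoreShared(vm *UserVM, m *ManagementEnd, name string, data []byte) error {
	ct, err := encrypt(&m.priv.PublicKey, data)
	if err != nil {
		return err
	}
	m.cloud[name] = ct
	return nil
}

// ReadShared (claim 5, S15): the management end decrypts with its private key
// and re-encrypts under the requesting user's public key, so both legs of the
// transfer carry ciphertext; any user may read shared data this way.
func ReadShared(vm *UserVM, m *ManagementEnd, name string) ([]byte, error) {
	ct, ok := m.cloud[name]
	if !ok {
		return nil, errors.New("no such shared object")
	}
	pt, err := decrypt(m.priv, ct)
	if err != nil {
		return nil, err
	}
	forUser, err := encrypt(&vm.priv.PublicKey, pt)
	if err != nil {
		return nil, err
	}
	return decrypt(vm.priv, forUser)
}

// privateObjectKey is claim 5's "combined hash of the public key and the
// timestamp"; hashing modulus||timestamp with SHA-256 is an assumption.
func privateObjectKey(pub *rsa.PublicKey, timestamp string) string {
	return fmt.Sprintf("%x", sha256.Sum256(append(pub.N.Bytes(), timestamp...)))
}

// StorePrivate (claims 4 and 5): the VM encrypts under the user's own public
// key, so only the user's private key can open it; the management end merely
// stores the key-value pair it receives.
func StorePrivate(vm *UserVM, m *ManagementEnd, timestamp string, data []byte) (string, error) {
	key := privateObjectKey(&vm.priv.PublicKey, timestamp)
	ct, err := encrypt(&vm.priv.PublicKey, data)
	if err != nil {
		return "", err
	}
	m.cloud[key] = ct
	return key, nil
}

// ReadPrivate (claim 5): the key travels encrypted under the management end's
// public key; the management end decrypts it, looks the value up and returns
// it still encrypted, and only the user's private key opens it.
func ReadPrivate(vm *UserVM, m *ManagementEnd, key string) ([]byte, error) {
	sealedKey, err := encrypt(&m.priv.PublicKey, []byte(key))
	if err != nil {
		return nil, err
	}
	k, err := decrypt(m.priv, sealedKey)
	if err != nil {
		return nil, err
	}
	ct, ok := m.cloud[string(k)]
	if !ok {
		return nil, errors.New("no such private object")
	}
	return decrypt(vm.priv, ct)
}
```

The asymmetry the claims rely on is easy to check with these functions: the management end can decrypt shared objects (it has to, in order to re-encrypt them for the reader) but gets a decryption error on any private object, and a second user can read shared data through the management end but cannot open another user's private object even when it knows the key. RSA-OAEP also bounds the plaintext to a few hundred bytes per object at 2048 bits, which is why a deployment would wrap a symmetric key this way rather than the data itself.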
6. A data encryption protection method based on a trusted virtualization environment, characterized in that the cloud storage system comprises a client, a trusted virtual machine management end, a trusted virtual machine and cloud storage, and the method comprises the following steps:
s21, the trusted virtual machine 1 requests the trusted virtual machine management end to establish a communication connection with the trusted virtual machine 2;
s22, the trusted virtual machine management end performs identity authentication on virtual machine 1 and virtual machine 2;
s23, the identity authentication result is judged:
if the authentication of either virtual machine 1 or virtual machine 2 fails, the communication establishment flow between the virtual machines ends; if the identity authentication succeeds, the flow continues;
s24, the trusted virtual machine management end sends the identity authentication information of virtual machine 1 and the communication establishment mode to virtual machine 2;
the trusted virtual machine management end encrypts the identity authentication information and the communication establishment mode of virtual machine 1 with the user public key of virtual machine 2, and digitally signs them with the private key of the virtual machine management end to prevent the data from being replaced;
s25, after receiving the message, virtual machine 2 verifies and decrypts it, and chooses when to establish contact according to the application's circumstances on that virtual machine;
virtual machine 2 verifies the message with the public key of the management end, then decrypts the data with its own private key, stores the method for establishing communication with virtual machine 1, and determines on its own when to establish communication with virtual machine 1;
s26, virtual machine 2 encrypts data with the public key of virtual machine 1 and sends the encrypted data to virtual machine 1;
s27, virtual machine 1 encrypts the response message with the public key of the user of virtual machine 2, and communication connection establishment is complete.
7. The data encryption protection method based on the trusted virtualization environment according to claim 6, wherein the data encryption protection system performs data encryption and identity authentication based on an asymmetric encryption system; each user needs a public and private key pair, and the trusted virtual machine management end also has its own public and private key pair; the public key is used for data encryption and identity authentication, the private key for data decryption and digital signature; the trusted virtual machine management end also stores the public keys of all users, forming a user public key pool.
8. The data encryption protection method based on the trusted virtualization environment according to claim 7, wherein a user initiates virtual machine creation, shutdown and restart requests to the trusted virtual machine management end through a client; each user can own several trusted virtual machines, each identified by a unique serial number; the user's public key and the serial numbers of the trusted virtual machines created for that user form a virtual machine serial number mapping table, which is stored at the trusted virtual machine management end, so that the management end can find all of a user's created virtual machines in the mapping table through the user's public key; the trusted virtual machine management end is the data transfer station of the system and is responsible for receiving and distributing data: when it receives a data storage or reading request, it encrypts and stores the data into cloud storage or reads the relevant data from cloud storage; the trusted virtual machine management end also manages and controls communication establishment between the trusted virtual machines of different users, verifying the user identities of the two trusted virtual machines and forwarding the communication establishment mode.
9. The data encryption protection method based on the trusted virtualization environment according to claim 8, wherein S21 specifically comprises: the trusted virtual machine 1 packages the serial numbers of the trusted virtual machine 1 and the virtual machine 2, the public key of the user and the communication establishment mode, encrypts the data with the public key of the trusted virtual machine management end, and digitally signs it with the private key of the trusted virtual machine, so that the data packet is prevented from being replaced.
10. The data encryption protection method based on the trusted virtualization environment according to claim 9, wherein step S22 specifically comprises: after receiving the message, the trusted virtual machine management end verifies it with the public key of virtual machine 1, then decrypts it with the private key of the management end, and authenticates the identities of virtual machine 1 and virtual machine 2 using the user public key pool and the virtual machine serial number mapping table of the trusted virtual machine management end.
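The request, authentication and forwarding steps S21 to S25, which claims 9 and 10 spell out, as an added Go example; it is not the patent's own code, and every identifier (`Payload`, `Packet`, `VM`, `Management`, `Request`, `Authenticate`, `Accept`, `seal`, `open`, `fingerprint`) belongs to this example. Its assumptions: RSA-OAEP for encryption and RSA-PSS for the digital signatures (the claims name neither), a JSON payload, a clear-text sender field so the management end knows which pool key verifies the signature, the user's public key carried as a SHA-256 fingerprint of its modulus (a raw 2048-bit key does not fit one OAEP block), and the serial number mapping table held inverted (serial to owner) for direct lookup. It stops after S25, where virtual machine 2 stores the communication mode; S26 and S27 are then ordinary public-key encryption between the two machines.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Payload is the S21 message: both serial numbers, the requesting user's public
// key (as a fingerprint, an assumption here) and the proposed communication mode.
type Payload struct{ From, To, UserKey, Mode string }

// Packet seals a Payload: Body is RSA-OAEP ciphertext of its JSON form, Sig an
// RSA-PSS signature over Body, and Sender (in the clear) names whose key verifies Sig.
type Packet struct {
	Sender    string
	Body, Sig []byte
}

// VM is a trusted virtual machine: serial, owner's key pair, accepted modes by peer serial.
type VM struct {
	Serial string
	User   *rsa.PrivateKey
	Peers  map[string]Payload
}

// Management holds the management end's key pair, the user public key pool (by
// fingerprint) and the serial number mapping table, inverted here as serial -> owner.
type Management struct {
	Priv  *rsa.PrivateKey
	Pool  map[string]*rsa.PublicKey
	Table map[string]string
}

func fingerprint(pub *rsa.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub.N.Bytes()))
}

// seal encrypts to the recipient and signs the ciphertext as the sender (claim 9, S24).
func seal(sender string, to *rsa.PublicKey, from *rsa.PrivateKey, v Payload) (*Packet, error) {
	pt, _ := json.Marshal(v)
	body, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, pt, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, from, crypto.SHA256, h[:], nil)
	return &Packet{Sender: sender, Body: body, Sig: sig}, err
}

// open verifies with the sender's public key before decrypting anything (claim 10, S25).
func open(p *Packet, senderPub *rsa.PublicKey, my *rsa.PrivateKey, r *Payload) error {
	h := sha256.Sum256(p.Body)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], p.Sig, nil); err != nil {
		return err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, my, p.Body, nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(pt, r)
}

// Request is S21: VM 1 packages the serials, its user's key and the mode.
func (vm *VM) Request(m *Management, peer, mode string) (*Packet, error) {
	r := Payload{From: vm.Serial, To: peer, UserKey: fingerprint(&vm.User.PublicKey), Mode: mode}
	return seal(vm.Serial, &m.Priv.PublicKey, vm.User, r)
}

// Authenticate is S22/S23: verify and decrypt, check the claimed serial and user
// key against table and pool, check VM 2 is registered, then build the S24 packet.
func (m *Management) Authenticate(p *Packet) (*Packet, error) {
	fp, ok := m.Table[p.Sender]
	if !ok || m.Pool[fp] == nil {
		return nil, errors.New("virtual machine 1: unknown serial number")
	}
	var r Payload
	if err := open(p, m.Pool[fp], m.Priv, &r); err != nil || r.From != p.Sender || r.UserKey != fp {
		return nil, errors.New("virtual machine 1: identity authentication failed")
	}
	peerFP, ok := m.Table[r.To]
	if !ok || m.Pool[peerFP] == nil {
		return nil, errors.New("virtual machine 2: identity authentication failed")
	}
	return seal("mgmt", m.Pool[peerFP], m.Priv, r)
}

// Accept is S25: VM 2 verifies the management end's signature, decrypts, and stores the mode.
func (vm *VM) Accept(m *Management, p *Packet) error {
	var r Payload
	if err := open(p, &m.Priv.PublicKey, vm.User, &r); err != nil {
		return err
	}
	vm.Peers[r.From] = r
	return nil
}
```

The order inside `open` is the point of claim 10: the signature is checked before anything is decrypted, so a packet with a bad or forged signature is discarded without exercising the private key. `Authenticate` then requires the clear-text sender, the serial inside the payload, the signing key and the pool entry for that serial to agree, which is what stops one user from presenting another user's virtual machine serial as its own, and a request naming an unregistered peer fails at the second lookup rather than being forwarded.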
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311473554.9A CN117519900A (en) | 2023-11-07 | 2023-11-07 | Data encryption protection method based on trusted virtualization environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117519900A true CN117519900A (en) | 2024-02-06 |
Family
ID=89756050
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |