CN104717235B - A virtual machine resource detection method - Google Patents

A virtual machine resource detection method

Info

Publication number
CN104717235B
Authority
CN
China
Prior art keywords
virtual machine
configuration information
service provider
cloud service
provider server
Prior art date
Legal status
Active
Application number
CN201310674591.6A
Other languages
Chinese (zh)
Other versions
CN104717235A (en)
Inventor
卢永忠
韩臻
刘刚
刘丰
纪方
Current Assignee
MINISTRY OF RAILWAYS INFORMATION TECHNOLOGY CENTER
Original Assignee
MINISTRY OF RAILWAYS INFORMATION TECHNOLOGY CENTER

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0882 Utilisation of link capacity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/15 Use in a specific computing environment
    • G06F2212/151 Emulated environment, e.g. virtual machine

Abstract

The invention discloses a virtual machine resource detection method. In any client, a resource request is initiated to the cloud service provider server according to a demand inventory; when the virtual machine resource returned in response is received, the real configuration information of the virtual machine corresponding to the UUID carried in the virtual machine resource forwarded by the management platform is obtained, and that real configuration information is used to determine the credibility of the virtual machine resource returned by the cloud service provider server. In this way the credibility of the virtual machine resource returned by the cloud service provider server can be confirmed.

Description

A virtual machine resource detection method
Technical field
The present invention relates to the field of communication technology, and in particular to a virtual machine resource detection method.
Background technology
Cloud computing is a model for the increase, use and delivery of internet-based services, and usually involves providing dynamically scalable and often virtualized resources over the internet. "Cloud" is a metaphor for the network or the internet. In the past a cloud was often drawn in diagrams to represent the telecommunications network; later it was also used to represent an abstraction of the internet and the underlying infrastructure.
In the narrow sense, cloud computing refers to the delivery and usage model of IT infrastructure, in which the required resources are obtained over the network in an on-demand, easily scalable way; in the broad sense, cloud computing refers to the delivery and usage model of services, in which the required services are obtained over the network in an on-demand, easily scalable way. Such services may be IT and software services, internet-related services, or other services. It means that computing capability can also be circulated over the internet as a commodity.
Trusted computing is a research hotspot in the current information security field, and the attestation problem is one of the most important problems in trusted computing, because trust is based on proof: only by proving can a trust relationship be established in an untrusted environment.
The rapid development of trusted computing technology at home and abroad has also driven continuous deepening of research on the attestation problem. The scope of this work is very broad: from computing platforms to application programs, from overall architecture to specific protocols, from upper-layer systems to underlying hardware, all have been incorporated into research on trusted attestation.
The concept of remote attestation proposed by the TCG has made research on the attestation problem a frontier focus in the information security field. In the TCG specifications, attestation is one of the three basic characteristics of a trusted computing platform. The present invention extends the concept of trustworthiness to satisfy trusted attestation between a virtual machine and a user.
In cloud computing services, a user pays to use the service, but the user has no way to obtain the quality of the service or the authenticity of the configuration information of the virtual machine.
The content of the invention
In view of this, the present invention provides a virtual machine resource detection method that is able to confirm the credibility of the virtual machine resource returned by the cloud service provider server.
To solve the above technical problem, the technical solution of the invention is realised as follows:
A virtual machine resource detection method, applied to a system including a cloud service provider server, a management platform and multiple clients, where the cloud service provider server configures multiple virtual machines, and where the management platform, on receiving the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, verifies, decrypts and stores it; the method includes:
when any client initiates a resource request to the cloud service provider server according to a demand inventory, the resource request is forwarded to the cloud service provider server by the management platform;
when the client receives, forwarded by the management platform, the virtual machine resource returned by the cloud service provider server in response to the received resource request, it obtains from the management platform the stored configuration information of the virtual machine corresponding to the UUID carried in the returned virtual machine resource;
the client matches the demand inventory used to send the resource request against the obtained configuration information according to preset rules; if the match succeeds, the returned virtual machine resource is determined to be credible; otherwise, the returned virtual machine resource is determined to be not credible.
In summary, in any client the present invention initiates a resource request to the cloud service provider server according to a demand inventory and, when the virtual machine resource returned in response is received, obtains the real configuration information of the virtual machine corresponding to the UUID carried in the virtual machine resource forwarded by the management platform, and uses that real configuration information to determine the credibility of the virtual machine resource returned by the cloud service provider server; in this way the credibility of the virtual machine resource returned by the cloud service provider server can be confirmed.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the virtual machine resource detection method in a specific embodiment of the invention.
Embodiment
In order to make the objects, technical solutions and advantages of the present invention clearer, the solution of the present invention is described in further detail below with reference to the drawings and embodiments.
The embodiment of the present invention proposes a virtual machine resource detection method applied to a system including a cloud service provider server, a management platform and multiple clients. The cloud service provider server signs and encrypts the configuration information of each configured virtual machine and sends it to the management platform for storage. Any client initiates a resource request to the cloud service provider server according to a demand inventory; when it receives the virtual machine resource returned in response, it obtains the real configuration information of the virtual machine corresponding to the Universally Unique Identifier (UUID) carried in the virtual machine resource forwarded by the management platform, and uses that real configuration information to determine the credibility of the virtual machine resource returned by the cloud service provider server. In this way, whether the virtual machine resource returned by the cloud service provider server is credible can be confirmed.
In the specific embodiment of the invention, the management platform may be a device added to the system at the cloud service provider's side to implement the management platform function, or it may be implemented by an existing server at the cloud service provider's side.
The cloud service provider server configures multiple virtual machines; a physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured in each configured virtual machine.
The cloud service provider server obtains the configuration information of each configured virtual machine through the configured physical machine trusted agent and calls the signature function of the hardware trusted platform module (TPM) to sign the configuration information of each virtual machine; the virtual machine trusted agent configured in each virtual machine verifies the configuration information of its virtual machine signed by the physical machine trusted agent, applies the configuration information, calls the signature function of the virtual trusted platform module (vTPM) to sign it, and sends the configuration information signed by the vTPM signature function to the management platform after encrypting it.
The encryption may use the user password as the key.
When the management platform receives the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, it verifies, decrypts and stores it.
Take as an example a cloud service provider server on which three virtual machines are configured: virtual machine 1, virtual machine 2 and virtual machine 3. One physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured for each of the three virtual machines: virtual machine trusted agent 1, virtual machine trusted agent 2 and virtual machine trusted agent 3.
The cloud service provider server treats the configuration information of all virtual machines in the same way; the processing of the configuration information of one of them, virtual machine 1, is taken as an example to illustrate the procedure.
The cloud service provider server obtains the configuration information P of virtual machine 1 through the configured physical machine trusted agent and calls the hardware TPM signature function to sign P; the signed P is denoted P1, i.e. the configuration information P is signed with the TPM signing key AIKp, and the signed configuration information is sent to virtual machine 1.
The virtual machine trusted agent of virtual machine 1 receives P1, verifies the physical machine signature, and applies the configuration information P; it calls the vTPM signature function of virtual machine 1 to sign P1, and the configuration information signed by the vTPM signature function is denoted P2. It then calls the encryption function with the user password as the key, and the configuration information obtained by encrypting P2 is denoted P3. P3 is sent to the management platform.
When the management platform receives P3 sent by the cloud service provider, it verifies the signatures, decrypts P3 to obtain the actual configuration information P, and stores it.
When the cloud service provider server perceives that the configuration information of any virtual machine has changed, it obtains the changed configuration information of that virtual machine through the configured physical machine trusted agent and calls the hardware TPM signature function to sign the changed configuration information of that virtual machine; after the virtual machine trusted agent configured for that virtual machine verifies the changed configuration information signed by the physical machine trusted agent, it applies the changed configuration information, calls the vTPM signature function configured for that virtual machine to sign it, and sends the changed configuration information signed by the vTPM signature function to the management platform after encrypting it;
When the management platform receives the encrypted changed configuration information sent by the cloud service provider server, after verification and decryption it uses the changed configuration information to update the stored configuration information of the corresponding virtual machine.
If, for example, the cloud service provider server perceives that the configuration information of virtual machine 1 has changed, the changed part is denoted Px; the physical machine trusted agent calls the physical machine TPM signature function to sign Px, and after the changed configuration information Px has been signed with the TPM signing key AIKp the result is denoted Px1.
The virtual machine trusted agent of virtual machine 1 receives Px1, verifies the physical machine signature, and applies the changed configuration information Px; it calls the vTPM signature function to sign Px1, and the configuration information signed by the vTPM signature function is denoted Px2. It then calls the encryption function to encrypt Px2 with the user password as the key, and sends the encrypted changed configuration information Px3 to the management platform.
The management platform receives Px3, verifies the signatures, and decrypts Px3 to obtain the changed configuration information Px. When verifying the signatures it verifies both the TPM signature and the vTPM signature; after verification succeeds, it decrypts the changed configuration information Px3 with the user key to obtain Px, and uses the changed configuration information Px3 to update the locally stored configuration information of virtual machine 1.
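The chain described above (P signed by the physical TPM into P1, signed by the vTPM into P2, encrypted under the user password into P3, then verified, decrypted and stored by the management platform, with the same path for a change Px) as an added Python example; this is not the patent's own code. It assumes that HMAC-SHA256 stands in for the asymmetric TPM and vTPM signatures, that PBKDF2 plus an HMAC counter-mode keystream stands in for the patent's unspecified encryption function, and that the keys, the UUID "vm-1", the password and the configuration values are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-ins for the physical TPM signing key AIKp and the per-VM vTPM keys.
# HMAC-SHA256 replaces the asymmetric TPM/vTPM signatures of the patent, so the
# management platform in this simulation holds the same secrets as the signers;
# with real TPMs it would hold only the public halves.
AIK_P = b"constructed-physical-tpm-aik"
VTPM_KEYS = {"vm-1": b"constructed-vtpm-key-vm-1"}
USER_PASSWORD = "constructed-user-password"  # the patent's encryption key


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for the patent's unspecified cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += mac(key, nonce + block.to_bytes(4, "big"))
        block += 1
    return out[:length]


def encrypt(password, plaintext):
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + bytes(a ^ b for a, b in zip(plaintext, keystream(key, salt, len(plaintext))))


def decrypt(password, blob):
    salt, body = blob[:16], blob[16:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return bytes(a ^ b for a, b in zip(body, keystream(key, salt, len(body))))


def encode(config):
    return json.dumps(config, sort_keys=True).encode()


def physical_agent_sign(config):
    """Provider side: the physical machine trusted agent turns P into P1 (TPM signature)."""
    p = encode(config)
    return {"P": p, "sig_tpm": mac(AIK_P, p)}


def vm_agent_process(vm_uuid, p1, password):
    """VM trusted agent: verify the TPM signature, sign with the vTPM (P2), encrypt (P3)."""
    if not hmac.compare_digest(p1["sig_tpm"], mac(AIK_P, p1["P"])):
        raise ValueError("physical TPM signature invalid; configuration not applied")
    # Applying the configuration inside the VM would happen here (not modelled).
    sig_vtpm = mac(VTPM_KEYS[vm_uuid], p1["P"] + p1["sig_tpm"])
    p2 = {"uuid": vm_uuid, "P": p1["P"].hex(), "sig_tpm": p1["sig_tpm"].hex(),
          "sig_vtpm": sig_vtpm.hex()}
    return encrypt(password, json.dumps(p2).encode())  # P3


class ManagementPlatform:
    """Decrypts P3, verifies both signatures, and stores configuration keyed by UUID."""

    def __init__(self, password):
        self.password = password
        self.store = {}  # uuid -> real configuration information

    def receive(self, p3):
        try:
            fields = json.loads(decrypt(self.password, p3))
            p = bytes.fromhex(fields["P"])
            sig_tpm = bytes.fromhex(fields["sig_tpm"])
            sig_vtpm = bytes.fromhex(fields["sig_vtpm"])
            vtpm_key = VTPM_KEYS[fields["uuid"]]
        except (ValueError, KeyError, TypeError):
            return False  # wrong key, corrupted blob or unknown VM: nothing stored
        ok_tpm = hmac.compare_digest(sig_tpm, mac(AIK_P, p))
        ok_vtpm = hmac.compare_digest(sig_vtpm, mac(vtpm_key, p + sig_tpm))
        if not (ok_tpm and ok_vtpm):
            return False
        # A change record Px carries only the changed items, so merge it into the stored P.
        self.store.setdefault(fields["uuid"], {}).update(json.loads(p))
        return True

    def configuration_of(self, vm_uuid):
        return self.store.get(vm_uuid)


def demo():
    platform = ManagementPlatform(USER_PASSWORD)
    # Constructed initial configuration P of virtual machine 1
    p1 = physical_agent_sign({"cpu": 2, "memory_gb": 4, "disk_gb": 100})
    platform.receive(vm_agent_process("vm-1", p1, USER_PASSWORD))
    # Constructed change Px: only the changed item is signed, encrypted and sent
    platform.receive(vm_agent_process("vm-1", physical_agent_sign({"cpu": 3}), USER_PASSWORD))
    # A P1 whose body was altered after TPM signing is refused by the VM agent
    try:
        vm_agent_process("vm-1", dict(p1, P=encode({"cpu": 8})), USER_PASSWORD)
    except ValueError:
        pass
    # A P3 encrypted under a different password does not decrypt and is not stored
    platform.receive(vm_agent_process("vm-1", p1, "wrong-password"))
    return platform.configuration_of("vm-1")
```

The store is only written after decryption and both signature checks succeed, so a message that fails at any stage leaves the record the client will later compare against unchanged; the VM agent likewise refuses to apply a configuration whose physical-machine signature does not verify.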
Referring to Fig. 1, which is a schematic flow chart of the virtual machine resource detection method in the specific embodiment of the invention, the specific steps are:
Step 101: when any client initiates a resource request to the cloud service provider server according to a demand inventory, the resource request is forwarded to the cloud service provider server by the management platform.
Any client may initiate a resource request to the cloud service provider whenever it needs resources. The resources required by the client, such as 2 CPUs, a hard disk and so on, form a demand inventory.
For example, the client may send the request through a local web page; after the management platform receives it, it is forwarded to the cloud service provider server.
When the cloud service provider server receives the client's resource request, it allocates a virtual machine resource to the client according to the content of the resource request and responds with it.
Step 102: when the client receives, forwarded by the management platform, the virtual machine resource returned by the cloud service provider server in response to the received resource request, it obtains from the management platform the stored configuration information of the virtual machine corresponding to the UUID carried in the returned virtual machine resource.
When the management platform receives the virtual machine resource returned by the cloud service provider in response to the client, it forwards it to the client, where it is displayed through the web page.
When the cloud service provider server responds with the virtual machine resource, it carries a UUID identifying which virtual machine it is. The client obtains from the management platform, through the web interface, the configuration information of the virtual machine corresponding to the UUID.
The obtained configuration information is the real configuration information of the virtual machine: it is signed with the TPM and vTPM, which guarantees its authenticity, and encryption is used during transmission, which guarantees its confidentiality.
Step 103: the client matches the demand inventory used to send the resource request against the obtained configuration information according to preset rules; if the match succeeds, the returned virtual machine resource is determined to be credible; otherwise, the returned virtual machine resource is determined to be not credible.
In a specific implementation, the preset rule used for matching may be an exact match or a match within a certain range. For example, if the inventory specifies two CPUs and the configuration information of the virtual machine shows three CPUs, this is regarded as a successful match. The criterion for a successful match is that the virtual machine resource provided is able to satisfy the resources needed by the client.
In summary, in any client the present invention initiates a resource request to the cloud service provider server according to a demand inventory and, when the virtual machine resource returned in response is received, obtains the real configuration information of the virtual machine corresponding to the UUID carried in the virtual machine resource forwarded by the management platform, and uses that real configuration information to determine the credibility of the virtual machine resource returned by the cloud service provider server; in this way the credibility of the virtual machine resource returned by the cloud service provider server can be confirmed.
In a specific implementation of the invention, the real configuration information is sent to the management platform through the trusted agents; during transmission the configuration information is signed with the TPM and vTPM, which guarantees its authenticity, and encryption is used, which guarantees its confidentiality. In a cloud computing service system the client used by the cloud user is not fixed; it may be a notebook computer, a tablet or even a mobile phone, so the computing capability of the client is limited. The invention therefore adds the management platform, which can verify the signatures and decrypt the configuration information of the virtual machines, reducing the computation required of the client.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (4)

1. A virtual machine resource detection method, characterised in that it is applied to a system including a cloud service provider server, a management platform and multiple clients, where the cloud service provider server configures multiple virtual machines, and where the management platform, on receiving the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, verifies, decrypts and stores it; the method includes:
when any client initiates a resource request to the cloud service provider server according to a demand inventory, the resource request is forwarded to the cloud service provider server by the management platform;
when the client receives, forwarded by the management platform, the virtual machine resource returned by the cloud service provider server in response to the received resource request, it obtains from the management platform the stored configuration information of the virtual machine corresponding to the universally unique identifier UUID carried in the returned virtual machine resource;
the client matches the demand inventory used to send the resource request against the obtained configuration information according to preset rules; if the match succeeds, the returned virtual machine resource is determined to be credible; otherwise, the returned virtual machine resource is determined to be not credible.
2. The method according to claim 1, characterised in that a physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured in each configured virtual machine;
the cloud service provider server obtains the configuration information of each configured virtual machine through the configured physical machine trusted agent and calls the signature function of the hardware trusted platform module TPM to sign the configuration information of each virtual machine; the virtual machine trusted agent configured in each virtual machine verifies the configuration information of its virtual machine signed by the physical machine trusted agent, applies the configuration information, calls the signature function of the virtual trusted platform module vTPM to sign it, and sends the configuration information signed by the vTPM signature function to the management platform after encrypting it.
3. The method according to claim 2, characterised in that encrypting the configuration information signed by the vTPM signature function includes:
encrypting the configuration information signed by the vTPM signature function using the user password as the key.
4. The method according to claim 2 or 3, characterised in that the method further includes:
when the cloud service provider server perceives that the configuration information of any virtual machine has changed, it obtains the changed configuration information of that virtual machine through the configured physical machine trusted agent and calls the hardware TPM signature function to sign the changed configuration information of that virtual machine; after the virtual machine trusted agent configured for that virtual machine verifies the changed configuration information signed by the physical machine trusted agent, it applies the changed configuration information, calls the vTPM signature function configured for that virtual machine to sign it, and sends the changed configuration information signed by the vTPM signature function to the management platform after encrypting it;
when the management platform receives the encrypted changed configuration information sent by the cloud service provider server, after verification and decryption it uses the changed configuration information to update the stored configuration information of the corresponding virtual machine.
Application CN201310674591.6A, priority date 2013-12-11, filing date 2013-12-11: A virtual machine resource detection method (granted as CN104717235B, active)
Publications (2)

Publication Number Publication Date
CN104717235A CN104717235A (en) 2015-06-17
CN104717235B true CN104717235B (en) 2018-01-02
