CN104717235B - Virtual machine resource detection method - Google Patents
Virtual machine resource detection method
- Publication number: CN104717235B (application CN201310674591.6A)
- Authority: CN (China)
- Prior art keywords
- virtual machine
- configuration information
- service provider
- cloud service
- provider server
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols; H04L67/10 Protocols in which an application is distributed across nodes in the network)
- H04L43/0876: Network utilisation, e.g. volume of load or congestion level (under H04L43/00 Arrangements for monitoring or testing data switching networks; H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters)
- H04L43/0882: Utilisation of link capacity (under H04L43/0876)
- G06F2212/151: Emulated environment, e.g. virtual machine (under G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures; G06F2212/15 Use in a specific computing environment)

The H04L entries sit under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication); the G06F entry sits under G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing).
Abstract
The invention discloses a virtual machine resource detection method. Any client initiates a resource request to the cloud service provider server according to its demand inventory. When it receives the virtual machine resource returned in response, it uses the UUID carried in the virtual machine resource forwarded by the management platform to obtain the real configuration information of the corresponding virtual machine, and uses that real configuration information to determine whether the virtual machine resource returned by the cloud service provider server is credible. The client can therefore confirm the credibility of the virtual machine resource returned by the cloud service provider server.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a virtual machine resource detection method.
Background art
Cloud computing is a model for the growth, use and delivery of Internet-based services, usually involving dynamically scalable and often virtualised resources provided over the Internet. "Cloud" is a metaphor for the network or the Internet: in the past the cloud symbol stood for the telecommunications network in diagrams, and later it came to represent the Internet and its underlying infrastructure as an abstraction.

In the narrow sense, cloud computing is a delivery and usage model for IT infrastructure in which the required resources are obtained over the network on demand and in an easily scalable way. In the broad sense, it is a delivery and usage model for services in which the required services are obtained over the network on demand and in an easily scalable way; such services may be IT or software services, Internet-related services or other services. It means that computing capability can also circulate over the Internet as a commodity.

Trusted computing is a research hotspot in the field of information security, and the attestation (proof) problem is one of its most important problems, because trust is built on proof: only by proving can a trust relationship be established in an untrusted environment. The rapid development of trusted computing technology at home and abroad has also pushed research on the attestation problem ever deeper. This research spans a very wide scope, from computing platforms to application programs, from overall architecture to specific protocols, and from upper-layer systems down to the underlying hardware, all of which have been brought into the study of trusted attestation.

The remote attestation concept proposed by the TCG has made the attestation problem a frontier topic in the field of information security. In the TCG specifications, attestation is one of the three fundamental characteristics of a trusted computing platform. The present invention extends the concept of trustworthiness to cover trusted attestation between a virtual machine and its user.

In cloud computing services the user pays to use the service, but cannot obtain any assurance of the authenticity of the quality of service or of the virtual machine's configuration information.
Summary of the invention
In view of this, the present invention provides a virtual machine resource detection method that can confirm the credibility of the virtual machine resource returned by the cloud service provider server.

To solve the above technical problem, the technical solution of the invention is realised as follows.

A virtual machine resource detection method, applied in a system comprising a cloud service provider server, a management platform and multiple clients, where the cloud service provider server configures multiple virtual machines, and where the management platform, on receiving the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, verifies, decrypts and stores it. The method comprises:

when any client initiates a resource request to the cloud service provider server according to its demand inventory, the resource request is forwarded to the cloud service provider server by the management platform;

when the client receives, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responds to the received resource request, the client obtains, according to the UUID carried in the returned virtual machine resource, the configuration information of the corresponding virtual machine stored in the management platform;

the client matches the demand inventory used for the resource request against the obtained configuration information according to a preset rule; if the match succeeds, the returned virtual machine resource is determined to be credible; otherwise, it is determined to be not credible.

In summary, in the present invention any client initiates a resource request to the cloud service provider server according to its demand inventory; when it receives the virtual machine resource returned in response, it obtains the real configuration information of the virtual machine corresponding to the UUID carried in the virtual machine resource forwarded by the management platform, and uses that real configuration information to determine the credibility of the virtual machine resource returned by the cloud service provider server. The client can therefore confirm the credibility of the virtual machine resource returned by the cloud service provider server.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the virtual machine resource detection method in the specific embodiment of the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the solution of the invention is described in further detail below with reference to the drawings and embodiments.

The embodiment of the invention proposes a virtual machine resource detection method applied in a system comprising a cloud service provider server, a management platform and multiple clients. The cloud service provider server signs and encrypts the configuration information of each virtual machine it configures and sends it to the management platform for storage. Any client initiates a resource request to the cloud service provider server according to its demand inventory; when it receives the virtual machine resource returned in response, it obtains the real configuration information of the virtual machine corresponding to the universally unique identifier (UUID) carried in the virtual machine resource forwarded by the management platform, and uses that real configuration information to determine the credibility of the virtual machine resource returned by the cloud service provider server. In this way the client can confirm whether the virtual machine resource returned by the cloud service provider server is credible.
In the specific embodiment of the invention, the management platform may be realised by adding a device at the cloud service provider side of the system, or by using an existing server at the cloud service provider side.

The cloud service provider server configures multiple virtual machines. A physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured in each configured virtual machine.

The cloud service provider server obtains the configuration information of each configured virtual machine through the configured physical machine trusted agent and calls the signing function of the hardware trusted platform module (TPM) to sign the configuration information of each virtual machine. The virtual machine trusted agent configured in each virtual machine verifies the configuration information of that virtual machine as signed by the corresponding physical machine trusted agent, applies the configuration information, calls the signing function of the virtual trusted platform module (vTPM) to sign it, encrypts the configuration information signed by the vTPM signing function, and sends it to the management platform.

The encryption may use the user password as the key.

When the management platform receives the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, it verifies, decrypts and stores it.
Take as an example a cloud service provider server configured with three virtual machines: virtual machine 1, virtual machine 2 and virtual machine 3. The cloud service provider server is configured with one physical machine trusted agent, and the three virtual machines are configured with virtual machine trusted agent 1, virtual machine trusted agent 2 and virtual machine trusted agent 3 respectively.

The cloud service provider server processes the configuration information of all virtual machines in the same way; the processing is illustrated with one of them, the configuration information of virtual machine 1.

The cloud service provider server obtains the configuration information P of virtual machine 1 through the configured physical machine trusted agent and calls the hardware TPM signing function to sign P. The signed P is denoted P1; that is, the configuration information P is signed with the TPM signing key AIKp. The signed configuration information is then sent to virtual machine 1.

The virtual machine trusted agent of virtual machine 1 receives P1, verifies the physical machine signature, and applies the configuration information P. It calls the vTPM signing function of virtual machine 1 to sign P1; the configuration information signed with the vTPM signing function is denoted P2. It then calls the encryption function to encrypt P2, with the user password as the key; the encrypted configuration information is denoted P3 and is sent to the management platform.

When the management platform receives P3 sent by the cloud service provider, it verifies the signatures and decrypts P3 to obtain the real configuration information P, which it stores.
When the cloud service provider server perceives that the configuration information of any virtual machine has changed, it obtains the changed configuration information of that virtual machine through the configured physical machine trusted agent and calls the hardware TPM signing function to sign the changed configuration information. The virtual machine trusted agent configured for that virtual machine verifies the changed configuration information signed by the physical machine trusted agent, applies the changed configuration information, calls the vTPM signing function configured for that virtual machine to sign it, encrypts the changed configuration information signed by the vTPM signing function, and sends it to the management platform.

When the management platform receives the encrypted changed configuration information sent by the cloud service provider server, it verifies and decrypts it and uses the changed configuration information to update the stored configuration information of the corresponding virtual machine.

For example, the cloud service provider server perceives that the configuration information of virtual machine 1 has changed and denotes the changed part Px. Through the physical machine trusted agent it calls the physical machine TPM signing function to sign Px with the TPM signing key AIKp; the signed changed configuration information is denoted Px1.

The virtual machine trusted agent of virtual machine 1 receives Px1, verifies the physical machine signature, applies the changed configuration information Px, and calls the vTPM signing function to sign Px1; the configuration information signed with the vTPM signing function is denoted Px2. It then calls the encryption function to encrypt Px2, with the user password as the key, and sends the encrypted changed configuration information Px3 to the management platform.

The management platform receives Px3, verifies the signatures, and decrypts Px3 to obtain the changed configuration information Px. In verifying the signatures it checks both the TPM signature and the vTPM signature; after they pass, it decrypts Px3 with the user key to obtain Px, and uses Px to update the locally stored configuration information of virtual machine 1.
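The two-layer signing and password-keyed encryption chain described above (P to P1 to P2 to P3, and the same chain for a change Px), as an added example that is not code from the patent: the physical-machine agent signs P with the TPM key (P1), the VM agent verifies that signature, countersigns with the vTPM key (P2) and encrypts under the user password (P3), and the management platform decrypts, verifies both layers and stores the record under its UUID. Everything the patent leaves unspecified is an assumption here: Ed25519 stands in for the TPM attestation key AIKp and the vTPM signing key, AES-256-GCM under a salted SHA-256 of the user password stands in for the encryption function, the configuration record is JSON with invented fields, and a change is resent as a whole record rather than as the delta Px.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// VMConfig is the configuration record P for one VM (field set assumed).
type VMConfig struct {
	UUID   string `json:"uuid"`
	CPUs   int    `json:"cpus"`
	DiskGB int    `json:"disk_gb"`
}

// Keys stand in for the TPM key AIKp and the vTPM key (Ed25519 is assumed).
type Keys struct {
	TPMPub, VTPMPub   ed25519.PublicKey
	tpmPriv, vtpmPriv ed25519.PrivateKey
}

func NewKeys() *Keys {
	tp, ts, _ := ed25519.GenerateKey(rand.Reader)
	vp, vs, _ := ed25519.GenerateKey(rand.Reader)
	return &Keys{TPMPub: tp, VTPMPub: vp, tpmPriv: ts, vtpmPriv: vs}
}

// sign prefixes the payload with its 64-byte signature; verify strips it again.
func sign(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(ed25519.Sign(priv, payload), payload...)
}

func verify(pub ed25519.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < 64 || !ed25519.Verify(pub, signed[64:], signed[:64]) {
		return nil, fmt.Errorf("signature check failed")
	}
	return signed[64:], nil
}

// aeadFor turns the user password into an AES-256-GCM key. A single salted
// SHA-256 stands in for a real password KDF (PBKDF2, scrypt or Argon2).
func aeadFor(password string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, salt...), password...))
	block, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ProviderReport builds P3: the physical-machine agent signs P with the TPM
// key (P1); the VM agent verifies P1, countersigns with the vTPM key (P2) and
// encrypts under the user password (P3 = salt || nonce || ciphertext).
func ProviderReport(k *Keys, cfg VMConfig, password string) ([]byte, error) {
	p, _ := json.Marshal(cfg)
	p1 := sign(k.tpmPriv, p)
	if _, err := verify(k.TPMPub, p1); err != nil {
		return nil, fmt.Errorf("VM agent rejects P1: %w", err)
	}
	p2 := sign(k.vtpmPriv, p1)
	hdr := make([]byte, 16+12) // fresh salt || nonce per report
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return append(hdr, aeadFor(password, hdr[:16]).Seal(nil, hdr[16:], p2, nil)...), nil
}

// Platform is the management platform's record store by UUID (caller initialises Store).
type Platform struct{ Store map[string]VMConfig }

// Receive decrypts P3 (both signatures sit inside the ciphertext, so this must come
// first), checks the vTPM layer, then the TPM layer, and stores P only when all pass.
func (m *Platform) Receive(k *Keys, password string, p3 []byte) error {
	if len(p3) < 28 {
		return fmt.Errorf("P3 too short")
	}
	p2, err := aeadFor(password, p3[:16]).Open(nil, p3[16:28], p3[28:], nil)
	if err != nil {
		return fmt.Errorf("decrypt P3: %w", err)
	}
	p1, err := verify(k.VTPMPub, p2)
	if err != nil {
		return fmt.Errorf("vTPM layer: %w", err)
	}
	p, err := verify(k.TPMPub, p1)
	if err != nil {
		return fmt.Errorf("TPM layer: %w", err)
	}
	var cfg VMConfig
	if err := json.Unmarshal(p, &cfg); err != nil {
		return err
	}
	m.Store[cfg.UUID] = cfg // a later report for the same UUID replaces the record
	return nil
}
```

Two points the flow text leaves implicit: because both signatures sit inside the ciphertext, the platform has to decrypt before it can verify, so the stated "verify, decrypt" order cannot be followed literally; and the verification is only meaningful if the platform already holds the genuine TPM and vTPM public keys (passed in as `k` here), which the patent does not say how it obtains. Keying the encryption to the user password also means the management platform must know that password.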
Referring to Fig. 1, the schematic flow chart of the virtual machine resource detection method in the specific embodiment of the invention, the specific steps are as follows.

Step 101: when any client initiates a resource request to the cloud service provider server according to its demand inventory, the resource request is forwarded to the cloud service provider server by the management platform.

Any client can initiate a resource request to the cloud service provider when it needs resources. The resources the client needs, for example 2 CPUs, a hard disk and so on, form a demand inventory.

For example, the client sends the request through a local web page; after the management platform receives it, it forwards it to the cloud service provider server.

When the cloud service provider server receives the client's resource request, it allocates a virtual machine resource for that client according to the content of the resource request and responds with it.

Step 102: when the client receives, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responds to the received resource request, it obtains, according to the UUID carried in the returned virtual machine resource, the configuration information of the corresponding virtual machine stored in the management platform.

When the management platform receives the virtual machine resource with which the cloud service provider responds to the client, it forwards it to the client, where it is displayed in a web page.

When the cloud service provider server responds with a virtual machine resource, it carries a UUID in it identifying which virtual machine it is. The client obtains the configuration information of the virtual machine corresponding to that UUID from the management platform through the web interface.

The configuration information obtained is the real configuration information of the virtual machine: it has been signed with the TPM and the vTPM, which guarantees its authenticity, and encrypted during transmission, which guarantees its confidentiality.

Step 103: the client matches the demand inventory used for the resource request against the obtained configuration information according to a preset rule; if the match succeeds, the returned virtual machine resource is determined to be credible; otherwise, it is determined to be not credible.

In a specific implementation the preset matching rule can be an exact match or a match within a range. For example, if the demand inventory lists two CPUs and the virtual machine's configuration information shows three CPUs, this counts as a successful match. The criterion for a successful match is that the virtual machine resource provided can satisfy the client's resource needs.
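Steps 102 and 103 as an added example (not the patent's code): the client looks up the UUID carried in the response in the management platform's store of attested configurations and matches every line of its demand inventory against that record under a per-line rule, exact or at-least, so that the two-CPUs-requested, three-CPUs-attested case above matches, while a UUID the platform has never stored is reported as not credible because there is no attested record to compare against. The in-memory map stands in for the management platform's web interface, and the field names and the sample record are constructed assumptions.

```go
package main

import "fmt"

// Requirement is one line of the client's demand inventory. Field names are
// assumptions; the patent's own illustration is "2 CPU, hard disk".
type Requirement struct {
	Field string // key in the attested configuration, e.g. "cpus"
	Value int
	Exact bool // true: exact match; false: the VM must provide at least Value
}

// ResourceResponse is the provider's reply forwarded by the management
// platform; per the patent it carries the UUID of the allocated VM.
type ResourceResponse struct{ UUID string }

// Verdict says whether the response is credible and which lines failed.
type Verdict struct {
	Credible bool
	Failed   []string
}

// Detect performs steps 102 and 103: look up the attested configuration for
// the UUID in the response, then match every demand line against it. A UUID
// the platform never stored yields "not credible", since the client then has
// no attested record to compare with.
func Detect(store map[string]map[string]int, resp ResourceResponse, demand []Requirement) Verdict {
	cfg, ok := store[resp.UUID]
	if !ok {
		return Verdict{Failed: []string{"uuid " + resp.UUID + ": no attested configuration"}}
	}
	var failed []string
	for _, r := range demand {
		got, present := cfg[r.Field]
		switch {
		case !present:
			failed = append(failed, fmt.Sprintf("%s: not in attested configuration", r.Field))
		case r.Exact && got != r.Value:
			failed = append(failed, fmt.Sprintf("%s: want exactly %d, attested %d", r.Field, r.Value, got))
		case !r.Exact && got < r.Value:
			failed = append(failed, fmt.Sprintf("%s: want at least %d, attested %d", r.Field, r.Value, got))
		}
	}
	return Verdict{Credible: len(failed) == 0, Failed: failed}
}

// AttestedStore is a constructed stand-in for the management platform's
// verified records: one VM with 3 CPUs and a 200 GB disk.
var AttestedStore = map[string]map[string]int{
	"vm-1": {"cpus": 3, "disk_gb": 200},
}
```

The verdict lists every failed line rather than stopping at the first, so the user can see whether the provider under-delivered on one item or returned a VM the platform has no attested record for at all; the "not in attested configuration" case matters because a missing field must not be read as zero and silently matched by an exact-zero rule.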
In summary, in the present invention any client initiates a resource request to the cloud service provider server according to its demand inventory; when it receives the virtual machine resource returned in response, it obtains the real configuration information of the virtual machine corresponding to the UUID carried in the virtual machine resource forwarded by the management platform, and uses that real configuration information to determine the credibility of the virtual machine resource returned by the cloud service provider server. The client can therefore confirm the credibility of the virtual machine resource returned by the cloud service provider server.

In the specific implementation of the invention, the real configuration information is sent to the management platform by the trusted agents. During transmission the configuration information is signed with the TPM and the vTPM, which guarantees its authenticity, and encrypted, which guarantees its confidentiality. In a cloud computing service system the client used by the cloud user is not fixed: it may be a notebook computer, a tablet computer or even a mobile phone, so the client's computing capability is limited. The invention therefore adds the management platform, which verifies the signatures and decrypts the virtual machine configuration information, reducing the computation performed by the client.

The above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
Claims (4)
1. A virtual machine resource detection method, characterised in that it is applied in a system comprising a cloud service provider server, a management platform and multiple clients, the cloud service provider server configuring multiple virtual machines, and the management platform, on receiving the signed and encrypted configuration information of each virtual machine sent by the cloud service provider server, verifying, decrypting and storing it; the method comprises:
when any client initiates a resource request to the cloud service provider server according to its demand inventory, the resource request is forwarded to the cloud service provider server by the management platform;
when the client receives, forwarded by the management platform, the virtual machine resource with which the cloud service provider server responds to the received resource request, the client obtains, according to the universally unique identifier (UUID) carried in the returned virtual machine resource, the configuration information of the corresponding virtual machine stored in the management platform;
the client matches the demand inventory used for the resource request against the obtained configuration information according to a preset rule; if the match succeeds, the returned virtual machine resource is determined to be credible; otherwise, it is determined to be not credible.
2. The method according to claim 1, characterised in that a physical machine trusted agent is configured on the cloud service provider server, and a virtual machine trusted agent is configured in each configured virtual machine;
the cloud service provider server obtains the configuration information of each configured virtual machine through the configured physical machine trusted agent and calls the signing function of the hardware trusted platform module (TPM) to sign the configuration information of each virtual machine; the virtual machine trusted agent configured in each virtual machine verifies the configuration information of that virtual machine as signed by the corresponding physical machine trusted agent, applies the configuration information, calls the signing function of the virtual trusted platform module (vTPM) to sign it, encrypts the configuration information signed by the vTPM signing function, and sends it to the management platform.
3. The method according to claim 2, characterised in that encrypting the configuration information signed by the vTPM signing function comprises:
encrypting the configuration information signed by the vTPM signing function using the user password as the key.
4. The method according to claim 2 or 3, characterised in that the method further comprises:
when the cloud service provider server perceives that the configuration information of any virtual machine has changed, it obtains the changed configuration information of that virtual machine through the configured physical machine trusted agent and calls the hardware TPM signing function to sign the changed configuration information of that virtual machine; the virtual machine trusted agent configured for that virtual machine verifies the changed configuration information signed by the physical machine trusted agent, applies the changed configuration information, calls the vTPM signing function configured for that virtual machine to sign it, encrypts the changed configuration information signed by the vTPM signing function, and sends it to the management platform;
when the management platform receives the encrypted changed configuration information sent by the cloud service provider server, it verifies and decrypts it and uses the changed configuration information to update the stored configuration information of the corresponding virtual machine.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201310674591.6A (CN104717235B, en) | 2013-12-11 | 2013-12-11 | Virtual machine resource detection method
Publications (2)
Publication Number | Publication Date
---|---
CN104717235A (en) | 2015-06-17
CN104717235B (en), granted | 2018-01-02
Family ID: 53416195
Family Applications (1)
Application Number | Title | Priority Date | Filing Date | Status
---|---|---|---|---
CN201310674591.6A (CN104717235B, en) | Virtual machine resource detection method | 2013-12-11 | 2013-12-11 | Active (CN)
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN106059801A | 2016-05-24 | 2016-10-26 | 北京哈工大计算机网络与信息安全技术研究中心 | Virtual machine credible evidence collection method and virtual machine credible evidence collection device based on cloud computing platform network
CN110321678B | 2019-06-19 | 2021-08-31 | 北京信安世纪科技股份有限公司 | Control method, device, equipment and medium of virtual system
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN102202046A | 2011-03-15 | 2011-09-28 | 北京邮电大学 | Network-operating-system-oriented trusted virtual operating platform
WO2012083771A1 | 2010-12-24 | 2012-06-28 | 中兴通讯股份有限公司 | Cloud computing system and method
WO2012084837A1 | 2010-12-21 | 2012-06-28 | International Business Machines Corporation | Virtual machine validation
CN103200020A | 2012-01-04 | 2013-07-10 | 中兴通讯股份有限公司 | Resource allocating method and resource allocating system
Legal Events
Date | Code | Title | Description
---|---|---|---
 | C06 | Publication | 
 | PB01 | Publication | 
 | C10 | Entry into substantive examination | 
 | SE01 | Entry into force of request for substantive examination | 
 | GR01 | Patent grant | 