CN115314495A - Container reinforcement system and reinforcement method for 5G edge computing node - Google Patents
Container reinforcement system and reinforcement method for 5G edge computing node Download PDFInfo
- Publication number
- CN115314495A CN115314495A CN202210945182.4A CN202210945182A CN115314495A CN 115314495 A CN115314495 A CN 115314495A CN 202210945182 A CN202210945182 A CN 202210945182A CN 115314495 A CN115314495 A CN 115314495A
- Authority
- CN
- China
- Prior art keywords
- container
- vtpm
- manager
- module
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 66
- 230000002787 reinforcement Effects 0.000 title claims description 8
- 238000005259 measurement Methods 0.000 claims abstract description 71
- 230000008569 process Effects 0.000 claims abstract description 43
- 230000003014 reinforcing effect Effects 0.000 claims abstract description 27
- 238000012795 verification Methods 0.000 claims abstract description 13
- 238000003752 polymerase chain reaction Methods 0.000 claims description 8
- 238000004364 calculation method Methods 0.000 claims description 6
- 238000007596 consolidation process Methods 0.000 claims description 6
- 230000008859 change Effects 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 description 4
- 238000002955 isolation Methods 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 230000001010 compromised effect Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 230000002427 irreversible effect Effects 0.000 description 1
- 229920003087 methylethyl cellulose Polymers 0.000 description 1
- 238000013515 script Methods 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a container reinforcing system and a reinforcing method facing to a 5G edge computing node, wherein the system comprises the following steps: the physical TPM is arranged on the host machine and used for encrypting data and protecting passwords; the container manager is used for carrying out credibility measurement and verification on the starting of the container; the vTPM module is arranged in the container to realize integrity measurement of container mirror images and trusted start of the container, and performs trusted measurement on a file system and a process during container operation; a measurement value reference library of a vTPM manager and a vTPM module is arranged in a host operating system kernel, and an MEC controller issues a secret key and a certificate for a physical TPM; a container reinforcing method based on the system constructs a complete trust chain from a host machine to a container manager and then to the container to start so as to ensure the trusted start of the container, dynamically measures a file system when the container runs, reinforces the container in the 5G edge computing node and ensures the credibility and safety when the container runs.
Description
Technical Field
The invention relates to the technical field of network information security, in particular to a container reinforcing system and a reinforcing method for 5G edge computing nodes.
Background
Mobile Edge Computing (MEC) is a key technology in a 5G network, and the basic idea is to migrate cloud Computing service capability from the inside of a Mobile core network to the Edge of a Mobile access network, thereby realizing flexible utilization of Computing and storage resources. With the continuous development and wide application of cloud computing technology, virtualization technology also becomes increasingly important. The container technology is favored by more and more users by virtue of the advantages of low self resource occupation, insusceptibility to environmental factors and the like. Therefore, in MECs, vessels are also widely used.
One of the major obstacles to container application deployment is the safety issues they face. The container image and its internal programs may be maliciously tampered with at runtime by an attacker with a vulnerability. An attacker may gain access privileges to a running container, initiate an attack by modifying service configurations and binary files, starting up malicious scripts, or starting up new processes, thus requiring a solution to the problem of trusted start-up and secure running of containers and images.
At present, for a 5G network, the following solutions are mainly used for reinforcing a container:
(1) Depending on the security of a Linux kernel, the isolation of a container and the access limitation of resources are respectively realized by using a Namespace mechanism (Namespace) and a control group (Cgroups) mechanism, but the unauthorized communication behavior between the container and the outside can be caused by the overflow of an excessively thin container of the isolation mechanism;
(2) The method comprises the steps that software implementation of virtualization TPM (Virtual Trusted Platform Module, vTPM) is used, managers of the vTPM and the vTPM are stored in a privileged container, an adapter for setting the vTPM in a common container is communicated with the vTPM manager in the privileged container, and the privileged container is easy to attack due to poor isolation between the containers.
(3) The container is provided with key management based on a virtual trusted platform module of a trusted root server, but the key is easily intercepted by an attacker because the key is directly distributed by a vTPM manager.
Disclosure of Invention
Therefore, the invention aims to solve the problems of defects and the like in the prior art, and provides a container reinforcing system and a reinforcing method for a 5G edge computing node.
In a first aspect, the present invention provides a container consolidation system for 5G edge computing nodes, including: vTPM module, physics TPM, container manager, vTPM manager, MEC controller and host computer, wherein:
the MEC controller is used for storing a secret key and a certificate issued to the physical TPM;
the container manager is used for performing credibility measurement and verification on the starting of the container through the physical TPM;
the vTPM module is arranged in the container and used for realizing integrity measurement of a container mirror image and trusted start of the container and regularly performing trusted measurement on a runtime file system and a process of the container;
and a metric value reference library of a vTPM manager and a vTPM module is arranged in the kernel of the host operating system, wherein the vTPM manager is used for managing the vTPM modules of all containers.
In one embodiment, the vTPM module includes a vPCR submodule, a key storage submodule, and a measurement timer, where:
the vPCR submodule is used for storing a measurement value for performing credibility measurement on a file system and a process of the container;
the key sub-storage module is used for storing a key sent by the vTPM manager, a vAIK certificate and a vAIK key;
and the measurement timer is used for setting a time interval for measuring the file system and the process of the container.
In one embodiment, the container manager is provided with a container HASH reference value library and a key repository, wherein the container HASH reference value library is used for storing a HASH reference value and an encrypted HASH reference value; and the key storage bank is used for storing the keys generated by the physical TPM for the container.
In a second aspect, the present invention further provides a container reinforcing method facing a 5G edge computing node, where the container reinforcing system facing a 5G edge computing node based on the first aspect includes:
the container manager performs credibility measurement and verification on the starting of the container through the physical TPM;
after the trusted start of the container is realized, the vTPM module is bound with the physical TPM;
while the container is running, the vTPM module regularly performs credibility measurement on a file system and a process of the container.
In one embodiment, before the trusted measurement and verification of the container launch by the container manager through the physical TPM, the method further includes: and carrying out security initialization on the reinforcing system, wherein the process comprises the following steps: the MEC controller is used as a trusted third party to issue an AIK key and a certificate CAIK thereof for the physical TPM;
when a host machine is initialized and started, the physical TPM performs trusted starting measurement, and the system state is recorded in a PCR (polymerase chain reaction) inside the physical TPM;
the container manager is started, a container mirror image and a container HASH value are obtained, and the HASH value is stored in a container HASH reference value base as a container HASH reference value;
after the container manager acquires the container HASH value, calling an encryption interface of a physical TPM to acquire an encryption key, encrypting the HASH value and storing the encrypted HASH value;
when the encryption interface is called, the container manager sends the container ID to the physical TPM, and the physical TPM generates a pair of asymmetric keys for the container ID according to the container ID;
one of the keys generated by the physical TPM for the container is sent to the container manager, and the other key is stored in the physical TPM and is only used by the physical TPM.
In one embodiment, the process of trusted boot of a container includes:
when the container mirror image is started, the container manager calls an interface provided by a physical TPM to perform HASH calculation on the container mirror image;
after HASH calculation is completed, the HASH value, the encrypted container HASH reference value in the container HASH reference value base and the container ID are sent to a physical TPM to be compared, and whether the container mirror image is credible or not is determined;
the physical TPM inquires a key stored previously according to the container ID, decrypts the container HASH reference value, and compares the decrypted container HASH reference value with the HASH value calculated just now;
if the comparison result is consistent, the container is started up in a trusted mode, otherwise, the container is not started up;
and the physical TPM signs the compared result and returns the result to the container manager.
In one embodiment, the process of binding a vTPM module to a physical TPM comprises:
step S31: the vTPM module applies for an encryption key to the vTPM manager through the container manager, and a container ID is attached to the request;
step S32: the vTPM manager assigns a pair of asymmetric encryption keys to the vTPM module based on the container ID, including: encrypting the public key and the encrypted private key, sending the encrypted private key to the vTPM module, and storing the private key in the key sub-storage module by the vTPM module;
step S33: the vTPM module applies for connecting a physical TPM to a vTPM manager, and the request is accompanied with a container ID and a randomly generated random number nonce;
step S34: the vTPM manager sends the container ID to the physical TPM;
step S35: physical TPM establishes for vTPM module and returns vAIK key, certificate CvAIK to vTPM manager, vTPM manager uses encryption public key to encrypt it;
step S36: the vTPM module decrypts the information returned by the physical TPM by using the encryption private key, checks the freshness of the random number nonce, determines whether to accept the vAIK certificate and the vAIK key, and stores the vAIK certificate and the vAIK key in the key sub-storage module if the vAIK certificate and the vAIK key are accepted.
In an embodiment, after the vTPM module is bound with the physical TPM, the container is started for the first time, and the vTPM module may measure a file system and a process of the running container and store a measurement result in a metric value reference library during container running.
In one embodiment, the reference library of container runtime metric values is in the vTPM manager, and when the vTPM module sends the container runtime metric values to the vTPM manager, the metric value data is signed with the certificate CvAIK.
In one embodiment, the vTPM module timing the process of performing trust measurement on the file system and process of the container, including:
step S41: the vTPM module measures a file system and a process of the container according to a time interval set by the measurement timer, and stores a measurement value in vPCR;
step S42: if the running state of the container needs to be verified, the vTPM module sends the metric values stored in the vPCR to the vTPM manager, the metric values are compared with the reference values in the metric value reference library during the running of the container, and if the comparison results are equal, the vTPM module waits for measuring the file system next time until the container is deleted;
step S43: if the comparison result is not equal, the container file system is tampered, and operation judgment is needed;
step S44: if the file system is legally updated, modifying the reference value through administrator authentication, and repeating the steps S42 to S43;
step S45: if the authentication is not passed by the administrator, the illegal change is recorded, and the container is suspended.
The technical scheme of the invention has the following advantages:
1. the container reinforcing system facing the 5G edge computing node, provided by the embodiment of the invention, comprises the vTPM module, the physical TPM, the container manager, the vTPM manager, the MEC controller and the host, wherein the container manager performs trusted measurement and verification on the starting of the container through the physical TPM, the vTPM module performs trusted measurement on a runtime file system and a process of the container at the time of the container running, and the container in the 5G edge computing node is reinforced through the trusted measurement on the starting and the running of the container respectively, so that the starting and the running of the container can be ensured to be trusted, and the safety of the container is improved.
2. According to the container reinforcing method facing the 5G edge computing node, a container manager conducts credibility measurement and verification on starting of a container through a physical TPM, after the container is started in a credible mode, a vTPM module is bound with the physical TPM, when the container runs, the vTPM module conducts credibility measurement on a file system and a process of the container in a timing mode, a complete trust chain from a host to the container manager and then to the last container starting can be constructed, credible starting of the container is guaranteed, the file system when the container runs can be measured dynamically, the container in the 5G edge computing node is reinforced, the container and the running environment of the container are prevented from being tampered, and credibility and safety when the container runs are guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic structural diagram of an example of a container reinforcement system facing a 5G edge computing node according to an embodiment of the present invention;
fig. 2 is a flowchart of an example of a container consolidation method for a 5G edge computing node according to an embodiment of the present invention;
FIG. 3 is a flow diagram of a process for securely initializing a container consolidation system in accordance with an embodiment of the present invention;
FIG. 4 is a flow chart of a process for trusted boot of a container as contemplated by an embodiment of the present invention;
fig. 5 is a flowchart of a process of binding a vTPM module and a physical TPM according to an embodiment of the present invention;
fig. 6 is a flowchart of a process in which a vTPM module regularly measures the trustworthiness of a file system and a process of a container according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Fig. 1 is a block diagram of a container reinforcing system for a 5G edge computing node according to an embodiment of the present invention (in practical applications, multiple containers may be included, and fig. 1 uses two containers as an example), including: vTPM module, vTPM manager, container manager, MEC controller, physics TPM and host computer, wherein: the MEC controller is used for storing a secret key and a certificate issued to the physical TPM; the container manager is used for performing credibility measurement and verification on the starting of the container through the physical TPM; the vTPM module is arranged in the container and used for realizing integrity measurement of a container mirror image and trusted start of the container and regularly performing trusted measurement on a runtime file system and a process of the container; and a metric value reference library of a vTPM manager and a vTPM module is arranged in the kernel of the host operating system, wherein the vTPM manager is used for managing the vTPM module of each container. In actual application, the vTPM manager is in secure communication with the physical TPM through the TPM specification interface.
It should be noted that, in the embodiment of the present invention, the physical TPM is a Trusted Platform Module (TPM) security chip, which can effectively protect a PC and prevent an illegal user from accessing, and can implement security functions such as data encryption and password protection. Inside the physical TPM, there is a Platform Configuration Register (PCR) that is used to record the running state of the system. The value of the system can only be changed through expansion operation, the expansion operation is irreversible, through expansion, a PCR can record an infinite-length measurement value column, a sequence formed by a series of measurement values reflects the transition of the system state, one measurement value in the expansion sequence is changed, the subsequent measurement sequence is affected, and platform state information can be placed in a measurement log file outside a physical TPM in a log mode. The PCR records the summary of the information of the measurement log through extension so as to verify the measurement log at a later time, thereby confirming whether the system is credible.
The vTPM (Virtual Trusted Platform Module) Module is a software-based representation form of a physical Trusted Platform Module, provides hardware-based security related functions such as random number generation, certification, key generation and the like, and is carried by a container mirror image. After being added to the virtual machine, the vTPM module enables the host operating system to create and store the private key. These keys are not disclosed to the host operating system itself, so the virtual machine attack surface is reduced. Typically for a host operating system that is compromised in security, the security of its keys is also compromised, but enabling the TPM can reduce this risk to a large extent, and only the host operating system can use these keys for encryption or signing.
In this embodiment of the present invention, the vTPM module includes a vPCR submodule, a key storage submodule, and a timer module, where: the vPCR submodule is used for storing a measurement value for performing credibility measurement on a file system and a process of the container; the key sub-storage module is used for storing a key sent by the vTPM manager, a vAIK certificate and a vAIK key; and the measurement timer is used for setting a time interval for measuring the file system and the process of the container. The vTPM manager manages the vTPM modules of the containers, ensures the isolation of the vTPM modules, and ensures the safe communication between the vTPM modules and the physical TPM.
The container manager provided by the embodiment of the invention is provided with a container HASH reference value library and a key repository, and is used for storing a HASH reference value and an encrypted HASH reference value key repository and storing a key generated by a physical TPM for a container.
Based on the container reinforcing system facing the 5G edge computing node provided by the embodiment of the invention, the container manager is used for performing credibility measurement and verification on the starting of the container through the physical TPM, the vTPM module is used for performing credibility measurement on the runtime file system and the process of the container at the fixed time when the container runs, and the credibility measurement of the starting and running of the container is used for reinforcing the container in the 5G edge computing node based on electric power, so that the starting and running credibility of the container can be ensured, and the safety of the container is improved.
Example 2
Based on the container reinforcing system facing 5G edge computing nodes described in embodiment 1, an embodiment of the present invention provides a container reinforcing method facing 5G edge computing nodes, as shown in fig. 2, including:
step S1: the container manager performs trust measurement and verification on the start of the container through the physical TPM.
Step S2: after the trusted start of the container is realized, the vTPM module is bound with the physical TPM.
And step S3: while the container is running, the vTPM module regularly performs credibility measurement on a file system and a process of the container.
In the embodiment of the invention, an operating system of a host machine is a Linux system, a vTPM manager is added in a Linux kernel, which is only taken as an example and is not limited to the Linux system, and other operating systems can also be adopted, wherein the vTPM manager is introduced into the operating system of the host machine, a vTPM module is self-carried by a container mirror image, and the vTPM module is started firstly when the container is started, so that the starting measurement of the container and the binding with a physical TPM are realized, a complete trust chain starting from the host machine to the container manager and then to the last container is constructed, the trusted starting of the container is ensured, and the container and the operating environment thereof are prevented from being tampered; the file system of the container operation can be measured, and the credibility and the safety of the container operation are ensured.
In one embodiment, before the trusted measurement and verification of the container launch by the container manager through the physical TPM, the method further includes: and carrying out security initialization on the reinforcing system, wherein the process comprises the following steps: as shown in fig. 3, includes:
step S11: the MEC controller issues the AIK key and its certificate CAIK as a trusted third party to the physical TPM.
Step S12: when the host machine is initialized and started, the physical TPM carries out trusted starting measurement, and the system state is recorded in the PCR inside the physical TPM.
Step S13: the container manager starts, acquires the container image and the container HASH value, and stores the HASH value as a container HASH reference value in the container HASH reference value library.
Step S14: after the container manager acquires the container HASH value, an encryption interface of the physical TPM is called to acquire an encryption key, and the HASH value is encrypted and stored.
Step S15: when the encryption interface is called, the container manager sends the container ID to the physical TPM, and the physical TPM generates a pair of asymmetric keys for the container ID according to the container ID.
Step S16: one of the keys generated by the physical TPM for the container is sent to the container manager, and the other key is stored in the physical TPM and is only used by the physical TPM.
By securely initializing the container consolidation system, a baseline value is provided for subsequent dynamic measurements.
Specifically, the process of trusted boot of the container in step S2, as shown in fig. 4, includes:
step S21: when the container image is started, the container manager calls an interface provided by the physical TPM to perform HASH calculation on the container image.
Step S22: after the HASH calculation is completed, the HASH value, the container HASH reference value encrypted in the container HASH reference value library and the container ID are sent to a physical TPM for comparison, and whether the image is trusted or not is determined.
Step S23: the physical TPM queries the previously stored key from the container ID, decrypts the container HASH reference value, and compares the decrypted container HASH reference value with the HASH value just calculated.
Step S24: if the comparison result is consistent, the container is started up in a trusted mode, otherwise, the container is not started up;
step S25: the physical TPM signs the compared result and returns the result to the container manager.
To be noted, since the vTPM manager is disposed in the kernel of the host operating system, if the host implements trusted boot, the vTPM manager is considered to be trusted.
After the container is started, the vTPM manager helps the vTPM module to be bound with the bottom physical TPM; after binding is completed, when the container is started for the first time, the vTPM module can measure a file system and a process of the running container, a measurement result is stored in a container running measurement value reference library, the container running measurement value reference library is in the vTPM manager, and when the vTPM module sends a container running measurement value to the vTPM manager, a certificate CvAIK is used for signing measurement value data.
In this embodiment of the present invention, the process of binding the vTPM module and the physical TPM in step S3, as shown in fig. 5, includes:
step S31: the vTPM module applies for an encryption key to the vTPM manager through the container manager, and a container ID is attached to the request;
step S32: the vTPM manager assigns a pair of asymmetric encryption keys to the vTPM module according to the container ID, including: encrypting the public key Kpub and the encrypted private key Kprv, sending the encrypted private key Kprv to the vTPM module, and storing the private key in the key sub-storage module by the vTPM module;
step S33: the vTPM module applies for connecting a physical TPM to a vTPM manager, and the request is accompanied with a container ID and a randomly generated random number nonce;
step S34: the vTPM manager sends the container ID to the physical TPM;
step S35: the physical TPM is created for the vTPM module and returns a vAIK key and a certificate CvAIK to the vTPM manager, and the vTPM manager encrypts the vAIK key and the certificate CvAIK by using an encryption public key;
step S36: the vTPM module decrypts information returned by the physical TPM by using the encryption private key, checks freshness of the random number nonce, determines whether to accept the vAIK certificate and the vAIK key, and stores the vAIK certificate and the vAIK key in the key sub-storage module if the vAIK certificate and the vAIK key are accepted.
It should be noted that checking the freshness of the nonce refers to detecting whether the generation time of the nonce is close to or consistent with the time of binding the physical TPM and the vTPM module, and if the nonce belongs to the binding, accepting the MEC controller as a trusted third party to issue the AIK key and its certificate CAIK to the physical TPM.
In this embodiment of the present invention, in step S4, a process of performing a trusted measurement on a file system and a process of a container at regular time for a vTPM module, as shown in fig. 6, includes:
step S41: the vTPM module measures a file system and a process of the container according to a time interval set by the measurement timer, and stores a measurement value in vPCR;
step S42: if the running state of the container needs to be verified, the vTPM module sends the metric values stored in the vPCR to the vTPM manager, the metric values are compared with the reference values in the metric value reference library during the running of the container, and if the comparison results are equal, the vTPM module waits for measuring the file system next time until the container is deleted;
step S43: if the comparison result is not equal, the container file system is tampered, and whether legal operation is required to be judged;
step S44: if the file system is legally updated, modifying the reference value through administrator authentication, and repeating the step S42 to the step S43;
step S45: if the authentication is not passed by the administrator, the illegal change is recorded, and the container is suspended.
In the embodiment of the invention, the reference library of the measurement values of the container runtime is arranged in the vTPM manager, and when the vTPM module sends the measurement values of the runtime, the vAIK is used for signing data.
The container reinforcing method facing the 5G edge computing node provided by the embodiment of the invention can construct a complete trust chain from a host machine to a container manager and then to the last container to start, ensure the trusted start of the container, prevent the container and the operating environment thereof from being tampered, dynamically measure the file system during the operation of the container, and ensure the credibility and safety during the operation of the container.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. This need not be, nor should it be exhaustive of all embodiments. And obvious variations or modifications therefrom are within the scope of the invention.
Claims (10)
1. A container reinforcement system facing 5G edge computing nodes is characterized by comprising: vTPM module, physics TPM, container manager, vTPM manager, MEC controller and host computer, wherein:
the MEC controller is used for storing a secret key and a certificate issued to the physical TPM;
the container manager is used for performing credibility measurement and verification on the starting of the container through the physical TPM;
the vTPM module is arranged in the container and is used for realizing integrity measurement of a container mirror image and trusted start of the container and regularly performing trusted measurement on a runtime file system and a process of the container;
and a metric value reference library of a vTPM manager and a vTPM module is arranged in the kernel of the host operating system, wherein the vTPM manager is used for managing the vTPM modules of all containers.
2. The 5G edge computing node-oriented container reinforcement system of claim 1, wherein the vTPM module comprises a vPCR submodule, a key storage submodule and a measurement timer, wherein:
the vPCR submodule is used for storing a measurement value for performing credibility measurement on a file system and a process of the container;
the key sub-storage module is used for storing the key sent by the vTPM manager, the vAIK certificate and the vAIK key;
and the measurement timer is used for setting a time interval for measuring the file system and the process of the container.
3. The 5G-edge computing node-oriented container reinforcement system according to claim 1, wherein the container manager is provided with a container HASH reference value library and a key repository, and the container HASH reference value library is used for storing a HASH reference value and an encrypted HASH reference value; and the key storage bank is used for storing the keys generated by the physical TPM for the container.
4. A container reinforcing method for 5G edge computing nodes, based on the container reinforcing system for 5G edge computing nodes according to any one of claims 1 to 3, comprising:
the container manager performs credibility measurement and verification on the starting of the container through a physical TPM;
after the trusted start of the container is realized, the vTPM module is bound with the physical TPM;
while the container is running, the vTPM module regularly performs credibility measurement on a file system and a process of the container.
5. The container reinforcing method facing to 5G edge computing node according to claim 4, wherein before the trusted measurement and verification of the container launch by the container manager through the physical TPM, the method further comprises: and carrying out security initialization on the reinforcing system, wherein the process comprises the following steps:
the MEC controller is used as a trusted third party to issue an AIK key and a certificate CAIK thereof for the physical TPM;
when a host machine is initialized and started, the physical TPM performs trusted starting measurement, and the system state is recorded in a PCR (polymerase chain reaction) inside the physical TPM;
the container manager is started, a container mirror image and a container HASH value are obtained, and the HASH value is stored in a container HASH reference value base as a container HASH reference value;
after the container manager acquires the container HASH value, calling an encryption interface of a physical TPM to acquire an encryption key, encrypting the HASH value and storing the encrypted HASH value;
when the encryption interface is called, the container manager sends the container ID to the physical TPM, and the physical TPM generates a pair of asymmetric keys for the container ID according to the container ID;
one of the keys generated by the physical TPM for the container is sent to the container manager, and the other key is stored in the physical TPM and is only used by the physical TPM.
6. The 5G-edge computing node-oriented container consolidation method according to claim 4, wherein the process of trusted boot of the container includes:
when the container mirror image is started, the container manager calls an interface provided by a physical TPM to perform HASH calculation on the container mirror image;
after HASH calculation is completed, the HASH value, the encrypted container HASH reference value in the container HASH reference value base and the container ID are sent to a physical TPM to be compared, and whether the container mirror image is credible or not is determined;
the physical TPM inquires a key stored previously according to the container ID, decrypts the container HASH reference value, and compares the decrypted container HASH reference value with the HASH value calculated just now;
if the comparison result is consistent, the container is started trustfully, otherwise, the container is not started;
the physical TPM signs the compared result and returns the result to the container manager.
7. The 5G edge computing node-oriented container reinforcing method according to claim 4, wherein the binding process of the vTPM module and the physical TPM comprises:
step S31: the vTPM module applies for an encryption key to the vTPM manager through the container manager, and a container ID is attached to the request;
step S32: the vTPM manager assigns a pair of asymmetric encryption keys to the vTPM module according to the container ID, including: encrypting the public key and the encrypted private key, and sending the encrypted private key to the vTPM module, wherein the vTPM module stores the private key in the key sub-storage module;
step S33: the vTPM module applies for connecting a physical TPM to a vTPM manager, and the request is accompanied with a container ID and a randomly generated random number nonce;
step S34: the vTPM manager sends the container ID to the physical TPM;
step S35: the physical TPM is created for the vTPM module and returns a vAIK key and a certificate CvAIK to the vTPM manager, and the vTPM manager encrypts the vAIK key and the certificate CvAIK by using an encryption public key;
step S36: the vTPM module decrypts the information returned by the physical TPM by using the encryption private key, checks the freshness of the random number nonce, determines whether to accept the vAIK certificate and the vAIK key, and stores the vAIK certificate and the vAIK key in the key sub-storage module if the vAIK certificate and the vAIK key are accepted.
8. The container reinforcing method facing the 5G edge computing node, according to claim 7, wherein after the vTPM module is bound with the physical TPM, the container is started for the first time, the vTPM module can measure a file system and a process of the running container, and a measurement result is stored in a metric value reference library during the operation of the container.
9. The 5G edge computing node-oriented container consolidation method according to claim 8, wherein the container runtime metric value reference library is in a vTPM manager, and when the vTPM module sends the container runtime metric values to the vTPM manager, the metric value data is signed by a certificate CvAIK key.
10. The 5G-edge computing node-oriented container reinforcing method according to claim 9, wherein the vTPM module is used for timing a process of performing credibility measurement on a file system and a process of the container, and the method comprises the following steps:
step S41: the vTPM module measures a file system and a process of the container according to a time interval set by the measurement timer, and stores the measurement value in vPCR;
step S42: if the running state of the container needs to be verified, the vTPM module sends the metric values stored in the vPCR to the vTPM manager, the metric values are compared with the reference values in the metric value reference library when the container runs, and if the comparison results are equal, the vTPM module waits for measuring the file system for the next time until the container is deleted;
step S43: if the comparison result is not equal, the container file system is tampered, and operation judgment is needed;
step S44: if the file system is legally updated, modifying the reference value through administrator authentication, and repeating the steps S42 to S43;
step S45: if the authentication of the administrator is not passed, the illegal change is recorded, and the container is suspended.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210945182.4A CN115314495A (en) | 2022-08-08 | 2022-08-08 | Container reinforcement system and reinforcement method for 5G edge computing node |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210945182.4A CN115314495A (en) | 2022-08-08 | 2022-08-08 | Container reinforcement system and reinforcement method for 5G edge computing node |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115314495A true CN115314495A (en) | 2022-11-08 |
Family
ID=83860431
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210945182.4A Pending CN115314495A (en) | 2022-08-08 | 2022-08-08 | Container reinforcement system and reinforcement method for 5G edge computing node |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115314495A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117971347A (en) * | 2024-03-28 | 2024-05-03 | 中国人民解放军国防科技大学 | TrustZone-based container trusted service design method, trustZone-based container trusted service design equipment and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105069353A (en) * | 2015-08-11 | 2015-11-18 | 武汉大学 | Security reinforcement method for credible container based on Docker |
| US20190042759A1 (en) * | 2018-09-27 | 2019-02-07 | Intel Corporation | Technologies for fast launch of trusted containers |
| CN110647740A (en) * | 2018-06-27 | 2020-01-03 | 复旦大学 | TPM-based container trusted boot method and device |
-
2022
- 2022-08-08 CN CN202210945182.4A patent/CN115314495A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105069353A (en) * | 2015-08-11 | 2015-11-18 | 武汉大学 | Security reinforcement method for credible container based on Docker |
| CN110647740A (en) * | 2018-06-27 | 2020-01-03 | 复旦大学 | TPM-based container trusted boot method and device |
| US20190042759A1 (en) * | 2018-09-27 | 2019-02-07 | Intel Corporation | Technologies for fast launch of trusted containers |
Non-Patent Citations (1)
| Title |
|---|
| 刘国杰: "基于 TPCM 的容器云可信环境研究", 《网络与信息安全学报》, 31 August 2021 (2021-08-31), pages 3 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117971347A (en) * | 2024-03-28 | 2024-05-03 | 中国人民解放军国防科技大学 | TrustZone-based container trusted service design method, trustZone-based container trusted service design equipment and storage medium |
| CN117971347B (en) * | 2024-03-28 | 2024-06-11 | 中国人民解放军国防科技大学 | TrustZone-based container trusted service design method, trustZone-based container trusted service design equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Paladi et al. | Providing user security guarantees in public infrastructure clouds | |
| EP2278514B1 (en) | System and method for providing secure virtual machines | |
| US7711960B2 (en) | Mechanisms to control access to cryptographic keys and to attest to the approved configurations of computer platforms | |
| KR100737628B1 (en) | Attestation using both fixed token and portable token | |
| US8595483B2 (en) | Associating a multi-context trusted platform module with distributed platforms | |
| US8745386B2 (en) | Single-use authentication methods for accessing encrypted data | |
| KR101402509B1 (en) | Methods and systems for modifying an integrity measurement based on user authentication | |
| US20140270179A1 (en) | Method and system for key generation, backup, and migration based on trusted computing | |
| CN109756492B (en) | Cloud platform trusted execution method, device, equipment and medium based on SGX | |
| CN116490868A (en) | System and method for secure and fast machine learning reasoning in trusted execution environments | |
| WO2017128720A1 (en) | Vtpm-based method and system for virtual machine security and protection | |
| US20140040997A1 (en) | Self-deleting virtual machines | |
| CN108521424B (en) | Distributed data processing method for heterogeneous terminal equipment | |
| CN116566613A (en) | Securing communications with a secure processor using platform keys | |
| CN115334506A (en) | User trusted access system and method for 5G edge computing node | |
| CN115470477A (en) | Intelligent terminal, processor system thereof and trusted execution method | |
| CN115314495A (en) | Container reinforcement system and reinforcement method for 5G edge computing node | |
| JP5141056B2 (en) | Information processing apparatus and data transfer method of information processing apparatus | |
| CN108616517B (en) | High-reliability cloud platform service providing method | |
| Wang et al. | Independent credible: Secure communication architecture of Android devices based on TrustZone | |
| CN108449358B (en) | Cloud-based low-delay secure computing method | |
| Pedone et al. | Trusted computing technology and proposals for resolving cloud computing security problems | |
| EP3525391A1 (en) | Device and method for key provisioning | |
| CN117971347B (en) | TrustZone-based container trusted service design method, trustZone-based container trusted service design equipment and storage medium | |
| CN111147233B (en) | Reliable implementation method and node for ABE attribute encryption |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |