云环境下可信系统架构与虚拟证书链生成研究
Research on Trusted System Architecture and Virtual Certificate Chain in Cloud Environment
DOI: 10.12677/CSA.2018.85082, PDF,  被引量   
作者: 王 冠*, 郭一清, 陈建中:北京工业大学计算机学院,北京;可信计算北京市重点实验室,北京
关键词: 可信平台模块可信虚拟域TPM证书虚拟证书链Trusted Platform Module Trusted Domain TPM Credential Virtual Certificate Chain
摘要: 本文提出了基于独立可信虚拟域(Domain Trusted, Domain T)的可信虚拟机系统架构,降低了现有系统中可信计算基(Trusted Computing Base, TCB)的大小,在保持Xen的Credit调度算法不变的情况下提高了vTPM (virtual TPM)计算性能。在此基础上,本文引入Domain T域身份密钥tEK,相比现有方法,在符合可信计算组织(Trusted Computing Group, TCG)主要规范的条件下生成了虚拟可信证书,为vTPM提供了信任根。最终测试结果表明,本系统在降低特权域TCB大小、提高vTPM计算性能的同时,提供了有效的客户虚拟机证书生成和身份认证的能力。
Abstract: This paper proposed a trusted virtual machine system architecture based on independent Domain T, reduced the TCB size of existing systems, and increased vTPM computing performance with Xen’s Credit scheduling algorithm unchanged. On this basis, by introducing the identity key of Domain T, it generated virtual trusted certificate under TCG main specifications, and provided a trusted root for vTPM. Finally, the test results show that the system reduces TCB size of Domain 0, improves vTPM computing performance, and provides client virtual machines with the capability of certificate generation and identity authentication.
文章引用:王冠, 郭一清, 陈建中. 云环境下可信系统架构与虚拟证书链生成研究[J]. 计算机科学与应用, 2018, 8(5): 738-747. https://doi.org/10.12677/CSA.2018.85082

参考文献

[1] 冯登国, 张敏, 张妍, 等. 云计算安全研究[J]. 软件学报, 2011, 22(1).
[2] 罗东俊. 基于可信计算的云计算安全若干关键问题研究[D]. 广州: 华南理工大学, 2014.
[3] 沈昌祥, 张焕国, 王怀民, 等. 可信计算的研究与发展[J]. 中国科学: 信息科学, 2010, 40(2): 139-166.
[4] Goldman, K.A. and Berger, S. TPM Main Part 3 IBM Commands. http://www.research.ibm.com/secure_systems_department/projects/vtpm/mainP3IBMCommandsrev10.pdf
[5] England, P. and Lo-eser, J. (2008) Para-Virtualized TPM Sharing. International Conference on Trusted Computing. Springer, Berlin, Heidelberg, 119-132.
[6] Anderson, M.J., Moffie, M. and Dalton, C.I. (2007) Towards Trustworthy Virtualisation Environments: Xen Library os Security Service Infrastructure. HP Technical Report, 88-111.
[7] Stumpf, F., Eckert, C. and Balfe, S. (2008) Towards Secure e-Commerce Based on Virtualization and Attestation Techniques. Third International Conference on Availability, Reliability and Secu-rity, 2008. ARES 08. IEEE, 376-382.
[8] Scarlata, V., Rozas, C., Wiseman, M., et al. (2008) TPM Virtualization: Building a General Framework. Trusted Computing. Vieweg + Teubner, 43-56.
[9] Perez, R., Sailer, R. and van Doorn, L. (2006) vTPM: Virtualizing the Trusted Platform Module. Proceedings of the 15th Conference on USENIX Security Symposium, 305-320.
[10] Stumpf, F., Benz, M., Hermanowski, M., et al. (2007) An Approach to a Trustworthy System Architecture Using Virtualization. International Confer-ence on Autonomic and Trusted Computing, Springer, Berlin, Heidelberg, 191-202.
[11] Jansen, B., Ramasamy, H. and Schunter, M. (2006) Flexible Integrity Protection and Verification Architecture for Virtual Machine Monitors. Second Workshop on Advances in Trusted Computing.
[12] Sadeghi, A.R., Stüble, C. and Winandy, M. (2008) Property-Based TPM Virtualization. International Con-ference on Information Security, Springer, Berlin, Heidelberg, 1-16.
[13] Strasser, M. and Stamer, H. (2008) A Software-Based Trusted Platform Module Emulator. International Conference on Trusted Computing, Springer, Berlin, Heidelberg, 33-47.
[14] TPM Main Specification Level 2 Version 1.2, Part 2, TPM Structures. 2011-1.
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf
[15] 顾振宇, 张申生, 李晓勇. Xen 中 Credit 调度算法的优化[J]. 微型电脑应用, 2009, 25(2): 1-3.
[16] 王丽娜, 高汉军, 余荣威, 等. 基于信任扩展的可信虚拟执行环境构建方法研究[J]. 通信学报, 2011.
[17] 荣星, 赵勇. 基于无证书环签名的虚拟机可信证明方案[J]. 计算机应用, 2017, 37(2): 378-382.