云环境中可信虚拟平台的远程证明方案研究
作者:
作者单位:

作者简介:

胡玲碧(1993-),女,四川威远人,学士,主要研究领域为可信计算;谭良(1972-),男,博士,教授,主要研究领域为可信计算,网络安全,云计算,大数据处理.

通讯作者:

胡玲碧,E-mail:csjkhlb@163.com

中图分类号:

基金项目:

国家自然科学基金(61373162);四川省科技支撑项目(2014GZ007)


Research on Trusted Virtual Platform Remote Attestation Method in Cloud Computing
Author:
Affiliation:

Fund Project:

National Natural Science Foundation of China (61373162); Sichuan Science and Technology Support Project (2014GZ007)

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    云环境中如何证明虚拟平台的可信,是值得研究的问题.由于云环境中虚拟平台包括运行于物理平台上的虚拟机管理器和虚拟机,它们是不同的逻辑运行实体,具有层次性和动态性,因此,现有的可信终端远程证明方案,包括隐私CA (privacy certification authority,简称PCA)方案和直接匿名证明(direct anonymous attestation,简称DAA)方案,都并不能直接用于可信虚拟平台.而TCG发布的Virtualized Trusted Platform Architecture Specification 1.0版中,可信虚拟平台的远程证明方案仅仅是个框架,并没有具体实施方案.为此,提出了一种自顶向下的可信虚拟平台远程证明实施方案——TVP-PCA.该方案是在虚拟机中设置一个认证代理,在虚拟机管理器中新增一个认证服务,挑战方首先通过顶层的认证代理证明虚拟机环境可信,然后通过底层的认证服务证明运行于物理平台上的虚拟机管理器可信,顶层和底层证明合起来确保了整个虚拟平台的可信,有效解决了顶层证明和底层证明的同一性问题.实验结果表明,该方案不仅能够证明虚拟机的可信,而且还能证明虚拟机管理器和物理平台的可信,因而证明了云环境中的虚拟平台是真正可信的.

    Abstract:

    In cloud computing, how to prove the trust of a virtual platform is a hot problem. A virtual platform includes the virtual machine manager that runs on the physical platform and the virtual machines that are different logical entities with hierarchy and dynamics. Existing trusted computing remote attestation schemes, such as the privacy certification authority (PCA) scheme and the direct anonymous attestation (DAA) scheme, cannot be directly used for trusted virtual platform. Moreover, the remote attestation scheme of trusted virtual platform in virtualized trusted platform architecture specification of TCG is only a framework without concrete implementation plan. To address these issues, this paper proposes a top-down remote attestation project, called TVP-PCA, for trusted virtual platform. This project designs and implements an attestation agent in the top-level virtual machine and an attestation service in the underlying virtual machine manager. With this approach, a challenger can first use the top-level agent to prove that the virtual machine is trusted, and then use the underlying service to prove that the virtual machine manager can be trusted, both attestations together ensure the credibility of the entire virtual platform. This paper solves the identity problem of the top-level attestation and the underlying attestation effectively. Experiments show that this project can not only prove the trust of the virtual machine, but also prove the trust of the virtual machine manager and the physical platform, thus establishing that the virtual platform of the cloud computing is trusted.

    参考文献
    相似文献
    引证文献
引用本文

胡玲碧,谭良.云环境中可信虚拟平台的远程证明方案研究.软件学报,2018,29(9):2874-2895

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2016-09-04
  • 最后修改日期:2016-12-07
  • 录用日期:
  • 在线发布日期: 2017-07-20
  • 出版日期:
文章二维码
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号