A Dynamic Trust Extension Method for Virtual Trusted Platform Modules
Published: 2018-06-04 22:54
Topics: trusted computing + Trusted Platform Module (TPM); Reference: Journal of Software (《軟件學(xué)報》), 2017, No. 10
[Abstract]: Applying trusted computing technology to virtualized computing systems can provide hardware-based trusted protection in scenarios such as cloud computing and network function virtualization (NFV). A software-implemented virtual Trusted Platform Module (vTPM), backed by a physical TPM (pTPM), lets each virtual machine have its own dedicated TPM, but the trust placed in the pTPM must be extended to the vTPM. Existing methods mainly use certificate chains for this extension; however, after a virtual machine and its vTPM are migrated, a new identity key certificate must be requested for the vTPM. This can produce a large number of short-lived certificates at high cost, cannot promptly revoke the old pTPM's trust extension to the vTPM, and cannot provide forward security. This paper proposes a dynamic trust extension (DTE) method for vTPMs to meet the needs of frequently migrated virtual machines. DTE treats the vTPM as a proxy of the pTPM: each time the vTPM performs remote attestation, it must obtain a valid time token from an authentication server (AS). DTE establishes a tight security binding between the vTPM and the pTPM while still clearly distinguishing the two TPMs, which have different security strengths. In DTE, a migrated vTPM does not need to obtain a new identity key certificate, the old pTPM can promptly revoke its trust extension to the vTPM, and DTE provides forward security. A prototype system and its performance tests and analysis show that DTE is feasible.
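As an added illustration (not the paper's code, and not its actual token or binding format), the following Python models the verifier-side checks the abstract attributes to DTE: a vTPM attestation is accepted only with a current time token from the AS that is bound to the vTPM and its hosting pTPM, the vTPM keeps its identity across migration, and the old pTPM can withdraw its extension at once. The JSON token body, the HMAC with a key shared by the AS and verifiers, and the revocation set are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Stand-in for the authentication server's token key; a real AS would sign tokens
# and verifiers would hold only its public key (assumption for this example).
AS_KEY = b"constructed-demo-key"

def _mac(body: dict) -> str:
    return hmac.new(AS_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue_token(vtpm_id: str, ptpm_id: str, issued_at: int, ttl: int) -> dict:
    """AS issues a time token binding a vTPM to the pTPM that currently hosts it."""
    body = {"vtpm": vtpm_id, "ptpm": ptpm_id, "iat": issued_at, "exp": issued_at + ttl}
    return {"body": body, "mac": _mac(body)}

def verify_attestation(token: dict, vtpm_id: str, ptpm_id: str, now: int, revoked: set) -> str:
    """Verifier: accept the vTPM's attestation only with an authentic, current token
    bound to the claimed vTPM/pTPM pair that the pTPM has not revoked."""
    body = token["body"]
    if not hmac.compare_digest(_mac(body), token["mac"]):
        return "rejected: token MAC invalid"
    if body["vtpm"] != vtpm_id or body["ptpm"] != ptpm_id:
        return "rejected: token not bound to this vTPM/pTPM pair"
    if not body["iat"] <= now < body["exp"]:
        return "rejected: token expired or not yet valid"
    if (body["ptpm"], body["vtpm"]) in revoked:
        return "rejected: pTPM revoked its trust extension"
    return "accepted"

def migration_scenario() -> dict:
    """Walk through the lifecycle the abstract describes: attest, migrate, revoke."""
    revoked = set()                       # (pTPM, vTPM) pairs a pTPM has withdrawn
    tok_a = issue_token("vm-42", "host-A", issued_at=1000, ttl=300)
    out = {"before_migration": verify_attestation(tok_a, "vm-42", "host-A", 1100, revoked)}
    # Migration: the vTPM keeps its identity; only a fresh token for host-B is needed.
    tok_b = issue_token("vm-42", "host-B", issued_at=1200, ttl=300)
    revoked.add(("host-A", "vm-42"))      # old pTPM withdraws its extension at once
    out["old_host_after_revoke"] = verify_attestation(tok_a, "vm-42", "host-A", 1250, revoked)
    out["new_host"] = verify_attestation(tok_b, "vm-42", "host-B", 1250, revoked)
    out["new_host_stale_token"] = verify_attestation(tok_b, "vm-42", "host-B", 1600, revoked)
    # A token whose expiry was edited after issue must fail the MAC check.
    tampered = {"body": dict(tok_b["body"], exp=9999), "mac": tok_b["mac"]}
    out["tampered_token"] = verify_attestation(tampered, "vm-42", "host-B", 1600, revoked)
    return out

if __name__ == "__main__":
    for step, result in migration_scenario().items():
        print(f"{step}: {result}")
```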
[Affiliation]: School of Computer Science, Wuhan University; State Key Laboratory of Software Engineering (Wuhan University)
[Funding]: National Basic Research Program of China (973 Program) (2014CB340600); National Natural Science Foundation of China (61772384)
[Classification]: TP309
Article ID: 1979190
Article link: http://sikaile.net/kejilunwen/ruanjiangongchenglunwen/1979190.html