
A Dynamic Trust Extension Method for Virtual Trusted Platform Modules

Published: 2018-06-04 22:54

Topics: trusted computing + Trusted Platform Module (TPM). Source: Journal of Software (《軟件學報》), 2017, issue 10


[Abstract]: Applying trusted computing technology to virtualized computing systems can provide hardware-based trust protection in scenarios such as cloud computing and network function virtualization (NFV). A software-implemented virtual trusted platform module (vTPM), built on a physical TPM (pTPM), lets each virtual machine have its own dedicated TPM, but the trust placed in the pTPM must be extended to the vTPM. Existing methods mainly use a certificate chain for this extension. After a virtual machine and its vTPM are migrated, however, the vTPM's identity key certificate must be applied for again, which may produce a large number of short-lived certificates at high cost. These methods also cannot promptly revoke the old pTPM's trust extension to the vTPM, and they cannot provide forward security. This paper proposes a vTPM dynamic trust extension (DTE) method to meet the needs of frequent virtual machine migration. DTE treats the vTPM as a proxy of the pTPM: each time the vTPM performs remote attestation, it must obtain a valid time token from an authentication server (AS). DTE establishes a tight security binding between the vTPM and the pTPM while still clearly distinguishing the two kinds of TPM, which have different security strengths. In DTE, a migrated vTPM does not need to obtain a new identity key certificate, the old pTPM can promptly revoke its trust extension to the vTPM, and forward security is provided. The prototype system and its performance testing and analysis show that DTE is feasible.
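[Affiliations]: School of Computer Science, Wuhan University; State Key Laboratory of Software Engineering (Wuhan University)
[Funding]: National Basic Research Program of China (973 Program) (2014CB340600); National Natural Science Foundation of China (61772384)
[Classification number]: TP309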

