基于TPM联盟的可信云平台管理模型

doi:10.11959/j.issn.1000-436x.2016025

摘要/Abstract

摘要：

以可信计算技术为基础，针对可信云平台构建过程中可信节点动态管理存在的性能瓶颈问题，提出了基于TPM联盟的可信云平台体系结构及管理模型。针对TPM自身能力的局限性，提出了宏TPM和根TPM的概念。针对可信云中节点管理时间开销大的问题，引入时间树的概念组织TPM联盟，利用TPM和认证加密技术解决数据在TPM联盟内节点间的可信传输问题，提出了一种基于时间树的TPM联盟管理策略，包括节点配置协议、注册协议、注销协议、实时监控协议、网络管理修复协议和节点更新协议，阐述了时间树的生成算法，分析了建立可信节点管理网络的时间开销和节点状态监控的有效性。最后，通过仿真实验说明了模型具有较好的性能和有效性。

关键词: TPM联盟, 云计算, 可信云平台, 时间树

Abstract:

On the basis of trusted computing technology, trusted cloud platform architecture and management model based on theTPMalliance was proposed to solve the performance bottleneck of dynamic management of trusted nodes in the building process of trusted cloud platform. MacroTPMproposed to solve the capability limitation of TPM,the concept of time-based tree was introduced to organizeTPMalliance, addressing the problem of high time cost of nodes management in trusted cloud. It usedTPMand authentication encryption technology to solve trusted transmission problem of data among nodes inTPMalliance, and a management strategy of time-based treeTPMalliance was proposed, including node configuration protocol, node registration protocol, node logout protocol, node state real-time monitor protocol, trusted nodes management network repair protocol, node update protoc explains the production algorithm of time-based tree, analyses the effectiveness of the time cost of building trusted node management network and monitoring of node state. The simulation result indicates that the model is efficient, and the time cost in trusted node management can be reduced.

Key words: TPM alliance, cloud computing, trusted cloud platform, time-based tree

田俊峰,常方舒. 基于TPM联盟的可信云平台管理模型[J]. 通信学报, 2016, 37(2): 1-10.

Jun-feng TIAN,Fang-shu CHANG. Trusted cloud platform management model based onTPMalliance[J]. Journal on Communications, 2016, 37(2): 1-10.

图/表 14

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

表1

图13

参考文献 25

[1]	冯登国, 张敏, 张妍 . 云计算安全研究[J]. 软件学报, 2011, 22(1): 71-83. FENG D G , ZHANG M , ZHANG Y . Study on cloud computing security[J]. Journal of Software, 2011, 22(1): 71-83.
[2]	GARFINKEL T , PFAFF B , CHOW J . Terra: a virtual machine-based platform for trusted computing[J]. ACM SIGOPS Operating Systems Review, 2003, 37(5): 193-206.
[3]	BUTT S , LAGAR-CAVILLA H A , SRIVASTAVA A . Self-service cloud computing[C]// The 2012 ACM Conference on Computer and Communications Security. ACM, c2012: 253-264.
[4]	MCCUNE J M , LI Y , QU N . TrustVisor: efficient TCB reduction and attestation[C]// Security and Privacy (SP), 2010 IEEE Symposium. ACM, c2010: 143-158.
[5]	TADOKORO H , KOURAI K , CHIBA S . Preventing information leakage from virtual machines’ memory in IaaS clouds[J]. Information and Media Technologies, 2012, 7(4): 1421-1431.
[6]	BLEIKERTZ S , BUGIEL S , IDELER H . Client-controlled cryptography-as-a-service in the cloud[C]// Applied Cryptography and Network Security. Springer Berlin Heidelberg, c2013: 19-36.
[7]	CHEN C , RAJ H , SAROIU S . cTPM: a cloudTPMfor cross-device trusted applications[C]// The 11th USENIX Conference on Networked Systems Design and Implementation USENIX Association. c2014: 187-201.
[8]	吴吉义, 沈千里, 章剑林 . 云计算:从云安全到可信云[J]. 计算机研究与发展, 2011, 48(1): 229-233. WU J Y , SHEN Q L , ZHANG J L . Cloud computing: cloud security to trusted cloud[J]. Journal of Computer Research and Development, 2011, 48(1): 229-233.
[9]	SCHIFFMAN J , MOYER T , VIJAYAKUMAR H . Seeding clouds with trust anchors[C]// The 2010 ACM Workshop on Cloud Computing Security Workshop. ACM, c2010: 43-46.
[10]	DAVI L , SADEGHI A R , WINANDY M . Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks[C]// The 2009 ACM Workshop on Scalable Trusted Computing. ACM, c2009: 49-54.
[11]	BERGER S , CáCERES R , PENDARAKIS D . TVDc: managing security in the trusted virtual datacenter[J] ACM SIGOPS Operating Systems Review, 2008, 42(1): 40-47.
[12]	BERGER S , CáCERES S , GOLDMAN K . Security for the cloud infrastructure: trusted virtual data center implementation[J] IBM Journal of Research and Development, 2009, 53(4): 6: 1-6: 12.
[13]	SAYLER A , KELLER E , GRUNWALD D . Jobber: automating inter-tenant trust in the cloud[J/OL]. , 2013.
[14]	WU R , ZHANG X , AHN G J . Design and implementation of access control as a service for iaas cloud[J]. SCIENCE, 2013, 2(3):115-130.
[15]	刘川意, 唐博, 章剑林 . 面向云计算模式的运行环境可信性动态验证机制[J]. 软件学报, 2014, 25(3): 662-674. LIU C Y , LIN J , TANG B . Dynamic trustworthiness verifi ion mechanism for trusted cloud execution environment[J]. Journal of Software, 2014, 25(3): 662-674.
[16]	LI X Y , ZHOU L T , SHI Y . A trusted computing environment model in cloud architecture[C]// Machine Learning and Cybernetics (ICMLC), 2010 International Conference. IEEE, c2010: 2843-2848.
[17]	ZHANG F , CHEN J , CHEN H . CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization[C]// The Twenty-Third ACM Symposium on Operating Systems Principles. ACM, c2011: 203-216.
[18]	SANTOS N , GUMMADI K P , RODRIGUES R . Towards trusted cloud computing[C]// The 2009 Conference on Hot Topics in Cloud Computing. c2009: 3.
[19]	SANTOS N , RODRIGUES R , GUMMADI K P . Policy-sealed data: a new abstraction for building trusted cloud services[C]// USENIX Security Symposium. c2012: 175-188.
[20]	王丽娜, 任正伟, 董永峰 . 云存储中基于可信平台模块的密钥使用次数管理方法[J]. 计算机研究与发展, 2013, 50(8): 1628-1636. WANG L N , REN Z W , DONG Y F . A management approach to key-used times based on trusted platform module in cloud storage[J]. Journal of Computer Research and Development, 2013, 50(8): 1628-1636.
[21]	田俊峰, 吴志杰 . 一种可信的云存储控制模型[J]. 小型微型计算机系统, 2013, 34(4): 789-795. TIAN J F , WU Z J . Trusted control model of cloud storage[J]. Journal of Chinese Computer Systems, 2013, 34(4): 789-795.
[22]	张焕国, 陈璐, 张立强 . 可信网络连接研究[J]. 计算机学报, 2010, 33(4): 706-717. ZHANG H G , CHEN L , ZHANG L Q . Research on trusted network connection[J]. Chinese Journal of Computers, 2010, 33(4): 706-717.
[23]	WANG J , ZHAO B , ZHANG H . POSTER: an E2E trusted cloud infrastructure[C]// The 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, c2014: 1517-1519.
[24]	周振吉, 吴礼发, 洪征 . 云计算环境下的虚拟机可信度量模型[J]. 东南大学学报, (自然科学版), 2014, 44(1): 45-50. ZHOU Z J , WU L F , HONG Z . Trustworthiness measurement l of virtual machine for cloud computing[J]. Journal of Southeast University, (Natural Science Edition), 2014, 44(1): 45-50.
[25]	SZYDLO M . Merkle tree traversal in log space and time[C]// Advances in Cryptology-EUROCRYPT 2004. Springer Berlin Heidelberg, c2004: 541-554.

方式	描述
方式1	节点状态通过前驱节点传递到RTPM
方式2	节点状态通过兄弟节点传递到RTPM
方式3	节点状态通过前驱的前驱传递到RTPM
方式4	节点状态通过临时前驱传递到RTPM
方式5	节点状态通过RTPM计算出来