Journal on Communications, 2018, Vol. 39, Issue 6: 133-145. doi: 10.11959/j.issn.1000-436x.2018090

New extension method of trusted certificate chain in virtual platform environment

Liang TAN 1,2, Neng QI 1, Lingbi HU 1

  1 College of Computer Science, Sichuan Normal University, Chengdu 610101, China
  2 Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China
  • Revised: 2018-03-14 Online: 2018-06-01 Published: 2018-07-09
  • About the authors: Liang TAN (born 1972), male, from Luzhou, Sichuan, Ph.D., professor at Sichuan Normal University; main research interests: trusted computing, network security, cloud computing and big data processing. | Neng QI (born 1993), male, from Shangqiu, Henan, master's student at Sichuan Normal University; main research interest: trusted computing. | Lingbi HU (born 1993), female, from Weiyuan, Sichuan, master's student at Sichuan Normal University; main research interest: trusted computing.
  • Supported by:
    The National Natural Science Foundation of China (61373162); Sichuan Science and Technology Project (2014GZ0007); Sichuan Key Laboratory of Visual Computing and Virtual Reality Project (KJ201402)

Abstract (Chinese version, translated):

When trusted computing technology is used to build a trusted virtual platform environment, how to reasonably extend the certificate trust of the underlying physical trusted platform module (TPM) into the virtual machine environment is a problem that deserves attention. The existing certificate trust extension schemes are all imperfect: some violate the TCG specifications, some add key redundancy and a performance burden on the Privacy CA, and some cannot extend certificate trust at all. Therefore, a new trusted certificate chain extension method is proposed. First, a new class of certificate, VMEK (virtual machine extension key), is added to the TPM together with a management mechanism for VMEK; the main feature of this certificate is that its key is non-migratable and can sign and encrypt data both inside and outside the TPM. Second, the VMEK certificate is used to sign the vTPM's vEK, building a certificate trust relationship between the underlying TPM and the virtual machine's vTPM and thereby extending the trusted certificate chain into the virtual machine. Finally, the VMEK certificate, its management mechanism and VMEK-based certificate trust extension are implemented in Xen. Experimental results show that the proposed scheme can effectively realize remote attestation for the virtual platform.

Keywords: trusted computing, virtual platform, trusted platform module, vTPM, certificate chain extension

Abstract (authors' English version):

When trusted computing technology is used to build a trusted virtual platform environment, how to reasonably extend the underlying physical TPM's certificate chain to the virtual machine environment is a pressing problem. At present, the existing certificate trust extension schemes are imperfect: some violate the TCG specifications, some leave the TPM and vTPM certificate results inconsistent, some introduce key redundancy or a performance burden on the Privacy CA, and some cannot extend certificate trust at all. Based on this, a new extension method for the trusted certificate chain is proposed. Firstly, a new class of certificate called VMEK (virtual machine extension key) is added to the TPM, and a management mechanism for the VMEK certificate is constructed; its main feature is that the key is non-migratable and can be used to sign and encrypt data both inside and outside the TPM. Secondly, the VMEK certificate is used to sign the vTPM's vEK, building the trust relationship between the underlying TPM and the virtual machine and extending the trusted certificate chain into the virtual machine. Finally, the VMEK certificate, its management mechanism and VMEK-based certificate trust extension are implemented in Xen. The experimental results show that the proposed scheme can effectively realize the remote attestation function of the virtual platform.
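The chain the abstract describes (physical TPM EK issues the VMEK certificate, the VMEK signs the vTPM's vEK) as a remote verifier would walk it, written here as an added illustration that is not part of the paper or its Xen implementation. It assumes toy RSA keys built from Mersenne primes, a JSON certificate body with a `migratable` flag, and that the VMEK certificate is issued under the physical TPM's EK; all of these are assumptions of this example, not details from the paper.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    # Toy RSA key from two known Mersenne primes; illustration only, far too small for real use
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(body):
    # Canonical JSON so issuer and verifier hash exactly the same bytes
    raw = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def sign(key, body):
    return pow(digest(body) % key["n"], key["d"], key["n"])

def verify(n, body, sig):
    return pow(sig, E, n) == digest(body) % n

def issue(issuer_key, issuer, subject, subject_n, migratable):
    # A certificate binds a subject's public modulus to its name and migratability flag
    body = {"issuer": issuer, "subject": subject, "pub_n": subject_n, "migratable": migratable}
    return {"body": body, "sig": sign(issuer_key, body)}

def verify_vtpm_chain(ek_n, vmek_cert, vek_cert):
    """Remote verifier: walk vEK -> VMEK -> physical TPM EK (the EK modulus is the trusted root)."""
    if not verify(ek_n, vmek_cert["body"], vmek_cert["sig"]):
        return False  # VMEK was not issued under this physical TPM
    if vmek_cert["body"]["migratable"]:
        return False  # VMEK must be non-migratable, otherwise the chain is not bound to the TPM
    if vek_cert["body"]["issuer"] != vmek_cert["body"]["subject"]:
        return False  # vEK must name the VMEK as its issuer
    return verify(vmek_cert["body"]["pub_n"], vek_cert["body"], vek_cert["sig"])

def build_demo_chain():
    # Constructed sample chain: physical EK issues VMEK, VMEK issues the vTPM's vEK
    ek = make_key(2**31 - 1, 2**61 - 1)
    vmek = make_key(2**89 - 1, 2**107 - 1)
    vek = make_key(2**127 - 1, 2**521 - 1)
    vmek_cert = issue(ek, "TPM-EK", "VMEK-1", vmek["n"], migratable=False)
    vek_cert = issue(vmek, "VMEK-1", "vTPM-7-vEK", vek["n"], migratable=False)
    return {"ek": ek, "vmek": vmek, "vmek_cert": vmek_cert, "vek_cert": vek_cert}

if __name__ == "__main__":
    chain = build_demo_chain()
    print("chain valid:", verify_vtpm_chain(chain["ek"]["n"], chain["vmek_cert"], chain["vek_cert"]))
```

The verifier rejects a vEK certificate that was tampered with, a VMEK whose certificate marks it migratable, and a chain presented against a different physical TPM's EK modulus.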

Key words: trusted computing, virtual platform, trusted platform module, vTPM, certificate chain extension
