虚拟平台环境中一种新的可信证书链扩展方法

doi:10.11959/j.issn.1000-436x.2018090

Abstract

Abstract:

When using trusted computing technology to build a trusted virtual platform environment,it is a hot problem that how to reasonably extend the underlying physical TPM certificate chain to the virtual machine environment.At present,the certificate trust expansion schemes are not perfect,either there is a violation of the TCG specifications,or TPM and vTPM certificate results inconsistent,either the presence of key redundancy,or privacy CA performance burden,some project cannot even extend the certificate trust.Based on this,a new extension method of trusted certificate chain was proposed.Firstly,a new class of certificate called VMEK (virtual machine extension key) was added in TPM,and the management mechanism of certificate VMEK was constructed,the main feature of which was that its key was not transferable and could be used to sign and encrypt the data inside and outside of TPM.Secondly,it used certificate VMEK to sign vTPM’s vEK to build the trust relationship between the underlying TPM and virtual machine,and realized extension of trusted certificate chain in virtual machine.Finally,in Xen,VMEK certificate and its management mechanism,and certificate trust extension based on VMEK were realized.The experiment results show that the proposed scheme can effectively realize the remote attestation function of virtual platform.

Key words: trusted computing, virtual platform, trusted platform module, vTPM, certificate chain extension

CLC Number:

TP309

Liang TAN,Neng QI,Lingbi HU. New extension method of trusted certificate chain in virtual platform environment[J]. Journal on Communications, 2018, 39(6): 133-145.

Figures/Tables 26

References 27

[1]	ZHANG Y , ZHOU Y . 4VP:A novel meta OS approach for streaming programs in ubiquitous computing[C]// International Conference on Advanced Information NETWORKING and Applications. 2007: 394-403.
[2]	ZHANG Y , ZHOU Y . Transparent computing:a new paradigm for pervasive computing[C]// International Conference on Ubiquitous Intelligence and Computing. 2006: 1-11.
[3]	陈康, 郑纬民 . 云计算:系统实例与研究现状[J]. 软件学报, 2009,20(5): 1337-1348.
	CHEN K , ZHENG W M . Cloud computing:system case and research status[J]. Journal of Software, 2009,20(5): 1337-1348.
[4]	罗军舟, 金嘉晖, 宋爱波 ,等. 云计算:体系架构与关键技术[J]. 通信学报, 2011,32(7): 3-21.
	LUO J Z , JIN J H , SONG A B ,et al. Cloud computing:architecture and key technologies[J]. Journal on Communications, 2011,32(7): 3-21.
[5]	林闯, 苏文博, 孟坤 ,等. 云计算安全:架构、机制与模型评价[J]. 计算机学报, 2013,36(9): 1765-1784.
	LIN C , SU W B , MENG K ,et al. Cloud computing security:architecture,mechanism and model evaluation[J]. Chinese Journal of Computers, 2013,36(9): 1765-1784.
[6]	王国峰, 刘川意, 潘鹤中 ,等. 云计算模式内部威胁综述[J]. 计算机学报, 2017,40(2): 296-316.
	WANG G F , LIU C Y , PAN H Z ,et al. An overview of internal threats in cloud computing models[J]. Chinese Journal of Computers, 2017,40(2): 296-316.
[7]	MAHAJAN A , SHARMA S . The malicious insiders threat in the cloud[J]. International Journal of Engineering Research and General Science, 2015,3(2): 245-256.
[8]	BOUCHé J , KAPPES M . Attacking the cloud from an insider perspective[C]// Internet Technologies and Applications. 2015.
[9]	王焘, 张文博, 魏峻 ,等. 一种基于故障预测的云计算系统自适应监测方法[P]. CN105677538A, 2016.
	WANG H , ZHANG W B , WEI J ,et al. An adaptive monitoring method for cloud computing systems based on fault prediction[P]. CN105677538A, 2016.
[10]	沈昌祥, 张焕国, 王怀民 ,等. 可信计算的研究与发展[J]. 中国科学:信息科学, 2010(2): 139-166.
	SHEN C X , ZHANG H G , WANG H M ,et al. Research and development of trusted computing[J]. Chinese Science:Information Science, 2010(2): 139-166.
[11]	冯登国, 秦宇, 汪丹 ,等. 可信计算技术研究[J]. 计算机研究与发展, 2011,48(8): 1332-1349.
	FENG D G , QIN Y , WANG D ,et al. Research on trusted computing technology[J]. Journal of Computer Research and Development, 2011,48(8): 1332-1349.
[12]	CHEN Y , PAXSON V , KATZ R H . What’s new about cloud computing security?[J]. 2014,20.
[13]	KO R K L , JAGADPRAMANA P , MOWBRAY M ,et al. Trust cloud:a framework for accountability and trust in cloud computing[C]// Services. 2011: 584-588.
[14]	刘川意, 王国峰, 林杰 ,等. 可信的云计算运行环境构建和审计[J]. 计算机学报, 2016,39(2): 339-350.
	LIU C Y , WANG G F , LIN J ,et al. Trusted cloud computing operating environment construction and auditing[J]. Chinese Journal of Computers, 2016,39(2): 339-350.
[15]	田俊峰, 常方舒 . 基于 TPM 联盟的可信云平台管理模型[J]. 通信学报, 2016,37(2): 1-10.
	TIAN J F , CHANG F S . Trusted cloud platform management model based on TPM alliance[J]. Journal on Communications, 2016,37(2): 1-10.
[16]	吴吉义, 沈千里, 章剑林 ,等. 云计算:从云安全到可信云[J]. 计算机研究与发展, 2011,48(S1): 229-233.
	WU J Y , SHEN Q L , ZHANG J L ,et al. Cloud computing:from cloud security to trusted clouds[J]. Journal of Computer Research and Development, 2011,48(S1): 229-233.
[17]	BERGER S , GOLDMAN K A , PEREZ R ,et al. vTPM:virtualizing the trusted platform module[C]// Conference on Usenix Security Symposium. 2006:21.
[18]	ENGLAND P , LOESER J . Para-virtualized TPM sharing[C]// International Conference on Trusted Computing and Trust in Information Technologies:Trusted Computing-Challenges and Applications. 2008: 119-132.
[19]	STUMPF F , ECKERT C . Enhancing trusted platform modules with hardware-based virtualization techniques[C]// Second International Conference on Emerging Security Information,Systems and Technologies. 2008: 1-9.
[20]	ALBELOOSHI B , SALAH K , MARTIN T ,et al. Securing cryptographic keys in the IaaS cloud model[C]// IEEE/ACM International Conference on Utility and Cloud Computing. 2016: 42-56.
[21]	YU Z , WANG Q , ZHANG W ,et al. A cloud certificate authority architecture for virtual machines with trusted platform module[C]// IEEE International Conference on High PERFORMANCE Computing and Communications. 2015: 1377-1380.
[22]	CHANG D , CHU X , QIN Y ,et al. TSD:a flexible root of trust for the cloud[C]// IEEE International Conference on Trust,Security and Privacy in Computing and Communications. 2012: 119-126.
[23]	WAN X , XIAO Z , REN Y . Building trust into cloud computing using virtualization of TPM[C]// Fourth International Conference on Multimedia Information NETWORKING and Security. 2013: 59-63.
[24]	XUE D , WU X , GAO Y ,et al. TrustVP:construction and evolution of trusted chain on virtualization computing platform[C]// Eighth International Conference on Computational Intelligence and Security. 2013: 623-630.
[25]	GOYETTE R . A review of “vTPM:virtualizing the trusted platform module”[R]. Network Security and Cryptography Symposium, 2007: 1-17.
[26]	王丽娜, 高汉军, 余荣威 ,等. 基于信任扩展的可信虚拟执行环境构建方法研究[J]. 通信学报, 2011,32(9): 1-8.
	WANG L N , GAO H J , YU R W ,et al. Research on the construction method of trusted virtual execution environment based on trust extension[J]. Journal on Communications, 2011,32(9): 1-8.
[27]	杨永娇, 严飞, 毛军鹏 ,等. Ng-vTPM:新一代TPM虚拟化框架设计[J]. 武汉大学学报(理学版), 2015,61(2): 103-111.
	YANG Y J , YAN F , MAO J P ,et al. Ng-vTPM:a new generation of TPM virtualization framework design[J]. Journal of Wuhan University (Science Materials), 2015,61(2): 103-111.

Metrics

Recommended 0

No Suggested Reading articles found!

数据段名称	说明	字段设置
VMEK公钥	VMEK公钥部分	必须
TPM制造商	确定TPM制造商的标识符	必须
TPM模块	确定TPM模块的信息	必须
TPM一致性参考	指向TPM一致性证书的指针	必须
平台类型	确定平台的类型	必须
平台制造商	确定平台制造商的标志符	必须
发布者	确定证书的发布者	必须
签名值	发布者的签名值	必须
TPM规范	确定TPM遵守的规范	必须
PCR值	虚拟平台的PCR值	可选
源VMEK证书	源虚拟平台VMEK证书，便于回溯	可选
有效期	证书有效的时间段	可选
策略参考	证书的策略参考	可选
其他	扩展域（保留）	可选

名称	允许的签名方案	允许的加密方案
签名密钥	TPM_ES_NONE	TPM_SS_RSASSAPKCS1 v15_SHA1
存储密钥	TPM_ES_RSAESOAEP_SHA1_MGF1	TPM_SS_NONE
VEMK密钥	TPM_ES_RSAESOAEP_ SHA1_MGF1	TPM_SS_RSASSAPKCS1 v15_SHA1

证书类型	发布者	证书作用	证书内容
背书证书	TPM制造商	证明TPM身份	TPM模块、发布者、TPM规范、签名值、公钥等
一致性证书	可信第三方	指出评估者认可TPM的设计和实现符合评估准则	评估者名、平台制造商名、平台型号、平台版本号、背书证书
平台证书	平台制造商	确认平台的制造者并且描述平台的属性	背书证书、平台模型、发布者、平台规范、签名值等
确认证书	可信第三方	确认系统中某个硬件或软件	确认实体名、组件生产商名、组件型号、发布者、签名值等
AIK证书	Privacy CA	证明TPM及平台的身份	AIK公钥、TPM模块、发布者、TPM规范、签名值、身份标签（背书证书、验证证书和平台证书）等
VMEK证书	Privacy CA	用来迁移vTPM及证书信任扩展	VMEK 公钥、TPM 模块、平台类型、一致性证书、发布者、签名值、源PCR值、源VMEK证书等

方案	是否遵守TCG规范	是否增加密钥冗余	是否增加PCA负担	信任是否扩展
vTPM vEK to hTPM AIK Binding	否	否	是	是
hTPM AIK signs vTPM vAIK	否	否	是	是
Local CA issue vEK Certificat	是	否	否	否
vTPM vEK to hTPM EK Binding	否	否	否	是
vTPM vAIK to hTPM SK Binding	是	是（多）	否	是
hTPM EPS Product vEK	是	否	否	否
本文方案	是	否（1个）	否	是

配置项	物理平台（Dom0特权域）	用户虚拟机（DomU-Ubuntu）
CPU	Intel Core i3 @3.4 GHz	Intel Core i3 @3.4 GHz
内核版本	Linux3.19.0	Linux3.19.0
内存	8 GB	4 GB
二级缓存	4 MB	4 MB
硬盘容量	1 TB	30 GB

New extension method of trusted certificate chain in virtual platform environment

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 26

References 27

Related Articles 15

Metrics

Recommended 0

源码名称及版本	名称	文件路径	类型/作用
TPM_Emulator-0.7.4	TPM_KEY_USAGE	//tpm_emulator-0.7.4/tpm/tpm_structures.h	证书常量
	PM_KEY_VMEK		数据结构
	TPM_VMEK_CONTENTS
	TPM_CreateVMEKKeyPair	//tpm_emulator-0.7.4/tpm/tpm_structures.h	函数定义
	TPM_ActiveVMEK
	TPM_VMEKLoad
	TPM_VMEK_Signing
	TPM_CreateVMEKKeyPair	//tpm_emulator-0.7.4/tpm/tpm_identity.c	接口函数
	TPM_ActiveVMEK
	TPM_VMEKLoad	//tpm_emulator-0.7.4/tpm/tpm_vmekref.c
	TPM_VMEK_Signing
Xen-4.4.0	VEMK_Info	//xen-4.4.0/xen/include/public/xen.h	vmek标识
	VMEK_Info	//xen-4.4.0/stubdom/vtpmmgr/tpm.h	vmek信息

应用层接口	TSP层接口	TCS层接口	TPM命令
VTPM_CreateVMEKKeyPair	VTSP_CreateVMEKKeyPair	TCSP_CreateVMEKKeyPair	TPM_CreateVMEKKeyPair
VTPM_TPM_VMEKLoad	VTSP_VMEKLoad	TCSP_VMEKLoad	TPM_VMEKLoad
VTPM_ActiveVMEK	VTSP_ActiveVMEK	TCSP_ActiveVMEK	TPM_ActiveVMEK
VTPM_VMEK_Signing	VTSP_VMEK_Signing	TCSP_VMEK_Signing	TPM_VMEK_Signing

实验组序	生成vAIK证书时间/s
实验组序	生成VMEK证书	签发vEK证书	签发vAIK证书	合计
第1组	10.03	3.11	3.20	16.34
第2组	10.02	3.10	3.20	16.32
第3组	10.04	3.10	3.21	16.35
第4组	10.03	3.10	3.19	16.32
第5组	10.03	3.09	3.20	16.32
平均值	10.03	3.10	3.20	16.33

[1]	Bibo TU, Jie CHENG, Haojun XIA, Kun ZHANG, Ruina SUN. Overview of research on trusted attestation technology of cloud virtualization platform [J]. Journal on Communications, 2021, 42(12): 212-225.
[2]	Xinfeng HE,Junfeng TIAN,Fanming LIU. Survey on trusted cloud platform technology [J]. Journal on Communications, 2019, 40(2): 154-163.
[3]	Junfeng TIAN,Tianle LI. Data integrity verification based on model cloud federation of TPA [J]. Journal on Communications, 2018, 39(8): 113-124.
[4]	Junfeng TIAN,Yongchao ZHANG. Trusted auditing method of virtual machine based on improved expectation decision method [J]. Journal on Communications, 2018, 39(6): 52-63.
[5]	Xingshu CHEN,Wei WANG,Xin JIN. Label-based protection scheme of vTPM secret [J]. Journal on Communications, 2018, 39(11): 170-180.
[6]	Tian-shu WANG,Gong-xuan ZHANG,Xi-chen YANG. Trusted solution monitoring system based on ZigBee wireless sensor network [J]. Journal on Communications, 2017, 38(Z2): 67-77.
[7]	Lei WANG,Ming-hua YANG,Zeng-liang LIU,Jian-qun ZHENG. Trust chain generating and updating algorithm for dual redundancy system [J]. Journal on Communications, 2017, 38(1): 1-8.
[8]	Wei FENG,Yu QIN,Deng-guo FENG,Bo YANG,Ying-jun ZHANG. Design and implementation of secure Windows platform based on TCM [J]. Journal on Communications, 2015, 36(8): 91-103.
[9]	. Research of a trusted execution environment module for multiple platforms [J]. Journal on Communications, 2014, 35(Z2): 11-85.
[10]	. Trusted virtual machine management model for cloud computing [J]. Journal on Communications, 2014, 35(Z2): 13-105.
[11]	Qian-ying ZHANG,Shi-jun ZHAO,Wei FENG,Yu QIN,Deng-guo FENG. Research of a trusted execution environment module for multiple platforms [J]. Journal on Communications, 2014, 35(Z2): 72-85.
[12]	Zhen-ji ZHOU,Li-fa WU,Zheng HONG,Hai-guang LAI,Cheng-hui ZHENG. Trusted virtual machine management model for cloud computing [J]. Journal on Communications, 2014, 35(Z2): 94-105.
[13]	. Research of platform identity attestation based on trusted chip [J]. Journal on Communications, 2014, 35(8): 13-106.
[14]	Qian-ying ZHANG,Deng-guo FENG,Shi-jun ZHAO. Research of platform identity attestation based on trusted chip [J]. Journal on Communications, 2014, 35(8): 94-106.
[15]	Yue-lei XIAO,Yu-min WANG,Liao-jun PANG,Shi-chong TAN. WLAN Mesh security association scheme in trusted computing environment [J]. Journal on Communications, 2014, 35(7): 94-103.