CN103747036A - Trusted security enhancement method in desktop virtualization environment - Google Patents
Trusted security enhancement method in desktop virtualization environment Download PDFInfo
- Publication number
- CN103747036A CN103747036A CN201310716776.9A CN201310716776A CN103747036A CN 103747036 A CN103747036 A CN 103747036A CN 201310716776 A CN201310716776 A CN 201310716776A CN 103747036 A CN103747036 A CN 103747036A
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- tcm
- virtual machines
- credible
- user terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention relates to a trusted security enhancement method in a desktop virtualization environment. The method comprises the following steps that: a thin client and a server are started and automatically carry out trusted measurement and trust chain transferring from bottom-layer hardware to upper-layer application software; thin client trusted access and platform bidirectional remote attestation is carried out; and after the successful access authentication, remote desktop connection software is started and the thin client obtains a desktop of a server virtual machine and carries out access and operation. According to the invention, the integrity and confidentiality principles of the terminal platform and communication transmission in the desktop virtualization environment can be fully considered; and techniques like physical trust root-based trust link transfer technique, the trusted BIOS measurement technique, the trusted platform access and remote attestation technique and the like can be utilized comprehensively. Therefore, defects of the traditional desktop virtualization safety protection measure can be overcome; and the management difficulty of the virtual data center can be effectively reduced and the security can be improved.
Description
Technical field
The invention belongs to network security technology field, particularly the credible and secure Enhancement Method under a kind of desktop virtual environment.
Background technology
In recent years, desktop virtual technology adds that with the calculating based on server the use of thin-client has changed the Distributed Calculation use pattern of conventional P C, desktop or client operating system and original physical hardware are isolated, realized application more flexibly.The desktop virtual technology of customer-centric can be configured and manage user rather than equipment, effectively improves the efficiency of deployment and leading subscriber desktop environment.
But, live and work in desktop virtual technology to people brings easily simultaneously, also many potential safety hazards have been exposed, traditional Security mechanism and strategy are when the new security challenge bringing in the face of Intel Virtualization Technology itself, be difficult to the objective of defense that reaches predetermined, cannot have effectively blocked assailant's unauthorized access and invasion.
At virtual credible and secure protection correlative technology field, application number is that 200580041663.7 patent discloses a kind of for being based upon the method and system of the connection between data server and middleware server, in order to ensure the safety connecting, it has defined a plurality of trust attribute relevant to trusted context between middleware server and database server, by the coupling of trust attribute, sets up safe connection.Although the method has guaranteed certain connection safety on transmission link, lack connecting both sides' platform authentication and integrated authentication, be therefore difficult to guarantee the End-to-End Security of transfer of data.The patent that application number is 200580020738.3 discloses a kind of method that the safety virtualization of credible platform module is provided, containing physics TPM(Trusted Platform Module, credible platform module) in treatment system, create virtual TPM, this virtual TPM service can be stored the key for the virtual TPM in physics TPM, and this virtual TPM service simultaneously can be used virtual TPM so that the physics TPM feature of emulation to be provided.Although the method has been done enhancing to the fail safe of virtual platform itself and integrality, because the method is only for single device, cannot be applied to the front and back end transfer of data demand under desktop virtual environment, therefore there is certain application limitation.
In sum, from the angle of end-to-end communication, also there is following safety problem in desktop virtual at present:
Startup that server and terminal equipment are credible: conventional security safeguard procedures cannot Authentication devices start-up course in the integrality of each assembly, when hardware, firmware, virtual machine monitor, operating system and application program, any one is tampered the safety that all can directly threaten whole platform.Especially when virtual machine monitor is tampered or kidnap, because it has very high privilege, can destroy the security model of whole virtual machine architecture, the safety prevention measure in virtual machine also all can lose efficacy.
Network access security and platform authentication: the diversity of accessing user terminal to network has strengthened the possibility that end-to-end communication information is maliciously forged, steals, distorted.Meanwhile, the characteristics such as multiplexing and resource-sharing virtual, memory space of the isomerism of access network and user terminal, data center have reduced the examination ability to user behavior.
Summary of the invention
In order to address the above problem, the present invention proposes the credible and secure Enhancement Method under a kind of desktop virtual environment.By this server handling ability that depends on of thin client, realize data access and apply the occupation mode of processing, alleviating to a certain extent the potential safety hazard of sensitive data resource in terminal, obtaining safer remote application and data access capabilities.
To achieve these goals, the present invention by the following technical solutions.
According to the application model of desktop virtual, desktop virtual infrastructure is divided into front end thin client and two, Back end data center part.Front end thin client is connected for realizing with the virtual machine that is deployed in data center server, and carries out remote desktop demonstration, common office operation and other Operational Visits; Back end data center exists with the form of server, provides resources of virtual machine, memory source, storage resources etc., and certain function of safety protection interface is provided to user.Architectural framework of the present invention as shown in Figure 1, mainly comprises three parts: startup that front end thin client is credible, startup that back-end server is credible and platform credible access authentication.By embedding credible password module (Trusted Cryptography Module, TCM) at thin client, the method under the credible Computational frames such as employing integrity measurement, transitive trust realizes the secure and trusted of user terminal self; Adopt credible access and remote proving technology to solve the access authentication of remote terminal, adopt the encryption method of reliable hardware module to realize the safeguard protection to transmission data; By building trusted servers, introduce virtual credible crypto module (vTCM), realize the access of trusted users terminal security, improve desktop virtual environment in the face of the Initiative Defense ability of malicious attack.
A credible and secure Enhancement Method under desktop virtual environment, comprises the following steps:
Step 1: start thin client and server, both carry out credible tolerance and the transitive trust to upper application software by bottom hardware automatically.
The object of carrying out credible tolerance and transitive trust is the fail safe that guarantees platform self.
Step 2: access that thin client is credible and platform bidirectional remote prove.
The object of this step is to guarantee inquiry side and both integralities of proof side.
Step 3: after access authentication success, start Remote desk process software, thin client obtains the desktop of server virtual machine and conducts interviews and operate.
The present invention takes into full account integrality and the secrecy principle of terminal platform and communications under desktop virtual environment, transitive trust technology, credible BIOS measurement technology, credible platform access and the remote proving technology etc. of comprehensive utilization based on physics root of trust, made up the deficiency of the virtual safety prevention measure of conventional desktop, effectively reduced the management difficulty of virtual data center and improved its fail safe.Compared with prior art, the present invention has the following advantages:
(1), by credible tolerance and the transitive trust of thin client and server, improved the fail safe of platform self;
(2) by virtual TCM, build credible and secure virtual machine platform, made guest virtual machine can share safety function and the attribute of physics TCM;
(3) by introducing credible access authentication, provide the approach that between platform, integrality proves mutually, it can be with platform self-security effectively in conjunction with also further guaranteeing end-to-end transmission security.
Accompanying drawing explanation
Fig. 1 is architectural framework schematic diagram of the present invention;
Fig. 2 is the main flow chart of the method for the invention;
Fig. 3 is the credible startup flow chart of thin client;
Fig. 4 is the credible startup flow chart of server;
Fig. 5 is credible access and remote platform proof flow chart.
Embodiment
Below in conjunction with drawings and Examples, the invention will be further described.
The main flow chart of the method for the invention as shown in Figure 2, comprises the following steps:
Step 1: thin client and server carry out credible startup.
Select credible password module TCM as the root of trust of whole platform, for whole platform provides the most basic credible calculation services.TCM can solve well BIOS in transitive trust mechanism as root of trust and can illegally have been distorted, cannot guarantee the believable problem of root of trust.As shown in Figure 3, method is as follows for the credible startup flow process of thin client:
(1) under the mechanism of action of trust chain, after system power-up, first control is passed to TCM, by the integrality of TCM tolerance BIOS, and measured integrity measurement value is stored in the register of TCM.Now, TCM compares the BIOS original measurement value of this measured value and storage, if consistent, TCM passes to BIOS by control; If inconsistent, BIOS recovered and again measure, until measure successfully.
(2) integrality of BIOS tolerance hardware and operating system loading program, stores measured value in the register of TCM.TCM compares the hardware of this measured value and storage and operating system loading program original measurement value, if consistent, TCM passes to operating system loading program by control; If inconsistent, halt system starts.
(3) integrality of operating system loading program metric operations system, stores metric in the register of TCM.TCM compares the operating system original measurement value of this measured value and storage, if consistent, TCM passes to operating system by control; If inconsistent, operating system recovered and again measured, until measure successfully.
(4) operating system is measured the integrality of crucial application software, metric is stored in the register of TCM.TCM compares the crucial application software original measurement value of this measured value and storage, if consistent, TCM passes to crucial application software by control; If inconsistent, crucial application software recovered and again measured, until measure successfully.
In virtual environment, the transmission of trust chain has new characteristic, more complicated.On the basis of the credible startup of above-mentioned thin client, increase the trusted mechanism of virtual Domain, introduced virtual TCM module (vTCM).As shown in Figure 4, method is as follows for the credible startup flow process of server:
(1) after server powers up, first TCM chip starts as root of trust, and credible BIOS is carried out to integrity measurement, the cryptographic Hash result of tolerance is stored on the register of TCM chip, and compares with the original cryptographic Hash of BIOS of depositing in TCM chip secure storage section.If coupling, TCM passes to credible BIOS by control, and system loads BIOS starts; If do not mated, credible BIOS recovered and re-start tolerance, until measure successfully.
(2) after credible BIOS obtains control, the key hardware information of platform and operating system loading program are carried out to integrity measurement, the cryptographic Hash result of tolerance is stored on the register of TCM chip, and with deposit in key hardware in TCM chip secure storage section and the original cryptographic Hash of operating system loading program and compare.If coupling, thinks that key hardware information and operating system loading program are credible, control is handed to operating system loading program; If do not mated, halt system starts.
(3) after operating system loading program obtains control, the image file of virtual machine monitor and critical data are carried out to integrity measurement, the cryptographic Hash result of tolerance is stored on the register of TCM chip, and with deposit in virtual machine monitor image file in TCM chip secure storage section and the cryptographic Hash of critical data and compare.If coupling, thinks that virtual machine monitor image file and critical data are credible, by control, give virtual machine monitor, virtual machine monitor starts; If do not mated, virtual machine monitor and critical data are recovered also to tolerance again, until measure successfully.
(4) virtual machine monitor obtains after control, first call authentication module active user is carried out to authentication based on USBKey, identification user right, then call control of authority module and carry out control of authority, communication control module communicates control according to authority, and the image file of managing virtual machines and critical data are carried out to integrity measurement, the cryptographic Hash result of tolerance is stored on the register of TCM chip, and compares with the cryptographic Hash of depositing in the managing virtual machines image file in TCM chip secure storage section.If coupling, thinks that managing virtual machines image file is credible, by control, give managing virtual machines, managing virtual machines starts; If do not mated, managing virtual machines recovered and again measure, until measure successfully.
(5) before managing virtual machines is controlled guest virtual machine startup, managing virtual machines carries out integrity measurement to guest virtual machine, the cryptographic Hash result of tolerance is stored on the register of vTCM, and with the original cryptographic Hash comparison of guest virtual machine of depositing in vTCM secure storage section.If coupling, thinks that guest virtual machine is credible, by control, give guest virtual machine, guest virtual machine starts; If do not mated, guest virtual machine recovered and again measure, know and measure successfully.
(6) after guest virtual machine starts, when virtual Domain operation application software, guest virtual machine operating system is measured the integrality of application software, metric is stored on the register of vTCM, and with the original cryptographic Hash comparison of application software of depositing in vTCM secure storage section.If coupling, thinks that application software is credible, by control, give application software process; If do not mated, application software recovered and again measured, know and measure successfully.
So far, through above (1)~(6) process, on TCM chip and the interactive basis of platform, complete foundation step by step and the transmission of credible and secure virtual machine platform trusting relationship, when low-level parts authenticate to higher leveled parts when credible, low level parts just can be delivered to trust state on higher leveled parts, and the credible and secure virtual machine just mechanism based on this transitive trust has expanded to the credibility of root of trust the virtual computation environmental of platform.
Step 2: thin client and server carry out credible access and remote platform proves.
Credible Access Control Technique mainly solves the credible access problem of terminal equipment in network environment, before terminal equipment access network, must check whether it meets the access strategy of this network, as whether user identity legal, whether safety, completeness of platform possess etc. platform status, suspicious or problematic terminal equipment will be isolated or limiting network access scope, until it is through revising or taked corresponding safety measure.As shown in Figure 5, method is as follows for access process:
(1) carry out platform identity authentication.
User terminal sends network insertion request message, and request management virtual machine is opened authentication;
Managing virtual machines receives after authentication request, to user terminal, sends response message, notifies the beginning of shaking hands;
User terminal starts session process, to managing virtual machines transmission client sessions ID, secure transfer protocol version number, compression algorithm, encryption suite and initial random number;
Managing virtual machines is received after conversation message, to user terminal requests authentication, sends the information such as managing virtual machines certificate and certificate request;
User terminal carries out platform identity authentication to managing virtual machines, if authentication success, client sends acknowledgement frame and confirms replying managing virtual machines, if verification process occurs abnormal, lead to the failure, user terminal sends warning message to managing virtual machines, and the reason of authentification failure is described;
Managing virtual machines receives that above-mentioned replying authenticates afterwards to user terminal platform identity.If authentification failure, managing virtual machines sends warning message to user terminal, the type of error while comprising authentification failure in this warning message; Authentication success sends the message of having shaken hands to user terminal, opens authenticating user identification.
(2) carry out Platform integrity authentication.
On the basis of platform identity authentication success, user terminal is again set up to shake hands with managing virtual machines and is connected, as Platform integrity authentication interface channel;
Managing virtual machines sends the bulleted list that will carry out integrity measurement to user terminal;
User terminal is made and being replied, and to managing virtual machines, sends and comprises integrity measurement information and the signing messages requiring in integrity measurement list;
Managing virtual machines is verified the integrity information of user terminal after receiving response packet, is verified the transmission of rear line terminal and is proved to be successful message;
User terminal is received after success message, sends the bulleted list that will carry out integrity measurement to managing virtual machines;
Managing virtual machines is made and being replied, and to user terminal, sends and comprises integrity measurement information and the signing messages requiring in integrity measurement list;
User terminal is verified the integrity information of managing virtual machines after receiving response packet, after being verified, to managing virtual machines, sends and is proved to be successful message.
(3) carry out virtual machine integrated authentication.
After Platform integrity authentication success, user terminal sends Remote desk process request to guest virtual machine, and both sides set up the connection of shaking hands;
User terminal is initiated integrality verification request to guest virtual machine, sends the bulleted list that will carry out integrity measurement via managing virtual machines guest virtual machine;
Managing virtual machines carries out integrity verification to guest virtual machine, and successful rear line terminal sends and comprises integrity measurement information and the signing messages requiring in integrity measurement list;
User terminal confirms after receiving, and sets up secure communication between guest virtual machine, carries out Remote desk process operation.
Step 3: connect credible enter authentication success after, user terminal starts Remote desk process software, with USBKey and username-password, obtain the authentication of guest virtual machine to user, after authentication success, user logins guest virtual machine, complete thin client to the long-range access of virtual data center, start thus routine office work operation and related service access.
Claims (4)
1. the credible and secure Enhancement Method under desktop virtual environment, is characterized in that comprising the following steps:
Step 1: start thin client and server, both carry out credible tolerance and the transitive trust to upper application software by bottom hardware automatically;
The credible starting method of thin client is as follows:
(1) under the mechanism of action of trust chain, after system power-up, first control is passed to TCM, by the integrality of TCM tolerance BIOS, and measured integrity measurement value is stored in the register of TCM; TCM compares the BIOS original measurement value of this measured value and storage, if consistent, TCM passes to BIOS by control; If inconsistent, BIOS recovered and again measure, until measure successfully;
(2) integrality of BIOS tolerance hardware and operating system loading program, stores measured value in the register of TCM; TCM compares the hardware of this measured value and storage and operating system loading program original measurement value, if consistent, TCM passes to operating system loading program by control; If inconsistent, halt system starts;
(3) integrality of operating system loading program metric operations system, stores metric in the register of TCM; TCM compares the operating system original measurement value of this measured value and storage, if consistent, TCM passes to operating system by control; If inconsistent, operating system recovered and again measured, until measure successfully;
(4) operating system is measured the integrality of crucial application software, metric is stored in the register of TCM; TCM compares the crucial application software original measurement value of this measured value and storage, if consistent, TCM passes to crucial application software by control; If inconsistent, crucial application software recovered and again measured, until measure successfully;
The credible starting method of server is as follows:
(1) after server powers up, first TCM chip starts as root of trust, and credible BIOS is carried out to integrity measurement, the cryptographic Hash result of tolerance is stored on the register of TCM chip, and compares with the original cryptographic Hash of BIOS of depositing in TCM chip secure storage section; If coupling, TCM passes to credible BIOS by control, and system loads BIOS starts; If do not mated, credible BIOS recovered and re-start tolerance, until measure successfully;
(2) after credible BIOS obtains control, the key hardware information of platform and operating system loading program are carried out to integrity measurement, the cryptographic Hash result of tolerance is stored on the register of TCM chip, and with deposit in key hardware in TCM chip secure storage section and the original cryptographic Hash of operating system loading program and compare; If coupling, thinks that key hardware information and operating system loading program are credible, control is handed to operating system loading program; If do not mated, halt system starts;
(3) after operating system loading program obtains control, the image file of virtual machine monitor and critical data are carried out to integrity measurement, the cryptographic Hash result of tolerance is stored on the register of TCM chip, and with deposit in virtual machine monitor image file in TCM chip secure storage section and the cryptographic Hash of critical data and compare; If coupling, thinks that virtual machine monitor image file and critical data are credible, by control, give virtual machine monitor, virtual machine monitor starts; If do not mated, virtual machine monitor and critical data are recovered also to tolerance again, until measure successfully;
(4) virtual machine monitor obtains after control, first call authentication module active user is carried out to authentication based on USBKey, identification user right, then call control of authority module and carry out control of authority, communication control module communicates control according to authority, and the image file of managing virtual machines and critical data are carried out to integrity measurement, the cryptographic Hash result of tolerance is stored on the register of TCM chip, and compares with the cryptographic Hash of depositing in the managing virtual machines image file in TCM chip secure storage section; If coupling, thinks that managing virtual machines image file is credible, by control, give managing virtual machines, managing virtual machines starts; If do not mated, managing virtual machines recovered and again measure, until measure successfully;
(5) before managing virtual machines is controlled guest virtual machine startup, managing virtual machines carries out integrity measurement to guest virtual machine, the cryptographic Hash result of tolerance is stored on the register of vTCM, and with the original cryptographic Hash comparison of guest virtual machine of depositing in vTCM secure storage section; If coupling, thinks that guest virtual machine is credible, by control, give guest virtual machine, guest virtual machine starts; If do not mated, guest virtual machine recovered and again measure, know and measure successfully;
(6) after guest virtual machine starts, when virtual Domain operation application software, guest virtual machine operating system is measured the integrality of application software, metric is stored on the register of vTCM, and with the original cryptographic Hash comparison of application software of depositing in vTCM secure storage section; If coupling, thinks that application software is credible, by control, give application software process; If do not mated, application software recovered and again measured, know and measure successfully;
Step 2: access that thin client is credible and platform bidirectional remote prove, method is as follows:
(1) carry out platform identity authentication;
(2) carry out Platform integrity authentication;
(3) carry out virtual machine integrated authentication;
Step 3: after access authentication success, start Remote desk process software, thin client obtains the desktop of server virtual machine and conducts interviews and operate.
2. the credible and secure Enhancement Method under a kind of desktop virtual environment according to claim 1, is characterized in that, the method that described step 2 is carried out platform identity authentication is as follows:
User terminal sends network insertion request message, and request management virtual machine is opened authentication;
Managing virtual machines receives after authentication request, to user terminal, sends response message, notifies the beginning of shaking hands;
User terminal starts session process, to managing virtual machines transmission client sessions ID, secure transfer protocol version number, compression algorithm, encryption suite and initial random number;
Managing virtual machines is received after conversation message, to user terminal requests authentication, sends the information such as managing virtual machines certificate and certificate request;
User terminal carries out platform identity authentication to managing virtual machines, if authentication success, client sends acknowledgement frame and confirms replying managing virtual machines, if verification process occurs abnormal, lead to the failure, user terminal sends warning message to managing virtual machines, and the reason of authentification failure is described;
Managing virtual machines receives that above-mentioned replying authenticates afterwards to user terminal platform identity; If authentification failure, managing virtual machines sends warning message to user terminal, the type of error while comprising authentification failure in this warning message; Authentication success sends the message of having shaken hands to user terminal, opens authenticating user identification.
3. the credible and secure Enhancement Method under a kind of desktop virtual environment according to claim 1, is characterized in that, the method that described step 2 is carried out Platform integrity authentication is as follows:
On the basis of platform identity authentication success, user terminal is again set up to shake hands with managing virtual machines and is connected, as Platform integrity authentication interface channel;
Managing virtual machines sends the bulleted list that will carry out integrity measurement to user terminal;
User terminal is made and being replied, and to managing virtual machines, sends and comprises integrity measurement information and the signing messages requiring in integrity measurement list;
Managing virtual machines is verified the integrity information of user terminal after receiving response packet, is verified the transmission of rear line terminal and is proved to be successful message;
User terminal is received after success message, sends the bulleted list that will carry out integrity measurement to managing virtual machines;
Managing virtual machines is made and being replied, and to user terminal, sends and comprises integrity measurement information and the signing messages requiring in integrity measurement list;
User terminal is verified the integrity information of managing virtual machines after receiving response packet, after being verified, to managing virtual machines, sends and is proved to be successful message.
4. the credible and secure Enhancement Method under a kind of desktop virtual environment according to claim 1, is characterized in that, the method that described step 2 is carried out virtual machine integrated authentication is as follows:
After Platform integrity authentication success, user terminal sends Remote desk process request to guest virtual machine, and both sides set up the connection of shaking hands;
User terminal is initiated integrality verification request to guest virtual machine, sends the bulleted list that will carry out integrity measurement via managing virtual machines guest virtual machine;
Managing virtual machines carries out integrity verification to guest virtual machine, and successful rear line terminal sends and comprises integrity measurement information and the signing messages requiring in integrity measurement list;
User terminal confirms after receiving, and sets up secure communication between guest virtual machine, carries out Remote desk process operation.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310716776.9A CN103747036B (en) | 2013-12-23 | 2013-12-23 | Trusted security enhancement method in desktop virtualization environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310716776.9A CN103747036B (en) | 2013-12-23 | 2013-12-23 | Trusted security enhancement method in desktop virtualization environment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103747036A true CN103747036A (en) | 2014-04-23 |
| CN103747036B CN103747036B (en) | 2017-05-24 |
Family
ID=50504023
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310716776.9A Active CN103747036B (en) | 2013-12-23 | 2013-12-23 | Trusted security enhancement method in desktop virtualization environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103747036B (en) |
Cited By (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104200156A (en) * | 2014-08-27 | 2014-12-10 | 山东超越数控电子有限公司 | Trusted cryptosystem based on Loongson processor |
| CN104468573A (en) * | 2014-12-09 | 2015-03-25 | 国家电网公司 | Credible cloud terminal device |
| CN104601555A (en) * | 2014-12-30 | 2015-05-06 | 中国航天科工集团第二研究院七〇六所 | Trusted security control method of virtual cloud terminal |
| CN105656842A (en) * | 2014-11-12 | 2016-06-08 | 江苏威盾网络科技有限公司 | Method for ensuring secure intranet environment |
| CN105956465A (en) * | 2016-05-04 | 2016-09-21 | 浪潮电子信息产业股份有限公司 | Method for constructing virtual trusted platform based on VTPM |
| CN106341416A (en) * | 2016-09-29 | 2017-01-18 | 中国联合网络通信集团有限公司 | Access method of multi-level data center and multi-level data center |
| CN106570402A (en) * | 2015-10-13 | 2017-04-19 | 深圳市中电智慧信息安全技术有限公司 | Encryption module and process trusted measurement method |
| CN107196755A (en) * | 2017-03-28 | 2017-09-22 | 山东超越数控电子有限公司 | A kind of VPN device safe starting method and system |
| CN107657170A (en) * | 2016-07-25 | 2018-02-02 | 北京计算机技术及应用研究所 | The Trusted Loading for supporting intelligently to repair starts control system and method |
| CN108632214A (en) * | 2017-03-20 | 2018-10-09 | 中兴通讯股份有限公司 | A kind of method and device for realizing mobile target defence |
| CN108989651A (en) * | 2018-09-05 | 2018-12-11 | 深圳市中科智库互联网信息安全技术有限公司 | Credible video camera |
| CN109634619A (en) * | 2018-11-23 | 2019-04-16 | 试金石信用服务有限公司 | Credible performing environment implementation method and device, terminal device, readable storage medium storing program for executing |
| CN109766702A (en) * | 2019-01-11 | 2019-05-17 | 北京工业大学 | The credible starting method of inspection of overall process based on virtual machine state data |
| CN109840430A (en) * | 2017-11-28 | 2019-06-04 | 中国科学院沈阳自动化研究所 | The secure processing units and its bus arbitration method of PLC |
| CN110647740A (en) * | 2018-06-27 | 2020-01-03 | 复旦大学 | TPM-based container trusted boot method and device |
| CN110990120A (en) * | 2019-11-28 | 2020-04-10 | 同济大学 | Inter-partition communication method and device for virtual machine monitor, storage medium and terminal |
| CN111125666A (en) * | 2019-12-25 | 2020-05-08 | 四川英得赛克科技有限公司 | Trusted control method and system based on trusted computing system |
| CN111831609A (en) * | 2020-06-18 | 2020-10-27 | 中国科学院数据与通信保护研究教育中心 | Method and system for unified management and distribution of binary file metric values in virtualization environment |
| CN112905300A (en) * | 2021-03-04 | 2021-06-04 | 中国科学院信息工程研究所 | Trusted starting method and system for virtual machine |
| CN113326096A (en) * | 2021-06-03 | 2021-08-31 | 成都市昊峰网络工程有限公司 | Virtual machine safety management system |
| CN113824683A (en) * | 2021-08-13 | 2021-12-21 | 中国光大银行股份有限公司 | Trusted domain establishing method and device and data system |
| CN116340956A (en) * | 2023-05-25 | 2023-06-27 | 国网上海能源互联网研究院有限公司 | Trusted protection optimization method and device for electric embedded terminal equipment |
| CN116956364A (en) * | 2023-09-21 | 2023-10-27 | 中航金网(北京)电子商务有限公司 | Virtualized product integrity verification method, device and system and electronic equipment |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108243006A (en) * | 2017-12-04 | 2018-07-03 | 山东超越数控电子股份有限公司 | A kind of credible redundant code server based on domestic TCM chips |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060020781A1 (en) * | 2004-06-24 | 2006-01-26 | Scarlata Vincent R | Method and apparatus for providing secure virtualization of a trusted platform module |
| CN101599025A (en) * | 2009-07-07 | 2009-12-09 | 武汉大学 | Safety virtualization method of trusted crypto module |
| CN101957900A (en) * | 2010-10-26 | 2011-01-26 | 中国航天科工集团第二研究院七○六所 | Credible virtual machine platform |
| CN102136043A (en) * | 2010-01-22 | 2011-07-27 | 中国长城计算机深圳股份有限公司 | Computer system and measuring method thereof |
| CN103441986A (en) * | 2013-07-29 | 2013-12-11 | 中国航天科工集团第二研究院七〇六所 | Data resource security control method in thin client mode |
-
2013
- 2013-12-23 CN CN201310716776.9A patent/CN103747036B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060020781A1 (en) * | 2004-06-24 | 2006-01-26 | Scarlata Vincent R | Method and apparatus for providing secure virtualization of a trusted platform module |
| CN101599025A (en) * | 2009-07-07 | 2009-12-09 | 武汉大学 | Safety virtualization method of trusted crypto module |
| CN102136043A (en) * | 2010-01-22 | 2011-07-27 | 中国长城计算机深圳股份有限公司 | Computer system and measuring method thereof |
| CN101957900A (en) * | 2010-10-26 | 2011-01-26 | 中国航天科工集团第二研究院七○六所 | Credible virtual machine platform |
| CN103441986A (en) * | 2013-07-29 | 2013-12-11 | 中国航天科工集团第二研究院七〇六所 | Data resource security control method in thin client mode |
Non-Patent Citations (1)
| Title |
|---|
| 陈志浩 等: "一个基于TPM芯片的可信网络接入模型", 《信息网络安全》 * |
Cited By (35)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104200156A (en) * | 2014-08-27 | 2014-12-10 | 山东超越数控电子有限公司 | Trusted cryptosystem based on Loongson processor |
| CN105656842A (en) * | 2014-11-12 | 2016-06-08 | 江苏威盾网络科技有限公司 | Method for ensuring secure intranet environment |
| CN104468573B (en) * | 2014-12-09 | 2019-01-01 | 国家电网公司 | A kind of credible cloud terminal installation |
| CN104468573A (en) * | 2014-12-09 | 2015-03-25 | 国家电网公司 | Credible cloud terminal device |
| CN104601555A (en) * | 2014-12-30 | 2015-05-06 | 中国航天科工集团第二研究院七〇六所 | Trusted security control method of virtual cloud terminal |
| CN106570402A (en) * | 2015-10-13 | 2017-04-19 | 深圳市中电智慧信息安全技术有限公司 | Encryption module and process trusted measurement method |
| CN105956465A (en) * | 2016-05-04 | 2016-09-21 | 浪潮电子信息产业股份有限公司 | Method for constructing virtual trusted platform based on VTPM |
| CN107657170A (en) * | 2016-07-25 | 2018-02-02 | 北京计算机技术及应用研究所 | The Trusted Loading for supporting intelligently to repair starts control system and method |
| CN107657170B (en) * | 2016-07-25 | 2020-12-01 | 北京计算机技术及应用研究所 | Trusted loading starting control system and method supporting intelligent repair |
| CN106341416B (en) * | 2016-09-29 | 2019-07-09 | 中国联合网络通信集团有限公司 | A kind of access method at multi-stage data center and multi-stage data center |
| CN106341416A (en) * | 2016-09-29 | 2017-01-18 | 中国联合网络通信集团有限公司 | Access method of multi-level data center and multi-level data center |
| CN108632214A (en) * | 2017-03-20 | 2018-10-09 | 中兴通讯股份有限公司 | A kind of method and device for realizing mobile target defence |
| CN108632214B (en) * | 2017-03-20 | 2022-02-22 | 中兴通讯股份有限公司 | Method and device for realizing moving target defense |
| CN107196755A (en) * | 2017-03-28 | 2017-09-22 | 山东超越数控电子有限公司 | A kind of VPN device safe starting method and system |
| CN109840430A (en) * | 2017-11-28 | 2019-06-04 | 中国科学院沈阳自动化研究所 | The secure processing units and its bus arbitration method of PLC |
| CN110647740A (en) * | 2018-06-27 | 2020-01-03 | 复旦大学 | TPM-based container trusted boot method and device |
| CN110647740B (en) * | 2018-06-27 | 2023-12-05 | 复旦大学 | Container trusted starting method and device based on TPM |
| CN108989651A (en) * | 2018-09-05 | 2018-12-11 | 深圳市中科智库互联网信息安全技术有限公司 | Credible video camera |
| CN109634619A (en) * | 2018-11-23 | 2019-04-16 | 试金石信用服务有限公司 | Credible performing environment implementation method and device, terminal device, readable storage medium storing program for executing |
| CN109634619B (en) * | 2018-11-23 | 2022-05-10 | 试金石信用服务有限公司 | Trusted execution environment implementation method and device, terminal device and readable storage medium |
| CN109766702B (en) * | 2019-01-11 | 2021-02-05 | 北京工业大学 | Whole-process trusted start inspection method based on virtual machine state data |
| CN109766702A (en) * | 2019-01-11 | 2019-05-17 | 北京工业大学 | The credible starting method of inspection of overall process based on virtual machine state data |
| CN110990120A (en) * | 2019-11-28 | 2020-04-10 | 同济大学 | Inter-partition communication method and device for virtual machine monitor, storage medium and terminal |
| CN110990120B (en) * | 2019-11-28 | 2023-08-29 | 同济大学 | Inter-partition communication method and device for virtual machine monitor, storage medium and terminal |
| CN111125666A (en) * | 2019-12-25 | 2020-05-08 | 四川英得赛克科技有限公司 | Trusted control method and system based on trusted computing system |
| CN111125666B (en) * | 2019-12-25 | 2021-01-12 | 四川英得赛克科技有限公司 | Trusted control method and system based on trusted computing system |
| CN111831609A (en) * | 2020-06-18 | 2020-10-27 | 中国科学院数据与通信保护研究教育中心 | Method and system for unified management and distribution of binary file metric values in virtualization environment |
| CN111831609B (en) * | 2020-06-18 | 2024-01-02 | 中国科学院数据与通信保护研究教育中心 | Method and system for unified management and distribution of binary metric values in virtualized environments |
| CN112905300A (en) * | 2021-03-04 | 2021-06-04 | 中国科学院信息工程研究所 | Trusted starting method and system for virtual machine |
| CN113326096A (en) * | 2021-06-03 | 2021-08-31 | 成都市昊峰网络工程有限公司 | Virtual machine safety management system |
| CN113824683A (en) * | 2021-08-13 | 2021-12-21 | 中国光大银行股份有限公司 | Trusted domain establishing method and device and data system |
| CN116340956B (en) * | 2023-05-25 | 2023-08-08 | 国网上海能源互联网研究院有限公司 | Trusted protection optimization method and device for electric embedded terminal equipment |
| CN116340956A (en) * | 2023-05-25 | 2023-06-27 | 国网上海能源互联网研究院有限公司 | Trusted protection optimization method and device for electric embedded terminal equipment |
| CN116956364A (en) * | 2023-09-21 | 2023-10-27 | 中航金网(北京)电子商务有限公司 | Virtualized product integrity verification method, device and system and electronic equipment |
| CN116956364B (en) * | 2023-09-21 | 2024-02-09 | 中航国际金网(北京)科技有限公司 | Virtualized product integrity verification method, device and system and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103747036B (en) | 2017-05-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103747036A (en) | Trusted security enhancement method in desktop virtualization environment | |
| CN111429254B (en) | Business data processing method and device and readable storage medium | |
| WO2022206349A1 (en) | Information verification method, related apparatus, device, and storage medium | |
| JP6965921B2 (en) | Network function virtualization system and verification method | |
| US7913084B2 (en) | Policy driven, credential delegation for single sign on and secure access to network resources | |
| KR102511030B1 (en) | Verification information update method and device | |
| US8452954B2 (en) | Methods and systems to bind a device to a computer system | |
| US20120324545A1 (en) | Automated security privilege setting for remote system users | |
| US9118665B2 (en) | Authentication system and method | |
| CN112989426B (en) | Authorization authentication method and device, and resource access token acquisition method | |
| US20070101159A1 (en) | Total exchange session security | |
| CN104767731A (en) | Identity authentication protection method of Restful mobile transaction system | |
| CN112765684A (en) | Block chain node terminal management method, device, equipment and storage medium | |
| US20110078784A1 (en) | Vpn system and method of controlling operation of same | |
| CN113595985A (en) | Internet of things security cloud platform implementation method based on state cryptographic algorithm security chip | |
| CN112733129B (en) | Trusted access method for server out-of-band management | |
| CN111935067A (en) | Enterprise user identity authentication system based on cloud computing technology | |
| CN110519222A (en) | Outer net access identity authentication method and system based on disposable asymmetric key pair and key card | |
| CN115065469A (en) | Data interaction method and device for power internet of things and storage medium | |
| Yang et al. | A Hybrid Blockchain-Based Authentication Scheme for Smart Home | |
| CN113869901B (en) | Key generation method, key generation device, computer-readable storage medium and computer equipment | |
| Liu et al. | Risk‐Based Dynamic Identity Authentication Method Based on the UCON Model | |
| CN111651740B (en) | Trusted platform sharing system for distributed intelligent embedded system | |
| CN112035853B (en) | Storage data access control system based on enterprise cloud disk | |
| Guo et al. | Extending registration and authentication processes of FIDO2 external authenticator with qr codes |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |