Research on Security Mechanisms of Trusted Virtualization Platforms (可信虚拟平台安全机制研究)
Document type: Degree thesis
Author | Qin Yu (秦宇) |
Degree | Doctorate |
Defense date | 2009-01-14 |
Awarding institution | Institute of Software, Chinese Academy of Sciences |
Place awarded | Institute of Software |
Keywords | trusted computing; Trusted Platform Module; trusted virtualization; trusted virtualization platform; remote attestation; update attestation; concurrent attestation |
Other title | Research on security mechanisms of trust virtualization platform |
Chinese abstract (translated) | This thesis mainly studies the model and the special problems of the remote attestation security mechanism on trusted virtualization platforms. To this end, we first start from remote attestation on ordinary trusted computing platforms, extend and improve the property-based remote attestation method with respect to attestation granularity, and establish the basic security requirements for the design and implementation of remote attestation. Then, based on the TPM application architecture of the trusted virtualization platform, we propose a practical TPM model that accommodates both the dynamic root of trust for measurement (DRTM) and concurrent use by virtual machines, laying the foundation for remote attestation on the trusted virtualization platform. Next, we discuss the problem that a change to a virtual machine's configuration invalidates an existing remote attestation, and give an update attestation method for trusted virtualization platforms. Finally, starting from the practical application requirements of remote attestation and taking into account the complex dynamism and concurrency of trusted virtualization platforms, we give a complete concurrent remote attestation model and design principles for trusted virtualization platforms, and propose a method for concurrent remote attestation of multiple virtual machines and multiple applications. This thesis enriches research on the remote attestation security mechanism, a characteristic function of trusted computing: on the one hand it refines the property-based remote attestation method, and on the other it broadens the platform types covered by remote attestation and expands the scope of remote attestation research. It analyzes existing remote attestation problems and, combining the particular features of trusted virtualization platforms, solves the special problems of dynamism and concurrency of remote attestation on such platforms. For dynamism, a configuration hash tree is used to represent the increment of a configuration update, improving the efficiency of update attestation; for concurrency, attestation credential chains are used to implement concurrent attestation of multiple instances. To our knowledge, this is the first discussion and study of the concurrency of remote attestation. The thesis proposes a security model for dynamic concurrent remote attestation on trusted virtualization platforms and summarizes eight design principles for remote attestation: authenticity, dynamism, consistency, concurrency, privacy, property revocability, and resistance to impersonation and replay attacks, which offer guidance for designing practical remote attestation applications. The thesis emphasizes the practicality of remote attestation on trusted virtualization platforms rather than specific attestation types and protocols, studies the dynamism and concurrency of remote attestation from a new angle, widens the scope of remote attestation research, and is of some inspirational value for subsequent related research. |
English abstract | This thesis focuses on studying the models and special problems of the remote attestation security mechanism for trust virtualization platforms. For this we first expand and improve the property-based attestation method on attestation granularity, starting from common remote attestation for trusted computing platforms, and establish the basic security requirements for remote attestation design and application. Then a practical TPM model covering the dynamic root of trust (DRTM) and concurrent virtual machine usage is proposed according to the TPM application architecture on the trust virtualization platform. Next the problem of remote attestation invalidation caused by virtual machine configuration change is discussed, and an update attestation method for the trust virtualization platform is given. Finally, from the practical application demands of remote attestation, and in view of the complicated dynamic characteristics and concurrency of the trust virtualization platform, a complete remote attestation model and design principles are given, and an attestation method for multiple virtual machines and multiple applications is presented. This thesis enriches the research content on the remote attestation security mechanism, a characteristic function of trusted computing. It perfects the property-based attestation method on one hand, and on the other enlarges the platform types and expands the content of remote attestation. The special problems of dynamic characteristics, concurrency and so on of remote attestation for trust virtualization platforms are attempted to be solved by analyzing current attestation problems and combining the features of trust virtualization. In the aspect of dynamic characteristics, a Merkle hash tree is used to represent the increment of a configuration update, improving update attestation efficiency. In the aspect of concurrency, attestation credential chains are used to implement multiple-instance attestation. As far as I know, this study of remote attestation concurrency is the first tentative research. A security model of dynamic concurrent remote attestation is proposed, and eight design principles of remote attestation are summarized: authenticity, dynamic characteristic, consistency, concurrency, privacy, property revocability, and resistance to impersonation and replay attacks. These works have certain guidance value for remote attestation design. This thesis concerns the practicability of remote attestation on trust virtualization platforms, and does not focus on concrete attestation types and protocols. The dynamic characteristic and concurrency problems are studied from a new perspective, enlarging the research extension of remote attestation, so that it has certain inspirational value for related subsequent research. |
Language | Chinese |
Public release date | 2011-03-17 |
Pages | 139 |
Source URL | [http://124.16.136.157/handle/311060/7476] |
Collection | Institute of Software / State Key Laboratory of Information Security / Degree theses |
Recommended citation (GB/T 7714) | Qin Yu (秦宇). Research on security mechanisms of trust virtualization platform (可信虚拟平台安全机制研究) [D]. Institute of Software, Chinese Academy of Sciences, 2009. |
Ingest method: OAI harvesting
Source: Institute of Software