
Paper Abstract

Research on the Extension of Chinese Commercial Cryptographic Algorithms for Virtual Trusted Platform Module

Authors: CHEN Xingshu (College of Cybersecurity, Sichuan Univ., Chengdu 610065, China; Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China); JIANG Chao (College of Cybersecurity, Sichuan Univ., Chengdu 610065, China; Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China); WANG Wei (Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China; College of Computer Sci., Sichuan Univ., Chengdu 610065, China); JIN Xin (Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China; College of Computer Sci., Sichuan Univ., Chengdu 610065, China); LAN Xiao (College of Cybersecurity, Sichuan Univ., Chengdu 610065, China; Cybersecurity Research Inst., Sichuan Univ., Chengdu 610065, China)

Received: 2019-09-04          Year, Volume(Issue): Pages: 2020, 52(3): 141-149

Journal Name: Advanced Engineering Sciences (工程科学与技术)

Keywords: cloud computing; trusted computing; virtual trusted platform module; virtual machine trust chain (virtual trusted chain)

Funding: National Natural Science Foundation of China (61802270; 61802271); Fundamental Research Funds for the Central Universities (SCU2018D018; SCU2018D022)

Abstract (translated from the Chinese)

To avoid the legal risks of using foreign cryptographic algorithms, meet the compliance requirements of China's Regulations on the Administration of Commercial Cryptography, respond to the demand for autonomous and controllable cyberspace security, and promote the large-scale adoption of virtual trusted computing in domestic cloud computing services, this paper adds support for China's national commercial cryptographic algorithms (the national cryptographic algorithms) to the virtual trusted platform module (vTPM) and to the components of the virtual machine trust chain. First, call interfaces for the hash algorithm SM3 and the symmetric cipher SM4 from the cryptographic toolkit GmSSL (GM/T secure sockets layer) are added to the vTPM, and a call interface for the asymmetric algorithm SM2 is implemented on top of GmSSL's big-number arithmetic module, so that upper-layer applications are provided with trusted computing functions based on the national cryptographic algorithms. Second, an implementation of SM3 is added to the components of the virtual machine trust chain, so that a virtual machine trust chain based on the national cryptographic algorithms can be established. Finally, the correctness of the vTPM call interfaces and the effectiveness of the resulting virtual machine trust chain are verified, and the boot times of virtual machines whose trust chains are based on SM3 and on SHA-1 are compared. The experimental results show that the added call interfaces are correct and effective, and that compared with a virtual machine whose trust chain is based on SHA-1, the boot time of a virtual machine whose trust chain is based on SM3 increases by only 3%, so the performance cost of the security improvement stays within an acceptable range.

English Abstract

In order to avoid the legal risks of using foreign cryptographic algorithms and to address the compliance requirements of China's regulations on commercial cryptographic management, support for the Chinese commercial cryptographic algorithms (national cryptographic algorithms) was added to the virtual trusted platform module (vTPM); at the same time, to respond to the autonomous and controllable requirements of cybersecurity and to promote the large-scale application of virtual trusted computing technology in the domestic cloud computing business, the related components of the virtual trusted chain were modified. Firstly, interfaces to the hash algorithm SM3 and the symmetric cipher SM4 of the cryptographic toolkit GmSSL (GM/T secure socket layer) were added to the vTPM, and the asymmetric algorithm SM2 was implemented with the big-number arithmetic module of GmSSL, which provides trusted computing functions based on the national cryptographic algorithms to upper-layer applications. Secondly, an implementation of the SM3 algorithm was added to the related components so that a virtual trusted chain based on the national cryptographic algorithms can be established. Finally, the correctness of the interfaces and the effectiveness of the virtual trusted chain were verified, and the boot times of virtual machines based on the SM3-algorithm and SHA-1-algorithm virtual trusted chains were compared. The experiments show that the added interfaces are correct and effective, and that compared with the virtual machine based on the SHA-1-algorithm virtual trusted chain, the boot time of the one based on the SM3-algorithm virtual trusted chain increases by only 3%, so that security is improved while the performance cost remains acceptable.


Copyright © 2020 Sichuan University Journal Press. All rights reserved.
