面向多租户的可信容器分层密钥管理方法

doi:10.3778/j.issn.1002-8331.2302-0143

摘要/Abstract

摘要： 针对现有可信容器框架在多租户场景下缺乏密钥保护的问题，提出一种基于可信平台模块TPM的可信容器分层密钥管理方法TCKM。利用分层密钥管理机制，绑定TPM与容器密钥块，保护容器密钥块生成与存储的安全。通过基于容器属性的密钥授权值在密钥使用时验证容器属性，使得只有满足一定属性的指定容器能够获取并使用密钥，防止容器密钥块的盗用，实现密钥的安全使用。采用内核与硬件TPM相结合的加密方式提高基于TCKM密钥管理方法的数据保护效率。实现了TCKM密钥管理方法并基于Docker18.09进行测试与评估，测试结果表明，方案以较小的性能开销保护可信容器内密钥的安全及文件数据的机密性，具有很好安全性和数据保护效率。

关键词: 容器, 多租户, 可信计算, 密钥管理

Abstract: Aiming at the problem that the existing trusted container framework lacks key protection, a trusted container hierarchical key management (TCKM) method based on the trusted platform module is proposed. The hardware TPM and the container key block are bound by the hierarchical key management mechanism to protect the security of the generation and storage stage of the container key block. When the key is used, the container attribute is verified through the key authorization value, so that only the specified container that meets certain attributes can obtain and use the key, preventing the theft of the container key block, and realizing the secure use of the key. Finally, the encryption method combining kernel and hardware TPM is adopted to improve the efficiency of data protection based on TCKM key management method. The TCKM key management method is implemented and evaluated based on Docker18.09. The results show that the mechanism can effectively protect the security of the key and the confidentiality of the file data in the container.

Key words: container, multi-tenancy, trusted computing, key management

钟倩, 赵波, 安杨, 李蔚栋, 陈喜丰, 上官晨晗. 面向多租户的可信容器分层密钥管理方法[J]. 计算机工程与应用, 2024, 60(12): 283-293.

ZHONG Qian, ZHAO Bo, AN Yang, LI Weidong, CHEN Xifeng, SHANGGUAN Chenhan. Multi-Tenant-Oriented Trusted Container Hierarchical Key Management Method#br#[J]. Computer Engineering and Applications, 2024, 60(12): 283-293.

参考文献

[1] ARUN C, WATARU K. The innovation leader’s guide to navigating the cloud-native container ecosystem[EB/OL]. (2021-08-18) [2023-04-01]. https://www.gartn-er.com/en/documents/4004870.
[2] SULTAN S, AHMAD I, DIMITRIOU T. Container security: issues, challenges, and the road ahead[J]. IEEE Access, 2019, 7(1): 52976-52996.
[3] SOUPPAYA M, MORELLO J, SCARFONE K. Application container security guide[R]. National Institute of Standards and Technology, 2017.
[4] MANU A R, PATEL J K, AKHTAR S, et al. A study, analysis and deep dive on cloud PAAS security in terms of docker container security[C]//Proceedings of the 2016 International Conference on Circuit, Power and Computing Technologies (ICCPCT), Nagercoil, India, 2016: 1-13.
[5] 沈昌祥, 张焕国, 王怀民, 等. 可信计算的研究与发展[J]. 中国科学: 信息科学, 2010, 40(2): 139-166.
SHEN C X, ZHANG H G, WANG H M, et al. Review on research and development of trusted computing[J]. Scientia Sinica (Informationis), 2010, 40(2): 139-166.
[6] 张焕国, 罗捷, 金刚, 等. 可信计算研究进展[J]. 武汉大学学报 (理学版), 2006, 52(5): 513-518.
ZHANG H G, LUO J, JIN G. Development of trusted computing research[J]. Journal of Wuhan University (Natural Science Edition), 2006, 52(5): 513-518.
[7] HOSSEINZADEH S, LAURéN S, LEPP?NEN V. Security in container-based virtualization through vTPM[C]//Proceedings of the 9th International Conference on Utility and Cloud Computing, Shanghai, China, 2016: 214-219.
[8] PEREZ R, SAILER R, VAN DOORN L. vTPM: virtualizing the trusted platform module[C]//Proceedings of the 15th Conference on USENIX Security Symposium, 2006: 305-320.
[9] 王鹃, 胡威, 张雨菡, 等. 基于Docker的可信容器[J]. 武汉大学学报 (理学版), 2017, 63(2): 102-108.
WANG J, HU W, ZHANG Y H, et al. Trusted container based on docker[J]. Journal of Wuhan University (Natural Science Edition), 2017, 63(2): 102-108.
[10] GUO Y, YU A, GONG X, et al. Building trust in container environment[C]//Proceedings of the 2019 IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering, Rotorua, New Zealand, 2019: 1-9.
[11] LUO W, SHEN Q, XIA Y, et al. Container-IMA: a privacy-preserving integrity measurement architecture for containers[C]//Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses, Beijing, China, 2019: 487-500.
[12] TRUYEN E, VAN L D, RENIERS V, et al. Towards a container-based architecture for multi-tenant SaaS applications[C]//Proceedings of the 15th International Workshop on Adaptive and Reflective Middleware, Trento, Italy, 2016: 1-6.
[13] KIM M, MOHINDRA A, MUTHUSAMY V, et al. Building scalable, secure, multi-tenant cloud services on IBM bluemix[J]. IBM Journal of Research and Development, 2016, 60(2/3): 1-12.
[14] JOY A M. Performance comparison between Linux containers and virtual machines[C]//Proceedings of the 2015 International Conference on Advances in Computer Engineering and Applications, Ghaziabad, India, 2015: 342-346.
[15] 涂碧波, 程杰, 夏豪骏, 等. 云虚拟化平台可信证明技术研究综述[J]. 通信学报, 2021, 42(12): 212-225.
TU B B, CHENG J, XIA H J, et al. Overview of research on trusted attestation technology of cloud virtualization platform[J]. Journal on Communications, 2021, 42(12): 212-225.
[16] SHUKUR H, ZEEBAREE S, ZEBARI R, et al. Cloud computing virtualization of resources allocation for distributed systems[J]. Journal of Applied Science and Technology Trends, 2020, 1(3): 98-105.
[17] 陈轶阳, 王小宁, 卢莎莎, 等. 面向高性能计算系统的容器技术综述[J]. 计算机科学, 2023, 50(2): 353-363.
CHEN Y Y, WANG X N, LU S S, et al. Survey of container technology for high-performance computing system[J]. Computer Science, 2023, 50(2): 353-363.
[18] 魏小锋, 郭玉东, 林键. 基于MNT随机化容器文件系统安全性加强技术[J]. 计算机工程与应用, 2018, 54(6): 81-85.
WEI X F, GUO Y D, LIN J. Hardening technology for container file system based on MNT namespace randomization[J]. Computer Engineering and Applications, 2018, 54(6): 81-85.
[19] 章勤, 刘树明. 基于可信计算平台的加密文件系统[J]. 微处理机, 2008(1): 39-42.
ZHANG Q, LIU S M. An encrypted file system based on trusted computing platform[J]. Microprocessors, 2008(1): 39-42.
[20] 胡如会, 张起荣. 基于身份的TPM密钥存储管理的研究[J]. 计算机工程与应用, 2017, 53(13): 125-128.
HU R H, ZHANG Q R. Research of TPM key store management based on identity[J]. Computer Engineering and Applications, 2017, 53(13): 125-128.
[21] YANG X, SHEN Q, YANG Y, et al. A way of key management in cloud storage based on trusted computing[C]//8th IFIP International Conference on Network and Parallel Computing (NPC 2011), Changsha, China, 2011: 135-145.
[22] HOSSEINZADEH S, SEQUEIROS B, INáCIO P R M, et al. Recent trends in applying TPM to cloud computing[J]. Security and Privacy, 2020, 3(1): e93.
[23] 赵波, 李逸帆, 米兰·黑娜亚提, 等. 基于可信模块的云存储用户密钥管理机制研究[J]. 工程科学与技术, 2014, 46(6): 25-31.
ZHAO B, LI Y F, MILAN H, et al. Research of key management based on trusted module for cloud storage user.[J]. Advanced Engineering Sciences, 2014, 46(6): 25-31.
[24] VMWARE INC. vSphere 安全性[EB/OL]. (2022-11-23) [2023-04-01]. https://docs.vmware.com/cn/VMware-vSphere/7.0/vsphere-esxi-vcenter-server-703-security-guide.pdf.
[25] AWS CLOUDHSM. Managed hardware security module (HSM) on the AWSCloud[EB/OL]. [2022-12-13]. https://aws. amazon.com/cloudhsm.
[26] 王智慧, 周忠君. 容器热迁移优化技术研究[J]. 计算机系统应用, 2023, 32(4): 86-93.
WANG Z H, ZHOU Z J. Research on optimization technology for container live migration[J]. Computer Systems & Applications, 2023, 32(4): 86-93.
[27] 黄宇晴, 赵波, 肖钰, 等. 一种基于KVM的vTPM虚拟机动态迁移方案[J]. 山东大学学报 (理学版), 2017, 52(6): 69-75.
HUANG Y Q, ZHAO B, XIAO Y, et al. A vTPM-VM live migration scheme based on KVM[J]. Journal of Shandong University (Natural Science), 2017, 52(6): 69-75.