Computer Engineering and Applications (计算机工程与应用) ›› 2024, Vol. 60 ›› Issue (12): 283-293. DOI: 10.3778/j.issn.1002-8331.2302-0143

• Network, Communication and Security •

Multi-Tenant-Oriented Trusted Container Hierarchical Key Management Method

钟倩,赵波,安杨,李蔚栋,陈喜丰,上官晨晗   

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  2. School of Computer Science, Wuhan University, Wuhan 430072, China
  • Online: 2024-06-15 Published: 2024-06-14

Multi-Tenant-Oriented Trusted Container Hierarchical Key Management Method

ZHONG Qian, ZHAO Bo, AN Yang, LI Weidong, CHEN Xifeng, SHANGGUAN Chenhan   

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  2. School of Computer Science, Wuhan University, Wuhan 430072, China
  • Online: 2024-06-15 Published: 2024-06-14

Abstract (translated from Chinese): To address the lack of key protection in existing trusted container frameworks under multi-tenant scenarios, a trusted container hierarchical key management method, TCKM, based on the trusted platform module (TPM) is proposed. A hierarchical key management mechanism binds the TPM to the container key block, protecting the generation and storage of the container key block. A key authorization value derived from container attributes is checked when the key is used, so that only designated containers satisfying the required attributes can obtain and use the key; this prevents theft of the container key block and secures key use. An encryption scheme that combines the kernel with the hardware TPM improves the data protection efficiency of TCKM. TCKM was implemented and tested and evaluated on Docker 18.09; the results show that the scheme protects the keys inside trusted containers and the confidentiality of file data with a small performance overhead, offering good security and data protection efficiency.

Key words (translated from Chinese): container, multi-tenancy, trusted computing, key management

Abstract: To address the lack of key protection in existing trusted container frameworks under multi-tenant scenarios, a trusted container hierarchical key management (TCKM) method based on the trusted platform module (TPM) is proposed. The hardware TPM and the container key block are bound by a hierarchical key management mechanism, protecting the generation and storage stages of the container key block. When the key is used, the container's attributes are verified through a key authorization value, so that only a designated container meeting the required attributes can obtain and use the key; this prevents theft of the container key block and secures key use. Finally, an encryption method combining the kernel and the hardware TPM is adopted to improve the efficiency of data protection under TCKM. The TCKM method was implemented and evaluated on Docker 18.09. The results show that the mechanism effectively protects the security of the key and the confidentiality of file data in the container.

Key words: container, multi-tenancy, trusted computing, key management
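The hierarchy and attribute-bound authorization described in the abstract, as an added illustration that is not the paper's code: a software stand-in for the TPM storage root key (a constructed random value, since a real TPM never exports it) sits at the top, a per-tenant wrapping key is derived from it, and a container key block is wrapped under an authorization value computed from the container's attributes, so a container presenting different attributes, or a different tenant, cannot open the block. The primitives (HKDF and HMAC on SHA-256, encrypt-then-MAC wrapping), the attribute names and the block format are assumptions; the paper's actual TPM commands and key block layout are not on this page.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the TPM's non-exportable storage root key.
# In a real deployment this value never leaves the TPM; here it is random bytes.
SIMULATED_TPM_ROOT_KEY = secrets.token_bytes(32)

# Constructed sample container attributes (the attribute set is an assumption).
SAMPLE_ATTRS = {"tenant": "acme", "image_digest": "sha256:" + "ab" * 32, "name": "web"}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) on SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def canonical_attributes(attrs: dict) -> bytes:
    """Serialize attributes deterministically so an identical attribute set
    always yields the same authorization value."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def tenant_wrapping_key(tenant_id: str) -> bytes:
    """Second tier of the hierarchy: a per-tenant key derived from the root,
    so tenants never share wrapping material."""
    return hkdf_sha256(SIMULATED_TPM_ROOT_KEY, b"tckm-tenant", tenant_id.encode())


def authorization_value(tenant_id: str, attrs: dict) -> bytes:
    """Authorization value bound to the container's attributes; only a container
    presenting identical attributes under the same tenant can recompute it."""
    return hmac.new(tenant_wrapping_key(tenant_id), canonical_attributes(attrs),
                    hashlib.sha256).digest()


def create_key_block(tenant_id: str, attrs: dict, container_key: bytes) -> dict:
    """Wrap a container data key into a key block (encrypt-then-MAC). The
    authorization value feeds both the keystream and the tag."""
    wk = tenant_wrapping_key(tenant_id)
    auth = authorization_value(tenant_id, attrs)
    nonce = secrets.token_bytes(16)
    keystream = hkdf_sha256(wk, auth, b"wrap" + nonce, len(container_key))
    ciphertext = bytes(a ^ b for a, b in zip(container_key, keystream))
    tag = hmac.new(wk, b"tag" + nonce + auth + ciphertext, hashlib.sha256).digest()
    return {"tenant": tenant_id, "nonce": nonce.hex(),
            "ct": ciphertext.hex(), "tag": tag.hex()}


def open_key_block(tenant_id: str, attrs: dict, block: dict) -> bytes:
    """Release the container key only if the presented attributes reproduce
    the authorization value the block was created under."""
    wk = tenant_wrapping_key(tenant_id)
    auth = authorization_value(tenant_id, attrs)
    nonce, ciphertext = bytes.fromhex(block["nonce"]), bytes.fromhex(block["ct"])
    expected = hmac.new(wk, b"tag" + nonce + auth + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(block["tag"])):
        raise PermissionError("container attributes or tenant do not match key block")
    keystream = hkdf_sha256(wk, auth, b"wrap" + nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


if __name__ == "__main__":
    data_key = secrets.token_bytes(32)
    blk = create_key_block("acme", SAMPLE_ATTRS, data_key)
    print("same container opens block:", open_key_block("acme", SAMPLE_ATTRS, blk) == data_key)
    try:
        open_key_block("acme", dict(SAMPLE_ATTRS, image_digest="sha256:" + "cd" * 32), blk)
    except PermissionError as e:
        print("different image refused:", e)
```

The check on the tag happens before any key material is derived, which is the property the abstract attributes to TCKM: a stolen key block is inert unless the opener can present the exact attribute set, under the right tenant, that it was sealed to.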