CN118523905A

CN118523905A - Method, apparatus, device and storage medium for acquiring certificate or credential

Info

Publication number: CN118523905A
Application number: CN202310171584.8A
Authority: CN
Inventors: 王海光; 李铁岩; 康鑫; 雷中定
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2023-02-20
Filing date: 2023-02-20
Publication date: 2024-08-20

Abstract

The present application provides methods, apparatus, devices, storage media and program products for obtaining certificates or credentials, relating to the field of data security. The method includes sending, at a physical host, a request to a validation server for obtaining an encryption certificate, the request including a target public key for a virtual trusted root of a virtual machine; receiving a random number encrypted by the target public key from the authentication server; acquiring signed remote attestation information from a hardware trust root of a physical host based on the encrypted random number; transmitting the signed remote attestation information and the target public key to a verification server; and receiving an encryption certificate for the target public key from the authentication server. The embodiment of the application realizes the association relation between the virtual trusted root and the hardware trusted root, improves the verification efficiency of the virtual trusted root corresponding to the hardware trusted root, and improves the user experience.

Description

Method, apparatus, device and storage medium for acquiring certificate or credential

Technical Field

Embodiments of the present application generally relate to the field of data security. More particularly, embodiments of the present application relate to methods, apparatuses, devices, and storage media for acquiring certificates or credentials.

Background

With the rapid development of the mobile internet, more and more conventional services such as government services, mobile payment, etc. are transferred to the internet. The mobile internet is an indispensable infrastructure in people's life. In order to meet the requirements of people on service quality, telecommunication operators are required to continuously adopt new technologies, and the agility of service deployment and the elastic expansion and contraction capability of network capacity are provided. Network virtualization and clouding techniques provide operators with the ability to quickly deploy and elastically stretch the network. Meanwhile, the network virtualization technology breaks the safety and credibility characteristics brought by the physical boundary of the original equipment. Operators do not own physical devices, but run a large number of virtual devices on their own or third-party cloud platforms, so operators must guarantee the credibility of the virtualized devices in the virtualized and clouded scenarios through new technical means. Remote authentication techniques may provide operators with remote authentication capabilities of trusted features of devices. However, there are a number of problems to be solved in this process.

Disclosure of Invention

Embodiments of the present application provide a scheme for acquiring certificates or credentials.

According to a first aspect of the present application, a method for obtaining a certificate is provided. The method comprises the following steps: transmitting, at the physical host, a request to the authentication server to obtain an encryption certificate, the request including a target public key for a virtual root of trust of the virtual machine; receiving a random number encrypted by the target public key from the authentication server; acquiring signed remote attestation information from a hardware root of trust of a physical host based on the encrypted random number, the signed remote attestation information including a signature certificate for the hardware root of trust; transmitting the signed remote attestation information and the target public key to a verification server; and receiving an encryption certificate for the target public key from the authentication server.

In this way, embodiments of the present application utilize the signed certificate of the hardware root of trust to generate remote attestation information, and then send the signed remote attestation information and the target public key to the verification server. The device sending the remote attestation information can be attested to be trusted by the signature certificate of the hardware trusted root contained in the remote attestation information, and further the target public key of the virtual trusted root of the virtual machine from the device can be determined to be trusted. Therefore, the method realizes the association of the virtual trusted root and the hardware trusted root, solves the performance problem caused by the hardware trusted root equipment when the virtual machine performs the depth certification, improves the verification efficiency of the virtual trusted root corresponding to the hardware trusted root equipment, and improves the user experience.

In some embodiments, wherein generating the key pair comprises: in response to the virtual trusted root being booted, a target public key is generated by the virtual trusted root. In this way, the security of the virtual trusted root can be improved.

In some embodiments, wherein obtaining signed remote attestation information comprises: decrypting the encrypted random number using a target private key corresponding to the target public key; and obtaining local attestation information for the hardware trusted root based on the decrypted random number, the local attestation information including a signed certificate; generating remote attestation information based on the decrypted random number and the local attestation information; the remote attestation information is signed using a signature private key corresponding to the signature certificate. By the method, the signed remote proof information can be quickly and accurately obtained, and the accuracy and safety of the obtained information are improved.

In some embodiments, wherein the authentication server is a first authentication server and the signature certificate is a first signature certificate, the method further comprises: the encrypted certificate is sent to the second authentication server to obtain a second signed certificate from the second authentication server. In this way, the security and efficiency of acquiring certificates are improved.

According to a second aspect of the present application, a method for providing a certificate is provided. The method comprises the following steps: generating, at the authentication server, a random number in response to receiving a request from the physical host for obtaining an encryption certificate, the request including a target public key for a virtual trusted root of the virtual machine; encrypting the random number using the target public key; transmitting the encrypted random number to the physical host; receiving, from the physical host, a target public key and signed remote attestation information, the signed remote attestation information including a signed certificate for a hardware root of trust of the physical host; and in response to the signed remote attestation information passing verification, sending an encryption certificate to the physical host, the encryption certificate being for the target public key.

By the method, the embodiment of the application realizes the association relation between the virtual trusted root and the hardware trusted root, solves the performance problem caused by the hardware trusted root equipment when the virtualization platform performs depth certification, improves the verification efficiency of the virtual trusted root corresponding to the hardware trusted root equipment, and improves the user experience.

In some embodiments, the method further comprises: the signed remote attestation information is verified by: verifying the signature using the verification public key in the signature certificate; and determining whether the signed remote attestation information includes a random number; and in response to the signature being verified and the signed remote attestation information including a random number, determining that the signed remote attestation information is verified. By the method, the remote certification information can be rapidly and safely verified, and verification efficiency and effect are improved.

According to a third aspect of the present application, a method for acquiring credentials is provided. The method comprises the following steps: transmitting, at the physical host, a request to the authentication server for obtaining the credential; obtaining a random number from a verification server; based on the random number and a set of public keys, obtaining signed remote attestation information from a hardware trusted root of the physical host, the signed remote attestation information including a signature certificate for the hardware trusted root; transmitting reply information to the authentication server, the reply information including signed remote attestation information, indication information about a set of public keys, and a random number; and obtaining a credential from the authentication server, the credential indicating the trustworthiness of the set of public keys.

In some embodiments, the method further comprises: a set of public keys is generated by a virtual machine manager in the physical host. In this way, a set of public keys can be quickly and accurately obtained.

In some embodiments, obtaining signed remote attestation information from a hardware trust root of a physical host comprises: generating a string based on the random number and a set of public keys; and generating a target hash value based on the string; based on the target hash value, signed remote attestation information is obtained from a hardware trusted root of the physical host. In this way, the security of data can be improved, and the verification effect is improved.

In some embodiments, wherein generating the character string comprises: the string is formed by linking the random number, a set of public keys, an internet protocol address of the virtual machine manager, and a port number of a remote authentication service of the virtual machine manager. By the method, the character string can be generated quickly, and the safety of the character string is improved.

In some embodiments, wherein generating the character string comprises: obtaining a root value by inputting a set of public keys into an accumulator; and generating a character string based on the root value and the random number. By the method, the character string can be generated quickly, and the safety of the character string is improved.

In some embodiments, wherein generating the string based on the root value and the random number comprises: the string is formed by linking the random number, the root value, the internet protocol address of the virtual machine manager, and the port number of the remote authentication service of the virtual machine manager. By the method, the character string can be formed quickly, and the safety of the character string is improved.

In some embodiments, wherein the indication information includes a root value. In this way, the verification efficiency of the key can be improved.

In some embodiments, wherein the indication information comprises a set of public keys. In this way, the verification efficiency and security of the key can be improved.

In some embodiments, wherein obtaining signed remote attestation information from a hardware root of trust of the physical host based on the target hash value comprises: based on the target hash value, local proving information aiming at the hardware trusted root is obtained, wherein the local proving information comprises a signature certificate; generating remote attestation information based on the target hash value and the local attestation information; the remote attestation information is signed using a signature private key corresponding to the signature certificate. In this way, the security of the remote attestation information can be improved.

In some embodiments, wherein the request is a first request, the signed remote attestation information is a first signed remote attestation information, the verification server is a first verification server, the signature is a first signature, the method further comprising: selecting a public key assigned to the virtual trusted root from a set of public keys in response to starting the virtual machine and the corresponding virtual trusted root; acquiring a signature certificate aiming at a public key; sending a second request for registering the virtual machine to a second verification server, wherein the second request comprises the identification of the virtual machine; receiving a third request from the second authentication server for obtaining the attestation information, the third request including a random number generated by the second authentication server; and sending signed second remote attestation information for the virtual machine to a second verification server for determining a trusted state of the virtual machine, the signed second remote attestation information including the signed certificate and a corresponding second signature. By the method, the trusted state of the virtual machine can be rapidly determined through the credibility of the hardware trusted root, the trusted state determination efficiency is improved, and the user experience is improved.

In some embodiments, wherein the third request further includes a policy to obtain attestation information; wherein transmitting the signed second remote attestation information includes: the signed second remote attestation information is sent based on the policy. By the method, the remote certification information can be acquired in various modes, and user experience is improved.

In some embodiments, wherein sending the signed second remote attestation information based on the policy includes: in response to the policy indication to obtain only attestation information for the virtual machine, obtaining signed second remote attestation information from the virtual trusted root based on the random number, the signed second remote attestation information further including an internet protocol address of a virtual machine manager in the physical host and a port number of a remote authentication service of the virtual machine manager; transmitting the signed second remote attestation information to a second verification server; in response to receiving a fourth request to obtain the credential, the fourth request including an internet protocol address, a port number, and the signed credential based on the public key in the signed credential; and sending the credentials to a second authentication server to determine the trusted status of the virtual machine. By the method, the trusted state of the virtual machine can be rapidly determined through the credibility of the hardware trusted root, the trusted state determination efficiency is improved, and the user experience is improved.

In some embodiments, wherein sending the signed second remote attestation information based on the policy includes: obtaining signed second remote attestation information from the virtual trusted root in response to the policy directive obtaining attestation information and credentials for the virtual machine; obtaining credentials from the virtual machine manager based on the public key; and sending the signed second remote attestation information and the credential to a second verification server for determining a trusted state of the virtual machine. By the method, the trusted state of the virtual machine can be rapidly determined through the credibility of the hardware trusted root, the trusted state determination efficiency is improved, and the user experience is improved.

According to a fourth aspect of the present application, a method for providing credentials is provided. The method comprises the following steps: receiving, at the authentication server, reply information from the physical host, the reply information including signed remote attestation information, indication information regarding a set of public keys, and a random number, the signed remote attestation information including a signed certificate for a hardware root of trust of the physical host; verifying the signed remote attestation information; generating a credential based on the remote attestation information and the indication information in response to the signed remote attestation information and the target hash value passing verification, the credential indicating the trustworthiness of a set of public keys; and sending the credential to the physical host.

In some embodiments, wherein the signed remote attestation information comprises a target hash value, wherein verifying the signed remote attestation information comprises: verifying the signature in the signed remote attestation information by means of a public key in the signing certificate; generating a verification hash value based on the random number and the indication information in response to the signature passing verification; and verifying the signed remote attestation information by comparing the target hash value with the verification hash value. By the method, the signed remote certification information can be rapidly verified, and verification efficiency is improved.

In some embodiments, wherein the indication information comprises a set of public keys, wherein generating the verification hash value comprises: generating a string based on the random number and a set of public keys; and generating a verification hash value based on the string. By the method, the hash value can be generated rapidly, so that verification efficiency and security are improved.

In some embodiments, wherein the reply message further includes an internet protocol address of a virtual machine manager in the physical host, a port number of a remote authentication service of the virtual machine manager; wherein generating the character string comprises: the string is formed by linking a random number, a set of public keys, an internet protocol address, and a port number. By the method, the generation efficiency of the character strings can be improved, and the efficiency of generating the character strings is improved.

In some embodiments, wherein the indication information includes a root value obtained by inputting a set of public keys into the accumulator, wherein generating the verification hash value includes: generating a character string based on the random number and the root value; and generating a verification hash value based on the string. By the method, the character string can be verified quickly, and the safety of character string verification is improved.

In some embodiments, wherein the reply message further includes an internet protocol address of a virtual machine manager in the physical host, a port number of a remote authentication service of the virtual machine manager; wherein generating the character string comprises: the string is formed by linking a random number, a root value, an internet protocol address, and a port number. By the method, the character string can be generated quickly, and the safety of the character string is improved.

In some embodiments, the credentials further include an internet protocol address and a port number. In this way more information can be provided.

In some embodiments, wherein generating the credential comprises: generating an evaluation result by evaluating the remote attestation information; and adding the evaluation result into the certificate. In this way, more information can be provided and the comprehensiveness of the voucher content is improved.

In some embodiments, wherein generating the credential comprises: generating an evaluation result by evaluating the remote attestation information; in response to the evaluation result satisfying the predetermined requirement, generating a credential, the credential including the evaluation result. In this way, credentials meeting predetermined requirements can be generated, further validating the remote attestation information.

In some embodiments, the method further comprises: generating a random number in response to receiving a request from a physical host to obtain credentials; and sending the random number to the physical host. In this way, it can be used to increase the accuracy of acquiring credentials.

According to a fifth aspect of the present application, a method for verifying information is provided. The method comprises the following steps: generating a random number at the authentication server in response to receiving a first request from the physical host to register a virtual machine in the physical host; transmitting a second request for acquiring the certification information to the physical host, the second request including a random number; and receiving, from the physical host, signed remote attestation information for the virtual machine, the signed remote attestation information including a signed certificate and a corresponding signature, the signed certificate being a certificate for a public key selected from a set of public keys assigned to the virtual machine, the credential indicating the trustworthiness of the set of public keys; based on the signed remote attestation information and the credentials, a trusted state of the virtual machine is determined.

In some embodiments, wherein the signed remote attestation information further includes an internet protocol address of a virtual machine manager in the physical host and a port number of a remote authentication service of the virtual machine manager, wherein the second request further includes a policy to obtain attestation information from the physical host, the policy indicating that only attestation information for the virtual machine is obtained, wherein receiving the signed remote attestation information and the credential for the virtual machine includes: receiving signed remote attestation information; verifying the signed remote attestation information; obtaining a signed certificate, an internet protocol address, and a port number from the signed remote attestation information in response to the signed remote attestation information passing the verification; sending a third request for acquiring the credential to the physical host, the third request including an internet protocol address, a port number, and a signed certificate; the credential is received from the physical host. By the method, the certification information for certifying the trust of the physical host can be quickly acquired.

In some embodiments, wherein determining the trusted state of the virtual machine comprises: verifying the certificate; in response to the credential passing the verification, determining whether a public key in the signed certificate is supported by the credential; and determining that the virtual machine is trusted in response to the public key being supported by the credential. By the method, the credibility of the virtual credible root can be determined based on the credibility of the hardware credible root, so that the efficiency of determining the credibility of the virtual machine is improved, and the verification efficiency is improved.

In some embodiments, wherein the second request further includes a policy to obtain attestation information from the physical host, the policy indicating that attestation information and credentials are to be obtained for the virtual machine, wherein determining the trusted state of the virtual machine includes: verifying the signed remote attestation information and the credentials; in response to the signed remote attestation information and the credential passing verification, obtaining a signed certificate from the signed remote attestation information; determining whether a public key in the signed certificate is supported by the credential; and determining that the virtual machine is trusted in response to the public key being supported by the credential. By the method, the credibility of the virtual credible root can be determined based on the credibility of the hardware credible root, so that the efficiency of determining the credibility of the virtual machine is improved, and the verification efficiency is improved.

In some embodiments, wherein determining whether the public key is supported by the credential comprises: it is determined whether the public key is present in the credential. By the method, whether the public key is available or not can be verified quickly, and verification efficiency of the public key is improved.

In some embodiments, wherein the credential includes a root value obtained by inputting a set of public keys into the accumulator, wherein determining whether the public keys are supported by the credential comprises: extracting a root value in the certificate; and determining whether the public key is supported by the credential based on the root value and the public key. By the method, whether the public key is available or not can be verified quickly, and verification efficiency of the public key is improved.

According to a sixth aspect of the present application, there is provided a method for verifying information. The method comprises the following steps: in response to receiving a first request from the physical host to register a virtual machine in the physical host, sending, at the first authentication server, a second request to the physical host to obtain attestation information, the second request including a random number; receiving signed remote attestation information for a virtual machine, the remote attestation information including a signed certificate, the signed certificate being a certificate for a public key selected from a set of public keys assigned to the virtual machine; responding to the signed remote attestation information to obtain a signature certificate through verification; transmitting a third request to the second authentication server for obtaining the credential, the third request comprising the signed certificate; obtaining credentials from a second authentication server; the trusted state of the virtual machine is determined based on a credential that indicates the trustworthiness of a set of public keys.

In some embodiments, wherein determining the trusted status comprises: in response to receiving the credential, validating the credential; in response to the credential passing the verification, determining whether a public key of the signed credential is supported by the credential; and determining that the virtual machine is trusted in response to the public key being supported by the credential. By the method, whether the virtual machine is trusted or not can be fast, and detection efficiency is improved.

In some embodiments, wherein determining whether the public key of the signed certificate is supported by the credential comprises: it is determined whether the public key is present in the credential. By the method, whether the public key is supported or not can be quickly determined, and verification efficiency is improved.

In some embodiments, wherein the credential includes a root value obtained by inputting a set of public keys into the accumulator, wherein determining whether the public key of the signed certificate is supported by the credential comprises: extracting a root value in the certificate; and determining whether the public key is supported by the credential based on the root value and the public key. By the method, whether the public key is supported or not can be quickly determined, and verification efficiency is improved.

According to a seventh aspect of the present application, there is provided an apparatus for acquiring a certificate. The device comprises: a request transmitting unit configured to transmit a request for acquiring an encryption certificate to the authentication server at the physical host, the request including a target public key for a virtual trusted root of the virtual machine; a random number acquisition unit configured to acquire a random number encrypted by the target public key from the authentication server; a remote attestation information acquisition unit configured to acquire signed remote attestation information from a hardware root of trust of a physical host based on the encrypted random number, the signed remote attestation information including a signature certificate for the hardware root of trust; a certification information and public key transmission unit configured to transmit the signed remote certification information and the target public key to the authentication server; and an encryption certificate receiving unit configured to receive an encryption certificate for the target public key from the authentication server.

According to an eighth aspect of the present application, there is provided an apparatus for providing a certificate. The device comprises: a random number generation unit configured to generate a random number at the authentication server in response to receiving a request from the physical host for obtaining an encryption certificate, the request including a target public key for a virtual root of trust of the virtual machine; an encryption unit configured to encrypt the random number using the target public key; a random number transmitting unit configured to transmit the encrypted random number to the physical host; a remote attestation information receiving unit configured to receive a target public key and signed remote attestation information from a physical host, the signed remote attestation information including a signature certificate and a corresponding signature for a hardware root of trust of the physical host; and a certificate transmission unit configured to transmit an encryption certificate to the physical host in response to the signed remote attestation information passing the verification, the encryption certificate being for the target public key.

According to a ninth aspect of the present application, an apparatus for acquiring credentials is provided. The device comprises: a request transmitting unit configured to transmit a request for acquiring a credential to the authentication server at the physical host; a random number acquisition unit configured to acquire a random number from the authentication server; a remote attestation information acquisition unit configured to acquire signed remote attestation information from a hardware root of trust of a physical host based on a random number and a set of public keys, the signed remote attestation information including a signature certificate for the hardware root of trust; and a reply information transmitting unit configured to transmit reply information including signed remote attestation information, indication information about a set of public keys, and a random number to the authentication server; a credential acquisition unit configured to acquire a credential from the authentication server, the credential indicating the trustworthiness of a set of public keys.

According to a tenth aspect of the present application, there is provided an apparatus for providing credentials. The device comprises: a reply information receiving unit configured to receive, at the authentication server, reply information from the physical host, the reply information including signed remote attestation information, indication information about a set of public keys, and a random number, the signed remote attestation information including a signed certificate for a hardware root of trust of the physical host; a verification unit configured to verify the signed remote attestation information; a credential generation unit configured to generate a credential indicating the trustworthiness of a set of public keys based on the remote attestation information and the indication information in response to the signed remote attestation information passing the verification; and a credential transmitting unit configured to transmit the credential to the physical host.

According to an eleventh aspect of the present application, there is provided an apparatus for verifying information. The device comprises: a random number generation unit configured to generate a random number at the authentication server in response to receiving a first request from the physical host to register the virtual machine in the physical host; a certification information acquisition unit configured to transmit a second request for acquiring certification information to the physical host, the second request including a random number; and a certification information and credential receiving unit configured to receive, from the physical host, signed remote certification information and credentials for the virtual machine, the signed remote certification information including a signed certificate and a corresponding signature, the signed certificate being a certificate for a public key selected from a set of public keys assigned to the virtual machine, the credentials indicating trustworthiness of the set of public keys; a trusted state determination unit configured to determine a trusted state of the virtual machine based on the signed remote attestation information and the credential.

According to a twelfth aspect of the present application, there is provided an apparatus for verifying information. The device comprises: a certification information acquisition unit configured to transmit, at the first authentication server, a second request to acquire certification information to the physical host in response to receiving a first request to register the virtual machine in the physical host from the physical host, the second request including a random number; a remote attestation information receiving unit configured to receive signed remote attestation information for a virtual machine, the remote attestation information including a signature certificate, the signature certificate being a certificate for a public key assigned to the virtual machine selected from a set of public keys; a certificate acquisition unit configured to acquire a signed certificate in response to the signed remote attestation information passing verification; a credential acquisition unit configured to send a third request for acquiring a credential to the second authentication server, the third request including a signed credential; a credential acquisition unit configured to acquire a credential from a second authentication server; a trusted state determination unit configured to determine a trusted state of the virtual machine based on a credential, the credential indicating the trustworthiness of the set of public keys.

According to a thirteenth aspect of the present application, there is also provided an electronic device including: at least one computing unit; at least one memory coupled to the at least one computing unit and storing instructions for execution by the at least one computing unit, which when executed by the at least one computing unit, cause the apparatus to perform the method according to any one of the first to sixth aspects of the application.

According to a fourteenth aspect of the present application there is also provided a computer readable storage medium having stored thereon a computer program which when executed by a processor implements a method according to any of the first to sixth aspects of the present application.

According to a fifteenth aspect of the present application there is also provided a computer program product comprising computer executable instructions which when executed by a processor implement a method according to any of the first to sixth aspects of the present application.

It will be appreciated that the apparatus of the seventh to twelfth aspects, the electronic device of the thirteenth aspect, the computer storage medium of the fourteenth aspect, or the computer program product of the fifteenth aspect, as provided above, are for performing the methods provided in the first to sixth aspects. Therefore, the explanations or illustrations concerning the first to sixth aspects also apply to the seventh to fifteenth aspects. In addition, the advantages achieved by the seventh to fifteenth aspects can refer to the advantages in the corresponding methods, and are not described herein. A kind of electronic device with a high-pressure air-conditioning system

Drawings

The above and other features, advantages and aspects of embodiments of the present application will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, wherein like or similar reference numerals designate like or similar elements, and wherein:

FIG. 1 illustrates a schematic diagram of an example environment in which various embodiments of the application may be implemented;

FIG. 2 illustrates a schematic flow diagram for acquiring credentials according to some embodiments of the application;

FIG. 3 illustrates a schematic flow diagram for providing credentials according to some embodiments of the application;

FIG. 4 illustrates a schematic flow diagram of a process for acquiring a certificate and providing a certificate, according to some embodiments of the application;

FIG. 5 illustrates a schematic diagram of a system architecture according to some embodiments of the application;

FIG. 6 illustrates a schematic diagram for acquiring credentials and verification information, according to some embodiments of the application;

FIG. 7 illustrates an example of a credential according to some embodiments of the application;

FIG. 8 illustrates a schematic flow diagram for acquiring credentials according to some embodiments of the application;

FIG. 9 illustrates a schematic flow diagram for provisioning credentials, according to some embodiments of the application;

FIG. 10 shows a schematic flow chart diagram for verifying information according to some embodiments of the application;

FIG. 11 shows a schematic flow chart diagram for verifying information in accordance with some embodiments of the application;

Fig. 12 shows a schematic flow chart of a process for obtaining a passport according to some embodiments of the present application;

FIG. 13 shows a schematic flow chart diagram for remote attestation, according to some embodiments of the application;

fig. 14 shows a schematic flow chart of a process for obtaining a passport according to some embodiments of the present application;

FIG. 15 shows a schematic flow chart diagram for remote attestation, according to some embodiments of the present application;

FIG. 16 shows a schematic flow chart diagram for remote attestation, according to some embodiments of the present application;

FIG. 17 shows a schematic flow chart diagram for remote attestation, according to some embodiments of the present application;

FIG. 18 illustrates a block diagram of an apparatus for acquiring credentials according to some embodiments of the application;

FIG. 19 illustrates a block diagram of an apparatus for providing credentials in accordance with some embodiments of the application;

FIG. 20 illustrates a block diagram of an apparatus for acquiring credentials according to some embodiments of the application;

FIG. 21 illustrates a block diagram of an apparatus for providing credentials, according to some embodiments of the application;

FIG. 22 illustrates a block diagram of an apparatus for verifying information, according to some embodiments of the application;

FIG. 23 illustrates a block diagram of an apparatus for verifying information, according to some embodiments of the application; and

FIG. 24 illustrates a block diagram of a computing device capable of implementing various embodiments of the application.

Detailed Description

Embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While the application is susceptible of embodiment in the drawings, it is to be understood that the application may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided to provide a more thorough and complete understanding of the application. It should be understood that the drawings and embodiments of the application are for illustration purposes only and are not intended to limit the scope of the present application.

In describing embodiments of the present application, the term "comprising" and its like should be taken to be open-ended, i.e., including, but not limited to. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The terms "first," "second," and the like, may refer to different or the same object. Other explicit and implicit definitions are also possible below.

As mentioned above, remote verification is primarily intended to ensure the trustworthiness of a computer hardware platform. The proof of remote attestation is provided primarily by the trusted computing module of the verifier. Currently mainly comprises trusted platform modules (Trusted Platform Module, TPM) 1.0 and 2.0, trusted platform control modules (Trusted Platform Control Module, TPCM) and the like. The structure of the TPM trusted platform module mainly comprises input and output modules, keys, key management, hash algorithm, measurement, trusted report root and the like. The main function of the TPM is to provide an independent measurement module for the verifier and to send the measurement results to an external relying party or verifier. As system virtualization and clouding progresses, remote attestation is also extended to metrics of virtual machines. To measure virtual machines, the concept of virtualizing trusted platform modules (virtualized Trusted Platform Module, vTPM) is proposed. The vTPM adopts a software mode, realizes most functions of the TPM, including a trusted measurement root, a trusted report root, a trusted storage root and the like, and provides an interface similar to the TPM, so that the upper layer protocol can reuse most protocols designed for the TPM. Because the vTPM is a software implementation, it is difficult to independently provide a trusted measurement report, and support needs to be provided by relying on the underlying hardware trusted root, so that it is required to ensure that a trust chain can extend from the underlying hardware trusted root to the vTPM at the upper layer in design.

In order to solve the above problems, there are two conventional solutions. One conventional approach is to use the trustworthiness of the TPM's authentication key (Attestation IDENTITY KEY, AIK) to determine the trustworthiness of the remote Attestation provided by the vTPM. In this scheme whether the AIK of the vTPM is trusted or not needs to be guaranteed by the TPM. The scheme binds an AIK key pair in the vTPM with a public and private key of the AIK of the TPM. But this solution is mainly from an academic point of view and does not take into account how to combine with existing standards. Therefore, it is difficult to apply this scheme to practice. Another conventional approach is to pass a remote attestation evidence-based method between routers. In the scheme, the routers use the labeled passport for remote verification, so that the sharing of the evaluation result of the remote proof evidence of the router equipment is realized. But the scheme is designed based on hardware trusted roots and does not support virtual trusted roots. Thus, virtual trusted roots and depth attestations are also not supported.

To address at least some of the problems described above and other potential problems, in an embodiment of the application, a key pair for a virtual trusted root of a virtual machine is generated at a physical host, and then a request to obtain a certificate is sent to an authentication server to obtain a random number encrypted by a target public key from the authentication server. The physical host then obtains signed remote attestation information from the hardware root of trust of the physical host based on the encrypted random number, the signed remote attestation information including a signature certificate and a corresponding signature for the hardware root of trust. Finally the physical host sends the signed remote attestation information and the target public key to the verification server for receiving from the verification server an encrypted certificate for the target public key, the encrypted certificate being generated after the signed remote attestation information passes the verification. Based on the mode, the association relation between the virtual trusted root and the hardware trusted root is realized, the performance problem caused by the hardware trusted root equipment when the virtualization platform performs depth certification is solved, the verification efficiency of the virtual trusted root corresponding to the hardware trusted root equipment is improved, and the user experience is improved.

FIG. 1 illustrates a schematic diagram of an example environment 100 in which various embodiments of the application may be implemented. As shown in fig. 1, environment 100 includes a physical host 102. The physical host 102 is divided into three layers, the first layer being a hardware layer, including various hardware components of the physical host, such as a central processing unit, a memory, a hardware Root of Trust (RoT) 108; the second layer is a system layer 106, where the system layer 106 is configured to run an operating system and virtual machine management software, and includes a virtual machine manager 106; the third layer is a software layer for running various application software including virtual machines, containers, or virtual network function modules, etc. The hardware root of trust 108 serves as a base point of trust in the trusted computer system. The hardware root of trust 108 includes an authorized certificate that can prove that the hardware root of trust 108 is authenticated and therefore trusted. The virtual machine manager 106 includes a virtual trusted root (virtualized Root of Trust, vRoT) 110. The virtual trusted root 110 is used to prove the trustworthiness of the virtual machine 104.

Also shown in fig. 1 is an authentication server 114. For ease of description, the authentication server 114 may also be referred to as a first authentication server. The authentication server 114 performs authentication on information received from the virtual machine manager 106, and is mainly responsible for managing physical hosts, including functions of remote authentication evaluation of physical hosts, issuing virtual machine start and stop, and the like. In some embodiments, the validation server 114 validates the public key in the key pair provided by the virtual manager 106 for the virtual machine based on information obtained from the hardware root of trust 108 to generate an encryption certificate or identity certificate. In some embodiments, the validation server 114 provides credentials based on information of the hardware root of trust 108 provided by the virtual machine manager and a set of public keys for the virtual machine. The credential includes a signed certificate for the hardware root of trust and a set of public keys corresponding to the hardware root of trust. Thus, the validation server 114 is operable to determine the trustworthiness of the public key for the virtual root of trust based on the trustworthiness of the hardware root of trust. Alternatively or additionally, the first authentication server may be a plurality of servers providing a plurality of functions, such as a cloud pipe. In one example, the validation server 114 may be a cloud platform provider that is used to verify the trustworthiness of physical hosts in a cloud platform.

The example environment 100 also includes an authentication server 112. For convenience of description, the authentication server 112 may also be referred to as a second authentication server. The verification server 112 is mainly responsible for managing virtualized network elements and issuing functions of virtual network element starting, migration, stopping, remote sign verification and the like. The validation server 112 is used to interact with the virtual machine 104 to grant signature certificates to the virtual machine or to determine whether the virtual machine 104 is trusted. In some embodiments, the validation server 112 may provide the signature certificate for the virtual machine based on the encryption certificate or identity certificate received from the virtual machine 104 for the virtual machine. In some embodiments, the validation server 112 may obtain information from the virtual machine, the virtual machine manager 106, and/or the first validation server 114 to verify whether the virtual machine 104 or the virtual network function module is trusted according to certain information acquisition policies when virtual machine registration is performed. Alternatively or additionally, the authentication server may be a plurality of servers providing a plurality of functions, such as a network management. In one example, the first validation server may be a server using a cloud platform for validating a provided virtual machine in the cloud platform.

The physical hosts 104 illustrated in FIG. 1 include, but are not limited to, personal computers, servers, hand-held or laptop devices, mobile devices such as mobile phones, personal Digital Assistants (PDAs), media players, and the like, multiprocessor systems, consumer electronics, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The authentication servers 114 and 112 illustrated in FIG. 1 include, but are not limited to, servers, multiprocessor systems, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. Although fig. 1 shows one virtual machine and a corresponding virtual trusted root, it is merely an example and not a specific limitation of the present disclosure, a plurality of virtual machines may be run within a physical host and a plurality of virtual trusted roots corresponding to the plurality of virtual machines exist.

Through the method, the association relation between the virtual trusted root and the hardware trusted root is realized, and the performance problem caused by the hardware trusted root equipment when the virtualization platform performs depth certification is solved, so that the user experience is improved.

A schematic diagram of an example environment 100 in which embodiments of the present application can be implemented is described above in connection with fig. 1. A flowchart of a method 200 for acquiring credentials according to an embodiment of the present disclosure is described below in conjunction with fig. 2. The method 200 may be performed at the physical host 102 of fig. 1 and any suitable computing device.

At block 202, a request to obtain an encryption certificate is sent to an authentication server at a physical host. Wherein the request includes the target public key. In some embodiments, virtual machine manager 106 may launch a virtual trusted root when launching a virtual machine. Upon launching the virtual trusted root, a key pair for the virtual trusted root 110 is generated by the virtual trusted root 110, the key pair comprising a target public key and a target private key. Alternatively or additionally, the target public key may be an identity key or an endorsement key of the virtual machine. For example, to obtain an encryption certificate for the target public key, the virtual machine manager 106 in the physical host 102 sends a request to the validation server 114 to obtain the encryption certificate, the request including the target public key.

At block 204, a random number encrypted by the target public key is received from the authentication server. The authentication server 114, upon receiving the request, generates a random number and then encrypts with the target public key. The authentication server 114 sends the encrypted random number to the physical host 102.

At block 206, signed remote attestation information is obtained from a hardware root of trust of the physical host based on the encrypted random number. Wherein the signed remote attestation information includes a signed certificate for a hardware root of trust. Alternatively, the signed remote attestation information further includes a signature by the signed certificate. For example, the signed remote attestation information can be obtained from the hardware root of trust 108 in the physical host 102 based on the received random number.

In some embodiments, the physical host 102 receives the encrypted random number and then decrypts the encrypted random number using a target private key corresponding to the target public key to obtain the random number. If the other device receives the encrypted random number, it will not decrypt the random number because it does not have the target private key corresponding to the target public key. The physical host 102 obtains local attestation information for the hardware root of trust based on the decrypted random number. The local attestation information includes a signature certificate for the hardware root of trust that indicates that the hardware root of trust is trusted. Alternatively or additionally, the local attestation information also includes various information collected by the hardware root of trust, such as information about the basic input output system (Basic Input Output System, BIOS), information about the operating system, and so on. The physical host then generates remote attestation information based on the decrypted random number and the local attestation information. For example, a list of information is formed from the random number and the local attestation information. The physical host 102 then signs the remote attestation information using a signature private key corresponding to the signature certificate of the hardware root of trust.

At block 208, the signed remote attestation information and the target public key are sent to a verification server. For example, the physical host 102 sends the signed remote attestation information and the target public key to the verification server 114. At block 210, an encryption certificate for a target public key is received from an authentication server. The verification server 114 verifies the remote attestation information. And sending the encryption certificate of the target public key to the physical host after the verification is passed. The encryption certificate is generated after the signed remote attestation information is verified.

In some embodiments, physical host 102, after obtaining the encrypted certificate from authentication server 114, may also send the encrypted certificate to authentication server 112 to obtain the signed certificate from the second authentication server.

In the above manner, the signed certificate of the hardware root of trust is utilized to generate remote attestation information, and then the signed remote attestation information and the target public key are sent to the verification server. The device sending the remote attestation information can be attested to be trusted by the signature certificate of the hardware trusted root contained in the remote attestation information, and further the target public key of the virtual trusted root of the virtual machine from the device can be determined to be trusted. Therefore, the method realizes the association relation between the virtual trusted root and the hardware trusted root, solves the performance problem caused by the hardware trusted root equipment when the virtualization platform performs the depth certification, and improves the user experience.

A flowchart of a method for acquiring a certificate according to an embodiment of the present application is described above in connection with fig. 2. A schematic flow chart of a method 300 for providing credentials according to an embodiment of the present disclosure is described below in connection with fig. 3. Method 300 may be performed at authentication server 114 of fig. 1 and any suitable computing device.

At block 302, it is determined whether a request for obtaining an encryption certificate is received from a physical host. For example, the validation server 114 determines whether a request for obtaining an encryption certificate was received from the physical host 102. Wherein the request may include a target public key for a virtual root of trust of the virtual machine. For example, the target public key is from a key pair for a virtual trusted root generated when a virtual machine is started or a virtual trusted root is started at a physical host.

If a request is received from a physical host to obtain an encryption certificate, at block 304, a random number is generated at the authentication server. Such as the authentication server 114, generates a random number upon receiving a request to obtain an encryption certificate. At block 306, the random number is encrypted using the target public key. For example, the authentication server 114 encrypts the random number using the target public key. At block 308, the encrypted random number is sent to the physical host. At block 310, a target public key and signed remote attestation information are received from a physical host. The signed remote attestation information includes a signed certificate for a hardware trusted root of the physical host. For example, the authentication server 114 sends an encrypted random number to the physical host 102, and the physical host 102 then uses the encrypted random number to generate signed remote attestation information, the process of which may be described with reference to FIG. 2. The physical host 102 then sends the signed remote attestation information to the verification server 114.

At block 312, a determination is made as to whether the signed remote attestation information is verified. For example, the verification server 114 verifies the signed remote attestation information. In verifying the signed remote attestation information, the verification server needs to verify the signature using a verification public key in the signature certificate and determine whether the signed remote attestation information includes a random number. In some embodiments, the verification server 114 first verifies the signature using a verification public key in the signature certificate. If the signature fails verification of the verification public key, no further subsequent operations are performed. If the signature passes verification of the verification public key, it is then determined whether the signed remote attestation information includes a random number. If the random number is not included, the authentication process is ended. If the signed remote attestation information includes a random number, the verification passes. In some embodiments, the validation server 114 first determines whether the signed remote attestation information includes a random number. If the random number is not included, the verification process is ended. If the random number is included, the signature is then verified using the verification public key in the signature certificate. If the signature cannot be verified by the verification public key, the verification process is ended. If the signature is verified by the verification public key, the verification passes. The above examples are merely for the purpose of describing the present disclosure and are not intended to be a specific limitation thereof.

If the signed remote attestation information is verified, at block 314, an encryption certificate is sent to the physical host, the encryption certificate being for the target public key. Additionally, the encryption certificate includes the target public key. For example, after verifying the remote attestation information, verification server 114 generates a signature certificate using the target public key. The encryption certificate is then sent to the physical host 102.

A flowchart of a method for acquiring a certificate and providing a certificate according to an embodiment of the present application is described above in connection with fig. 2 and 3. A schematic diagram of a process 400 for acquiring credentials and providing credentials according to an embodiment of the present disclosure is described below in connection with fig. 4. The flow 400 may operate in the environment shown in fig. 1.

In the example depicted in fig. 4, authentication server 114 is represented as a cloud pipe 410 and authentication server 112 is represented as a network pipe 412. As shown in fig. 4, a flow 400 includes a hardware root of trust 402, a virtual machine manager 404, a virtual root of trust 406, virtual machines and virtual network functions 408, a cloud management 410, and a network management 412. At 414, the virtual machine manager initiates a virtual root of trust. The virtual root of trust then generates a key pair (vEk, vSk) at block 416, where vEk is the target public key and vSk is the target private key. Next, the virtual machine manager obtains 418vEk from the virtual trusted root. The virtual manager then sends 420 a virtual root of trust certificate application to the cloud management, which carries vEk. Next, the cloud tube generates a random number nonce1 at block 422. The cloud manager encrypts nonce1 using vEk and sends 424 a virtual root of trust certificate application challenge to the virtual machine manager, which includes the encrypted nonce1. The virtual machine manager then passes 426 the virtual root of trust certificate application challenge to the virtual root of trust. At block 428, virtual trusted root vRoT decrypts get nonce1. For example, virtual trusted root vRoT decrypts encrypted nonce1 using target private key vSk. The virtual machine manager then obtains 430 the decrypted nonce1 from the virtual trusted root vRoT. The virtual machine manager then invokes the remote attestation interface of the virtual root of trust RoT and sends 432 nonce1 as a parameter to the hardware root of trust RoT. The hardware root of trust RoT returns 434 signed remote proof evidence to the virtual machine manager. In this process, the hardware root of trust RoT obtains local information for the hardware root of trust, such as a signed certificate for the hardware root of trust, information about the operating system of the physical host, and the hardware. The hardware root of trust forms a list of information using the random number and the local information and then signs the information using a private key corresponding to the signature certificate of the hardware root of trust. The virtual machine manager sends 436 a reply to the cloud management containing vEk and the signed remote attestation information. At block 438, the cloud management verifies the signed remote attestation information. The signed remote attestation information includes a signed certificate for a hardware trusted root. Thus, the verification process includes verifying the signature in the signed remote attestation information by the public key of the signed certificate and confirming that the virtual root of trust RoT used nonce1 in the process of remote attestation evidence report generation. The sequence of the two steps of verification can be set according to the needs. Alternatively or additionally, the remote attestation information also includes information obtained by the hardware root of trust, including operating system information and hardware-related information, etc. At block 440, the cloud management generates an encrypted certificate, the public key of which is received vEk at 436. The cloud management server then sends 442 the encryption certificate for vEk to the virtual machine manager. The virtual machine manager sends 444 the received vEk certificate to the virtual root of trust vRoT. At block 446, the virtual trusted root vRoT stores the obtained encryption certificate. Next, at operation 448, the virtual machine obtains the remote attestation-signature certificate vAIK of the virtual machine or virtual network function module from the network manager using the certificate.

A schematic diagram of a process for acquiring a certificate and providing a certificate according to an embodiment of the present disclosure is described above in connection with fig. 4. A schematic diagram of a system architecture according to an embodiment of the present disclosure is described below in conjunction with fig. 5. As shown in fig. 5, system architecture 500 is one specific example of the example environment of fig. 1. The physical hosts 102 are responsible for running and managing virtual machines, with virtual network functions running on one or more virtual machines. The virtual machine manager 106 also includes a key and credential management module 504. The key and credential management module 504 is internal to the virtual machine manager 106 on the physical host and is responsible for generating key pairs, sending remote attestation to the credential management module 506 on the authentication server 114, and receiving credentials generated by the credential management module 506 on the authentication server 114. The virtual machine 104 includes a policy handling module 102, which runs inside the virtual machine or physical host, and is responsible for handling policies in remote attestation and instructing the associated remote attestation module to provide corresponding remote attestation content.

The validation server 114 includes a credential management module 506, a verifier 510, and a credential authorization module 508. The verifier is used for verifying the received information. The certificate authority module 508 is used to manage the issuance of certificates. The credential management module 506 is used to manage generation and transmission of credentials, and the like. For descriptive convenience, authentication server 114 may also be referred to as a first authentication server. The credential management module 506 is responsible for receiving the key pair list and its remote certificate sent on the physical host, processing the above data, generating a verification result, adding the original data of the remote certificate and the key link evidence, signing them to form a credential, and sending it to the physical host. The validation server 112 includes a validator 512 and a certificate authority module 514. The verifier 512 is used to verify the received information. The certificate authority module 514 is used to manage the issuance of certificates.

A schematic diagram for acquiring credentials and authentication information according to some embodiments of the application is described below in connection with fig. 6. As illustrated in fig. 6, first, after the first authentication server 114 receives the request for obtaining the credential sent by the virtual machine manager of the physical host 102, the credential management module 506 of the first authentication server 114 sends a random number nonce to the key and credential management module 504 of the physical host 102. The key and credential management module 504, upon receiving the nonce, inputs the previously generated N pairs of key pairs into the hash function along with the nonce, obtains a hash value h, then invokes the hardware root of trust RoT108 (e.g., TPM) interface and passes h as a parameter to the hardware root of trust 108. The hardware trust root 108 packages the self-stored remote attestation information for signing and sends back to the key and credential management module 504. The key and credential management module 504 then sends the above-described list of attestation information and public keys to the credential management module 506. The credential management module 506 of the first authentication server 114 processes the received remote attestation information and generates a credential including an evaluation of the physical platform, a time stamp, the original remote attestation information, a certificate and signature of the first authentication server, and an indication of the public key list. For example, the indication information of the public key list may be the public key list itself or a root value generated by the public key list input accumulator. The credential is then sent to a key and credential management module 504 on the physical host 102. When the physical host 102 starts a virtual machine, the virtual machine manager 106 selects a pair of keys (PKi, SKi) from a set of key pairs corresponding to the public key list, and sends the keys and credentials to the virtual trusted root vRoT. When the virtual trusted root 110 receives an external remote attestation request, the virtual trusted root 110 may provide signed remote attestation information for the virtual machine 104. Alternatively or additionally, a policy to provide information is also included in the request. In one example, when the policy indicates that remote attestation information for the virtual machine and the credentials are provided, the remote attestation information provided by the virtual trusted root is sent by the virtual machine 104 to the second validation server 112 along with the credentials. In another example, where the policy indicates that only remote attestation information for the virtual machine is provided, the virtual machine 104 provides only remote attestation information provided by the virtual trusted root described above to the second validation server 112, and the second validation server 112 then obtains the credential through the virtual machine manager. The above examples are merely for the purpose of describing the present disclosure and are not intended to be a specific limitation thereof.

For the previously described document, it may be a remote proof passport. Fig. 7 shows two examples of two credentials. One example is a public key list based remote proof passport 702 and an accumulator based remote proof passport. Wherein the public key list based remote proof passport 702 comprises: a passport type; timestamp: remotely proving the passport generation time; validity period: a deadline for the passport to be usable beyond which it is deemed invalid; evaluation results: the server evaluates the remote proving material provided by the physical host and gives a result; physical host remote attestation material: original remote attestation material provided by physical host: including a signature certificate (AIK) of the physical host, a platform configuration register (Platform Configuration Register, PCR) value, and an AIK certificate signature, wherein the PCR value is a value of a register in the TPM hardware that stores a software and hardware trusted record; key chaining evidence: the main function is to associate the signing key of vRoT (vTPM) with the signing key of physical RoT, thus achieving the continuity of trust transfer, the linking evidence comprising: public key algorithm type, public key list, random number nonce provided by the server when generating the passport, remote attestation service IP address and remote authentication client (Remote Attestation Client, RAC) port number of the virtual machine manager VMM, etc.; a server certificate; server signatures, etc. The accumulator-based remote proof passport 704 is similar to the public key list-based remote proof passport 702, but does not store a public key list, but uses the root value output by the accumulator as a passport verifying whether a public key belongs to the root value designation.

Schematic diagrams of certificates and the architecture and flow for obtaining certificates and verifying certificates according to embodiments of the present disclosure are described above in connection with fig. 5-7. The process of interaction between the physical host 102, the authentication server 114, and the authentication server in the above architecture is described below in connection with fig. 8-11. The above-described interaction process is performed by physical hosts 102, authentication server 114, and authentication server 112 in FIG. 5, or any suitable computing device.

As shown in fig. 8, an example of a credential at a physical host 102 is shown, according to some embodiments of the application. At block 802, a request to obtain credentials is sent to an authentication server at a physical host. For example, the physical host 102 may first send a request to the authentication server 114 to obtain credentials, and at block 804, a random number is obtained from the authentication server. The authentication server 114 generates a random number upon receipt of the request and then transmits it to the physical host 102. In some embodiments, the virtual machine manager in the physical host also generates a set of key pairs, and then forms a set of public keys from the public keys of the set of key pairs.

At block 806, signed remote attestation information is obtained from a hardware root of trust of the physical host based on the random number and a set of public keys. The virtual machine manager of the physical host generates a target hash value from the random number and a set of public keys. In some embodiments, physical host 102 generates a string from a random number and a set of public keys. The physical host then generates a target hash value from the string. In one example, the physical host, when generating the string, forms the string by linking a random number, a set of public keys, an internet protocol address of the virtual machine manager in the physical host mechanism, and a port number of a remote authentication service of the virtual machine manager. In another example, when generating a string, the physical host enters a set of public keys into an accumulator to obtain a root value. And then generating a character string by adopting the root value and the random number. Additionally, the computing device forms the string by linking the random number, the root value, the internet protocol address of the virtual machine manager, and the port number of the remote authentication service of the virtual machine manager. The above examples are merely for the purpose of describing the present disclosure and are not intended to be a specific limitation thereof. The signed remote attestation information includes a signed certificate for a hardware trusted root. Alternatively, the signed remote attestation information further includes a signature by the signed certificate and the target hash value. The physical host 102 passes the target hash value to the hardware root of trust, which obtains local attestation information for the hardware root of trust, including signed certificates, alternatively additionally, information collected by the physical host, such as information about the hardware, information of the operating system, etc.; remote attestation information is then generated based on the target hash value and the local attestation information. For example, an information list is formed from the target hash value and the local certification information. The remote attestation information is then signed using a signing private key corresponding to the signing certificate.

At block 808, a reply message is sent to the authentication server. Wherein the reply message includes signed remote attestation information, indication information regarding a set of public keys, and a random number. For example, the physical host 102 sends a reply message to the authentication server 114 that includes signed remote attestation information, indication information about a set of public keys, and a random number. Alternatively or additionally, the reply message further includes an internet protocol address of a virtual machine manager in the physical host and a port number of a remote authentication service of the virtual machine manager. At block 810, credentials are obtained from an authentication server. The credential indicates the trustworthiness of a set of public keys, e.g., indicating that a set of public keys is deemed trusted due to hardware trust root trustworthiness. After receiving the reply message, the authentication server 114 authenticates the received message. After passing the verification, a credential is generated and sent to the physical host 102. In some embodiments, wherein the indication information includes a root value, the root value is obtained by inputting a set of public keys into the accumulator. In some embodiments, wherein the indication information comprises a set of public keys.

Additionally, the physical host 102 may also register a virtual machine with the validation server 112 based on the acquired credentials. In some embodiments, physical host 102, upon launching the virtual machine and corresponding virtual trusted root, may select a key pair assigned to the virtual trusted root from a set of key pairs generated upon acquiring the credentials, the key pair comprising a public key and a private key. The physical host 102 then obtains a signed certificate for the public key. The physical host 102 may obtain a signed certificate for the public key based on existing techniques. The physical host 102 then sends a request to the authentication server 112 to register the virtual machine, including the identity of the virtual machine. The authentication server 112, upon receiving a request to register the virtual machine, generates a random number and then transmits it to the physical host 102. The physical host 102 receives a request from the authentication server 112 to obtain attestation information, the request including a random number generated by a second authentication server. The physical host then obtains signed remote attestation information based on the random number, which may also be referred to as second remote attestation information for descriptive convenience. The physical host 102 then sends signed second remote attestation information for the virtual machine to the validation server 112 for use in determining the trusted status of the virtual machine, the signed second remote attestation information including the signed certificate and a corresponding second signature.

In some embodiments, the physical host, upon receiving the random number, may utilize the random number to obtain local information about the virtual machine from the virtual machine, such as a signed certificate for the virtual machine, as well as other information about the virtual machine, such as a software system used by the virtual machine, and the like. The random number and the local to the virtual machine are then signed with a private key corresponding to the signing certificate of the virtual machine to generate signed second remote attestation information. The physical host 102 then sends the signed second remote attestation information to the validation server 112 to determine the trusted status of the virtual machine.

Alternatively or additionally, receiving a request from the verification server 112 to obtain attestation information also includes obtaining the policies of attestation information. The physical host 102 sends information to the authentication server 112 according to the policy. The policy includes obtaining only attestation information for the virtual machine or obtaining attestation information for the virtual machine and the credentials described above. In some embodiments, when the policy indicates that only attestation information for the virtual machine is to be obtained, the physical host 102 obtains signed second remote attestation information from the virtual trusted root based on the random number, wherein the signed second remote attestation information further includes an internet protocol address of a virtual machine manager in the physical host and a port number of a remote authentication service of the virtual machine manager. The physical host 102 then sends the signed second remote attestation information to the verification server 112. The verification server 112 verifies the remote attestation information after receiving the second remote attestation information. After the remote attestation information is verified, the verification server 112 sends a request to the virtual machine manager of the physical host 112 to obtain the credentials, the request including an internet protocol address, a port number, and a signed certificate. Upon receiving the request to obtain the credential, the physical host 102 obtains the credential from the public key in the signed certificate. For example, the virtual machine manager of the physical host may look up a credential having the public key or supporting the public key from among a plurality of credentials in the virtual machine manager based on the public key in the signed certificate. The physical host then sends credentials to the validation server 112 for determining the trusted status of the virtual machine. The validation server 112, upon receiving the credentials, may utilize the acquired credentials to determine the trusted state of the virtual machine. The server signature of the credential is verified, for example, by a public key in a server certificate in the credential, such as with a public key of a server certificate generated by the verification server 114. The verification server 112 then also verifies whether the public key in the virtual machine's signed certificate is supported by the credential, e.g., whether the public key is contained in the credential, or whether it is supported by the root value of the verification server, etc.

In some embodiments, the policy indicates that attestation information and credentials for the virtual machine are obtained. If the policy indicates that attestation information and credentials for the virtual machine are to be obtained, the physical host 102 obtains signed second remote attestation information from the virtual trusted root. The physical host 102 may also obtain credentials from the virtual machine manager based on the public key for the virtual machine. The physical host 102 then sends the signed second remote attestation information and credentials to the validation server 112 for determining the trusted status of the virtual machine.

An example of a method at a physical host 102 for obtaining credentials is described above in connection with fig. 8. The process of provisioning credentials is described below in connection with fig. 9, which shows a schematic flow chart diagram for provisioning credentials according to some embodiments of the application. The above-described process is performed by the authentication server 114 in fig. 5 or any suitable computing device.

As shown in fig. 9, the authentication server 114 generates a random number upon receiving a request for acquiring a credential from a physical host. The authentication server 114 then sends the random number to the physical host. As depicted in fig. 8, the physical host generates a reply message based on the random number and sends the reply message to the authentication server 114.

At block 902, a reply message is received from a physical host at an authentication server. The reply message includes signed remote attestation information including a signed certificate for a hardware trusted root of the physical host, indication information about a set of public keys, and a random number. Additionally, the signed remote attestation information further includes a signature by the signed certificate and a target hash value, the target hash value generated based on the random number and a set of public keys from a set of key pairs generated in the physical host.

At block 904, the signed remote attestation information is verified. For example, the verification server 114, upon receiving the reply message, verifies the signed remote attestation information. In some embodiments, in verifying the signed remote attestation information, verification server 114 verifies the signature in the signed remote attestation information with a public key in the signed certificate. If the signature fails verification, the operation of obtaining the credential is ended. If the signature passes the verification, the verification server generates a verification hash value according to the random number and the indication information in the reply. The target hash value and the verification hash value are then compared to verify the signed remote attestation information. In some embodiments, the indication information includes a set of public keys, and in generating the verification hash value, the verification server 114 generates a string from the random number and the set of public keys. The string is then hashed to generate a verification hash value. Alternatively or additionally, the reply message further includes an internet protocol address of a virtual machine manager in the physical host, a port number of a remote authentication service of the virtual machine manager; the authentication server 114 forms a string by linking a random number, a set of public keys, an internet protocol address, and a port number. In some embodiments, the indication information includes a root value obtained by inputting a set of public keys into the accumulator, and in generating the verification hash value, the verification server 114 generates the string based on the random number and the root value. Authentication server 114 then generates an authentication hash value based on the string. Additionally, wherein the reply message further includes an internet protocol address of a virtual machine manager in the physical host, a port number of a remote authentication service of the virtual machine manager; the authentication server 114 forms a string by linking the random number, root value, internet protocol address, and port number.

At block 906, a determination is made as to whether the signed remote attestation information is verified. It may be determined whether the signed remote attestation information is verified by the verification operations described above. Upon verification of the signed remote attestation information, at block 908, based on the remote attestation information and the indication information, a credential is generated that indicates the trustworthiness of the set of public keys, e.g., that the set of public keys is deemed trustworthy due to the hardware root of trust. Alternatively or additionally the credentials also include an internet protocol address and a port number. In some embodiments, the validation server 114, when generating the credential, also generates an evaluation result by evaluating the remote attestation information; and adding the evaluation result into the certificate. For example, the performance and the operating system of the physical host are evaluated, and a corresponding evaluation result is generated and added into the certificate. In some embodiments, the validation server 114, upon generating the credentials, evaluates the remote attestation information to generate an evaluation result. It is then determined whether the evaluation result meets a predetermined requirement, for example, whether the evaluated hardware meets the requirement. If the evaluation result does not meet the predetermined requirement, the operation is ended. If the evaluation result meets the predetermined requirement, generating a credential, the credential including the evaluation result. At block 910, the validation server 114 sends the credential to the physical host.

An example of a process at the authentication server 114 for provisioning credentials is described above in connection with fig. 9. The process for verifying information is described below in conjunction with fig. 10, which shows a schematic flow chart for verifying information according to some embodiments of the application. The above-described process is performed by the authentication server 112 in fig. 5 or any suitable computing device.

At block 1002, it is determined whether a first request to register a virtual machine in a physical host is received from the physical host. For example, the validation server 112 determines whether a request to register a virtual machine in a physical host is received from the physical host 102. If a first request to register a virtual machine in a physical host is received from the physical host, at block 1004, a random number is generated at the authentication server. At block 1006, the authentication server sends a second request to the physical host for obtaining attestation information, the second request including a random number. Additionally, the second request further includes a policy. For example, the authentication server determines a policy for the physical host to obtain the attestation information. Such as obtaining the remote information for the virtual machine only from the virtual machine or obtaining the remote information for the virtual machine and the credentials described above from the virtual machine. As in the description of fig. 8, upon receiving the second request to obtain attestation information, the physical host may provide signed remote attestation information and credentials for the virtual machine to verification server 1112 based on the policy.

Signed remote attestation information and credentials for a virtual machine are received from a physical host at block 1008. Wherein the signed remote attestation information includes a signed certificate and a corresponding signature, the signed certificate being a certificate for a public key selected from a set of public keys assigned to the virtual machine. The credential indicates the trustworthiness of a set of public keys, e.g., indicating that the set of public keys is deemed trusted due to the hardware trust root of the physical host being trusted, where the set of public keys is from a set of key pairs generated by a virtual machine manager of the physical host. At block 1010, a trusted state of the virtual machine is determined based on the signed remote attestation information and the credential.

In some embodiments, wherein the signed remote attestation information further includes an internet protocol address of a virtual machine manager in the physical host and a port number of a remote authentication service of the virtual machine manager. If the policy indicates that only attestation information for the virtual machine is to be obtained, validation server 1112 first receives the signed remote attestation information. The verification server then verifies the signed remote attestation information. The signature is verified, for example, using a public key in a signature certificate for the virtual machine included in the signed remote attestation information. If the signed remote attestation information fails verification, the operation ends. If the signed remote attestation information is verified, the verification server obtains a signed certificate, an Internet protocol address, and a port number from the signed remote attestation information. The validation server 112 then sends a third request to the virtual machine manager of the physical host to obtain credentials, the third request including an internet protocol address, a port number, and a signed certificate. Upon receiving a request to send a get credential, the physical host 102 gets the credential based on the internet protocol address, port number, and signed certificate as described with respect to fig. 8. The physical host 102 then sends the credentials to the authentication server 112 so that the authentication server 112 receives the credentials from the physical host 102. After receiving the signed remote attestation information and the credentials, the validation server 112 validates the credentials. The server signature of the credential is verified, for example, by a public key in a signed certificate in the credential, such as with a public key of a server certificate generated by the verification server 114. If the credential is not validated, the operation ends. If the credential is authenticated, it is determined whether the public key in the signed certificate is supported by the credential. Such as whether the public key is contained in the credential or supported by the root value of the authentication server, etc. If the public key is not supported by the credential, the operation ends. If the public key is supported by the credential, it is determined that the virtual machine is trusted.

In some embodiments, wherein the policy indicates that attestation information and credentials for the virtual machine are obtained. At this point, the verification server 112 first receives the signed remote attestation information and the credential. The verification server then needs to verify the signed remote attestation information and the credential to determine if the signed remote attestation information and the credential are verified. If the signed remote attestation information and the credential are not verified, the operation is ended. If the signed remote attestation information and the credential pass verification, the signed remote attestation information obtains a signed certificate. The validation server 112 now needs to determine whether the public key in the signed certificate is supported by the credential. If the public key is not supported, the validation process ends. If the public key is supported by the credential, it is determined that the virtual machine is trusted. In one example, in determining whether the public key is supported by the credential, the authentication server determines whether the public key is present in the credential. In another example, the credential includes a root value that is obtained by inputting a set of public keys into an accumulator, and the authentication server 112 extracts the root value in the credential when determining whether the public keys are supported by the credential. The verification server 112 then determines from the root value and the public key whether the public key is supported by the credential, e.g., if the root value is divisible by the public key, indicating that the public key is supported by the root value; if the root value is not divisible by the public key, it is indicated that the public key is not supported by the root value.

A schematic flow chart for verifying information at the verification server 112 according to some embodiments of the application is described above in connection with fig. 10. Another process for verifying information is described below in conjunction with fig. 11, which shows a schematic flow chart for verifying information in accordance with some embodiments of the application. The above-described process is performed by the authentication server 112 in fig. 5 or any suitable computing device.

At block 1102, it is determined whether a first request to register a virtual machine in a physical host is received from the physical host. If a first request to register a virtual machine in a physical host is received from the physical host, at block 1104, a second request to obtain attestation information is sent to the physical host at a first authentication server. Wherein the second request includes a random number. For example, the validation server 112 sends a second request to the physical host 102 to obtain attestation information. Signed remote attestation information for the virtual machine is then received at block 1106. The remote attestation information includes a signed certificate, which is a certificate for a public key assigned to the virtual machine selected from a set of public keys. The physical host as described in fig. 8, upon receiving the request, generates signed remote attestation information to authentication server 112. At block 1108, a determination is made as to whether the signed remote attestation information is verified. The process of verifying signed remote attestation information may be found in the foregoing description. If the verification is not passed, the operation is ended. If the signed remote attestation information is verified, at block 1110, a signed certificate is obtained.

At block 1112, a third request to obtain the credential is sent to the second validation server, the third request including the signed certificate. The authentication server 112 generates a request for acquiring a credential using the signed certificate and then sends to the authentication server 114. At block 1114, the credential is obtained from the second authentication server. The validation server 114, upon receiving the request, will use the signed certificate in the request to obtain the credential. In the authentication server 114, a plurality of credentials are stored as it is. Thus, the public key in the signed certificate may be utilized to find the credentials that support the public key. In one example, the credential includes the public key. In another example, the root value in the credential is generated by the public key. The above examples are merely for the purpose of describing the present disclosure and are not intended to be a specific limitation thereof.

At block 1116, a trusted state of the virtual machine is determined based on the credentials. The credential indicates the trustworthiness of a set of public keys, e.g., the credential indicates that a set of public keys is deemed trusted because the hardware trust root of the physical host is trusted. Additionally, the set of public keys is from a set of key pairs. In some embodiments, upon determining the trusted status, the validation server 112 validates the credential upon receipt of the credential. If the credential is not validated, the operation ends. If the credential is authenticated, it is determined whether the public key of the signed certificate is supported by the credential. If the public key is not supported by the credential, the operation ends. If the public key is supported by the credential, it is determined that the virtual machine is trusted. In one example, in determining whether the public key of the signed certificate is supported by the credential, the verification server 112 determines whether the public key is present in the credential. In another example, the credential includes a root value obtained by inputting a set of public keys into an accumulator, and the verification server 112 extracts the root value in the credential when determining whether the public key of the signed certificate is supported by the credential. The authentication server then determines whether the public key is supported by the credential based on the root value and the public key.

The process of interacting between the physical hosts 102 and the authentication server 114 and the authentication server 112 in the system architecture is described above in connection with fig. 8-11. Four examples for acquiring credentials and verification information in accordance with embodiments of the present disclosure are described below in connection with fig. 12-17. FIGS. 12-13 depict a first example for obtaining credentials and verification information; fig. 14-15 describe a second example for acquiring credentials and verification information. FIG. 16 depicts a third example for obtaining credentials and verification information; fig. 17 depicts a fourth example for acquiring credentials and verification information. The example processes described above are performed by physical hosts 102, authentication server 114, and authentication server 112 in fig. 5, or any suitable computing device.

Fig. 12 and 13 provide a first example process for remotely proving a passport based on credential acquisition of a virtual trusted root. The main function of the credential is to provide a binding of the key pair in the signed certificate AIK of the virtual trusted root to the hardware trusted root RoT of the platform. The example process is split into two parts, the first part being that the virtual machine manager obtains credentials from the cloud pipe. The second part is that the virtual machine uses the certificate obtained before to prove the trust of the hardware platform and the relevance of the hardware platform and the signature certificate vAIK provided by the virtual trust root in the remote proving process.

As shown in fig. 12, there is a hardware root of trust 1202, a virtual machine manager 1204, and a cloud pipe 1206. In the first partial flow, at block 1208, the virtual machine manager generates N pairs of keys { pk_i, sk_i }, i=1, 2, …, N, where N is a positive integer. The virtual machine manager then sends 1210 a remote attestation passport acquisition request to the cloud pipe. After receiving the request, the remote attestation management module of the cloud management server generates a random number nonce1 and sends 1212 the random number to the virtual machine manager. After receiving noce1, the virtual machine manager, at block 1214, compares noce1, public key pk_i, i=1, 2, …, and N, and information such as IP addresses, port numbers and the like of the virtual machine manager are linked to form a character string s, wherein s=nonce1|PK1|PK2| … |IP|port numbers. At block 1216, the virtual machine manager inputs the string s into a hash function, obtaining a hash value, h1=hash(s), where hash () represents the hash function. The virtual machine manager sends 1218 h1 to the hardware root of trust RoT (e.g., TPM) over a physical interface (e.g., system call interface) to request the remote attestation information stored in the hardware root of trust. At block 1220, the hardware trusted root takes h1 as input, generates the current remote attestation material RA1, and signs the remote attestation material RA1 using a trusted reporting root (Root for Trust Report, RTR) maintained in the hardware trusted root. For example, according to existing specifications, RA1 contains RTR certificates, such as the signed certificate AIK in the TPM specification or other signed certificates, such as access key (ACCESS KEY, AK) certificates. The hardware trusted root sends the signed remote attestation information back to the virtual machine manager. The virtual machine manager sends 1224 the signed remote attestation material information RA1, nonce1, public key list (pk_1, pk_2, …, pk_n), virtual machine manager IP address, virtual machine manager remote attestation service port number to cloud pipe 1206. At block 1226, the cloud tube 1206 verifies the signed remote attestation RA1 and generates h1 'using the methods in 1214 and 1216, and compares h1' to h1 contained in RA1, and if consistent, the verification passes. At block 1228, the cloud management server evaluates the remote attestation material in RA1 and forms an evaluation result. The cloud management server combines and signs the remote proof material, the evaluation result, the nonce1, the public key list, the virtual machine manager IP address, the port number, the server certificate and other information according to a remote proof passport format. The cloud management server sends 1230 the formed remote proof passport to the virtual machine manager. At block 1232, the virtual machine manager stores the remote proof passport received in 1230.

Fig. 13 shows a second portion of the present example, including a virtual machine manager 1302, a virtual trusted root 1304, a virtual machine 1306, a cloud pipe 1308, and a network management 1310. The network manager, the virtual machine and the physical host use the remote certification passport to complete the remote certification of the virtual machine and the physical host bearing the virtual machine. At block 1312, the physical host completes the trusted boot and the virtual machine manager enters an operational state, and at block 1314, the virtual machine manager applies to the cloud management server and obtains a remote proof passport, a specific method of obtaining a remote proof passport is described with reference to fig. 12. When the virtual machine manager starts the virtual machine and the virtual trusted root, the virtual machine manager 1302 selects a pair of pk_i, sk_i from a set of key pairs that were previously generated as credentials or passports, and then passes 1316 to the virtual trusted root. At block 1318, the virtual machine applies for a remote attestation certificate, vaik_i, for the virtual root of trust. The virtual machine then sends 1320 a virtual machine registration request to the network management server. The webmaster server sends 1322 a remote attestation request to the virtual machine and provides a random number nonce2 and designates the policy as VM Only, i.e. provides information Only for the virtual machine. At 1324, upon receiving the remote attestation request, the virtual machine sends nonce2 to the virtual root of trust. The virtual trusted root generates signed remote attestation information for the virtual machine and sends back to the virtual machine. The signed remote attestation information includes the vAIK_i certificate and the signature performed by the vAIK_i certificate. The virtual machine sends 1326 signed remote attestation information to the network manager, where the signed remote attestation information includes virtual machine attestation information provided by the virtual trusted root, the vAIK_i certificate, the IP address and port number of the virtual machine manager remote attestation service. At block 1328, the network manager verifies the signed remote attestation information provided by the virtual machine. At block 1330, the network manager extracts the vaik_i certificate, the virtual machine manager remote attestation service's IP address and port number from the message. The network manager then sends 1332 to the virtual machine manager, based on the IP address and port number obtained at block 1130, a remote attestation request to obtain the passport and the public key vaik_i. At block 1334, the virtual machine manager, upon receiving the request, obtains the corresponding remote proof passport using pk_i in vaik_i. The virtual machine manager sends 1336 the remote proof passport to the network manager. At block 1338, the network administrator verifies the remote proof passport. After verification is passed, the webmaster extracts the linking evidence from the remote proof passport and verifies if pk_i is one of the public keys endorsed by the passport at block 1340. If not, the operation is ended. If so, the entire remote attestation process ends.

The remote proof passport is defined, a secure association relation is established for the virtual trusted root and the hardware trusted root, the trust chain is expanded, and the embodiment expands the existing remote verification protocol aiming at the characteristics of the remote proof passport, so that a complete solution is provided for remote verification of the virtual machine.

Fig. 14 and 15 provide a second example process for remotely proving a passport based on a credential acquisition virtual trusted root vRoT. As shown in fig. 14, it includes a hardware root of trust 1402, a virtual machine manager 1404, and a cloud pipe 1406. Operations 1408, 1410, and 1412 in this process are the same as the corresponding operations in fig. 12. Next, at block 1414, the virtual machine manager inputs pk_i, i=1, 2, …, N into an accumulator, obtaining the root value. Then, at block 1416, the virtual machine manager links the root value, nonce1, and other related information, such as the virtual machine manager's IP address, the port number of the remote authentication service, etc., into a string and inputs into a hash function h to obtain a hash value h1. The following operations 1418, 1420, and 1422 are the same as example one. The virtual machine manager sends 1424 the signed remote attestation information, nonce1, root value, and other relevant information, the virtual machine manager's IP address, port number of the remote authentication service, etc., to the cloud management server. At block 1426, the remote proof passport management module on the cloud management server verifies the signed remote proof information RA1 and validates nonce1, root value, IP address of virtual machine manager, remote verification service port number, etc. for hash value generation. At block 1428, the cloud management server evaluates the remote proof of verification and outputs the result and generates a remote proof passport with the remote proof of evidence RA1, nonce1, root values and algorithms, virtual machine manager IP address and port number, server certificate, etc. information. The cloud tube then signs the remote verification passport. Operations 1430 and 1432 are the same as the corresponding operations in fig. 12.

Fig. 15 shows how a network management server, virtual machine, physical host can use a remote proof passport with privacy protection to complete remote proof of the virtual machine and the physical host carrying the virtual machine. Operations 1512 and 1514 are the same as the corresponding operations in fig. 13 in the first example. When the virtual machine manager starts vRoT, a key pair (pk_i, sk_i) is assigned to the RoT and sent 1516 to the virtual trusted root. Operations 1518, 1520, 1522, 1524, 1526, 1528, 1530, 1532, 1534, 1536, 1538 are the same as the corresponding operations in fig. 13. At block 1540, the network manager extracts the root value from the remote proof passport's linked evidence provided by the virtual machine manager, verifies if pk_i in vaik_i is involved in root value generation, and if so, completes the verification of the physical host and virtual. Otherwise, the verification fails.

Fig. 16 provides a third example process for remotely proving a passport based on a credential acquisition virtual trusted root vRoT. As shown in fig. 16, it includes virtual machine manager 1602, virtual trusted root 1604, virtual machine 1606, cloud pipe 1608, and network pipe 1610. Wherein operations 1612, 1614, 1616, 1618, and 1620 are the same as corresponding operations described in fig. 13. The network manager sends 1622 a remote attestation request to the VM, the request including a random number, and the policy specifies that the virtual machine can send the remote attestation information of the virtual machine together with the remote attestation passport of the physical host. The virtual machine notification 1624 the virtual trusted root provides remote attestation information for the virtual machine and remote attestation passports for the physical hosts. The virtual trusted root sends 1626 a request to the virtual machine manager asking for a remote attestation passport associated with the vaik_i certificate. At block 1628, the virtual machine manager looks up the corresponding remote proof passport using the public key pk_i in the vaik_i certificate. The virtual machine manager sends 1630 the found remote proof passport to the virtual root of trust. The virtual trusted root generates signed remote attestation information for the virtual machine and sends 1632 the signed remote attestation information with the remote attestation passport to the network administrator. At block 1634, the webmaster server validates the VM remote validation material. At block 1636, the network management server obtains the virtual machine manager IP, the remote authentication client (Remote Attestation Client, RAC) port, and pk_i in the vaik_i certificate from the signed remote attestation information. At block 1638, the webmaster server verifies the remote proof passport, the verification method being the same as the previous example. At block 1640, the webmaster server extracts the linking evidence from the remote attestation passport, verifies whether the public key pk_i of the vaik_i certificate is directly or indirectly contained in the remote attestation passport, and if so, completes the attestation, confirming the trusted status of the virtual machine/virtual network function module. If not, the operation is ended. Through the method, the association relation between the virtual trusted root and the hardware trusted root is realized, and the performance problem caused by the hardware trusted root equipment when the virtualization platform performs depth certification is solved, so that the user experience is improved.

Fig. 17 provides a fourth example process for remotely proving a passport based on a credential acquisition virtual trusted root vRoT. As shown in fig. 17, trusted boot is completed at operation 1712. At block 1714, a remote proof passport is generated, the process of which is described in example one with respect to FIG. 13. In addition, the cloud tube stores the corresponding remote proof passport during the generation of the remote proof passport. Operations 1718, 1720, 1722, 1724, 1726, 1730, 1732 in fig. 17 are the same as corresponding operations in fig. 14. The webmaster sends a remote attestation passport acquisition request to cloud pipe 1734 and carries the vaik_i certificate. The cloud tube looks up the corresponding remote proof passport and returns 1736 to the network manager. At block 1738, the network administrator verifies the remote proof passport. At block 1740, the network administrator verifies if pk_i in the vaik_i certificate is directly or indirectly contained in the connection evidence provided by the remote authentication passport. If the virtual machine is included, the certification is completed, the trusted state of the virtual machine is confirmed, and if the virtual machine is not included, the verification is ended. Through the method, the association relation between the virtual trusted root and the hardware trusted root is realized, and the performance problem caused by the hardware trusted root equipment when the virtualization platform performs depth certification is solved, so that the user experience is improved.

Fig. 18 further illustrates a block diagram of an apparatus 1800 for determining a target vehicle, the apparatus 1800 may include a plurality of modules for performing corresponding steps in the process 200 as discussed in fig. 2, according to an embodiment of the application. As shown in fig. 18, the apparatus 1800 includes a request transmitting unit 1802 configured to transmit a request for acquiring an encryption certificate to an authentication server at a physical host, the request including a target public key for a virtual root of trust of a virtual machine; a random number acquisition unit 1804 configured to acquire a random number encrypted by the target public key from the authentication server; a remote attestation information acquisition unit 1806 configured to acquire signed remote attestation information from a hardware root of trust of a physical host based on the encrypted random number, the signed remote attestation information including a signature certificate for the hardware root of trust; and a certification information and public key transmission unit 1808 configured to transmit the signed remote certification information and target public key to the authentication server; an encryption certificate receiving unit 1810 configured to receive an encryption certificate for a target public key from an authentication server.

In some embodiments, the apparatus 1800 further comprises: and a start-up generation unit configured to generate a target public key from the virtual trusted root in response to the virtual trusted root being started up.

In some embodiments, wherein the remote attestation information acquisition unit 1806 includes: a decryption unit configured to decrypt the encrypted random number using a target private key corresponding to the target public key; and a local information acquisition unit configured to acquire local attestation information for the hardware root of trust based on the decrypted random number, the local attestation information including a signature certificate; an information generation unit based on the random number configured to generate remote certification information based on the decrypted random number and the local certification information; and a naming unit configured to sign the remote attestation information using a signature private key corresponding to the signature certificate.

In some embodiments, wherein the authentication server is a first authentication server and the signature credential is a first signature credential, the apparatus 1800 further comprises: and a second signature certificate acquisition unit configured to transmit the encrypted certificate to the second authentication server to acquire the second signature certificate from the second authentication server.

Fig. 19 further illustrates a block diagram of an apparatus 1900 for providing credentials, the apparatus 1900 may include a plurality of modules for performing corresponding steps in the process 300 as discussed in fig. 3, according to an embodiment of the application. As shown in fig. 1900, the apparatus 1900 comprises a random number generation unit 1902 configured to generate, at the authentication server, a random number in response to receiving a request from the physical host for obtaining an encryption certificate, the request comprising a target public key for a virtual root of trust of the virtual machine; an encryption unit 1904 configured to encrypt the random number using the target public key; a random number transmission unit 1906 configured to transmit the encrypted random number to the physical host; a remote attestation information receiving unit 1908 configured to receive a target public key and signed remote attestation information from a physical host, the signed remote attestation information including a signed certificate for a hardware root of trust of the physical host; and a certificate transmission unit 1910 configured to transmit an encryption certificate to the physical host in response to the signed remote attestation information being authenticated, the encryption certificate being for the target public key.

In some embodiments, the location 1900 further comprises: a verification unit configured to verify the signed remote attestation information by: verifying the signature using the verification public key in the signature certificate; and determining whether the signed remote attestation information includes a random number; and a verification determination unit configured to determine that the signed remote attestation information is verified in response to the signature being verified and the signed remote attestation information including a random number.

Fig. 20 further illustrates a block diagram of an apparatus 2000 for acquiring credentials, the apparatus 2000 may include a plurality of modules for performing corresponding steps in a process 800 as discussed in fig. 8, in accordance with an embodiment of the present application. As shown in fig. 20, the apparatus 2000 includes a request transmitting unit 2002 configured to transmit a request for acquiring a credential to an authentication server at a physical host; a random number acquisition unit 2004 configured to acquire a random number from the authentication server; a remote attestation information acquisition unit 2006 configured to acquire signed remote attestation information from a hardware root of trust of a physical host based on a random number and a set of public keys, the signed remote attestation information including a signature certificate for the hardware root of trust; and a reply information transmitting unit 2008 configured to transmit reply information including signed remote attestation information, instruction information on a set of public keys, and a random number to the authentication server, the credential acquisition unit 2010 configured to acquire from the authentication server that the credential indicates that the set of public keys is deemed trusted due to hardware trusted root trustworthiness.

In some embodiments, the apparatus 2000 further comprises: a set of public key generation units configured to generate a set of public keys by a virtual machine manager in a physical host.

In some embodiments, wherein the remote attestation information retrieval unit 2006 includes: a character string generation unit configured to generate a character string based on the random number and a set of public keys; and a first hash value generation unit configured to generate a target hash value based on the character string; a first attestation information acquisition unit configured to acquire signed remote attestation information from a hardware root of trust of the physical host based on the target hash value.

In some embodiments, wherein the character string generation unit comprises: a first linking unit configured to form a string by linking the random number, a set of public keys, an internet protocol address of the virtual machine manager, and a port number of a remote authentication service of the virtual machine manager.

In some embodiments, wherein the character string generation unit comprises: an accumulation unit configured to obtain a root value by inputting a set of public keys into the accumulator; and a first character string generation unit configured to generate a character string based on the root value and the random number.

In some embodiments, wherein the first character string generating unit comprises: and a second linking unit configured to form a character string by linking the random number, the root value, the internet protocol address of the virtual machine manager, and the port number of the remote authentication service of the virtual machine manager.

In some embodiments, wherein the indication information includes a root value.

In some embodiments, wherein the indication information comprises a set of public keys.

In some embodiments, wherein the first attestation information acquisition unit includes: a local attestation information acquisition unit configured to acquire local attestation information for a hardware root of trust, the local attestation information including a signature certificate, based on a target hash value; a first remote certification information generating unit configured to generate remote certification information based on the target hash value and the local certification information; and a signature unit configured to sign the remote attestation information using a signature private key corresponding to the signature certificate.

In some embodiments, wherein the request is a first request, the signed remote attestation information is a first signed remote attestation information, the verification server is a first verification server, the signature is a first signature, the apparatus 2000 further comprises: an allocation unit configured to select a public key allocated to the virtual trusted root from a set of public keys in response to starting the virtual machine and the corresponding virtual trusted root; a certificate acquisition unit configured to acquire a signature certificate for a public key; a second request transmitting unit configured to transmit a second request for registering the virtual machine to a second authentication server, the second request including an identification of the virtual machine; a third request receiving unit configured to receive a third request for acquiring the certification information from the second authentication server, the third request including a random number generated by the second authentication server; and a remote attestation information sending unit configured to send signed second remote attestation information for the virtual machine to a second verification server for determining a trusted state of the virtual machine, the signed second remote attestation information including the signed certificate and a corresponding second signature.

In some embodiments, wherein the third request further includes a policy to obtain attestation information; wherein the remote certification information transmitting unit includes: and a policy-based transmitting unit configured to transmit the signed second remote attestation information based on the policy.

In some embodiments, wherein the policy-based transmitting unit comprises: a unit to obtain signed attestation information configured to obtain only attestation information for a virtual machine in response to a policy indication, obtain signed second remote attestation information from a virtual trusted root based on a random number, the signed second remote attestation information further including an internet protocol address of a virtual machine manager in a physical host and a port number of a remote authentication service of the virtual machine manager; a signed information transmitting unit configured to transmit the signed second remote attestation information to the second verification server; a credential acquisition unit configured to acquire a credential based on a public key in the signed certificate in response to receiving a fourth request for acquiring the credential, the fourth request including an internet protocol address, a port number, and the signed certificate; and a credential transmitting unit configured to transmit a credential to the second authentication server to determine a trusted state of the virtual machine.

In some embodiments, wherein the policy-based transmitting unit comprises: a signed information obtaining unit configured to obtain attestation information and credentials for the virtual machine in response to the policy directive, obtain signed second remote attestation information from the virtual trusted root; credential acquisition information based on the public key configured to acquire credentials from the virtual machine manager based on the public key; and an information and credential transmitting unit configured to transmit the signed second remote attestation information and credential to the second verification server for determining a trusted state of the virtual machine.

Fig. 21 further illustrates a block diagram of an apparatus 2100 for providing credentials, in accordance with an embodiment of the present application, the apparatus 2100 may include a plurality of modules for performing corresponding steps in the process 900 as discussed in fig. 9. As shown in fig. 21, the apparatus 2100 includes a reply message receiving unit 2102 configured to receive, at the authentication server, a reply message from the physical host, the reply message including signed remote attestation information, indication information regarding a set of public keys, and a random number, the signed remote attestation information including a signature certificate for a hardware root of trust of the physical host; a verification unit 2104 configured to verify the signed remote attestation information; a credential generation unit 2106 configured to generate a credential indicating the trustworthiness of a set of public keys based on the remote attestation information and the indication information in response to the signed remote attestation information passing the verification; and a credential transmitting unit 2108 configured to transmit the credential to the physical host.

In some embodiments, wherein the signed remote attestation information includes further includes a target hash value, the verification unit 2104 includes: a hash value verification unit configured to verify the signed remote attestation information and the target hash value by: a signature verification unit configured to verify a signature in the signed remote attestation information by a public key in the signature certificate; a verification hash value generation unit configured to generate a verification hash value based on the random number and the instruction information in response to the signature passing verification; and a comparison verification unit configured to verify the signed remote attestation information by comparing the target hash value and the verification hash value.

In some embodiments, wherein the indication information comprises a set of public keys, wherein the verification hash value generation unit comprises: a character string generation unit configured to generate a character string based on the random number and a set of public keys; and a hash value generation unit based on the character string configured to generate a verification hash value based on the character string.

In some embodiments, wherein the reply message further includes an internet protocol address of a virtual machine manager in the physical host, a port number of a remote authentication service of the virtual machine manager; wherein the first character string generation unit includes: a first linking unit configured to form a character string by linking a random number, a set of public keys, an internet protocol address, and a port number.

In some embodiments, wherein the indication information comprises a root value obtained by inputting a set of public keys into the accumulator, wherein the verification hash value generation unit comprises: a second character string generation unit configured to generate a character string based on the random number and the root value; and a verification hash value generation unit configured to generate a verification hash value based on the character string.

In some embodiments, wherein the reply message further includes an internet protocol address of a virtual machine manager in the physical host, a port number of a remote authentication service of the virtual machine manager; wherein the second character string generating unit includes: and a second linking unit configured to form a character string by linking the random number, the root value, the internet protocol address, and the port number.

In some embodiments, the credentials further include an internet protocol address and a port number.

In some embodiments, wherein the credential generation unit 2106 comprises: a first evaluation result generation unit configured to generate an evaluation result by evaluating the remote attestation information; and a joining unit configured to join the evaluation result to the certificate.

In some embodiments, wherein the credential generation unit 2106 comprises: a second evaluation result generation unit configured to generate an evaluation result by evaluating the remote attestation information; and a decision generating unit configured to generate a credential including the evaluation result in response to the evaluation result satisfying a predetermined requirement.

In some embodiments, the apparatus 2100 further comprises: a random number generation unit configured to generate a random number in response to receiving a request for acquiring a credential from a physical host; and a random number transmitting unit configured to transmit the random number to the physical host.

Fig. 22 further illustrates a block diagram of an apparatus 2200 for verifying information, in accordance with an embodiment of the present application, the apparatus 2200 may include a plurality of modules for performing the corresponding steps in the process 1000 as discussed in fig. 10. As shown in fig. 22, the apparatus 2200 includes a random number generation unit 2202 configured to generate a random number at the authentication server in response to receiving a first request from the physical host to register a virtual machine in the physical host; a certification information acquiring unit 2204 configured to transmit a second request for acquiring certification information to the physical host, the second request including a random number; and a certification information and credential receiving unit 2206 configured to receive, from the physical host, signed remote certification information and credentials for the virtual machine, the signed remote certification information including a signed certificate and a corresponding signature, the signed certificate being a certificate for a public key selected from a set of public keys assigned to the virtual machine, the credentials indicating the trustworthiness of the set of public keys; the trusted state determination unit 2208 is configured to determine the trusted state of the virtual machine based on the signed remote attestation information and the credentials.

In some embodiments, wherein the signed remote attestation information further comprises an internet protocol address of a virtual machine manager in the physical host and a port number of a remote authentication service of the virtual machine manager, wherein the second request further comprises a policy to obtain attestation information from the physical host, the policy indicating that only attestation information for the virtual machine is obtained, wherein attestation information and credential receiving unit 2206 comprises: a first receiving unit configured to receive signed remote attestation information; a first verification unit configured to verify the signed remote attestation information; an acquisition unit configured to acquire a signature certificate, an internet protocol address, and a port number from the signed remote attestation information in response to the signed remote attestation information passing verification; a request transmitting unit configured to transmit a third request to acquire a credential to the physical host, the third request including an internet protocol address, a port number, and a signature certificate; a credential receiving unit configured to receive the credential from the physical host.

In some embodiments, trusted status determination unit 2208 includes a credential verification unit configured to verify credentials; a first support determination unit configured to determine whether a public key in the signed certificate is supported by the certificate in response to the certificate passing verification; and a first virtual machine trust determination unit configured to determine that the virtual machine is trusted in response to the public key being supported by the credential.

In some embodiments, wherein the second request further comprises a policy to obtain attestation information from the physical host, the policy indicating that attestation information and credentials for the virtual machine are obtained, wherein the trusted status determination unit 2208 comprises: a second verification unit configured to verify the signed remote attestation information and the credential; a signature certificate acquisition unit configured to acquire a signature certificate from the signed remote attestation information in response to the signed remote attestation information and the credential passing verification; a second support determining unit configured to determine whether the public key in the signed certificate is supported by the certificate; and a second virtual machine trust determination unit configured to determine that the virtual machine is trusted in response to the public key being supported by the credential.

In some embodiments, wherein the first support determination unit or the second support determination unit comprises: and a public key presence determining unit configured to determine whether the public key is present in the certificate.

In some embodiments, wherein the credential includes a root value obtained by inputting a set of public keys into the accumulator, wherein the first support determination unit or the second support determination unit comprises: an extraction unit configured to extract a root value in the certificate; and a third support determining unit configured to determine whether the public key is supported by the certificate based on the root value and the public key.

Fig. 23 further illustrates a block diagram of an apparatus 2300 for verifying information, in accordance with an embodiment of the application, the apparatus 2300 may include a plurality of modules for performing corresponding steps in a process 1100 as discussed in fig. 11. As shown in fig. 23, the apparatus 2300 includes a credential information acquisition unit 2302 configured to transmit, at the first authentication server, a second request to acquire credential information to the physical host in response to receiving a first request from the physical host to register a virtual machine in the physical host, the second request including a random number; a remote attestation information receiving unit 2304 configured to receive signed remote attestation information for a virtual machine, the remote attestation information including a signed certificate, the signed certificate being a certificate for a public key assigned to the virtual machine selected from a set of public keys; a certificate acquisition unit 2306 configured to acquire a signature certificate in response to the remote attestation information passing verification; a request sending unit 2308 configured to send a third request for acquiring credentials to the second authentication server, the request including a signed certificate; a credential acquisition unit 2310 configured to acquire a credential from a second authentication server; the trusted state determination unit 2312 is configured to determine the trusted state of the virtual machine based on a credential indicating the trustworthiness of a set of public keys.

In some embodiments, wherein the trusted status determination unit 2312 includes: a verification unit configured to verify the credential in response to receiving the credential; a support determination unit configured to determine whether a public key of the signed certificate is supported by the certificate in response to the certificate passing the verification; and a trusted determination unit configured to determine that the virtual machine is trusted in response to the public key being supported by the credential.

In some embodiments, wherein the support determination unit comprises: a public key determination presence unit configured to determine whether the public key is present in the credential.

In some embodiments, wherein the credential includes a root value obtained by inputting a set of public keys into the accumulator, wherein the support determination unit comprises: an extraction unit configured to extract a root value in the certificate; and a public key support determining unit configured to determine whether the public key is supported by the certificate based on the root value and the public key.

Fig. 24 shows a schematic block diagram of an example device 2400 that can be used to implement an embodiment of the present disclosure. For example, the physical host 102, the first authentication server 114, and the second authentication server 112 in FIG. 1, the physical host 102, the first authentication server 114, and the second authentication server 112 in FIG. 5, according to embodiments of the application, may be implemented by the example device 2400. As shown, device 2400 includes a Central Processing Unit (CPU) 2401 that can perform various suitable actions and processes in accordance with computer program instructions stored in a Read Only Memory (ROM) 2402 or loaded from a storage unit 2408 into a Random Access Memory (RAM) 2403. In the RAM2403, various programs and data required for the operation of the device 2400 can also be stored. The CPU 2401, ROM 2402, and RAM2403 are connected to each other through a bus 2404. An input/output (I/O) interface 2405 is also connected to bus 2404.

Various components in device 2400 are connected to I/O interface 2405, including: an input unit 2406 such as a keyboard, a mouse, or the like; an output unit 2407 such as various types of displays, speakers, and the like; a storage unit 2408 such as a magnetic disk, an optical disk, or the like; and a communication unit 2409 such as a network card, a modem, a wireless communication transceiver, and the like. The communication unit 2409 allows the device 2400 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.

Various processes and treatments described above, such as processes 200, 300, 800, 900, 1000, and 1100, may be performed by the processing unit 2401. For example, in some embodiments, processes 200, 300, 800, 900, 1000, and 1100 may be implemented as computer software programs tangibly embodied on a machine-readable medium, such as storage unit 2408. In some embodiments, some or all of the computer programs may be loaded and/or installed onto device 2400 via ROM 2402 and/or communications unit 2409. When the computer program is loaded into RAM 2403 and executed by CPU 2401, one or more of the acts of processes 200, 300, 800, 900, 1000, and 1100 described above may be performed.

The present application may be a method, apparatus, system, chip and/or computer program product. The chip may include a processing unit and a communication interface, and the processing unit may process program instructions received from the communication interface. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for performing various aspects of the present application.

The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: portable computer disks, hard disks, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static Random Access Memory (SRAM), portable compact disk read-only memory (CD-ROM), digital Versatile Disks (DVD), memory sticks, floppy disks, mechanical coding devices, punch cards or in-groove structures such as punch cards or grooves having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media, as used herein, are not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., optical pulses through fiber optic cables), or electrical signals transmitted through wires.

The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.

Computer program instructions for carrying out operations of the present application may be assembly instructions, instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as SMALLTALK, C ++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present application are implemented by personalizing electronic circuitry, such as programmable logic circuitry, field Programmable Gate Arrays (FPGAs), or Programmable Logic Arrays (PLAs), with state information for computer readable program instructions, which can execute the computer readable program instructions.

Various aspects of the present application are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.

These computer readable program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The foregoing description of embodiments of the application has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the improvement of technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims

1. A method for obtaining credentials, comprising:

transmitting, at a physical host, a request to a validation server for obtaining an encryption certificate, the request including a target public key for a virtual root of trust of a virtual machine;

receiving a random number encrypted by the target public key from the authentication server;

obtaining signed remote attestation information from a hardware root of trust of the physical host based on the encrypted random number, the signed remote attestation information including a signed certificate for the hardware root of trust;

sending the signed remote attestation information and the target public key to the verification server; and

An encryption certificate for the target public key is received from the authentication server.

2. The method of claim 1, wherein obtaining the signed remote attestation information comprises:

Decrypting the encrypted random number using a target private key corresponding to the target public key; and

Obtaining local attestation information for the hardware root of trust based on the decrypted random number, the local attestation information comprising the signed certificate;

generating remote attestation information based on the decrypted random number and the local attestation information;

the remote attestation information is signed using a signing private key corresponding to the signing certificate.

3. The method of claim 1, wherein the validation server is a first validation server, the signature credential is a first signature credential, the method further comprising:

the encrypted certificate is sent to a second authentication server to obtain a second signed certificate from the second authentication server.

4. A method for providing credentials, comprising:

Generating, at the authentication server, a random number in response to receiving a request from the physical host for obtaining an encryption certificate, the request including a target public key for a virtual trusted root of the virtual machine;

encrypting the random number using the target public key;

sending the encrypted random number to the physical host;

Receiving the target public key and signed remote attestation information from the physical host, the signed remote attestation information including a signed certificate for a hardware trusted root of the physical host; and

In response to the signed remote attestation information being verified, sending an encryption certificate to the physical host, the encryption certificate being for the target public key.

5. The method of claim 4, the method further comprising:

verifying the signed remote attestation information by:

Verifying the signature using a verification public key in the signature certificate; and

Determining whether the signed remote attestation information includes the random number; and

In response to the signature being verified and the signed remote attestation information including the random number, determining that the signed remote attestation information is verified.

6. A method for acquiring credentials, comprising:

Transmitting, at the physical host, a request to the authentication server for obtaining the credential;

Obtaining a random number from the authentication server;

Obtaining signed remote attestation information from a hardware root of trust of the physical host based on the random number and a set of public keys, the signed remote attestation information including a signed certificate for the hardware root of trust;

Transmitting reply information to the authentication server, the reply information including the signed remote attestation information, indication information regarding the set of public keys, and the random number; and

The credentials are obtained from the authentication server, the credentials indicating the trustworthiness of the set of public keys.

7. The method of claim 6, obtaining signed remote attestation information from a hardware root of trust of the physical host comprises:

generating a string based on the random number and the set of public keys; and

Generating a target hash value based on the string;

based on the target hash value, signed remote attestation information is obtained from a hardware root of trust of the physical host.

8. The method of claim 7, wherein generating the string comprises:

The string is formed by linking the random number with the set of public keys, an internet protocol address of a virtual machine manager, a port number of a remote authentication service of the virtual machine manager.

9. The method of claim 7, wherein generating the string comprises:

Obtaining a root value by inputting the set of public keys into an accumulator; and

And generating the character string based on the root value and the random number.

10. The method of claim 9, wherein generating the string based on the root value and the random number comprises:

The string is formed by linking the random number, the root value, an internet protocol address of a virtual machine manager, and a port number of a remote authentication service of the virtual machine manager.

11. The method of claim 7, wherein obtaining signed remote attestation information from a hardware root of trust of the physical host based on the target hash value comprises:

Based on the target hash value, acquiring local attestation information for the hardware trusted root, wherein the local attestation information comprises the signature certificate;

Generating remote attestation information based on the target hash value and the local attestation information;

12. The method of claim 6, wherein the request is a first request, the signed remote attestation information is a first signed remote attestation information, the verification server is a first verification server, the signature is a first signature, the method further comprising:

selecting a public key assigned to a virtual trusted root from the set of public keys in response to starting the virtual machine and the corresponding virtual trusted root;

acquiring a signature certificate for the public key;

Sending a second request for registering the virtual machine to a second verification server, wherein the second request comprises the identification of the virtual machine;

receiving a third request from the second authentication server for obtaining attestation information, the third request including a random number generated by the second authentication server; and

And sending signed second remote attestation information for the virtual machine to the second verification server for determining a trusted state of the virtual machine, the signed second remote attestation information including the signed certificate and a corresponding second signature.

13. The method of claim 12, wherein the third request further includes a policy to obtain attestation information;

Wherein transmitting the signed second remote attestation information includes:

the signed second remote attestation information is sent based on the policy.

14. The method of claim 13, wherein sending the signed second remote attestation information based on the policy comprises:

Obtaining, in response to the policy indication, only attestation information for a virtual machine, the signed second remote attestation information from the virtual trusted root based on the random number, the signed second remote attestation information further including an internet protocol address of a virtual machine manager in the physical host and a port number of a remote authentication service of the virtual machine manager;

Sending the signed second remote attestation information to the second verification server;

Obtaining the credential based on a public key in the signed credential in response to receiving a fourth request for obtaining the credential, the fourth request including the internet protocol address, the port number, and the signed credential; and

The credentials are sent to the second authentication server to determine a trusted state of the virtual machine.

15. The method of claim 13, wherein sending the signed second remote attestation information based on the policy comprises:

obtaining the signed second remote attestation information from the virtual trusted root in response to the policy indication obtaining attestation information for a virtual machine and the credentials;

obtaining the credentials from the virtual machine manager based on the public key; and

The signed second remote attestation information and the credentials are sent to the second validation server for determining a trusted state of the virtual machine.

16. A method for providing credentials, comprising:

Receiving, at a verification server, reply information from a physical host, the reply information including signed remote attestation information, indication information regarding a set of public keys, and a random number, the signed remote attestation information including a signed certificate for a hardware trusted root of the physical host;

verifying the signed remote attestation information;

Generating the credential based on the remote attestation information and the indication information in response to the signed remote attestation information passing verification, the credential indicating the trustworthiness of the set of public keys; and

And sending the certificate to the physical host.

17. The method of claim 16, wherein the signed remote attestation information further comprises a target hash value, wherein verifying the signed remote attestation information comprises:

Verifying a signature in the signed remote attestation information by a public key in the signed certificate;

Generating a verification hash value based on the random number and the indication information in response to the signature passing verification; and

Verifying the signed remote attestation information by comparing the target hash value and the verification hash value.

18. The method of claim 17, wherein the indication information comprises the set of public keys, wherein generating the verification hash value comprises:

generating a string based on the random number and the set of public keys; and

The verification hash value is generated based on the string.

19. The method of claim 18, wherein the reply message further includes an internet protocol address of a virtual machine manager in the physical host, a port number of a remote authentication service of the virtual machine manager;

wherein generating the character string comprises:

The string is formed by linking the random number, the set of public keys, the internet protocol address, and the port number.

20. The method of claim 17, wherein the indication information comprises a root value obtained by inputting the set of public keys into an accumulator, wherein generating the verification hash value comprises:

generating a character string based on the random number and the root value; and

The verification hash value is generated based on the string.

21. The method of claim 20, wherein the reply message further includes an internet protocol address of a virtual machine manager in the physical host, a port number of a remote authentication service of the virtual machine manager;

wherein generating the character string comprises:

The character string is formed by linking the random number, the root value, the internet protocol address, and the port number.

22. The method of claim 16, wherein generating the credential comprises:

generating an evaluation result by evaluating the remote attestation information;

generating the credential in response to the evaluation result satisfying a predetermined requirement, the credential including comparing the evaluation result.

23. A method for verifying information, comprising:

Generating a random number at an authentication server in response to receiving a first request from a physical host to register a virtual machine in the physical host;

Transmitting a second request for acquiring certification information to the physical host, wherein the second request comprises the random number; and

Receiving, from the physical host, signed remote attestation information for the virtual machine, the signed remote attestation information including a signed certificate and a corresponding signature, the signed certificate being a certificate for a public key selected from a set of public keys assigned to the virtual machine, the certificate indicating trustworthiness of the set of public keys;

based on the signed remote attestation information and the credentials, a trusted state of the virtual machine is determined.

24. The method of claim 23, wherein the signed remote attestation information further comprises an internet protocol address of a virtual machine manager in the physical host and a port number of a remote authentication service of the virtual machine manager, wherein the second request further comprises a policy to obtain attestation information from the physical host, the policy indicating that only attestation information for a virtual machine is obtained, wherein receiving the signed remote attestation information and credentials for the virtual machine comprises:

receiving the signed remote attestation information;

verifying the signed remote attestation information;

Obtaining the signed certificate, the internet protocol address, and the port number from the signed remote attestation information in response to the signed remote attestation information passing the verification;

sending a third request to the physical host to obtain credentials, the third request comprising the internet protocol address, the port number, and the signed certificate;

The credential is received from the physical host.

25. The method of claim 24, wherein determining the trusted state of the virtual machine comprises:

Verifying the certificate;

Determining, in response to the credential passing verification, whether a public key in the signed certificate is supported by the credential; and

In response to the public key being supported by the credential, determining that the virtual machine is trusted.

26. The method of claim 23, wherein the second request further comprises a policy to obtain attestation information from the physical host, the policy indicating that attestation information and the credentials are to be obtained for a virtual machine, wherein determining a trusted state of the virtual machine comprises:

verifying the signed remote attestation information and the credentials;

obtaining the signed certificate from the signed remote attestation information in response to the signed remote attestation information and the credential passing verification;

determining whether a public key in the signed certificate is supported by the credential; and

27. The method of claim 25 or 26, wherein determining whether the public key is supported by the credential comprises:

a determination is made as to whether the public key is present in the credential.

28. The method of claim 25 or 26, wherein the credential includes a root value obtained by inputting the set of public keys into an accumulator, wherein determining whether the public key is supported by the credential comprises:

Extracting a root value in the certificate; and

Based on the root value and the public key, it is determined whether the public key is supported by the credential.

29. A method for verifying information, comprising:

in response to receiving a first request from a physical host to register a virtual machine in the physical host, sending, at a first authentication server, a second request to the physical host to obtain attestation information, the second request including a random number;

receiving signed remote attestation information for the virtual machine, the remote attestation information including a signed certificate, the signed certificate being a certificate for a public key assigned to the virtual machine selected from a set of public keys;

acquiring the signature certificate in response to the signed remote attestation information passing verification;

Sending a third request to a second authentication server for obtaining credentials, the third request comprising the signed certificate;

Obtaining the credentials from the second authentication server;

a trusted state of the virtual machine is determined based on the credentials, the credentials indicating the trustworthiness of a set of public keys.

30. The method of claim 29, wherein determining the trusted status comprises:

validating the credential in response to receiving the credential;

Determining, in response to the credential passing the verification, whether a public key of the signed certificate is supported by the credential; and

31. An apparatus for obtaining a certificate, the apparatus comprising:

a request transmitting unit configured to transmit a request for acquiring an encryption certificate to an authentication server at a physical host, the request including a target public key for a virtual trusted root of a virtual machine;

a random number acquisition unit configured to acquire a random number encrypted by the target public key from the authentication server;

A remote attestation information acquisition unit configured to acquire signed remote attestation information from a hardware root of trust of the physical host based on the encrypted random number, the signed remote attestation information including a signature certificate for the hardware root of trust;

A certification information and public key transmission unit configured to transmit the signed remote certification information and the target public key to the authentication server; and

An encryption certificate receiving unit configured to receive an encryption certificate for the target public key from the authentication server.

32. An apparatus for providing credentials, the apparatus comprising:

a random number generation unit configured to generate a random number at the authentication server in response to receiving a request from the physical host for obtaining an encryption certificate, the request including a target public key for a virtual root of trust of the virtual machine;

An encryption unit configured to encrypt the random number using the target public key;

a random number transmitting unit configured to transmit the encrypted random number to the physical host;

A remote attestation information receiving unit configured to receive the target public key and signed remote attestation information from the physical host, the signed remote attestation information including a signed certificate for a hardware root of trust of the physical host; and

A certificate sending unit configured to send an encryption certificate to the physical host in response to the signed remote attestation information being verified, the encryption certificate being for the target public key.

33. An apparatus for acquiring credentials, the apparatus comprising:

a request transmitting unit configured to transmit a request for acquiring a credential to the authentication server at the physical host;

A random number acquisition unit configured to acquire a random number from the authentication server;

A remote attestation information acquisition unit configured to acquire signed remote attestation information from a hardware root of trust of the physical host based on the random number and a set of public keys, the signed remote attestation information including a signed certificate for the hardware root of trust;

A reply information transmitting unit configured to transmit reply information to the authentication server, the reply information including the signed remote attestation information, indication information about the set of public keys, and the random number; and

A credential acquisition unit configured to acquire the credential from the authentication server, the credential indicating trustworthiness of the set of public keys.

34. An apparatus for providing credentials, the apparatus comprising:

A reply information receiving unit configured to receive, at a verification server, reply information from a physical host, the reply information including signed remote attestation information, indication information regarding a set of public keys, and a random number, the signed remote attestation information including a signature certificate for a hardware trusted root of the physical host;

a verification unit configured to verify the signed remote attestation information;

A credential generation unit configured to generate the credential based on the remote attestation information and the indication information in response to the signed remote attestation information being verified, the credential indicating the trustworthiness of the set of public keys; and

And a credential transmitting unit configured to transmit the credential to the physical host.

35. An apparatus for verifying information, the apparatus comprising:

A random number generation unit configured to generate a random number at an authentication server in response to receiving a first request from a physical host to register a virtual machine in the physical host;

A certification information acquisition unit configured to transmit a second request for acquiring certification information to the physical host, the second request including the random number; and

A attestation information and credential receiving unit configured to receive, from the physical host, signed remote attestation information and credentials for the virtual machine, the signed remote attestation information including a signed certificate and a corresponding signature, the signed certificate being a certificate for a public key selected from a set of public keys assigned to the virtual machine, the credentials indicating trustworthiness of the set of public keys;

A trusted state determination unit configured to determine a trusted state of the virtual machine based on the signed remote attestation information and the credential.

36. An apparatus for verifying information, the apparatus comprising:

a certification information acquisition unit configured to transmit, at a first authentication server, a second request to acquire certification information to a physical host in response to receiving a first request from the physical host to register a virtual machine in the physical host, the second request including a random number;

a remote attestation information receiving unit configured to receive signed remote attestation information for the virtual machine, the remote attestation information including a signed certificate, the signed certificate being a certificate for a public key assigned to the virtual machine selected from a set of public keys;

A certificate acquisition unit configured to acquire the signed certificate in response to the signed remote attestation information passing verification;

A request transmitting unit configured to transmit a third request for acquiring a credential to a second authentication server, the third request including the signature certificate;

a credential acquisition unit configured to acquire the credential from the second authentication server;

a trusted state determination unit configured to determine a trusted state of the virtual machine based on the credentials, the credentials indicating the trustworthiness of a set of public keys.

37. An electronic device, comprising:

at least one computing unit;

at least one memory coupled to the at least one computing unit and storing instructions for execution by the at least one computing unit, the instructions when executed by the at least one computing unit cause the apparatus to perform the method of any one of claims 1-30.

38. A computer readable storage medium having stored thereon a computer program which when executed by a processor implements the method according to any of claims 1-30.

39. A computer program product comprising computer executable instructions which when executed by a processor implement the method of any one of claims 1-30.