Professional Documents
Culture Documents
Property-Based Remote Attestation Oriented To Cloud Computing
Property-Based Remote Attestation Oriented To Cloud Computing
Property-Based Remote Attestation Oriented To Cloud Computing
Siyuan Xin
Yong Zhao, Yu Li
Keywords-cloud
computing;
property-based
attestation; security property; attestation proxy
I.
II.
remote
INTRODUCTION
1028
III.
A. Outlines
In the cloud computing service pattern, before the user
passes the important data or complex computation duty to
the cloud, the user needs to carry on the attestation on the
trusted status of cloud computings virtual environment, so
that he can make sure the computing platform providing
service is credible and trusted. After the user has completed
the cloud computing platforms trusted attestation, the trust
of cloud computing service can be established, and the user
can enjoy the cloud computing service to accomplish the
computation duty, and pay due to the amount of service.
In order to study the remote attestation process and the
method in cloud computing environment, we first describe
the scene we research. The user requests service from the
cloud computing provider, and the user request to confirm
the security property of cloud computing service platform. In
this kind of scene, both sides have the following trust policy
and confidential policy: the verifier (user) is willing to
publicize its trust policy, but is not willing to publicize his
concrete safety request; but the attesters(clouding
computing platform) confidential policy requests to prohibit
the verifier receiving its configuration information, namely
platform measurement log.
1029
B. Overall Structure
The structure of remote attestation oriented cloud
computing is shown in fig.1, it includes:
Cloud Computing Administrative Center (CCAC): The
CCAC accepts the service and attestation requests, assigns
the computing task to certain other platform through certain
dispatch algorithm, and transmits the attestation request and
the assigned computing platforms AIK public key to
attestation proxy according to dispatching algorithm and
AIK directory which is constructed in the could nodes
register process.
C. Assumption
The attestation proxy is the key element of remote
attestation, which is in the core of remote attestation trust.
The attester platform needs to trust the attestation proxys
operation correctness, authentication reliability as well as
secrecy. Thus the verifier needs to trust the attestation
proxys integrity and reliability and believes the attester
platforms security property information. In addition, the
verifier also should know attestation proxys signature
verifying key.
We describe the trust relations between various entities
through signature verifying key.
The attestation proxy has its signature key pair VP.
Attester platform has the status key build-in TPM Attestation
Identity Key (AIK), and knows the attestation proxy public
key VP. The attester trusts VPs owner protects its platform
configuration measure information secrecy. And the
attestation proxy is the only entity to which the attester is
willing to disclose its configuration information. The cloud
computing administrative center knows the attestation proxy
public key VP, which is used in confirming the attestation
proxys message and encryption of information transmitted
to the attestation proxy. The administrative center knows the
AIK public key of the computing platform actually carrying
on the computation task, and it believes the measure
information signed and issued by represents platform
configuration information assured by the TPM, even if it has
not seen the configuration information.
1030
CONCLUSION
ACKNOWLEDGMENT
This research is funded by 863 National High Tech
Research and Develop Plan Project (2009AA01Z437), 973
National Key Fundamental Research Development Plan
Project (2007CB311100), Open Research Project of State
Key Laboratory of Information Security in Institute of
1031
[3]
[4]
REFERENCES
[1]
[2]
[5]
1032