Search

CN-122001694-A - High concurrency trusted computing remote proving method and system based on equipment type adaptation

CN122001694ACN 122001694 ACN122001694 ACN 122001694ACN-122001694-A

Abstract

The invention discloses a high concurrency trusted computing remote proving method and a system based on equipment type adaptation, and relates to the technical scheme of the method and the system, wherein the key points of the technical scheme are that a registration request containing equipment type identifiers sent by a client is received; creating a thread pool, packaging a received registration request as a registration processing task, scheduling the registration processing task, analyzing a device type field in the registration request, storing a mapping relation between a client identifier and a device type into a local configuration file, inquiring the device type of the client from the local configuration file in a challenge proving stage, selecting an adaptive remote proving protocol according to a preset mapping rule, packaging a response verification operation of the server to the client as a proving processing task, and submitting the proving processing task to the thread pool for high concurrency scheduling. The method and the device can adapt to the multi-form client requests and simultaneously can efficiently process large-scale concurrent remote certification requests.

Inventors

  • ZHANG YE
  • ZHANG NANXIN
  • WU HUAIGU
  • ZHA MING

Assignees

  • 天府绛溪实验室

Dates

Publication Date
20260508
Application Date
20260410

Claims (10)

  1. 1. The high concurrency trusted computing remote proving method based on equipment type adaptation is characterized by being applied to a server and comprising the following steps of: Receiving a registration request containing a device type identifier sent by a client, wherein the registration request contains a device type field, and the device type field is dynamically injected by the client according to the attribute of the device; creating a thread pool, packaging the received registration request as a registration processing task, scheduling the registration processing task, analyzing a device type field in the registration request, and storing a mapping relation between a client identifier and a device type into a local configuration file; In the challenge proving stage, inquiring the equipment type of the client from the local configuration file, and selecting an adaptive remote proving protocol according to a preset mapping rule; and packaging response verification operation of the server side to the client side into a proving processing task, and submitting the proving processing task to the thread pool for high concurrency scheduling.
  2. 2. The high concurrency trusted computing remote attestation method based on device type adaptation of claim 1, wherein the generation of the registration request is configured to: if the equipment type is a virtual machine, acquiring an endorsement key certificate and a proving key public key from a virtual trusted root driver of a virtualization platform, and newly adding an equipment type field in a registration request message and taking the value as the virtual machine; If the equipment type is the physical trusted computing equipment, reading an endorsement key certificate and a proving key public key from the physical trusted computing module, and adding an equipment type field in a registration request message and taking the value as the physical trusted computing equipment.
  3. 3. The device type adaptation based high concurrency trusted computing remote attestation method of claim 1, wherein the configuration parameters of the thread pool include core thread number, maximum thread number, task queue, thread survival time, and rejection policy; The maximum thread number is 2 times of the core thread number, the task queue is a bounded blocking queue, and the rejection policy is a caller operation policy.
  4. 4. The high concurrency trusted computing remote attestation method based on device type adaptation of claim 1, wherein the preset mapping rules are configured to: If the device type is a virtual machine, selecting a virtualized trusted root lightweight certification protocol; And if the device type is the physical trusted computing device, selecting a physical trusted computing module complete proof protocol.
  5. 5. The device type adaptation based high concurrency trusted computing remote attestation method of claim 1, wherein during the challenge attestation phase, the server encapsulates each client's challenge construct as an independent task, the challenge construct configured to: If the equipment type is a virtual machine, constructing a lightweight random number challenge message; if the device type is a physical trusted computing device, a challenge message containing a platform configuration register index is constructed.
  6. 6. The high concurrency trusted computing remote attestation method of claim 1, wherein the response verification operation is configured to: If the equipment type is a virtual machine, verifying a reference signature of a virtual trusted root and a virtualized platform endorsement credential; If the device type is a physical trusted computing device, the endorsement key/attestation key certificate chain, the reference signature, and the platform configuration register value are verified.
  7. 7. The high concurrency trusted computing remote attestation method based on device type adaptation of claim 1, wherein the high concurrency schedule is configured to: when the concurrency request quantity is smaller than or equal to the core thread number, the core thread directly processes the task; when the concurrent request quantity is larger than the number of the core threads and smaller than or equal to the capacity of the task queue, the task is temporarily stored in the task queue and sequentially processed by the core threads; when the concurrent request amount is larger than the capacity of the task queue, creating a temporary thread to process excess tasks, and destroying the temporary thread after the idle thread survives.
  8. 8. The device type adaptation based high concurrency trusted computing remote attestation method of claim 1, wherein the high concurrency schedule is configured to be uniformly scheduled and dispatched by the thread pool for processing by the adapted attestation processing tasks in accordance with their respective device types when concurrent requests are simultaneously initiated by multiple types of clients, including virtual machines and physical trusted computing devices, in a mixed architecture environment.
  9. 9. The device type adaptation based high concurrency trusted computing remote attestation method of claim 1, wherein the local configuration file stores the mapping relationship between the client identity and the device type in JSON format, and wherein the data structure includes at least a hostname field and a device type field.
  10. 10. The high concurrency trusted computing remote proving system based on equipment type adaptation is characterized by being deployed at a server side and comprising the following components: The request receiving module is configured to receive a registration request containing equipment type identifiers sent by a client, wherein the registration request contains equipment type fields which are dynamically injected by the client according to own equipment attributes; The thread pool scheduling module is configured to create a thread pool, encapsulate the received registration request into a registration processing task and schedule the registration processing task, analyze a device type field in the registration request, and store a mapping relation between a client identifier and a device type into a local configuration file; The challenge proving module is configured to query the equipment type of the client from the local configuration file in a challenge proving stage, and select an adaptive remote proving protocol according to a preset mapping rule; And the concurrency scheduling module is configured to encapsulate the response verification operation of the server to the client into a proving processing task, and submit the proving processing task to the thread pool for high concurrency scheduling.

Description

High concurrency trusted computing remote proving method and system based on equipment type adaptation Technical Field The invention relates to the technical field of trusted computing, in particular to a high concurrency trusted computing remote proving method and a high concurrency trusted computing remote proving system based on equipment type adaptation. Background The remote attestation mechanism of the trusted computing is a core technology for guaranteeing the credibility of the terminal equipment, and the terminal provides the credible credentials of hardware and software states for the server through the terminal, so that the identity and the state of the terminal are verified by the server. The remote proof flow in the prior art has the key defects that (1) equipment type identification is lost in a registration stage, and if a registration request (such as enrollRequest) initiated by an existing client to a server only contains basic information such as a host name, a TCM manufacturer, an EK certificate and the like, the equipment type identification is not carried. The remote certification requirements of different types of clients (such as a Virtual Machine (VM) and a physical trusted computing device (tipu)) are significantly different, namely the virtual machine relies on a virtual trusted root (vTCM) to provide certification certificates, the certification process of the certification is required to adapt to a lightweight interactive protocol of a virtualization platform, and in addition, the physical trusted computing device relies on a physical TCM module, and the certification is required to be completed through a complete EK/AK certificate chain and a Quote signature. In the prior art, the service end cannot distinguish the device types, only a unified proving mode can be adopted, so that flow redundancy (occupying extra bandwidth and computing resources) is caused for the virtual machine, a safety verification link is possibly lost for the physical device, and the complete verification logic of the TCM cannot be adapted. (2) When the existing server processes the concurrent requests of multiple clients, two modes are generally adopted, namely 1) single line Cheng Chuanhang processing is adopted, only one request can be processed at the same time, response delay is extremely high (for example, response time of 100 concurrent requests exceeds 5 s) when the large-scale clients are faced, 2) no-boundary thread pool processing is adopted, independent threads are created for each request, when the request quantity is increased sharply (for example, 200 requests peak), the number of threads expands limitlessly, CPU context switching overhead is increased sharply, memory resources are exhausted, and finally the server is caused to be down. Therefore, research and design of a device type adaptation-based high concurrency trusted computing remote proving method and system capable of overcoming the defects are the problems which are urgently needed to be solved at present. Disclosure of Invention In order to solve the defects in the prior art, the invention aims to provide the high concurrency trusted computing remote proving method and the system based on equipment type adaptation, which can adapt to multi-form client requests, can efficiently process large-scale concurrency remote proving requests, can be suitable for a mixed architecture trusted computing environment comprising a Virtual Machine (VM) and physical trusted computing equipment tipu, and can realize the suitability optimization of remote proving and the efficient concurrency scheduling of a server. The technical aim of the invention is realized by the following technical scheme: In a first aspect, a high concurrency trusted computing remote attestation method based on device type adaptation is provided, and the method is applied to a server and comprises the following steps: Receiving a registration request containing a device type identifier sent by a client, wherein the registration request contains a device type field, and the device type field is dynamically injected by the client according to the attribute of the device; creating a thread pool, packaging the received registration request as a registration processing task, scheduling the registration processing task, analyzing a device type field in the registration request, and storing a mapping relation between a client identifier and a device type into a local configuration file; In the challenge proving stage, inquiring the equipment type of the client from the local configuration file, and selecting an adaptive remote proving protocol according to a preset mapping rule; and packaging response verification operation of the server side to the client side into a proving processing task, and submitting the proving processing task to the thread pool for high concurrency scheduling. Further, the generation of the registration request is configured to: if the equipment type is a