基于UEFI的虚拟机及其在数字签名上的应用
|
摘要
数字签名的安全性必需建立在密钥安全的基础上,存储在计算机系统中的密钥容易被计算机病毒等恶意程序窃取并伪造数字签名破坏数字签名方案的有效性。本文在分析比较当前几种数字签名的软件和硬件的实现方案优劣势的基础上,结合对UEFI和基于UEFI的虚拟机的研究,提出了利用虚拟机技术提高数字签名的密钥安全性的方法。本文在分析说明基于UEFI的虚拟机的结构框架以及将其应用于数字签名的方案模型的同时,还给出了数字签名服务、应用系统库程序以及消息传输协议等关键技术的实现算法及数据结构。最后本文综合分析了基于虚拟机的数字签名技术的功能特点并给出了综合性能评价。
The security of digital signature is largely based on the safety of cipher key. In normal cases, a cipher key is stored in the computer system, which can be easily obtained by vicious computer programs like computer virus etc. These vicious computer programs can then fabricate another digital signature, and wreck the validity of digital signature system. This paper studied UEFI and UEFI based virtual machine, and then proposed an approach to improve the safety of digital signature with the application of virtual machine technology. At the same time this paper also gives detailed illumination of data structures and Algorithms of several critical techniques like the digital signature service, application support programs and message transmission protocols. Finally this paper systematically analyzed the characteristics of digital signature based on an UEFI virtual machine, and provides performance evaluations.
The security of digital signature is largely based on the safety of cipher key. In normal cases, a cipher key is stored in the computer system, which can be easily obtained by vicious computer programs like computer virus etc. These vicious computer programs can then fabricate another digital signature, and wreck the validity of digital signature system. This paper studied UEFI and UEFI based virtual machine, and then proposed an approach to improve the safety of digital signature with the application of virtual machine technology. At the same time this paper also gives detailed illumination of data structures and Algorithms of several critical techniques like the digital signature service, application support programs and message transmission protocols. Finally this paper systematically analyzed the characteristics of digital signature based on an UEFI virtual machine, and provides performance evaluations.
引文
[0][1] 秦志光. 密码算法的现状和发展研究. 计算机应用. 2004.02 24(2):1-4
[2] 杨茂磷,葛勇. 密码算法及其在军事通信中的应用. 火力与指挥控制 2006.03 31(3):68-71
[3] 冯登国. 密码学原理与实践(第二版) 北京:电子工业出版社 2005: 233-236
[4] 程若非. Apache 与电子商务. 开放系统世界. 2002(7): 47-49
[5] 孔维广. TPM 的工作模型. 武汉科技学院学报 2005.01 18(1):45-47
[6] 赵泽良,沈昌祥 IPSec 与 IP 加密机设计中要注意的问题. 信息安全与通信保密. 2001(11): 36-39
[7] 魏仲山. 多虚拟机研究. 计算机工程与应用. 1983(9): 39-46
[8] E.Bugnion. Running commodity operating systems on scalable multiprocessors. Sixteenth ACM Symposium on Operating System Principles. 1997.10:78-86
[9] J.E. Smith, Ravi Nair. An Overview of Virtual Machines Architectures. Elsevier Science(USA) 2003.11
[10] 谢文砚. 虚拟技术现实全景. 网络世界 2006.12 22
[11] 王汝传, 黄良俊. 基于虚拟技术的入侵检测系统攻击仿真平台的研究和实现. 电子信息学报. 2004.10 26(10)
[12] Intel Corporation. Extensible Firmware Interface Specification Version 1.10. 2002(12)
[13] 曾宪伟,张智军. 基于虚拟机的启发式扫描反病毒技术. 计算机应用与软件. 2005.09 22(9):125-126
[14] Puketza N, A software platform for testing intrusion detection system. IEEE Software Magazine 1997, 14(5): 43-51
[15] Unified EFI, Inc. Platform Initialization Specification version 1.0
[16] W A Arbaugh, D J Farber. ASecure and Reliable Boot-strap Architecture. Preceedings of the IEEE Symposium on Security and Privacy. 1997: 78-80
[17] Intel Corporation. Multi-Processor Specification Version 1.4. 1997. 5
[18] T. Borden, J.Hennessy. Multiple operating systems on one processor complex. IBM Systems journal 1989, 28(1) 104-123
[19] E.Bugnion, S.Devine. Running Commodity operating system on scalable multiprocessors. In proceedings of the 16th ACM Symposium on Operating Systems Principles. 1997.10 143-156
[20] C. A. Waldspurger. Memory Resource Management in VMware ESX Server. In Proceedings of the 5th Symposium on Operating Systems Design and Implementation 2002.11
[21] 吴松青,王典洪. 基于 UEFI 的 Application 和 Driver 的分析与开发. 计算机应用与软件.2007 24(2): 98-100
[22] Intel Corporation Mobile Platform Usage of UEFI and the Framework Technology 2006.9
[23] 蒋艳凰,白晓敏,杨雪军. 数字签名技术及其发展动态. 计算机应用研究. 2000 (9):1-3
[24] 张淼,杨昌. 可信计算平台中的密钥管理. 楚雄示范学院学报 2006.9 21(9):45-48
[25] 曲英杰. 可编程移动电脑加密机的设计方法. 计算机工程与应用 2007.05(43):99-101
[26] 秦中元,胡爱群. 可信计算系统及其研究现状. 计算机工程 2006.07 32(1):111-113
[27] FIPS PUB February 1, 1993, Digital signature Standard
[28] Rivest R L, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystem. Common ACM 1978(21): 120-126
[29] M. O. Rabin Digitized Signatures and public-key functions as intractable as factorization. MIT Laboratory for Computer Science Technical Report LCS/TR-212 1979
[30] Douglas R.Stinson Cryptography Theory and Practice Publishing House of Electronics Industry 2005.2: 236-237
[31] 杜谦,张文霞. 多语言可实现的 SHA-1 散列算法. 武汉理工大学学报. 2007.7 29(7)
[32] 张卫清,张红南,谢冬青. 实用的数字签名方案进展. 计算机技术与自动化. 1997.1: 76-79
[33] 方妮, 郭超. DSA 数字签名算法研究及软件实现. 中国工程物理研究院科技年报. 2001.7
[34] 贺纲. Linux字符设备驱动程序. 信息工程大学学报. 2001.7
[35] Denning, P.J. Virtual Memory. Computing Surveys, vol2 1970.9 153-161
[36] 王鹏, 尤晋元. 操作系统设计与实现. 北京:电子工业出版社 1998.8: 116-120
[37] Andrew S. Tanenbaum Albert S. Woodhull, Operating Systems Design and Implementation, publish House of Electronics Industry 228-229
[38] 李晋, 葛敬国. Linux 下互斥机制及其分析. 计算机应用研究. 2005.8
[39] 彭正文. 基于 SMP 的 Linux 内核自旋锁分析. 江西教育学院学报. 2005.7
[40] Cheriton, D.R. An Experiment on Fast Message-Based Interprocess Communication. Operating System Review 1984 vol.18 12-20
[41] Andrew Grissonnanche. Security and Protection in Information Systems. Published by Elsevier Science Publishers 1989 37-39
[42] TCG.. TPM Design Principles V1.2 004.06
[43] 陈开颜, 赵强. 集成电路芯片信息泄漏旁路分析模型. 微计算机信息. 2006 22(6): 74-76
[44] 李欣, 范明钰. 能量分析攻击及其防御策略. 信息安全与通信保密 2005.7 :103-107
[45] Professor Jaege. Virtual Machine Security www.cse.psu.edu/~tjaeger/cse497b-s07/
[2] 杨茂磷,葛勇. 密码算法及其在军事通信中的应用. 火力与指挥控制 2006.03 31(3):68-71
[3] 冯登国. 密码学原理与实践(第二版) 北京:电子工业出版社 2005: 233-236
[4] 程若非. Apache 与电子商务. 开放系统世界. 2002(7): 47-49
[5] 孔维广. TPM 的工作模型. 武汉科技学院学报 2005.01 18(1):45-47
[6] 赵泽良,沈昌祥 IPSec 与 IP 加密机设计中要注意的问题. 信息安全与通信保密. 2001(11): 36-39
[7] 魏仲山. 多虚拟机研究. 计算机工程与应用. 1983(9): 39-46
[8] E.Bugnion. Running commodity operating systems on scalable multiprocessors. Sixteenth ACM Symposium on Operating System Principles. 1997.10:78-86
[9] J.E. Smith, Ravi Nair. An Overview of Virtual Machines Architectures. Elsevier Science(USA) 2003.11
[10] 谢文砚. 虚拟技术现实全景. 网络世界 2006.12 22
[11] 王汝传, 黄良俊. 基于虚拟技术的入侵检测系统攻击仿真平台的研究和实现. 电子信息学报. 2004.10 26(10)
[12] Intel Corporation. Extensible Firmware Interface Specification Version 1.10. 2002(12)
[13] 曾宪伟,张智军. 基于虚拟机的启发式扫描反病毒技术. 计算机应用与软件. 2005.09 22(9):125-126
[14] Puketza N, A software platform for testing intrusion detection system. IEEE Software Magazine 1997, 14(5): 43-51
[15] Unified EFI, Inc. Platform Initialization Specification version 1.0
[16] W A Arbaugh, D J Farber. ASecure and Reliable Boot-strap Architecture. Preceedings of the IEEE Symposium on Security and Privacy. 1997: 78-80
[17] Intel Corporation. Multi-Processor Specification Version 1.4. 1997. 5
[18] T. Borden, J.Hennessy. Multiple operating systems on one processor complex. IBM Systems journal 1989, 28(1) 104-123
[19] E.Bugnion, S.Devine. Running Commodity operating system on scalable multiprocessors. In proceedings of the 16th ACM Symposium on Operating Systems Principles. 1997.10 143-156
[20] C. A. Waldspurger. Memory Resource Management in VMware ESX Server. In Proceedings of the 5th Symposium on Operating Systems Design and Implementation 2002.11
[21] 吴松青,王典洪. 基于 UEFI 的 Application 和 Driver 的分析与开发. 计算机应用与软件.2007 24(2): 98-100
[22] Intel Corporation Mobile Platform Usage of UEFI and the Framework Technology 2006.9
[23] 蒋艳凰,白晓敏,杨雪军. 数字签名技术及其发展动态. 计算机应用研究. 2000 (9):1-3
[24] 张淼,杨昌. 可信计算平台中的密钥管理. 楚雄示范学院学报 2006.9 21(9):45-48
[25] 曲英杰. 可编程移动电脑加密机的设计方法. 计算机工程与应用 2007.05(43):99-101
[26] 秦中元,胡爱群. 可信计算系统及其研究现状. 计算机工程 2006.07 32(1):111-113
[27] FIPS PUB February 1, 1993, Digital signature Standard
[28] Rivest R L, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystem. Common ACM 1978(21): 120-126
[29] M. O. Rabin Digitized Signatures and public-key functions as intractable as factorization. MIT Laboratory for Computer Science Technical Report LCS/TR-212 1979
[30] Douglas R.Stinson Cryptography Theory and Practice Publishing House of Electronics Industry 2005.2: 236-237
[31] 杜谦,张文霞. 多语言可实现的 SHA-1 散列算法. 武汉理工大学学报. 2007.7 29(7)
[32] 张卫清,张红南,谢冬青. 实用的数字签名方案进展. 计算机技术与自动化. 1997.1: 76-79
[33] 方妮, 郭超. DSA 数字签名算法研究及软件实现. 中国工程物理研究院科技年报. 2001.7
[34] 贺纲. Linux字符设备驱动程序. 信息工程大学学报. 2001.7
[35] Denning, P.J. Virtual Memory. Computing Surveys, vol2 1970.9 153-161
[36] 王鹏, 尤晋元. 操作系统设计与实现. 北京:电子工业出版社 1998.8: 116-120
[37] Andrew S. Tanenbaum Albert S. Woodhull, Operating Systems Design and Implementation, publish House of Electronics Industry 228-229
[38] 李晋, 葛敬国. Linux 下互斥机制及其分析. 计算机应用研究. 2005.8
[39] 彭正文. 基于 SMP 的 Linux 内核自旋锁分析. 江西教育学院学报. 2005.7
[40] Cheriton, D.R. An Experiment on Fast Message-Based Interprocess Communication. Operating System Review 1984 vol.18 12-20
[41] Andrew Grissonnanche. Security and Protection in Information Systems. Published by Elsevier Science Publishers 1989 37-39
[42] TCG.. TPM Design Principles V1.2 004.06
[43] 陈开颜, 赵强. 集成电路芯片信息泄漏旁路分析模型. 微计算机信息. 2006 22(6): 74-76
[44] 李欣, 范明钰. 能量分析攻击及其防御策略. 信息安全与通信保密 2005.7 :103-107
[45] Professor Jaege. Virtual Machine Security www.cse.psu.edu/~tjaeger/cse497b-s07/