Method for measuring initial state credibility of fog node
1. A method for measuring the initial credibility of a fog node, characterized by comprising the following steps:
S1, establishing a management and audit system;
the management and audit system is provided by a credible third party and is used for auditing the initial credibility measurement information of the fog node to form an audit report;
S2, registration request;
the management and audit system receives a registration request, wherein the registration request comprises a fog node digital certificate and a trusted platform digital certificate, and the trusted platform measures the trusted information of the fog node;
S3, registration verification;
the management and audit system sends the digital certificate of the fog node and the digital certificate of the trusted platform to a Certificate Authority (CA), and the CA verifies the validity of the digital certificates and returns the result;
S4, receiving software running information;
the fog node sends the running information of the software to the trusted platform; after the running information is measured by the trusted platform, it is signed with a digital certificate issued by the CA and then sent to the management and audit system;
S5, receiving evaluation information;
the management and audit system receives software evaluation information sent by an evaluation organization;
S6, generating an audit report;
the management and audit system generates an audit report by comparing the software running information with the software evaluation information, wherein the audit report is used for indicating the credibility of the fog node.
2. The method of claim 1, wherein the software running information in step S4 includes a current operation index of the software and running version information of the software, and the software evaluation information includes a software safe operation index and software evaluation version information.
3. The method of claim 2, wherein the software running information in step S4 includes virtual machine identification information, and the virtual machine identification information describes a correspondence between a user and a virtual machine identifier.
4. The method of claim 3, wherein the management and audit system sends the relevant audit report to the user corresponding to the virtual machine identifier according to the virtual machine identification information.
5. The method of claim 2, wherein the software running information comprises a running log and an operation log.
6. The method of claim 2, wherein the software evaluation information comprises a digital fingerprint of the software.
Background
A mobile fog computing platform allows users to access a dynamically configurable pool of shared computing resources, including network devices, servers, storage devices and services, through ubiquitous and convenient network access. The platform can provision and release these configurable computing resources rapidly, with little management cost and little interaction between the user and the service provider.
After the user moves data to the fog node, ownership and control of the data are separated: the user remains the owner of the data, but control of the data passes to the fog node, and all resource operations related to the data, such as computation and storage, are carried out by the user through the fog node. Therefore, before fog computing can be developed and applied at large scale, the security problem of the fog node must be solved first.
In the process of measuring the credibility of a fog node, the user can establish indirect trust in the fog node through direct trust in the verification server and the verification server's trust in the fog node, as shown in FIG. 1. In establishing trust between the verification server and the fog node, the verification server can technically trust the fog node through the hardware capability of the Trusted Platform Module (TPM) security chip, the Central Processing Unit (CPU)/Basic Input Output System (BIOS) and the Trusted Computing Group (TCG) specification implemented in the fog node; that is, the fog node can technically ensure that the current operation index of the software it sends to the verification server is genuine.
However, since the verification server and the fog node are both managed and controlled by the provider of the fog computing service, the credibility measurement of the fog node is carried out by an internal remote attestation and audit system, and this internal process is opaque to the user and is not supervised by a credible third-party authority.
Disclosure of Invention
The invention provides a method for measuring the initial credibility of a fog node, which improves the transparency of the credibility measurement process of the fog node and increases the user's trust in the fog node.
The invention discloses a method for measuring the initial state credibility of a fog node, which comprises the following steps:
S1, establishing a management and audit system;
the management and audit system is provided by a credible third party and is used for auditing the initial credibility measurement information of the fog node to form an audit report;
S2, registration request;
the management and audit system receives a registration request, wherein the registration request comprises a fog node digital certificate and a trusted platform digital certificate, and the trusted platform measures the trusted information of the fog node;
S3, registration verification;
the management and audit system sends the digital certificate of the fog node and the digital certificate of the trusted platform to a Certificate Authority (CA), and the CA verifies the validity of the digital certificates and returns the result;
S4, receiving software running information;
the fog node sends the running information of the software to the trusted platform; after the running information is measured by the trusted platform, it is signed with a digital certificate issued by the CA and then sent to the management and audit system;
S5, receiving evaluation information;
the management and audit system receives software evaluation information sent by an evaluation organization;
S6, generating an audit report;
the management and audit system generates an audit report by comparing the software running information with the software evaluation information, wherein the audit report is used for indicating the credibility of the fog node.
Further, the software running information in step S4 includes a current operation index of the software and running version information of the software, and the software evaluation information includes a software safe operation index and software evaluation version information.
Further, the software running information in step S4 includes virtual machine identification information, where the virtual machine identification information describes a correspondence between the user and the virtual machine identifier.
Further, the management and audit system sends the related audit report to the user corresponding to the virtual machine identifier according to the virtual machine identification information.
Further, the software running information comprises a running log and an operation log.
Further, the software evaluation information includes a digital fingerprint of the software.
According to the invention, the credibility of the fog node is measured through a credible management and audit system: the original current operation index of the software, obtained after the credibility of the fog node is measured, is compared with the safe operation index of the software evaluated by a security organization, and an audit report is produced, so that the credibility measurement process of the fog node is open and transparent. This avoids the risk in the prior art that the current operation index of the software may be tampered with through certificate replacement when the credibility measurement of the fog node is performed by an internal management and audit system; the authenticity of the credibility measurement of the fog node is improved, and therefore the user's trust in the fog node is improved.
Drawings
FIG. 1 is a diagram illustrating a prior art architecture for performing credibility measurement on a fog node;
FIG. 2 is a schematic flow chart of the credibility measurement method for a fog node in the invention.
Detailed Description
The TCG definition of "trusted" is: an entity is trusted if its behaviour is always as expected when it achieves a given goal. This definition separates trusted computing from current security technologies: "trusted" emphasises that the results of behaviour are as expected, which is not the same as verifying that the behaviour is secure; these are two different concepts. For example, if a user knows that there are viruses on their computer, knows when they will break out and what consequences they will produce, and the viruses indeed behave that way, then the computer is trusted. Under the TCG definition, trust therefore also encompasses the concept of reliability in fault-tolerant computing: reliability guarantees that hardware or software systems perform predictably.
In the prior art, in order to improve the user's trust in a fog node, trusted computing technology is introduced in the process of establishing trust between the verification server and the fog node. The key application of trusted computing technology is protecting the integrity of software, and the TPM security chip is a key component of trusted computing. The trusted computing chip takes cryptographic technology as its core, has computing and storage functions, supports data protection, identity authentication and integrity measurement, can measure the integrity of software and provide a measurement report, and in terms of physical security has the capability to resist and detect attacks and tampering, ensuring that the TPM and its internal data are not illegally attacked. In terms of technical security, the TPM employs a variety of cryptographic and access control techniques. In terms of management security, the TPM belongs to the category of commercial cryptographic products in China, and its development, production, sale and use are effectively regulated under the national rules for commercial cryptographic products. These protective measures ensure the security of the TPM itself, so that it can serve as the hardware storage root of trust of the fog node and the starting point of trust of the fog node.
The fog node can use a TPM security chip deployed in the BIOS or CPU as its root of trust and follow the principle of "measure first, then execute", extending trust one level at a time, measuring and authenticating each level before trusting it, from the TPM security chip to the operating system of the fog node and then from the operating system to the running software, thereby realizing the credibility measurement of the fog node.
In order to avoid the prior-art risk that measurement information is tampered with because the provider may replace an internal digital certificate, after the fog node has undergone trusted measurement, a trusted measurement report can be sent to a management and audit system, and the user's trust in the fog node is improved through the audit report generated by the management and audit system. FIG. 2 is a schematic flow chart of the credibility measurement method for a fog node in the present invention, and the present invention is further described in detail with reference to FIG. 2. The method comprises the following specific steps:
Step one: establishing a management and audit system
The management and audit system is provided by a credible third party and is used for auditing the initial credibility measurement information of the fog node to form an audit report. The audit report is used for indicating the credibility of the fog node, so that the credibility measurement process of the fog node becomes more transparent and the user's trust in the fog node is improved.
Step two: registration request
The management and audit system receives a registration request, which contains a fog node digital certificate and a trusted platform digital certificate. The trusted platform measures the trusted information of the fog node through an internal system.
The management and audit system can receive two registration requests sent by the fog node, which respectively carry the fog node digital certificate and the trusted platform digital certificate; it can also receive a single registration request sent by the fog node, which carries both the digital certificate of the fog node and the digital certificate of the trusted platform.
Step three: registration verification
The management and audit system sends the digital certificate of the fog node and the digital certificate of the trusted platform to a Certificate Authority (CA), and the CA verifies the validity of the digital certificates and returns the result. If the result is valid, the management and audit system sends confirmation information to the fog node, indicating that the fog node has been successfully registered with the management and audit system.
Step four: receiving software running information
The fog node sends the running information of the software to the trusted platform; after the running information is measured by the trusted platform, it is signed with a digital certificate issued by a CA and then sent to the management and audit system.
The software running information includes measurement data collected at software startup and during running. Because these kinds of measurement data differ, the times at which the fog node sends them can also differ: for example, the startup measurement data can be sent directly after the software starts, while the running measurement data can be sent at a preset period.
To let the management and audit system work in a performance-first mode, the software running information produced by the fog node can be stored first and then sent to the management and audit system together in one batch.
The software running information comprises the current operation index of the fog node software and the running version information of the fog node software.
In addition, the software running information may further include a running log or an operation log of the fog node.
Step five: receiving evaluation information
The management and audit system receives software evaluation information sent by an evaluation organization. The evaluation information comprises the safe operation index of the fog node software and the evaluation version information of the fog node software, and may also comprise a digital fingerprint of the software.
Step six: generating an audit report
The management and audit system generates an audit report by comparing the software running information with the evaluation information; for example, it generates the audit report from the current operation index of the fog node software, the safe operation index of the fog node software, the running version information of the fog node software and the evaluation version information of the fog node software. The audit report can be obtained by the user, which addresses the prior-art problem that the provider of the fog computing service could run a software version in the fog node that differs from the evaluated version.
As a further improvement, in step four the software running information may further include virtual machine identification information, where the virtual machine identification information describes a correspondence between the user and the virtual machine identifier.
The management and audit system associates the audit report with the user of the virtual machine according to the virtual machine identification information, so that each user can obtain the audit report relevant to them. Of course, the management and audit system may also publish the audit report on a bulletin board for users to review, which is not specifically limited in the present invention.
In addition, the software running information can instead be signed with a cloud platform digital certificate, achieving the same effect.
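The following Python sketch of the audit side of steps four to six, together with the virtual machine association described above, is an added example and not part of the patent: it verifies the signature on the running information, compares version, digital fingerprint and operation index against the evaluation information, and routes the report to the owner of the virtual machine. The patent signs with a CA-issued certificate; an HMAC stands in for that signature here so the example runs offline with the standard library, and the operation index is assumed to be numeric metrics whose current values must not exceed the evaluated safe values.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the trusted platform's CA-issued signing credential
# (assumption: HMAC replaces the certificate signature used in the patent).
PLATFORM_KEY = b"constructed-trusted-platform-key"
# Constructed mapping from virtual machine identifier to user (claims 3 and 4).
VM_OWNERS = {"vm-0001": "user-alice", "vm-0002": "user-bob"}


def sign_running_info(info: dict, key: bytes = PLATFORM_KEY) -> dict:
    """Trusted platform side: canonicalise the measured running info and sign it."""
    payload = json.dumps(info, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def audit(signed: dict, evaluation: dict, key: bytes = PLATFORM_KEY) -> dict:
    """Management and audit system side: verify, compare, and build the audit report."""
    expected = hmac.new(key, signed["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        # A replaced or tampered message never reaches the comparison stage.
        return {"credible": False, "findings": ["signature invalid: running info rejected"], "user": None}
    running = json.loads(signed["payload"])
    findings = []
    # Running version must equal the evaluated version (claim 2).
    if running["version"] != evaluation["version"]:
        findings.append(f"version mismatch: running {running['version']}, evaluated {evaluation['version']}")
    # Digital fingerprint of the software must match the evaluated one (claim 6).
    if running.get("fingerprint") != evaluation.get("fingerprint"):
        findings.append("fingerprint mismatch")
    # Each current operation index must stay within the evaluated safe index (claim 2).
    for name, safe in evaluation["safe_index"].items():
        current = running["current_index"].get(name)
        if current is None or current > safe:
            findings.append(f"index {name}: current {current} exceeds safe {safe}")
    # Route the report to the user who owns the virtual machine (claims 3 and 4).
    return {"credible": not findings, "findings": findings, "user": VM_OWNERS.get(running.get("vm_id"))}


# Constructed sample data: one evaluation record and two fog node submissions.
EVALUATION = {"version": "2.4.1", "fingerprint": hashlib.sha256(b"fog-agent-2.4.1").hexdigest(),
              "safe_index": {"cpu_load": 80, "open_ports": 5}}
GOOD_RUN = {"version": "2.4.1", "fingerprint": EVALUATION["fingerprint"],
            "current_index": {"cpu_load": 42, "open_ports": 3}, "vm_id": "vm-0001"}
BAD_RUN = {"version": "2.3.9", "fingerprint": hashlib.sha256(b"fog-agent-2.3.9").hexdigest(),
           "current_index": {"cpu_load": 42, "open_ports": 9}, "vm_id": "vm-0002"}

if __name__ == "__main__":
    print(audit(sign_running_info(GOOD_RUN), EVALUATION))
    print(audit(sign_running_info(BAD_RUN), EVALUATION))
```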
The above embodiments serve only to explain the technical solution of the present invention and should not be construed as limiting the scope of the claims. It should be clear to those skilled in the art that any simple modification or replacement based on the technical solution of the present invention to obtain a new technical solution falls within the scope of the present invention.