Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
It should be noted that the embodiments of the present disclosure use ordinal terms such as "first," "second," etc. to distinguish a plurality of objects; these terms do not define an order, timing, priority, or importance of the objects, and the descriptions "first," "second," and the like do not necessarily mean that the objects are different.
The secure communication method between virtual machines provided by the embodiments of the disclosure can be applied to the application environment shown in fig. 1. The cloud platform management domain comprises a control platform, a cloud management platform and a public key infrastructure (PKI). The cloud platform service domain includes any number of service nodes, each service node including any number of virtual machines.
Specifically, the cloud platform can be a cloud platform such as OpenStack or VMware, and the control platform can be a micro-isolation control platform comprising a virtual machine access connection relation module, a signature verification rule generation module and a policy engine module. The virtual machine access connection relation module interfaces with the cloud management platform through a customized interface, and obtains and stores the virtual machine life cycle information and access service connection relations from the cloud management platform. The policy engine module provides policy control management: internally it interfaces with the virtual machine access connection relation module to acquire the virtual machine life cycle information and access service connection relations; externally it receives session request information from virtual machines, performs policy matching and calculation, decides whether to allow a session to be established between the sender and the receiver, generates an access control rule and sends the access control rule to the signature verification rule generation module. The signature verification rule generation module is responsible for generating signature certificates and signature verification rules. The cloud management platform manages the life cycle information and access service connection relations of each virtual machine. PKI is a framework for managing and distributing digital certificates. It provides a reliable way to verify identity, encrypt data and secure communications.
The virtual machine may include a micro-isolation agent; for example, a micro-isolation agent is installed in each virtual machine. Data can be transmitted between different virtual machines through the cloud platform network: the virtual machine acting as data sender signs data packets based on its micro-isolation agent, and the virtual machine acting as data receiver verifies data packets based on its micro-isolation agent.
At present, data packets transmitted between different virtual machines in a cloud platform are at risk of being counterfeited, tampered with or replayed, and every service system deployed on the cloud platform has to configure rules such as data packet signature verification independently, so the reliability and security of virtual machine communication are poor.
The following detailed description of embodiments of the present disclosure refers to the accompanying drawings.
Fig. 2 is a flow chart illustrating a secure communication method between virtual machines applied to a control platform in an embodiment of the disclosure. As shown in fig. 2, in an embodiment of the present disclosure, a secure communication method between virtual machines is provided, and the method may be applied to a control platform. The following steps may be included.
In step S201, a session establishment request for communication with the second virtual machine, which is transmitted by the first virtual machine, is received.
The first virtual machine and the second virtual machine are any two different virtual machines in the cloud platform, and the control platform is a micro-isolation control platform in the cloud platform. Optionally, the virtual machine includes a micro-isolation agent, and in this embodiment the steps performed by the virtual machine are performed by the micro-isolation agent installed in the virtual machine.
When the first virtual machine needs to establish communication with the second virtual machine, namely, the first virtual machine needs to send a data packet to the second virtual machine, the first virtual machine serving as a data packet sender sends a session establishment request to a control platform in the cloud platform, and correspondingly, the control platform receives the session establishment request. The session establishment request contains the relevant information of the corresponding data packet sender and the data packet receiver.
In an exemplary embodiment, the session establishment request may carry the identifier of the first virtual machine, that is, identifier information corresponding to the first virtual machine, for example an IP/MAC address (Internet Protocol/Media Access Control address). The session establishment request may also carry an identifier of the second virtual machine.
Optionally, the first virtual machine may send a corresponding session establishment request to the control platform only when communication with the second virtual machine needs to be established for the first time, or may send a corresponding session establishment request to the control platform each time communication with the second virtual machine needs to be established.
In step S202, in response to the session establishment request, a corresponding first signature verification rule and second signature verification rule are generated.
The control platform responds to the session establishment request, and generates a signature verification rule corresponding to the session establishment request based on the related information of the corresponding data packet sender and the data packet receiver contained in the session establishment request. For example, the control platform determines a first virtual machine as a data packet sender and a second virtual machine as a data packet receiver, and generates a corresponding signature verification rule when it is determined that the first virtual machine is allowed to communicate with the second virtual machine.
Optionally, the control platform acquires a signing policy of the first virtual machine and a signing policy of the second virtual machine, and further determines to allow the first virtual machine to communicate with the second virtual machine and generates a corresponding signature verification rule under the condition that the signing policy of the first virtual machine and the signing policy of the second virtual machine both meet communication requirements.
Since the first virtual machine and the second virtual machine act as sender and receiver of the data packet respectively, their signature verification rules also differ. The generated signature verification rules include a first signature verification rule corresponding to the first virtual machine and a second signature verification rule corresponding to the second virtual machine. The first signature verification rule instructs the first virtual machine to sign the data packet. The second signature verification rule instructs the second virtual machine to verify the signed data packet.
In step S203, the first signature verification rule is sent to the first virtual machine; the first signature verification rule is used for indicating the first virtual machine to sign the data packet based on a prestored private key and sending the signed data packet to the second virtual machine.
In the embodiment of the disclosure, the control platform sends the corresponding first signature verification rule to the first virtual machine. The first signature verification rule instructs the first virtual machine to sign the data packet based on a prestored private key: in the embodiment of the disclosure, each virtual machine has a private key stored locally before it initiates a session establishment request. In response to the first signature verification rule, the first virtual machine reads the prestored private key and signs the data packet with it. The first signature verification rule further instructs the first virtual machine to send the signed data packet to the second virtual machine.
In an exemplary embodiment, each virtual machine in the cloud platform service domain needs to generate a set of corresponding private and public keys when applying for registration. The private key is stored in the local virtual machine in advance, and the public key is sent to the control platform. The private key corresponding to each virtual machine is independently generated, and the private key cannot be transmitted in the network, so that the security of the private key is enhanced. The private key is used to sign packets sent locally to other virtual devices during packet transmission.
In step S204, the second signature verification rule is sent to the second virtual machine; the second signature verification rule comprises a public key signature certificate corresponding to the private key; the second signature verification rule is used for indicating the second virtual machine to verify the signed data packet based on the public key signature certificate.
In the embodiment of the disclosure, the control platform sends a corresponding second signature verification rule to the second virtual machine. The second signature verification rule includes the public key signature certificate corresponding to the private key of the first virtual machine in step S203. The public key signature certificate is a public key signature certificate generated based on a public key corresponding to the private key and is used for carrying out signature verification on a data packet signed based on the private key. The control platform may have previously stored a public key signature certificate corresponding to the private key. The second signature verification rule is used for indicating the second virtual machine to verify the data packet signed by the first virtual machine based on the public key signature certificate.
As previously described, the private key and the public key are a corresponding pair previously generated for the first virtual machine. The public key signature certificate can be used to verify the signature on a data packet signed with the private key. The control platform sends the public key signature certificate to the second virtual machine in the second signature verification rule so that the second virtual machine can verify the data packet signed by the first virtual machine.
According to the secure communication method between virtual machines, the control platform receives the session establishment request sent by the first virtual machine for communicating with the second virtual machine, generates the first signature verification rule and the second signature verification rule corresponding to the session establishment request, sends the first signature verification rule to the first virtual machine to instruct it to sign the data packet based on the private key, and sends the second signature verification rule to the second virtual machine to instruct it to verify the signed data packet based on the public key signature certificate. In this way, a control platform with a unified signature verification rule management function is newly deployed and provides specific signature verification rules to each virtual machine, so that the first virtual machine, as sender, signs data packets based on the first signature verification rule and the second virtual machine, as receiver, verifies data packets based on the second signature verification rule, achieving reliability and security of data packet transmission between the virtual machines.
In order to ensure the reliability of secure communication between virtual machines, in one embodiment, based on the basic information of the virtual machines, whether the virtual machines meet the communication conditions may be determined, and then a corresponding signature verification rule may be generated, as shown in fig. 3, where S202 may include:
in step S301, basic information of a first virtual machine and basic information of a second virtual machine are acquired.
The basic information comprises life cycle information and a service connection relation. The life cycle information of the virtual machine refers to the life cycle information of the corresponding service virtual machine. The service connection relation of the virtual machine can be the access service connection relation of the virtual machine in the cloud platform, the access relation between the virtual machine and physical resources, or the service connection relation between the virtual machine and other virtual machines. The service connection relation can be represented as a view.
Optionally, the basic information of the first virtual machine and the basic information of the second virtual machine are acquired from the cloud management platform through the customized interface. The control platform interfaces with the cloud management platform through the customized interface, so that once the first virtual machine is determined as data packet sender and the second virtual machine as data packet receiver, their basic information is obtained from the cloud management platform.
For example, the control platform acquires the basic information of the first virtual machine and of the second virtual machine from the cloud management platform via the virtual machine access connection relation module, and then passes this basic information from the virtual machine access connection relation module to the policy engine module through an internal interface of the control platform.
In step S302, it is determined whether the first virtual machine is allowed to communicate with the second virtual machine based on the basic information of the first virtual machine and the basic information of the second virtual machine.
The basic information also includes an ACL (Access Control List) and the like, and the ACL can be used for signing policy matching and calculation. Based on the basic information of the first virtual machine and of the second virtual machine, combined with the signing policy of the first virtual machine and the signing policy of the second virtual machine, it is decided whether to allow the first virtual machine to communicate with the second virtual machine.
For example, the control platform decides, via the policy engine module, whether to allow the first virtual machine to communicate with the second virtual machine and transmits the decision result to the signature verification rule generation module via the internal interface. If the life cycle information of the first virtual machine and the second virtual machine meets the communication condition, and the service connection relation of the first virtual machine and the second virtual machine conforms to a preset signing policy, it is determined that the first virtual machine is allowed to communicate with the second virtual machine; otherwise, if either condition is not met, it is determined that the first virtual machine and the second virtual machine are not allowed to communicate.
In step S303, in response to determining that the first virtual machine is allowed to communicate with the second virtual machine, the corresponding first signature verification rule and second signature verification rule are generated.
Specifically, the control platform dynamically generates the signature verification rules based on the basic information of the first virtual machine and of the second virtual machine. For example, the control platform generates the first signature verification rule and the second signature verification rule by means of the signature verification rule generation module. The first signature verification rule may specify how the first virtual machine signs the data packet to be sent and over which path the signed data packet is sent to the second virtual machine. The second signature verification rule may specify how the second virtual machine verifies the signed data packet after receiving it from the first virtual machine.
The public key signature certificate corresponding to the private key stored in each virtual machine is pre-stored in the control platform. And reading the public key signature certificate corresponding to the first virtual machine according to the first virtual machine identifier in the session establishment request. The public key signature certificate is contained in the second signature verification rule, so that the second virtual machine can verify the signed data packet sent by the first virtual machine.
In this embodiment, the control platform obtains the basic information of the first virtual machine and of the second virtual machine, determines based on that information whether to allow the first virtual machine to communicate with the second virtual machine, and generates the signature verification rules corresponding to the session request only when the two virtual machines are determined to be allowed to communicate. This avoids generating signature verification rules for virtual machines that cannot communicate with each other, achieves unified management of the cloud platform signature verification rules, and relieves service systems deployed on the cloud platform from independently configuring signature verification rules.
In order to configure signature verification compatible with virtual machines of different service systems, in an embodiment, access control rules corresponding to the virtual machines may be generated first, and then signature verification rules may be generated based on the access control rules, as shown in fig. 4, S303 may include:
in step S401, a corresponding access control rule is generated based on the session establishment request, and the basic information of the first virtual machine and the basic information of the second virtual machine.
The service access requirement between the first virtual machine and the second virtual machine can be determined from the session establishment request, and the communication path that can be realized between the first virtual machine and the second virtual machine can be determined from the service connection relations in their basic information; the corresponding access control rule is generated by combining the service access requirement between the two virtual machines with the realizable communication path.
For example, the policy engine module of the control platform obtains the basic information of the first virtual machine and of the second virtual machine from the virtual machine access connection relation module through an internal interface, and then dynamically generates the access control rule in combination with the service access requirement indicated by the session establishment request.
In step S402, based on the access control rule, the corresponding first signature verification rule and second signature verification rule are generated.
Further, the signature verification rule generating module of the control platform applies for access control rules from the policy engine module through the internal interface and generates the signature verification rules based on the access control rules.
Signature verification rules include, but are not limited to, the first signature verification rule and the second signature verification rule. The first signature verification rule may specify how the first virtual machine signs the data packet to be sent and over which path the signed data packet is sent to the second virtual machine. The second signature verification rule may specify how the second virtual machine verifies the signed data packet after receiving it from the first virtual machine.
In this embodiment, the control platform generates the corresponding access control rule based on the session establishment request and the basic information of the first and second virtual machines, and generates the signature verification rules corresponding to the session establishment request based on the access control rule, which increases the reliability of dynamically generating signature verification rules in the control platform and realizes unified, linked management of access control rules and signature verification rules by the cloud platform.
In an alternative embodiment, the first signature verification rule further instructs the first virtual machine to repackage the data packet, insert a session counter field into the repackaged data packet, and sign the data packet containing the session counter field based on the session key.
After the first virtual machine receives the first signature verification rule, it repackages the data packet to be sent to the second virtual machine as instructed by the rule, inserts a session counter field into the data packet and then inserts a signature field, completing the signing flow for the data packet to be sent. The session counter field is used to prevent replay attacks, and the signature information signs the whole data packet. In an exemplary embodiment, the session counter field and the signature information may each be contained in a 32-bit field.
In an alternative embodiment, the second signature verification rule instructs the second virtual machine to perform a first verification on the received data packet based on the standard value corresponding to the session counter field. The second signature verification rule further instructs the second virtual machine to perform a second verification on the received data packet based on the public key signature certificate.
After the second virtual machine receives the second signature verification rule and the signed data packet, it performs session counter verification and signature verification, namely the first verification and the second verification, on the signed data packet as instructed by the second signature verification rule.
The second virtual machine obtains the standard value corresponding to the session counter field, which can be carried in the second signature verification rule, and compares the actual value of the session counter field with the standard value, thereby performing the first verification of the data packet. If the actual value matches the standard value, the first verification passes; if it does not, the data packet is judged to have been intercepted and the first verification fails.
Further, the second virtual machine also obtains the public key signature certificate, which is included in the second signature verification rule. Based on the public key signature certificate, the second virtual machine performs the second verification on the signed data packet sent by the first virtual machine. If the second verification fails, the data packet is judged to have been tampered with, the data packet is discarded and the communication with the first virtual machine is disconnected.
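As an added illustration of the packet handling in this embodiment (not code from the disclosure), the following Go program models the sender inserting a 32-bit session counter field and a signature, and the receiver performing the first verification (counter against the standard value) and the second verification (signature), rejecting a replayed and a tampered packet. The wire layout, the use of ed25519 (so the signature field is 64 bytes rather than 32 bits) and the type and field names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed wire layout of the repackaged packet (the disclosure only states that
// a session counter field and a signature field are inserted):
//   [4-byte big-endian session counter][original payload][ed25519 signature]
// The signature covers counter||payload, so a change to either is detected.
const (
	counterLen = 4
	sigLen     = ed25519.SignatureSize
)

var (
	ErrReplay = errors.New("first verification failed: session counter does not match the standard value")
	ErrTamper = errors.New("second verification failed: signature invalid, packet discarded")
)

// Sender models the first virtual machine acting under the first signature
// verification rule: it holds the prestored private key and the session counter.
type Sender struct {
	Priv    ed25519.PrivateKey
	Counter uint32 // value placed in the session counter field of the next packet
}

// Send repackages the payload, inserts the session counter field, signs the
// packet with the private key and returns the signed packet.
func (s *Sender) Send(payload []byte) []byte {
	body := make([]byte, counterLen+len(payload))
	binary.BigEndian.PutUint32(body, s.Counter)
	copy(body[counterLen:], payload)
	s.Counter++
	return append(body, ed25519.Sign(s.Priv, body)...)
}

// Receiver models the second virtual machine acting under the second signature
// verification rule: it holds the standard counter value carried in that rule
// and the sender's public key taken from the public key signature certificate.
type Receiver struct {
	Pub      ed25519.PublicKey
	Expected uint32 // standard value for the session counter field
}

// Receive performs the first verification (session counter) and then the
// second verification (signature) and returns the original payload on success.
// The standard value advances only after both checks pass, so a forged or
// replayed packet cannot desynchronise the receiver.
func (r *Receiver) Receive(pkt []byte) ([]byte, error) {
	if len(pkt) < counterLen+sigLen {
		return nil, errors.New("packet too short to hold counter and signature")
	}
	body, sig := pkt[:len(pkt)-sigLen], pkt[len(pkt)-sigLen:]
	if binary.BigEndian.Uint32(body) != r.Expected {
		return nil, ErrReplay
	}
	if !ed25519.Verify(r.Pub, body, sig) {
		return nil, ErrTamper
	}
	r.Expected++
	return append([]byte(nil), body[counterLen:]...), nil
}

func main() {
	// Constructed demo: one key pair stands in for the VM's registered private key
	// and the public key delivered to the receiver inside the certificate.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	snd := &Sender{Priv: priv, Counter: 100}
	rcv := &Receiver{Pub: pub, Expected: 100}

	pkt := snd.Send([]byte("constructed service payload"))
	payload, err := rcv.Receive(pkt)
	fmt.Printf("fresh packet: payload=%q err=%v\n", payload, err)

	_, err = rcv.Receive(pkt) // same packet again: caught by the session counter
	fmt.Println("replayed packet:", err)

	pkt2 := snd.Send([]byte("second packet"))
	pkt2[counterLen] ^= 0xFF // flip one payload byte: caught by the signature
	_, err = rcv.Receive(pkt2)
	fmt.Println("tampered packet:", err)
}
```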
Based on the foregoing embodiment, in one embodiment, as shown in fig. 5, the secure communication method between virtual machines further includes:
in step S501, a public key sent by the first virtual machine is received; the public key is generated by the first virtual machine based on a first virtual machine identification and corresponds to the private key.
As described above, before the first virtual machine sends the session establishment request, the first virtual machine generates in advance a set of corresponding private and public keys. The set of private and public keys is generated based on the first virtual machine identification. The private key is stored in the local virtual machine in advance, and the public key is sent to the control platform. The private key is used to sign the data packet, and the corresponding public key can perform signature verification on the signed data packet.
In an exemplary embodiment, each virtual machine in the cloud platform service domain needs to generate the above-mentioned set of corresponding private key and public key when applying for registration. The private key is stored in the local virtual machine along with the virtual machine registration process, and the corresponding public key is sent to the control platform.
In step S502, the public key is signed by the PKI to generate the public key signature certificate.
In the embodiment of the disclosure, the signature verification rule generation module in the control platform is responsible for generating the signature certificate. The signature verification rule generation module receives the public key uploaded by the first virtual machine and sends it to the PKI to be signed. As previously mentioned, PKI is a framework for managing and distributing digital certificates. It provides a reliable way to verify identity, encrypt data and secure communications. Signing the public key with the PKI produces a public key signature certificate, which allows the public key to be confirmed as belonging to its claimed owner and as untampered. The public key signature certificate can verify the signature on a data packet signed with the corresponding private key.
In step S503, a correspondence table between the first virtual machine and the public key signature certificate is stored.
In the embodiment of the disclosure, the public key signature certificates corresponding to the virtual machines are stored in the control platform. Therefore, a correspondence table between each virtual machine and its public key signature certificate needs to be maintained and stored, so that, in response to the session establishment request sent by the first virtual machine, the public key signature certificate corresponding to the first virtual machine can be retrieved to generate the corresponding second signature verification rule.
Based on the foregoing embodiment, based on the correspondence table between the first virtual machine and the public key signature certificate stored in step S503, as shown in fig. 6, the generating the second signature verification rule in step S202 may include:
in step S601, the public key signature certificate corresponding to the first virtual machine is searched according to the correspondence table.
In the embodiment of the disclosure, the public key signature certificates corresponding to all virtual machines are pre-stored in the control platform, and a correspondence table between all virtual machines and the public key signature certificates is maintained and stored. The public key signature certificate corresponding to the first virtual machine is looked up in the correspondence table. This certificate can be used to verify the signature on a data packet signed with the private key pre-stored in the first virtual machine.
In step S602, the second signature verification rule is generated according to the found public key signature certificate.
In the embodiment of the disclosure, the control platform generates the second signature verification rule according to the found public key signature certificate, and the second signature verification rule is sent to the second virtual machine for signature verification. It should be noted that the second signature verification rule includes the public key signature certificate corresponding to the first virtual machine, but is not limited thereto: other indication information or other verification information can also be contained in the second signature verification rule. For example, the second signature verification rule may further include the standard value corresponding to the session counter field, so that the second virtual machine can perform the first verification on the received data packet.
According to the secure communication method between virtual machines provided by the embodiment of the disclosure, the private key and the public key pair are generated in advance in each virtual machine, wherein the private key is stored in the virtual machine, and the public key is sent to the control platform to generate the corresponding public key signature certificate. In the process of secure communication between virtual machines, a sender signs a data packet based on a local prestored private key, and a receiver verifies the signed data packet based on a corresponding public key signature certificate acquired from a control platform. In the whole communication process, the private key for signing the data packet is not transmitted in the network, so that the safety of the private key is further enhanced, and the safety of the communication of the virtual machine is further improved.
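The following Go program, added here and not taken from the disclosure, models the control platform side of steps S201-S204, S301-S303, S501-S503 and S601-S602: registration of a virtual machine's public key, PKI signing of that key into a certificate, the correspondence table, the policy decision on basic information, and generation of the two signature verification rules. The certificate format (a PKI signature over the VM identifier and public key), the "running" life cycle condition, the random session counter start and the rule structures are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate models the public key signature certificate: the PKI signs the
// virtual machine identifier together with the VM's public key. This is an
// assumed simplification of an X.509 certificate, not the disclosure's format.
type Certificate struct {
	VMID   string
	PubKey ed25519.PublicKey
	PKISig []byte
}

func certBody(vmID string, pub ed25519.PublicKey) []byte {
	return append([]byte(vmID+"|"), pub...)
}

// VerifyCertificate lets a receiver confirm the certificate was issued by the PKI.
func VerifyCertificate(pkiPub ed25519.PublicKey, c Certificate) bool {
	return ed25519.Verify(pkiPub, certBody(c.VMID, c.PubKey), c.PKISig)
}

// BasicInfo: life cycle state and service connection relation (peers this VM
// may access), as obtained from the cloud management platform.
type BasicInfo struct {
	Lifecycle string
	Connects  map[string]bool
}

// FirstRule goes to the sender (sign with the prestored private key, start the
// session counter at Counter); SecondRule goes to the receiver (verify with the
// sender's certificate, compare the counter field against the standard value).
type FirstRule struct{ Sender, Receiver string; Counter uint32 }
type SecondRule struct{ Sender string; Cert Certificate; Counter uint32 }

// ControlPlatform holds the PKI signing key, the VM-to-certificate
// correspondence table (step S503) and the basic information of each VM.
type ControlPlatform struct {
	pkiPriv ed25519.PrivateKey
	PKIPub  ed25519.PublicKey
	Certs   map[string]Certificate
	Info    map[string]BasicInfo
}

func NewControlPlatform() *ControlPlatform {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // PKI signing key pair
	return &ControlPlatform{pkiPriv: priv, PKIPub: pub, Certs: map[string]Certificate{}, Info: map[string]BasicInfo{}}
}

// Register implements steps S501-S503: receive the VM's public key, have the
// PKI sign it into a certificate and store it under the VM identifier. The
// private key never reaches the control platform.
func (cp *ControlPlatform) Register(vmID string, pub ed25519.PublicKey, bi BasicInfo) {
	cp.Certs[vmID] = Certificate{VMID: vmID, PubKey: pub,
		PKISig: ed25519.Sign(cp.pkiPriv, certBody(vmID, pub))}
	cp.Info[vmID] = bi
}

// allowed implements step S302: both VMs must be in the running life cycle
// state and the sender's service connection relation must include the receiver.
func (cp *ControlPlatform) allowed(sender, receiver string) bool {
	s, okS := cp.Info[sender]
	r, okR := cp.Info[receiver]
	return okS && okR && s.Lifecycle == "running" && r.Lifecycle == "running" && s.Connects[receiver]
}

// HandleSessionRequest implements steps S201-S204 together with S301-S303 and
// S601-S602: decide on the request, look up the sender's certificate in the
// correspondence table and generate the pair of signature verification rules.
func (cp *ControlPlatform) HandleSessionRequest(sender, receiver string) (FirstRule, SecondRule, error) {
	if !cp.allowed(sender, receiver) {
		return FirstRule{}, SecondRule{}, errors.New("policy engine: communication not allowed")
	}
	cert, ok := cp.Certs[sender] // step S601: look up the sender's certificate
	if !ok {
		return FirstRule{}, SecondRule{}, errors.New("no certificate registered for sender")
	}
	var seed [4]byte
	if _, err := rand.Read(seed[:]); err != nil {
		return FirstRule{}, SecondRule{}, err
	}
	start := binary.BigEndian.Uint32(seed[:]) // random session counter start (assumption)
	return FirstRule{sender, receiver, start}, SecondRule{sender, cert, start}, nil
}

func main() {
	cp := NewControlPlatform()
	pubA, _, _ := ed25519.GenerateKey(rand.Reader) // constructed VMs; their private keys stay local
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	cp.Register("vm-a", pubA, BasicInfo{Lifecycle: "running", Connects: map[string]bool{"vm-b": true}})
	cp.Register("vm-b", pubB, BasicInfo{Lifecycle: "running", Connects: map[string]bool{}})
	r1, r2, err := cp.HandleSessionRequest("vm-a", "vm-b")
	fmt.Printf("vm-a -> vm-b: err=%v counter=%d cert=%s pki-valid=%v\n", err, r1.Counter, r2.Cert.VMID, VerifyCertificate(cp.PKIPub, r2.Cert))
	_, _, err = cp.HandleSessionRequest("vm-b", "vm-a") // vm-a is not in vm-b's connection relation
	fmt.Println("vm-b -> vm-a:", err)
}
```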
In one embodiment, as shown in fig. 7, a secure communication method between virtual machines is provided, which is applied to a first virtual machine, and includes the following steps:
S701, sending a session establishment request for requesting communication with the second virtual machine to the control platform.
The first virtual machine and the second virtual machine are any two different virtual machines in the cloud platform, and the control platform is a micro-isolation control platform in the cloud platform. Optionally, the first virtual machine includes a micro-isolation agent, and the execution body of the method is the micro-isolation agent installed in the first virtual machine.
When the first virtual machine needs to establish communication with the second virtual machine, that is, when it needs to send a data packet to the second virtual machine, the first virtual machine, as the data packet sender, sends a session establishment request to the control platform in the cloud platform. The session establishment request contains information about the data packet sender and the data packet receiver. Specifically, the session establishment request carries the identifier of the first virtual machine, that is, identifier information corresponding to the first virtual machine, such as an IP address or MAC address. The session establishment request may also carry the identifier of the second virtual machine.
Optionally, the first virtual machine may send a corresponding session establishment request to the control platform only when communication with the second virtual machine needs to be established for the first time, or may send a corresponding session establishment request to the control platform each time communication with the second virtual machine needs to be established.
S702, receiving a first signature verification rule sent by the control platform.
The control platform responds to the session establishment request, and generates a signature verification rule corresponding to the session establishment request based on the related information of the corresponding data packet sender and the data packet receiver contained in the session establishment request. For example, the control platform determines a first virtual machine as a data packet sender and a second virtual machine as a data packet receiver, and generates a corresponding signature verification rule when it is determined that the first virtual machine is allowed to communicate with the second virtual machine.
The generated signature verification rules comprise a first signature verification rule corresponding to the first virtual machine and a second signature verification rule corresponding to the second virtual machine. The first signature verification rule is used to instruct the first virtual machine to sign the data packet.
S703, signing the data packet based on a prestored private key according to the first signature verification rule, and sending the signed data packet to the second virtual machine.
According to the first signature verification rule, the first virtual machine signs the data packet to be sent to the second virtual machine based on a prestored private key and, once signing is complete, sends the signed data packet to the second virtual machine.
Optionally, the first signature verification rule may specify in what manner the first virtual machine is to sign the data packet to be sent, and by what path the signed data packet is to be sent to the second virtual machine.
According to the scheme, the first virtual machine sends a session establishment request for requesting communication with the second virtual machine to the control platform, receives the signature verification rule sent by the control platform, signs the data packet based on the signature verification rule, and sends the signed data packet to the second virtual machine. According to the embodiment, the control platform with the unified signature verification rule management function is newly added and deployed, so that a specific signature verification rule is provided for the first virtual machine, and the first virtual machine serving as a sender performs data packet signature based on the signature verification rule, so that reliability and safety of data packet transmission among the virtual machines are realized.
In an alternative embodiment, the first signature verification rule is generated by the control platform in a case where it is determined to allow the first virtual machine to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine.
The basic information includes life cycle information and service connection relations. The life cycle information of a virtual machine refers to the life cycle information of the corresponding service virtual machine. The service connection relation of a virtual machine may be the access service connection relation of the virtual machine in the cloud platform, an access relation between the virtual machine and physical resources, or a service connection relation between the virtual machine and other virtual machines. The service connection relation may be expressed in the form of a view.
The basic information also includes ACLs, etc., which can be used for subscription policy matching and calculation. Based on the basic information of the first virtual machine and the basic information of the second virtual machine, the control platform combines the signing policy of the first virtual machine and the signing policy of the second virtual machine, so as to decide whether to allow the first virtual machine to communicate with the second virtual machine.
Further, under the condition that the first virtual machine is determined to be allowed to communicate with the second virtual machine, the control platform dynamically generates a signature verification rule based on the basic information of the first virtual machine and the basic information of the second virtual machine. The signature verification rule comprises a first signature verification rule and a second signature verification rule. The first signature verification rule is used for indicating the first virtual machine to sign the data packet based on a prestored private key and sending the signed data packet to the second virtual machine. The second signature verification rule is used for indicating the second virtual machine to verify the signed data packet based on the public key signature certificate.
Therefore, the generation of the signature verification rule under the condition that the virtual machines cannot communicate with each other can be avoided, so that the reliability of the dynamic generation of the signature verification rule by the control platform is improved, unified management of the cloud platform signature verification rule is realized, and the service system deployed on the cloud platform is not required to independently perform relevant configuration of the signature verification rule.
In order to enhance the security of the data packet transmitted in the secure communication flow between the virtual machines, in one embodiment, the processing may be performed in combination with the session counter and the data signature, as shown in fig. 8, and S703 may include:
S801, the data packet is repackaged based on the first virtual machine, and a session counter field is inserted into the data packet.
After the first virtual machine receives the first signature verification rule, the data packet to be sent to the second virtual machine is repackaged under the instruction of the first signature verification rule. For example, the original data is converted into binary data, the binary data is divided into data segments, and the TCP header and the IP header are encapsulated to obtain a data packet of the network layer.
Further, a session counter field is inserted into the repackaged data packet; the session counter field may be 32 bits. Without it, an attacker could capture a data packet and resend it to the second virtual machine, pass the communication authentication and so compromise the security of the communication. The actual value of the session counter field indicates the number of the session, and as the first virtual machine communicates with the second virtual machine the actual value increases with the number of sessions, so a data packet carrying the session counter field can be protected against replay attacks.
S802, signing the data packet inserted into the session counter field by adopting the private key.
At the end of the data packet into which the session counter field has been inserted, a signature information field is appended, obtained by signing with the private key. The signature information field signs the whole data packet, and may be 32 bits. The embodiment does not limit the specific signature algorithm.
Optionally, as shown in fig. 9, the signed packet structure includes: version (4 bits), header length (4 bits), type of service (8 bits), total length (16 bits), identification (16 bits), flags (3 bits), fragment offset (13 bits), time to live TTL (8 bits), protocol (8 bits), header checksum (16 bits), source IP address (32 bits), destination IP address (32 bits), optional options, user data, session counter field (32 bits) and signature field (32 bits). The 16-bit total length field is updated from its original value to include the lengths of the session counter field and the signature field.
In this embodiment, not only is a session counter field inserted into the data packet to realize replay attack prevention, but also a signature field is inserted to allow the second virtual machine to determine whether the data packet is tampered, thereby comprehensively improving the security of virtual machine communication.
Based on the foregoing embodiment, in one embodiment, as shown in fig. 10, the virtual machine communication method further includes:
In step S1001, the private key and the public key corresponding to each other are generated based on the first virtual machine identification.
As described above, before the first virtual machine sends the session establishment request, the first virtual machine generates in advance a set of corresponding private and public keys. The set of private and public keys is generated based on the first virtual machine identification. The private key is stored in the local virtual machine in advance, and the public key is sent to the control platform. The private key is used to sign the data packet, and the corresponding public key can perform signature verification on the signed data packet.
In an exemplary embodiment, each virtual machine in the cloud platform service domain needs to generate the above-mentioned set of corresponding private key and public key when applying for registration. The private key is stored in the local virtual machine along with the virtual machine registration process, and the corresponding public key is sent to the control platform.
In step S1002, the private key is stored in advance.
The first virtual machine stores the private key therein in the local virtual machine for signing the data packet.
In step S1003, the public key is sent to the control platform.
The first virtual machine sends the public key thereof to the control platform. The control platform sends the public key to the PKI to sign the public key, generating a public key signature certificate. The public key signature certificate can carry out signature verification on the data packet subjected to signature processing by the corresponding private key.
According to the secure communication method between virtual machines provided by the embodiment of the disclosure, the private key and the public key pair are generated in advance in each virtual machine, wherein the private key is stored in the virtual machine, and the public key is sent to the control platform to generate the corresponding public key signature certificate. In the process of secure communication between virtual machines, a sender signs a data packet based on a local prestored private key, and a receiver verifies the signed data packet based on a corresponding public key signature certificate acquired from a control platform. In the whole communication process, the private key for signing the data packet is not transmitted in the network, so that the safety of the private key is further enhanced, and the safety of the communication of the virtual machine is further improved.
In one embodiment, as shown in fig. 11, there is provided a secure communication method between virtual machines, applied to a second virtual machine, including the steps of:
S1101, receiving a second signature verification rule sent by a control platform; the second signature verification rule comprises a public key signature certificate corresponding to a private key pre-stored in the first virtual machine.
The first virtual machine and the second virtual machine are any two different virtual machines in the cloud platform, and the control platform is a micro-isolation control platform in the cloud platform. Optionally, the second virtual machine includes a micro-isolation agent, and the execution body of the method is the micro-isolation agent installed in the second virtual machine.
The first virtual machine identifier is carried in a session establishment request sent to the control platform by the first virtual machine for communication with the second virtual machine, and the first virtual machine identifier, namely, the identifier information corresponding to the first virtual machine, can be identifier information such as an IP/MAC address.
The control platform generates a first signature verification rule and a second signature verification rule under the condition that the first virtual machine is allowed to communicate with the second virtual machine, sends the first signature verification rule to the first virtual machine, and sends the second signature verification rule to the second virtual machine. The second signature verification rule includes a public key signature certificate corresponding to a private key pre-stored in the first virtual machine. The public key signature certificate can carry out signature verification on the data packet subjected to signature processing by the corresponding private key.
S1102, receiving the signed data packet sent by the first virtual machine; the signed data packet is obtained by the first virtual machine signing the data packet based on the first signature verification rule sent by the control platform and the prestored private key.
After receiving the first signature verification rule sent by the control platform, the first virtual machine signs the data packet with the prestored private key under the instruction of the first signature verification rule, and sends the signed data packet to the second virtual machine. Correspondingly, the second virtual machine receives the signed data packet.
S1103, based on the second signature verification rule, verifying the signed data packet.
Under the instruction of the second signature verification rule, the second virtual machine verifies the signed data packet. The verification includes a session counter verification and a signature verification.
According to the scheme, the second virtual machine receives the second signature verification rule sent by the control platform, receives the signed data packet sent by the first virtual machine, and verifies the signed data packet based on the second signature verification rule. According to the embodiment, the control platform with the unified signature verification rule management function is newly added and deployed, so that a specific signature verification rule is provided for the second virtual machine, the second virtual machine serving as a receiver performs data packet verification based on the signature verification rule, reliability and safety of data packet transmission among the virtual machines are achieved, and signature and verification are performed by adopting a pre-generated private key and a pre-generated public key, so that the communication safety of the virtual machines can be further improved.
In an alternative embodiment, the second signature verification rule is generated by the control platform in determining that the first virtual machine is allowed to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine.
The basic information includes life cycle information and service connection relations. The life cycle information of a virtual machine refers to the life cycle information of the corresponding service virtual machine. The service connection relation of a virtual machine may be the access service connection relation of the virtual machine in the cloud platform, an access relation between the virtual machine and physical resources, or a service connection relation between the virtual machine and other virtual machines. The service connection relation may be expressed in the form of a view.
The basic information also includes ACLs, etc., which can be used for subscription policy matching and calculation. Based on the basic information of the first virtual machine and the basic information of the second virtual machine, the control platform combines the signing policy of the first virtual machine and the signing policy of the second virtual machine, so as to decide whether to allow the first virtual machine to communicate with the second virtual machine.
Further, under the condition that the first virtual machine is determined to be allowed to communicate with the second virtual machine, the control platform dynamically generates the second signature verification rule based on the basic information of the first virtual machine and the basic information of the second virtual machine: it looks up the public key signature certificate corresponding to the first virtual machine, generates the second signature verification rule from it, and the second virtual machine verifies by means of the public key signature certificate.
Therefore, the generation of the signature verification rule under the condition that the virtual machines cannot communicate with each other can be avoided, so that the reliability of the dynamic generation of the signature verification rule by the control platform is improved, unified management of the cloud platform signature verification rule is realized, and the service system deployed on the cloud platform is not required to independently perform relevant configuration of the signature verification rule.
In order to enhance the security of the data packet transmitted in the communication flow of the virtual machine, in an embodiment, the processing may be performed in combination with the session counter and the data signature, as shown in fig. 12, and S1103 may include:
S1201, performing a first verification on the signed data packet based on the standard value corresponding to the session counter field in the second signature verification rule.
After receiving the second signature verification rule and the signed data packet, the second virtual machine performs session counter verification, namely first verification, on the signed data packet under the instruction of the second signature verification rule.
Specifically, the second virtual machine obtains a standard value corresponding to the session counter field, where the standard value may be carried in a second signature verification rule, and finds the session counter field from the signed data packet to obtain an actual value of the session counter field, and further compares the actual value corresponding to the session counter field with the standard value, so as to implement first verification on the data packet.
Without the session counter field, an attacker could capture a data packet and resend it to the second virtual machine, pass the communication authentication and so compromise the security of the communication. The actual value of the session counter field indicates the number of the session, and as the first virtual machine communicates with the second virtual machine the actual value increases with the number of sessions, so a data packet carrying the session counter field can be protected against replay attacks.
In an alternative embodiment, the actual value of the session counter field in the signed data packet is compared with the standard value corresponding to the session counter field in the signature verification rule; if the actual value matches the standard value, the first verification of the signed data packet is determined to pass, and if it does not match, the first verification is determined to fail. In other words, when the actual value of the session counter field equals the standard value, the current session is not at risk of a session replay attack.
S1202, based on the public key signature certificate in the second signature verification rule, performing second verification on the signed data packet.
Based on the public key signature certificate in the second signature verification rule, a second verification is performed on the signed data packet. Specifically, the signature information field at the tail end of the data packet is located, and the signature produced with the corresponding private key is verified with the public key signature certificate. The signature information field signs the whole data packet and may be 32 bits.
If the second verification fails, the data packet is judged to have been tampered with, the data packet is discarded, and the communication with the first virtual machine is disconnected.
In this embodiment, the first verification is performed based on the standard value corresponding to the session counter field, and the second verification is performed based on the public key signature certificate, so that not only can replay attack be prevented, but also whether the data packet is tampered can be checked, and the security of virtual machine communication is comprehensively improved.
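The processing of S801 and S802 on the first virtual machine and of S1201 and S1202 on the second virtual machine, as an added example in Go that is not code from the disclosure. It assembles a minimal IPv4 header in front of the user data, inserts the 32-bit session counter field, updates the total length field and header checksum to cover the inserted fields as fig. 9 requires, signs header, user data and counter with the sender's locally held private key, and on the receiving side performs the session counter check (first verification) before the signature check (second verification). Assumptions not taken from the disclosure: Ed25519 is the signature algorithm, so the signature field is 64 bytes rather than the 32-bit field drawn in fig. 9; the receiver holds the public key from the certificate directly; the standard counter value starts at 1 and advances only after a packet has passed both checks. The function names, addresses and payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ipv4HeaderLen = 20                    // fixed IPv4 header, no options
	counterLen    = 4                     // 32-bit session counter field
	sigLen        = ed25519.SignatureSize // 64 bytes (assumption; fig. 9 draws 32 bits)
)

var (
	ErrReplay = errors.New("first verification failed: session counter mismatch (possible replay)")
	ErrTamper = errors.New("second verification failed: invalid signature (tampered packet or wrong key)")
)

// ipv4Checksum is the RFC 791 one's-complement header checksum; hdr's checksum field must be zero.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i : i+2]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// buildIPv4Packet assembles a minimal IPv4 header in front of the user data.
func buildIPv4Packet(src, dst [4]byte, proto byte, payload []byte) []byte {
	pkt := make([]byte, ipv4HeaderLen+len(payload))
	pkt[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	pkt[8], pkt[9] = 64, proto // TTL, protocol
	copy(pkt[12:16], src[:])
	copy(pkt[16:20], dst[:])
	binary.BigEndian.PutUint16(pkt[10:12], ipv4Checksum(pkt[:ipv4HeaderLen]))
	copy(pkt[ipv4HeaderLen:], payload)
	return pkt
}

// signPacket is the sender side (S801/S802): append the session counter, update total
// length and header checksum for both new fields, sign header+data+counter, append the signature.
func signPacket(priv ed25519.PrivateKey, pkt []byte, counter uint32) []byte {
	out := append([]byte(nil), pkt...)
	var c [counterLen]byte
	binary.BigEndian.PutUint32(c[:], counter)
	out = append(out, c[:]...)
	binary.BigEndian.PutUint16(out[2:4], uint16(len(out)+sigLen))
	binary.BigEndian.PutUint16(out[10:12], 0)
	binary.BigEndian.PutUint16(out[10:12], ipv4Checksum(out[:ipv4HeaderLen]))
	return append(out, ed25519.Sign(priv, out)...)
}

// Receiver holds what the second rule delivers: the sender's certified key and the standard counter value.
type Receiver struct{ pub ed25519.PublicKey; expected uint32 }

// verifyPacket is the receiver side (S1201, then S1202); the standard value advances only after
// the signature check, so a forged counter alone cannot move it.
func (r *Receiver) verifyPacket(signed []byte) ([]byte, error) {
	if len(signed) < ipv4HeaderLen+counterLen+sigLen {
		return nil, errors.New("packet too short")
	}
	body, sig := signed[:len(signed)-sigLen], signed[len(signed)-sigLen:]
	if binary.BigEndian.Uint32(body[len(body)-counterLen:]) != r.expected {
		return nil, ErrReplay // first verification
	}
	if !ed25519.Verify(r.pub, body, sig) {
		return nil, ErrTamper // second verification: the caller discards and disconnects
	}
	r.expected++
	return body[ipv4HeaderLen : len(body)-counterLen], nil
}

// demo pushes a fresh packet, a replay of it and a tampered packet through one receiver.
func demo() (fresh, replay, tamper error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the private key stays with the sender
	rx := &Receiver{pub: pub, expected: 1}
	pkt := buildIPv4Packet([4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}, 6, []byte("constructed payload from VM A"))
	signed := signPacket(priv, pkt, 1)
	_, fresh = rx.verifyPacket(signed)
	_, replay = rx.verifyPacket(signed) // the same counter presented again
	tampered := signPacket(priv, pkt, 2)
	tampered[ipv4HeaderLen] ^= 0xff // flip one payload byte after signing
	_, tamper = rx.verifyPacket(tampered)
	return fresh, replay, tamper
}

func main() {
	fresh, replay, tamper := demo()
	fmt.Println("fresh:", fresh, "\nreplay:", replay, "\ntamper:", tamper)
}
```

Run with go run: the fresh packet is accepted, the replayed packet fails the first verification and the tampered packet fails the second, each with its own error. On the field width in fig. 9: no standard digital signature fits in 32 bits, so a 32-bit signature field can only carry a truncated tag, and a tag that short can be guessed with at most 2^32 attempts against a receiver that keeps answering; a deployment should size the field for the signature algorithm actually chosen.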
According to the secure communication method between virtual machines provided by the embodiment of the disclosure, the private key and the public key pair are generated in advance in each virtual machine, wherein the private key is stored in the virtual machine, and the public key is sent to the control platform to generate the corresponding public key signature certificate. In the process of secure communication between virtual machines, a sender signs a data packet based on a local prestored private key, and a receiver verifies the signed data packet based on a corresponding public key signature certificate acquired from a control platform. In the whole communication process, the private key for signing the data packet is not transmitted in the network, so that the safety of the private key is further enhanced, and the safety of the communication of the virtual machine is further improved.
In one embodiment, an alternative example of a secure communication method between virtual machines is provided, as shown in fig. 13, including a micro-isolation client A corresponding to a first virtual machine, a micro-isolation client B corresponding to a second virtual machine, a cloud management platform, a PKI, and a control platform. Micro-isolation client A is the data transmitting end, and micro-isolation client B is the data receiving end.
Specifically, the process of the secure communication method between virtual machines is as follows:
In the first step, micro-isolation client A and micro-isolation client B each install a micro-isolation agent.
In the second step, micro-isolation client A and micro-isolation client B each send a virtual machine registration request to the control platform.
In the third step, micro-isolation client A and micro-isolation client B each generate a private key/public key pair based on their respective virtual machine identifiers; the private key is stored locally and the public key is sent to the control platform.
In the fourth step, the control platform sends the public key to the PKI to generate a public key signature certificate.
In the fifth step, the control platform stores the public key signature certificate.
In the sixth step, the cloud management platform sends virtual machine life cycle information and service connection relations to the control platform.
In the seventh step, the control platform generates an access control rule based on the life cycle information and the service connection relations.
In the eighth step, micro-isolation client A sends a session establishment request to the control platform.
In the ninth step, in response to the session establishment request, the control platform generates a first signature verification rule and a second signature verification rule based on the access control rule.
In the tenth step, the control platform sends the first signature verification rule to micro-isolation client A and the second signature verification rule to micro-isolation client B.
In the eleventh step, micro-isolation client A repackages the data packet based on the first signature verification rule, inserts a session counter field, and signs the data packet with its private key.
In the twelfth step, micro-isolation client A sends the signed data packet to micro-isolation client B.
In the thirteenth step, micro-isolation client B performs session counter verification and signature verification on the signed data packet based on the second signature verification rule.
The specific process of the above steps may refer to the description of the above method embodiments, and its implementation principle and technical effects are similar, and are not repeated herein.
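The registration and rule generation in the thirteen steps above, excluding the packet signing of the eleventh to thirteenth steps, as an added example in Go that is not code from the disclosure: each agent generates its key pair and sends only the public key (second and third steps), the PKI certifies it and the control platform stores the certificate in a correspondence table (fourth and fifth steps), life cycle information and service connection relations from the cloud management platform become the access control rule (sixth and seventh steps), and a session establishment request yields matching first and second signature verification rules only when the access control rule permits the pair (eighth to tenth steps). Assumptions not taken from the disclosure: the public key signature certificate is modelled as the PKI's Ed25519 signature over the virtual machine identifier and public key; the key pair is drawn from the operating system's random source and is bound to the virtual machine identifier only through the certificate, since a key derived deterministically from a public identifier could be recomputed by anyone who knows the identifier; the control platform issues one counter per sender/receiver pair, placing it in the first rule as the value to insert and in the second rule as the standard value. All type names, function names and virtual machine identifiers are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// VMCert is a hypothetical minimal public key signature certificate: the PKI's signature over VM id and key.
type VMCert struct{ VMID string; PubKey ed25519.PublicKey; PKISig []byte }

func (c VMCert) tbs() []byte { return append([]byte(c.VMID+"\x00"), c.PubKey...) }

// PKI certifies public keys forwarded by the control platform (fourth step).
type PKI struct{ priv ed25519.PrivateKey; Pub ed25519.PublicKey }

func NewPKI() *PKI {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &PKI{priv: priv, Pub: pub}
}

func (p *PKI) Issue(vmID string, pub ed25519.PublicKey) VMCert {
	c := VMCert{VMID: vmID, PubKey: pub}
	c.PKISig = ed25519.Sign(p.priv, c.tbs())
	return c
}

// VerifyCert is the receiving agent's check on the certificate carried in the second rule.
func VerifyCert(pkiPub ed25519.PublicKey, c VMCert) bool {
	return ed25519.Verify(pkiPub, c.tbs(), c.PKISig)
}

// FirstRule goes to the sender, SecondRule to the receiver (tenth step); both carry the same counter.
type FirstRule struct{ Receiver string; Counter uint32 }
type SecondRule struct{ Sender VMCert; StandardCounter uint32 }

var ErrDenied = errors.New("communication not allowed: no signature verification rule generated")

// ControlPlatform keeps the certificate correspondence table, the access control rule and per-pair counters.
type ControlPlatform struct {
	pki      *PKI
	certs    map[string]VMCert
	allowed  map[[2]string]bool
	counters map[[2]string]uint32
}

func NewControlPlatform(p *PKI) *ControlPlatform {
	return &ControlPlatform{pki: p, certs: map[string]VMCert{}, allowed: map[[2]string]bool{}, counters: map[[2]string]uint32{}}
}

// Register covers the second to fifth steps: only the public key arrives here.
func (cp *ControlPlatform) Register(vmID string, pub ed25519.PublicKey) {
	cp.certs[vmID] = cp.pki.Issue(vmID, pub)
}

// UpdateBasicInfo covers the sixth and seventh steps: a pair is allowed only if connected and both VMs are live.
func (cp *ControlPlatform) UpdateBasicInfo(alive map[string]bool, connections [][2]string) {
	cp.allowed = map[[2]string]bool{}
	for _, c := range connections {
		cp.allowed[c] = alive[c[0]] && alive[c[1]]
	}
}

// SessionRequest covers the eighth to tenth steps; the sender's certificate comes from the correspondence table.
func (cp *ControlPlatform) SessionRequest(from, to string) (FirstRule, SecondRule, error) {
	pair := [2]string{from, to}
	if !cp.allowed[pair] {
		return FirstRule{}, SecondRule{}, ErrDenied
	}
	cert, ok := cp.certs[from]
	if !ok {
		return FirstRule{}, SecondRule{}, errors.New("sender has no public key signature certificate")
	}
	cp.counters[pair]++
	n := cp.counters[pair]
	return FirstRule{Receiver: to, Counter: n}, SecondRule{Sender: cert, StandardCounter: n}, nil
}

// demo registers two live VMs, requests two sessions vm-a -> vm-b and one towards a VM that is not live.
func demo() (first FirstRule, second SecondRule, certOK bool, nextCounter uint32, denied error) {
	pki := NewPKI()
	cp := NewControlPlatform(pki)
	pubA, _, _ := ed25519.GenerateKey(rand.Reader) // agent A keeps its private key locally
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	cp.Register("vm-a", pubA)
	cp.Register("vm-b", pubB)
	cp.UpdateBasicInfo(map[string]bool{"vm-a": true, "vm-b": true, "vm-c": false},
		[][2]string{{"vm-a", "vm-b"}, {"vm-a", "vm-c"}})
	first, second, _ = cp.SessionRequest("vm-a", "vm-b")
	certOK = VerifyCert(pki.Pub, second.Sender)
	again, _, _ := cp.SessionRequest("vm-a", "vm-b")
	_, _, denied = cp.SessionRequest("vm-a", "vm-c") // connected, but vm-c is not live
	return first, second, certOK, again.Counter, denied
}

func main() {
	first, second, certOK, next, denied := demo()
	fmt.Println(first.Counter, second.StandardCounter, certOK, next, denied)
}
```

The receiving agent should run VerifyCert against the PKI's public key before using the key carried in the second signature verification rule; that check is what lets the receiver rely on the control platform's correspondence table rather than on the transport that delivered the rule.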
It should be understood that, although the steps in the flowcharts related to the above embodiments are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiments of the present disclosure provide a secure communication device between virtual machines, as described in the following embodiments. Since the principle by which the apparatus embodiment solves the problem is similar to that of the method embodiment, the implementation of the apparatus embodiment can be referred to the implementation of the method embodiment, and repetition is omitted.
Fig. 14 is a schematic structural diagram of a secure communication device between virtual machines configured on a control platform according to an embodiment of the disclosure. As shown in fig. 14, the inter-virtual machine secure communication apparatus 1400 configured on the control platform may include: a first receiving module 1410, a generating module 1420, a first transmitting module 1430, a second transmitting module 1440.
The first receiving module 1410 is configured to receive a session establishment request sent by the first virtual machine and requesting to communicate with the second virtual machine.
A generation module 1420 is configured to generate corresponding first and second signature verification rules in response to the session establishment request.
A first sending module 1430 configured to send the first signature verification rule to the first virtual machine; the first signature verification rule is used for indicating the first virtual machine to sign the data packet based on a prestored private key and sending the signed data packet to the second virtual machine.
A second sending module 1440 configured to send the second signature verification rule to the second virtual machine; the second signature verification rule comprises a public key signature certificate corresponding to the private key; the second signature verification rule is used for indicating the second virtual machine to verify the signed data packet based on the public key signature certificate.
In an exemplary embodiment, the generating module 1420 is further configured to obtain the base information of the first virtual machine and the base information of the second virtual machine; wherein, the basic information comprises life cycle information and service connection relation; determining whether to allow the first virtual machine to communicate with the second virtual machine based on the basic information of the first virtual machine and the basic information of the second virtual machine; in response to determining that the first virtual machine is permitted to communicate with the second virtual machine, the corresponding first signature verification rule and second signature verification rule are generated.
In an exemplary embodiment, the generating module 1420 is further configured to generate a corresponding access control rule based on the session establishment request, and the basic information of the first virtual machine and the basic information of the second virtual machine; and generating the corresponding first signature verification rule and second signature verification rule based on the access control rule.
In an exemplary embodiment, the generating module 1420 is further configured to obtain, through a custom interface, the base information of the first virtual machine and the base information of the second virtual machine from a cloud management platform.
In an exemplary embodiment, the inter-virtual machine secure communication apparatus 1400 is further configured such that the first signature verification rule is further used to instruct the first virtual machine to repackage the data packet; inserting a session counter field in the data packet, and signing the data packet inserted into the session counter field based on the private key; the second signature verification rule is further used for indicating the second virtual machine to perform first verification on the received data packet based on the standard value corresponding to the session counter field; and performing a second check on the received data packet based on the public key signature certificate.
In an exemplary embodiment, the inter-virtual machine secure communication apparatus 1400 is further configured to receive a public key sent by the first virtual machine; the public key is generated by the first virtual machine based on a first virtual machine identifier and corresponds to the private key; signing the public key through a public key infrastructure to generate the public key signature certificate; and storing a corresponding relation table of the first virtual machine and the public key signature certificate.
In an exemplary embodiment, the generating module 1420 is further configured to look up the public key signature certificate corresponding to the first virtual machine according to the correspondence table; and generating the second signature verification rule according to the searched public key signature certificate.
Fig. 15 is a schematic structural diagram of an inter-virtual machine secure communication apparatus configured in a first virtual machine according to an embodiment of the disclosure. As shown in fig. 15, the inter-virtual machine secure communication apparatus 1500 configured in the first virtual machine may include: a third sending module 1510, a second receiving module 1520, and a signing module 1530.
A third sending module 1510 is configured to send a session establishment request to the control platform requesting communication with the second virtual machine.
A second receiving module 1520 is configured to receive the first signature verification rule sent by the control platform.
The signing module 1530 is configured to sign the data packet based on a pre-stored private key according to the first signature verification rule, and send the signed data packet to the second virtual machine.
In an exemplary embodiment, the inter-virtual machine secure communication apparatus 1500 is further configured such that the first signature verification rule is generated by the control platform in a case where it is determined to allow the first virtual machine to communicate with the second virtual machine based on the basic information of the first virtual machine and the basic information of the second virtual machine; the basic information comprises life cycle information and service connection relation.
In an exemplary embodiment, the signing module 1530 is further configured to repackage a data packet of the first virtual machine by inserting a session counter field into the data packet, and to sign the data packet carrying the session counter field with the private key.
In an exemplary embodiment, the inter-virtual machine secure communication apparatus 1500 is further configured to generate the corresponding private key and public key based on the first virtual machine identifier, to pre-store the private key, and to send the public key to the control platform.
Fig. 16 is a schematic structural diagram of an inter-virtual machine secure communication apparatus configured in a second virtual machine according to an embodiment of the disclosure. As shown in fig. 16, the inter-virtual machine secure communication apparatus 1600 configured in the second virtual machine may include: a third receiving module 1610, a fourth receiving module 1620, and a verification module 1630.
A third receiving module 1610 is configured to receive a second signature verification rule sent by the control platform; the second signature verification rule comprises a public key signature certificate corresponding to a private key pre-stored in the first virtual machine.
A fourth receiving module 1620 is configured to receive the signed data packet sent by the first virtual machine; the signed data packet is obtained by the first virtual machine signing the data packet with the private key according to the first signature verification rule sent by the control platform.
A verification module 1630 is configured to verify the signed data packet based on the second signature verification rule.
In an exemplary embodiment, the inter-virtual machine secure communication apparatus 1600 is further configured such that the second signature verification rule is generated by the control platform in a case where it is determined to allow the first virtual machine to communicate with the second virtual machine based on the basic information of the first virtual machine and the basic information of the second virtual machine; the basic information comprises life cycle information and service connection relation.
In an exemplary embodiment, the verification module 1630 is further configured to perform a first verification on the signed data packet based on a standard value corresponding to a session counter field in the second signature verification rule, and to perform a second verification on the signed data packet based on the public key signature certificate in the second signature verification rule.
In an exemplary embodiment, the verification module 1630 is further configured to compare the actual value of the session counter field included in the signed data packet with the standard value corresponding to the session counter field in the second signature verification rule, and, if the comparison result shows that the actual value matches the standard value, to determine that the signed data packet passes the first check.
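The three roles described with reference to figs. 14 to 16 (the control platform issuing the public key signature certificate, the first virtual machine signing a packet carrying a session counter field, and the second virtual machine performing the first check on the counter and the second check on the signature), as an added Go example that is not part of the disclosure. Ed25519 as the signature scheme, the 8-byte counter field, the certificate layout, and advancing the standard value after each accepted packet are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Cert is the public key signature certificate: the PKI's signature over VM1's identifier and public key.
type Cert struct {
	VMID   string
	PubKey ed25519.PublicKey
	Sig    []byte
}
// SecondRule is VM2's second signature verification rule: the certificate plus the standard counter value.
type SecondRule struct {
	Cert    Cert
	Counter uint64
}
// issueCert is the control platform step: sign VM1's public key with the PKI key.
func issueCert(pkiPriv ed25519.PrivateKey, vmID string, pub ed25519.PublicKey) Cert {
	return Cert{vmID, pub, ed25519.Sign(pkiPriv, append([]byte(vmID), pub...))}
}
// signPacket is VM1's step: prepend an 8-byte session counter field, then sign the whole packet.
func signPacket(priv ed25519.PrivateKey, counter uint64, payload []byte) []byte {
	pkt := append(binary.BigEndian.AppendUint64(nil, counter), payload...)
	return append(pkt, ed25519.Sign(priv, pkt)...)
}
// verifyPacket is VM2's step: first check (counter equals the standard value), then second check
// (certificate valid under the PKI key, packet signature valid under the certified key); a pass advances the standard value.
func verifyPacket(pkiPub ed25519.PublicKey, rule *SecondRule, pkt []byte) bool {
	n := len(pkt) - ed25519.SignatureSize
	if n < 8 || binary.BigEndian.Uint64(pkt[:8]) != rule.Counter {
		return false
	}
	if !ed25519.Verify(pkiPub, append([]byte(rule.Cert.VMID), rule.Cert.PubKey...), rule.Cert.Sig) ||
		!ed25519.Verify(rule.Cert.PubKey, pkt[:n], pkt[n:]) {
		return false
	}
	rule.Counter++
	return true
}
func main() {
	pkiPub, pkiPriv, _ := ed25519.GenerateKey(rand.Reader)
	vmPub, vmPriv, _ := ed25519.GenerateKey(rand.Reader) // VM1's pre-stored key pair
	rule := &SecondRule{Cert: issueCert(pkiPriv, "vm-1", vmPub), Counter: 1}
	pkt := signPacket(vmPriv, 1, []byte("constructed payload"))
	fmt.Println(verifyPacket(pkiPub, rule, pkt), verifyPacket(pkiPub, rule, pkt)) // true false
}
```

A replayed packet fails the first check because the standard value has already advanced; a packet signed by a key the PKI never certified fails the second check.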
Fig. 17 shows a schematic diagram of an electronic device suitable for use in implementing exemplary embodiments of the present disclosure. An electronic device 1700 according to such an embodiment of the invention is described below with reference to fig. 17. The electronic device 1700 shown in fig. 17 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 17, the electronic device 1700 is in the form of a general purpose computing device. The components of electronic device 1700 may include, but are not limited to: the at least one processing unit 1710, the at least one storage unit 1720, a bus 1730 connecting different system components (including the storage unit 1720 and the processing unit 1710), and a display unit 1740.
The storage unit 1720 stores program code that is executable by the processing unit 1710, such that the processing unit 1710 performs the steps according to the various exemplary embodiments of the present invention described in the "exemplary method" section above of the present specification.
The storage unit 1720 may include a readable medium in the form of a volatile storage unit, such as a random access memory unit (RAM) 17201 and/or a cache memory unit 17202, and may further include a read only memory unit (ROM) 17203.
The storage unit 1720 may also include a program/utility 17204 having a set (at least one) of program modules 17205, such program modules 17205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 1730 may be one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, a graphics accelerator port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1700 may also communicate with one or more external devices 1770 (e.g., keyboard, pointing device, Bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 1700, and/or any device (e.g., router, modem, etc.) that enables the electronic device 1700 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1750. Also, the electronic device 1700 can communicate with one or more networks such as a local area network (LAN), a wide area network (WAN), and/or a public network, for example, the Internet, through a network adapter 1760. As shown, the network adapter 1760 communicates with other modules of the electronic device 1700 via the bus 1730. It should be appreciated that, although not shown, other hardware and/or software modules may be used in connection with the electronic device 1700, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
A program product for implementing the above-described method according to an embodiment of the present invention may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may be run on a terminal device such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's computing device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.