The content of the invention
The purpose of the present invention is achieved through the following technical solutions.
According to an embodiment of the present invention, a cloud security safeguards system is proposed. The system includes a cloud central processing unit, multiple distributed computer clusters, multiple cluster gateways, a Reliability factor arithmetic unit, analog machines running on the distributed computers, and a Reliability factor memory cell, wherein:
the cluster gateway is used to perform secure communication between the multiple analog machines of the multiple distributed computer clusters;
the Reliability factor arithmetic unit is used to perform secure communication between the analog machines of the multiple distributed computer clusters and the cloud central processing unit;
the Reliability factor memory cell stores the password used for analog machine identification;
each distributed computer cluster includes a cluster gateway, the distributed computer cluster is connected to the cloud central processing unit successively through the cluster gateway and the Reliability factor arithmetic unit, and the analog machine and the Reliability factor memory cell run on the distributed computer.
According to an embodiment of the present invention, the cluster gateway performing secure communication between the multiple analog machines of the multiple distributed computer clusters specifically includes:
A1, a first analog machine in one distributed computer cluster initiates a data communication request to a second analog machine in another distributed computer cluster;
A2, the cluster gateway of the distributed computer cluster where the first analog machine is located decides, according to the safe identification code of the first analog machine contained in the data communication request, whether risk processing is needed; when risk processing is needed, the next step is performed, otherwise it determines whether to directly accept the request message or reject it; if directly accepted, step A4 is performed, and if rejected, the packet of the request message is discarded;
A3, the cluster gateway of the distributed computer cluster where the first analog machine is located searches, according to the safe identification codes of the first analog machine and the second analog machine, whether a corresponding predetermined safety chain exists; if none exists, a new predetermined safety chain is created and then the next step is performed, otherwise the next step is performed directly;
A4, the information in the safe identification code of the first analog machine is written into the address field of the packet of the data communication request, and the packet is then forwarded through the predetermined safety chain to the distributed computer cluster where the second analog machine is located, where the cluster gateway of that distributed computer cluster receives the packet via the predetermined safety chain;
A5, a security scheme is obtained from the safe identification code of the second analog machine and the safe identification code of the first analog machine and is compared with the security scheme of the cluster gateway of the distributed computer cluster where the first analog machine is located; the packet is passed on the condition that the comparison result is consistent, otherwise the packet is discarded;
A6, after the second analog machine receives the packet, it judges the operation class of the first analog machine on the second analog machine according to the safe identification code of the first analog machine, the safe identification code of the second analog machine and the data communication control program, and the query or copy by the first analog machine on the second analog machine is carried out according to the operation class.
According to an embodiment of the present invention, the cluster gateway of the distributed computer cluster where the first analog machine is located and the cluster gateway of the distributed computer cluster where the second analog machine is located each encrypt the messages they transmit and decrypt the messages they receive.
According to an embodiment of the present invention, the data communication control program includes: judging the operating rights of both communicating parties according to the default security level of the analog machine, including query permission, copy permission and access forbidden.
According to an embodiment of the present invention, the Reliability factor arithmetic unit performing secure communication between the analog machines of the multiple distributed computer clusters and the cloud central processing unit specifically includes:
B1, the analog machine establishes a communication strategy with the cloud central processing unit through the Reliability factor arithmetic unit and performs identity authentication using the password stored in the Reliability factor memory cell;
B2, the analog machine negotiates a session cipher suite with the central processing unit through the Reliability factor arithmetic unit;
B3, data transfer from the analog machine to the central processing unit is performed.
The cloud security safeguards system of the present invention, through the provision of the cluster gateway and the Reliability factor arithmetic unit, realizes secure communication between the multiple analog machines of the multiple distributed computer clusters and secure communication between the analog machines of the multiple distributed computer clusters and the cloud central processing unit, with high reliability and stability.
Embodiment
Illustrative embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although illustrative embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be realized in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be more thoroughly understood and will fully convey the scope of the present disclosure to those skilled in the art.
According to an embodiment of the present invention, a cloud security safeguards system is proposed. As shown in Figure 1, the system includes a cloud central processing unit, multiple distributed computer clusters (one cluster is shown in detail in the drawing), multiple cluster gateways, a Reliability factor arithmetic unit, analog machines running on the distributed computers, and a Reliability factor memory cell, wherein:
the cluster gateway is used to perform secure communication between the multiple analog machines of the multiple distributed computer clusters;
the Reliability factor arithmetic unit is used to perform secure communication between the analog machines of the multiple distributed computer clusters and the cloud central processing unit;
the Reliability factor memory cell stores the password used for analog machine identification;
each distributed computer cluster includes a cluster gateway, the distributed computer cluster is connected to the cloud central processing unit successively through the cluster gateway and the Reliability factor arithmetic unit, and the analog machine and the Reliability factor memory cell run on the distributed computer.
According to an embodiment of the present invention, the cluster gateway performing secure communication between the multiple analog machines of the multiple distributed computer clusters specifically includes:
A1, a first analog machine in one distributed computer cluster initiates a data communication request to a second analog machine in another distributed computer cluster;
A2, the cluster gateway of the distributed computer cluster where the first analog machine is located decides, according to the safe identification code of the first analog machine contained in the data communication request, whether risk processing is needed; when risk processing is needed, the next step is performed, otherwise it determines whether to directly accept the request message or reject it; if directly accepted, step A4 is performed, and if rejected, the packet of the request message is discarded; wherein
the safe identification code includes a port part and a safe ID set, the safe ID set includes at least one safe ID, and one safe ID describes at least one safe identification code implementation strategy; the safe ID includes a safe ID category, the safe ID category being one of confidentiality, integrity and availability;
A3, the cluster gateway of the distributed computer cluster where the first analog machine is located searches, according to the safe identification codes of the first analog machine and the second analog machine, whether a corresponding predetermined safety chain exists; if none exists, a new predetermined safety chain is created and then the next step is performed, otherwise the next step is performed directly;
A4, the information in the safe identification code of the first analog machine is written into the address field of the packet of the data communication request, and the packet is then forwarded through the predetermined safety chain to the distributed computer cluster where the second analog machine is located, where the cluster gateway of that distributed computer cluster receives the packet via the predetermined safety chain;
A5, a security scheme is obtained from the safe identification code of the second analog machine and the safe identification code of the first analog machine and is compared with the security scheme of the cluster gateway of the distributed computer cluster where the first analog machine is located; the packet is passed on the condition that the comparison result is consistent, otherwise the packet is discarded;
A6, after the second analog machine receives the packet, it judges the operation class of the first analog machine on the second analog machine according to the safe identification code of the first analog machine, the safe identification code of the second analog machine and the data communication control program, and the query or copy by the first analog machine on the second analog machine is carried out according to the operation class.
Between step A1 and step A2, the following is further included:
A11, the cluster gateway of the distributed computer cluster where the first analog machine is located performs path tracing on the packet of the data communication request message, searches the link-state list and obtains a feedback value; if the feedback value indicates that the packet is already bound to a certain path and matches the link state, step A4 is performed directly; if the feedback value is the newly-created state, the safe identification code of the first analog machine is looked up and then step A2 is performed; if the feedback value indicates that the packet is bound to a certain path but does not match the path state, the packet is discarded;
In step A2, the following is further included: when the request message is rejected, the safe identification code is dynamically bound to the communication link and a link-state list is established;
Between step A4 and step A5, the following is further included:
A41, path tracing is performed on the packet and a feedback value is obtained; if the feedback value indicates that the packet is already bound to a certain path and matches the link state, the packet is handled directly according to the handling mode recorded in the link state; if the feedback value is the newly-created state, step A5 is performed; if the feedback value indicates that the packet is bound to a certain path but does not match the link state, the packet is discarded;
Step A5 further includes: after the packet is discarded, the safe identification code is dynamically bound to the communication link and a link-state list is established.
In step A3, creating the new predetermined safety chain includes:
A31, the cluster gateway of the distributed computer cluster where the first analog machine is located sends a request message for establishing a predetermined safety chain to the cluster gateway of the distributed computer cluster where the second analog machine is located; the request message includes the safe identification code information of the first analog machine and the identification information of the second analog machine;
A32, the cluster gateway of the distributed computer cluster where the second analog machine is located looks up the safe identification code of the second analog machine and, together with the safe identification code of the first analog machine, decides whether to allow the predetermined safety chain to be established; if allowed, it sends a response message to the cluster gateway of the distributed computer cluster where the first analog machine is located; the response message includes the parameters of the predetermined safety chain, namely its level and algorithm;
A33, after the cluster gateway of the distributed computer cluster where the first analog machine is located obtains the parameters of the predetermined safety chain, it returns a confirmation message to the cluster gateway of the distributed computer cluster where the second analog machine is located, and the predetermined safety chain is established.
According to an embodiment of the present invention, the cluster gateway of the distributed computer cluster where the first analog machine is located and the cluster gateway of the distributed computer cluster where the second analog machine is located each encrypt the messages they transmit and decrypt the messages they receive.
In step A4, after the information in the safe identification code of the first analog machine is written into the address field of the packet of the data communication request, the packet is further encrypted, verified and encapsulated, and only then forwarded through the predetermined safety chain to the distributed computer cluster where the second analog machine is located;
In step A4, when the cluster gateway of the distributed computer cluster where the second analog machine is located receives the packet via the predetermined safety chain, it further decrypts, verifies and decapsulates the packet.
The data communication control program includes:
judging the operating rights of both communicating parties according to the default security level of the analog machine, including query permission, copy permission, access forbidden, etc.
According to an embodiment of the present invention, the Reliability factor arithmetic unit performing secure communication between the analog machines of the multiple distributed computer clusters and the cloud central processing unit specifically includes:
B1, the analog machine establishes a communication strategy with the cloud central processing unit through the Reliability factor arithmetic unit and performs identity authentication using the password stored in the Reliability factor memory cell, including:
B11, the Reliability factor arithmetic unit obtains the password electronic identity card used for identity authentication from the Reliability factor memory cell of the corresponding analog machine and sends this password electronic identity card to the cloud central processing unit;
B12, the cloud central processing unit verifies whether the electronic identity card has expired; after verification passes, it sends its own password electronic identity card for identity authentication to the Reliability factor arithmetic unit and at the same time generates a verification code N1 (32), encrypts N1 with the identification password key of the analog machine and sends it to the Reliability factor arithmetic unit; only the identification password symmetric key of the analog machine can correctly decrypt and obtain this verification code;
B13, the Reliability factor arithmetic unit verifies whether the identification password electronic identity card of the cloud central processing unit has expired; after verification passes, it decrypts the verification code N1 using the identification password symmetric key of the corresponding analog machine, generates a verification code N2, encrypts N2 and N1 using the identification password key of the cloud central processing unit, then signs with the identity verification password symmetric key of the analog machine and sends the result to the cloud central processing unit;
B14, the cloud central processing unit verifies whether the received N1 is the one it sent; if so, it encrypts N2 using the identity verification password key of the analog machine, then signs with its own identification password symmetric key and sends the result to the Reliability factor arithmetic unit;
B15, the Reliability factor arithmetic unit verifies whether the received N2 is the one it sent; if so, mutual identity authentication is complete;
B2, the analog machine negotiates a session cipher suite with the central processing unit through the Reliability factor arithmetic unit, including:
B21, the Reliability factor arithmetic unit and the cloud central processing unit agree on two public parameters a and q, where a is an integer, q is a prime number, and a is a primitive root of q;
B22, the Reliability factor arithmetic unit selects a verification code s, computes a key A, A = a^s mod q, and sends it to the cloud central processing unit;
B23, the cloud central processing unit selects a verification code d, computes a key B, B = a^d mod q, and sends it to the Reliability factor arithmetic unit;
B24, the Reliability factor arithmetic unit computes the shared password K1 from B, K1 = B^s mod q, performs a hash operation on the shared password K1 and sends the hash to the cloud central processing unit; the cloud central processing unit computes the shared password K2 from A, K2 = A^d mod q, performs a hash operation on the shared password K2 and compares whether the received hash value is identical; if identical, the session password is valid;
B3, data transfer from the analog machine to the central processing unit is performed, including:
B31, the analog machine encrypts the data using the shared password computed by the Reliability factor arithmetic unit and at the same time generates a verification code; the encrypted result and the verification code form a packet, a hash is computed over the packet, and the hash value is sent to the cloud central processing unit together with the packet;
B32, after receiving the message, the cloud central processing unit performs integrity verification; if verification succeeds, the cloud central processing unit is notified that the data has been received normally.
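As an added example, not taken from the patent, the following Python models steps B21 to B24 (the exchange of A = a^s mod q and B = a^d mod q and the hash comparison of K1 and K2) and steps B31 to B32 (the packet with verification code and integrity check). The parameters q = 23 and a = 5, the HMAC-based toy cipher, and keying the packet hash with the shared password are all assumptions; the patent names no cipher and does not say the hash is keyed.

```python
import hashlib
import hmac
import secrets

# Toy public parameters (B21), for illustration only: q prime, a a primitive root of q.
# A real deployment would use a standardized large group, not 23 and 5.
Q, A_GEN = 23, 5
NONCE_LEN, TAG_LEN = 8, 32

def is_primitive_root(a, q):
    """B21 check: a generates the whole multiplicative group mod q (order q - 1)."""
    m, p, factors = q - 1, 2, set()
    while p * p <= m:  # trial-division factoring of q - 1; fine for toy sizes
        while m % p == 0:
            factors.add(p)
            m //= p
        p += 1
    if m > 1:
        factors.add(m)
    return all(pow(a, (q - 1) // f, q) != 1 for f in factors)

def key_bytes(k):
    """Hash of the shared password: compared in B24 and used as the key in B31/B32."""
    return hashlib.sha256(k.to_bytes(8, "big")).digest()

def negotiate(s, d, a=A_GEN, q=Q):
    """B22-B24 with s the unit's secret and d the cloud's. Returns (K1, K2, hashes_match)."""
    assert is_primitive_root(a, q)
    big_a = pow(a, s, q)   # B22: unit sends A = a^s mod q
    big_b = pow(a, d, q)   # B23: cloud sends B = a^d mod q
    k1 = pow(big_b, s, q)  # B24: unit computes K1 = B^s mod q and sends hash(K1)
    k2 = pow(big_a, d, q)  # B24: cloud computes K2 = A^d mod q and compares hashes
    return k1, k2, hmac.compare_digest(key_bytes(k1), key_bytes(k2))

def keystream(key, nonce, n):
    """Toy keystream (HMAC-SHA256 in counter mode); an assumption, the page names no cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def build_packet(k, data):
    """B31: encrypt under the shared password, prepend a fresh verification code (nonce),
    append a hash over the packet. The hash is keyed with the shared password (assumption)."""
    key, nonce = key_bytes(k), secrets.token_bytes(NONCE_LEN)
    body = nonce + bytes(x ^ y for x, y in zip(data, keystream(key, nonce, len(data))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def receive_packet(k, pkt):
    """B32: integrity verification; returns the plaintext, or None if the packet was altered."""
    key, body, tag = key_bytes(k), pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return bytes(x ^ y for x, y in zip(ct, keystream(key, nonce, len(ct))))
```

With an unkeyed hash, as B31 literally reads, anyone who can alter the packet can also recompute the hash, so B32 would not detect tampering; keying the hash with the shared password is what makes the integrity check meaningful.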
The foregoing is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that can readily occur to one skilled in the art within the technical scope disclosed by the present invention should be included within the protection scope of the present invention. Therefore, the protection scope of the present invention should be defined by the protection scope of the claims.