CN101296230A - Web service security control mechanism based on PKI and PMI - Google Patents

Web service security control mechanism based on PKI and PMI

Info

Publication number: CN101296230A (granted as CN101296230B)
Authority: CN (China)
Prior art keywords: web service, pmi, user, pki, certificate
Legal status: granted; since expired (fee related)
Application number: CN2008100622644A
Other languages: Chinese (zh)
Other versions: CN101296230B
Inventors: 吴健, 黄志明, 尹建伟, 邓水光, 李莹, 吴朝晖
Current assignee: Zhejiang University (ZJU)
Original assignee: Zhejiang University (ZJU)
Priority date / filing date: 2008-06-17
Publication date: 2008-10-29 (CN101296230A); grant published 2011-05-11 (CN101296230B)

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a security control mechanism for Web services based on PKI and PMI, comprising a PKI system, a PMI system and a Web service security system. A user applies to the PKI system for an identity certificate and then, using that identity certificate, applies to the PMI system for an attribute certificate. The attribute certificate associates the user's identity with one or more roles, and a policy certificate predefined in the PMI system binds those roles to one or more Web services. When the user invokes a Web service, the Web service security system first has the PKI system check the validity of the identity certificate and then has the PMI system check whether the user is authorized to invoke that Web service. Only when every check passes is the user allowed to access the Web service, so that the invocation is secure. The mechanism provides a complete system of identity authentication and access control, ensuring the confidentiality, integrity and non-repudiation of Web service invocation messages.

Description

Web service control mechanism based on PKI and PMI
Technical field
The present invention relates to the field of Web service security, and is a Web service control mechanism based on PKI and PMI that provides identity authentication and privilege control for Web services.
Background technology
PKI (Public Key Infrastructure) is a key management platform that provides the keys and the certificate management needed by cryptographic services such as encryption and digital signatures. Using digital signatures and public-key encryption, a PKI can provide four main services: (1) authentication, which assures one entity that another entity really is who it claims to be; (2) integrity, which assures an entity that data has not been modified, whether intentionally or accidentally; (3) confidentiality, which assures an entity that nobody except the intended recipient can read the key parts of the data; (4) non-repudiation, which proves to an entity that an operation was performed by another entity.
PMI (Privilege Management Infrastructure) is a privilege management platform. It relies on the PKI system to verify a user's identity, stores the user's access rights in attribute certificates, and can prove which resources a user may access and which operations the user may perform on them.
A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. In essence, a Web service is a set of network-accessible APIs whose invocations are executed on the remote system that provides the service.
Existing Web service security solutions based on HTTPS cannot provide strong authentication and privilege control, and both are indispensable for e-commerce and e-government.
Summary of the invention
The technical problem solved by the invention is to provide a Web service control mechanism based on PKI and PMI that gives Web service invocation a complete system of strong authentication and privilege control, and guarantees the confidentiality, integrity and non-repudiation of Web service invocation messages.
The technical scheme adopted by the invention to solve this problem is as follows. The control mechanism comprises a PKI system, a PMI system and a Web service security system, and its implementation steps are: the user applies to the PKI system for an identity certificate, then uses that identity certificate to apply to the PMI system for an attribute certificate; the attribute certificate associates the user's identity with one or more roles, and a policy certificate predefined in the PMI system binds those roles to one or more Web services; when the user invokes a Web service, the Web service security system has the PKI system check the validity of the identity certificate and then has the PMI system check whether the user is authorized to invoke the Web service; only when all checks pass is the user allowed to access the Web service, which realizes secure Web service invocation.
The PKI system of the invention manages public and private keys for users. The user fills in an application form; after an administrator approves it, the user can download the key pair, and the public-key certificate is uploaded to the LDAP server. The PKI system publishes all users' public-key certificates for download and can verify the validity of a user's public-key certificate.
The PMI system of the invention provides resource access control. First, the administrator defines the resources to be controlled and their types, the operations that may be performed on each resource, the roles with different access rights, and the policy certificates, and uploads the policy certificates to the LDAP server. The user presents the identity certificate issued by the PKI system to the PMI system to apply for an attribute certificate; after the administrator approves the application, the corresponding attribute certificate is generated and also uploaded to the LDAP server. The PMI system exposes a resource access control interface whose parameters are the user's identity certificate, the resource to be accessed and the operation to be performed on that resource.
The Web service security system of the invention is responsible for security on both the server side and the client side of a Web service call. For the Web service the user invokes, the Web service security system helps the server and the client verify each other's identity, and the server side decides, from the resource access control configuration of the PMI system, whether the user is authorized to invoke that Web service.
Compared with the prior art, the invention has the following beneficial effects. (1) In the heterogeneous, distributed environment of Web services, authenticating the client is comparatively difficult: a call to one enterprise's Web service may in turn call another enterprise's Web service, and how to authenticate Web services across domains in this setting is a problem that must be solved. A PKI lets computer users verify each other's identity without having met beforehand, which provides a solution for authentication of Web services; the Web service authentication model of this control mechanism is therefore built on PKI: client and server each obtain the other's public-key certificate through the PKI system, check the validity of that certificate through the PKI system, and verify the other's identity with the public-key certificate. (2) Web applications in general must decide which resources to expose according to the user, and the same holds for Web services: the service itself is a resource, and not every Web service can be open to every user. An enterprise-level Web service may, for example, distinguish paying customers from ordinary users and give paying customers faster response, higher accuracy and more system resources, so privilege control for Web services becomes an indispensable link. A PMI provides a unified, cross-domain privilege control system for enterprise-level Web applications; it guarantees the integrity and unforgeability of privilege information and establishes trust relationships among several enterprises, which eases Web application access between them. The privilege control model of this control mechanism is therefore built on PMI: before the Web service's server processes a SOAP request message, it calls the PMI interface to check whether the user is authorized to invoke the Web service; if so, processing continues, otherwise an error response is returned directly and the Web service itself does no processing at all. In sum, this control mechanism uses PKI- and PMI-based techniques to provide strong authentication and access control for Web services.
Description of drawings
Fig. 1 is the flow chart of identity authentication based on the PKI system.
Fig. 2 is the flow chart of privilege control based on the PMI system.
Embodiment
The main design idea of the invention is to perform identity authentication with PKI and privilege control with PMI, and in this way to make Web service invocation secure.
The implementation steps are: the user applies to the PKI system for an identity certificate, then uses that identity certificate to apply to the PMI system for an attribute certificate; the attribute certificate associates the user's identity with one or more roles, and a policy certificate predefined in the PMI system binds those roles to one or more Web services; when the user invokes a Web service, the validity of the identity certificate is first checked by the PKI system, and then the PMI system checks whether the user is authorized to invoke the Web service; only when all checks pass is the user allowed to access the Web service, which realizes secure Web service invocation.
This control mechanism comprises a PKI system, a PMI system and a Web service security system.
The PKI system manages public and private keys for users. The user fills in an application form containing the organization name, user name, validity period and so on; after an administrator approves it, the user can download the key pair, and the public-key certificate is uploaded to the LDAP server. The PKI system publishes all users' public-key certificates for download and can verify the validity of a user's public-key certificate. (Because the key pair is generated by the PKI system and downloaded by the user rather than generated on the user's own device, the non-repudiation property depends on the PKI operator never retaining a copy of the private key.)
The PMI system provides resource access control. First, the administrator defines the resources to be controlled and their types, the operations that may be performed on each resource, the roles with different access rights, and the policy certificates. A policy certificate states which roles may perform which operations on which resources, and is uploaded to the LDAP server. The user presents the identity certificate issued by the PKI system to the PMI system to apply for an attribute certificate, stating the validity period, the roles applied for and so on; after the administrator approves the application, the corresponding attribute certificate is generated and also uploaded to the LDAP server. The PMI system exposes a resource access control interface whose parameters are the user's identity certificate, the resource to be accessed and the operation to be performed on that resource.
The Web service security system is responsible for security on both the server side and the client side of a Web service call. For the Web service the user invokes, the Web service security system helps the server and the client verify each other's identity, and the server side decides, from the resource access control configuration of the PMI system, whether the user is authorized to invoke that Web service.
Referring to Fig. 1, the specific flow of identity authentication based on the PKI system is:
(1) The user enters the PKI system, fills in the application form and applies for an identity certificate;
(2) The administrator approves the certificate application and uploads the user's public-key certificate to the LDAP server;
(3) The user enters the PKI system and obtains the public/private key pair;
(4) The user produces a plaintext SOAP request message. The Web service security system signs it with the user's private key, fetches the server's public-key certificate from the PKI system, encrypts the request under the server's public key, and sends the encrypted and signed request message to the server;
(5) After the server receives the request message, the Web service security system first fetches the user's public-key certificate from the PKI system and verifies the message, determining whether the request has been tampered with or damaged; it then decrypts the request with the server's own private key and obtains the plaintext request message;
(6) After the server completes the Web service call, it returns a plaintext SOAP response message. The Web service security system signs the response with the server's private key, encrypts it under the public key in the user's identity certificate, and sends the encrypted and signed response message to the client;
(7) After the client receives the server's response message, the Web service security system verifies it with the server's public-key certificate, determining whether the response has been tampered with or damaged; it then decrypts the response with the client's own private key and obtains the plaintext response message.
Note on steps (4) and (6): the text as filed names the keys the other way round (encrypting with the sender's private key and signing with the receiver's public-key certificate). That arrangement cannot give confidentiality, since anyone holding the sender's public certificate could undo the encryption, and a signature cannot be produced from another party's public key. Steps (5) and (7), which decrypt with the receiver's own private key and verify with the sender's public-key certificate, are consistent only with the key roles stated above.
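The Fig. 1 exchange written out as an added example in Go; this is not code from the patent or from the inventors' implementation. The party names "alice" and "quote-service", the Directory map standing in for the LDAP server, RSA-OAEP with AES-256-GCM for encryption, RSA-PSS for the signature and the SOAP envelope text are all assumptions made for this example. It uses the key roles that steps (5) and (7) require: the sender encrypts under the receiver's public-key certificate and signs with its own private key, and the receiver verifies the signature before it decrypts.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Directory stands in for the LDAP server that publishes each party's public-key certificate (reduced here to the key).
type Directory map[string]*rsa.PublicKey

// SecureMessage is one protected SOAP message as it travels on the wire.
type SecureMessage struct {
	From, To   string // claimed sender and intended receiver, both covered by the signature
	WrappedKey []byte // random AES-256 key encrypted with the receiver's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM encryption of the SOAP envelope
	Signature  []byte // RSA-PSS signature by the sender over all fields above
}

// signedDigest hashes every field the signature covers, length-prefixed so that
// no two different envelopes can produce the same digest.
func (m *SecureMessage) signedDigest() []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(m.From), []byte(m.To), m.WrappedKey, m.Nonce, m.Ciphertext} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext under the receiver's public key and then signs the
// whole envelope with the sender's private key (steps 4 and 6 of Fig. 1).
func Protect(from, to string, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey, plaintext []byte) (*SecureMessage, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	m := &SecureMessage{From: from, To: to, WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	m.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, m.signedDigest(), nil)
	return m, err
}

// Open is the receiving side (steps 5 and 7): check the signature against the
// sender's certificate from the directory first, and only then decrypt.
func Open(dir Directory, self string, selfPriv *rsa.PrivateKey, m *SecureMessage) ([]byte, error) {
	if m.To != self {
		return nil, errors.New("message is addressed to another party")
	}
	senderPub, ok := dir[m.From]
	if !ok {
		return nil, errors.New("no public-key certificate for claimed sender " + m.From)
	}
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, m.signedDigest(), m.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: envelope altered or not from " + m.From)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, selfPriv, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: envelope was not encrypted for us")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func main() {
	// Constructed sample: client "alice" and the quote service, each with a 2048-bit RSA key.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	svc, _ := rsa.GenerateKey(rand.Reader, 2048)
	dir := Directory{"alice": &alice.PublicKey, "quote-service": &svc.PublicKey}
	req, _ := Protect("alice", "quote-service", alice, dir["quote-service"], []byte("<soap:Envelope><getQuote/></soap:Envelope>"))
	pt, err := Open(dir, "quote-service", svc, req)
	fmt.Printf("server received %q, err=%v\n", pt, err)
}
```

The signature covers the claimed sender, the intended receiver, the wrapped key, the nonce and the ciphertext, so an envelope cannot be re-addressed or have its payload swapped without failing the first check, and no attacker-controlled ciphertext reaches the decryption code unauthenticated. A deployment would additionally validate the chain, validity period and revocation status of the certificate fetched from the directory, which the plain map lookup here does not do.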
Referring to Fig. 2, the specific flow of privilege control based on the PMI system is:
(1) The administrator defines the Web service that needs access control as a resource in the PMI system, defines a policy certificate for that resource which states clearly which roles may perform which operations on it, and uploads the policy certificate to the LDAP server;
(2) The user enters the PMI system and fills in a form to apply for an attribute certificate, stating which roles' privileges the user needs;
(3) The administrator reviews the user's application and uploads the user's attribute certificate to the LDAP server;
(4) When the user's SOAP request message reaches the server, the Web service security system uses the user's identity certificate to fetch the user's attribute certificate from the PMI system, fetches from the PMI system the policy certificate of the resource the user is accessing, and matches the two certificates to decide whether the user is authorized to access the Web service.
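The matching in step (4) as an added example in Go, not code from the patent. The attribute certificate and the policy certificate are modelled as signed JSON structures (real X.509 attribute certificates are ASN.1 per RFC 5755, which Go's standard library does not parse), the PMI authority signs with an Ed25519 key, and the issuer name, serial numbers, role names, resource name and operation names are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// IdentityRef points at the holder's public-key certificate the way an X.509
// attribute certificate does: by issuer name and serial number, never by a
// free-text user name that a different certificate could reuse.
type IdentityRef struct {
	Issuer string `json:"issuer"`
	Serial string `json:"serial"`
}

// AttributeCertificate is a simplified model of the PMI attribute certificate:
// it binds one identity certificate to roles for a validity period and carries
// the PMI authority's signature over everything except the signature itself.
type AttributeCertificate struct {
	Holder    IdentityRef `json:"holder"`
	Roles     []string    `json:"roles"`
	NotBefore time.Time   `json:"not_before"`
	NotAfter  time.Time   `json:"not_after"`
	Signature []byte      `json:"-"`
}

// PolicyCertificate is a simplified model of the administrator's policy
// certificate: for one resource, which roles may perform which operations.
type PolicyCertificate struct {
	Resource  string              `json:"resource"`
	Allowed   map[string][]string `json:"allowed"` // role -> permitted operations
	Signature []byte              `json:"-"`
}

// tbs returns the to-be-signed encoding; the Signature field is excluded by its json tag.
func tbs(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// The Issue* functions are what the PMI authority does after the administrator's approval.
func IssueAttributeCertificate(aa ed25519.PrivateKey, ac *AttributeCertificate) {
	ac.Signature = ed25519.Sign(aa, tbs(ac))
}
func IssuePolicyCertificate(aa ed25519.PrivateKey, pc *PolicyCertificate) {
	pc.Signature = ed25519.Sign(aa, tbs(pc))
}

// Authorize is step (4) of the PMI flow. The caller is the identity certificate
// already verified through the PKI; the operation is allowed only if every
// check passes, and any failure denies with the reason.
func Authorize(aaPub ed25519.PublicKey, caller IdentityRef, ac *AttributeCertificate,
	pc *PolicyCertificate, resource, op string, now time.Time) error {
	if !ed25519.Verify(aaPub, tbs(ac), ac.Signature) {
		return fmt.Errorf("attribute certificate signature invalid")
	}
	if !ed25519.Verify(aaPub, tbs(pc), pc.Signature) {
		return fmt.Errorf("policy certificate signature invalid")
	}
	if ac.Holder != caller {
		return fmt.Errorf("attribute certificate holder %+v is not the caller %+v", ac.Holder, caller)
	}
	if now.Before(ac.NotBefore) || now.After(ac.NotAfter) {
		return fmt.Errorf("attribute certificate not valid at %s", now.Format(time.RFC3339))
	}
	if pc.Resource != resource {
		return fmt.Errorf("policy certificate is for %q, not %q", pc.Resource, resource)
	}
	for _, role := range ac.Roles {
		for _, allowed := range pc.Allowed[role] {
			if allowed == op {
				return nil
			}
		}
	}
	return fmt.Errorf("no role in %v permits %q on %q", ac.Roles, op, resource)
}

func main() {
	// Constructed sample data: one PMI authority key, one paying customer, one service.
	aaPub, aaPriv, _ := ed25519.GenerateKey(rand.Reader)
	alice := IdentityRef{Issuer: "CN=ZJU PKI CA", Serial: "1001"}
	ac := &AttributeCertificate{Holder: alice, Roles: []string{"paying-customer"},
		NotBefore: time.Date(2008, 6, 17, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2009, 6, 17, 0, 0, 0, 0, time.UTC)}
	pc := &PolicyCertificate{Resource: "QuoteService", Allowed: map[string][]string{
		"paying-customer": {"getQuote", "getHistory"}, "ordinary-user": {"getQuote"}}}
	IssueAttributeCertificate(aaPriv, ac)
	IssuePolicyCertificate(aaPriv, pc)
	now := time.Date(2008, 10, 29, 12, 0, 0, 0, time.UTC)
	fmt.Println("getHistory:", Authorize(aaPub, alice, ac, pc, "QuoteService", "getHistory", now))
}
```

Two checks the patent text leaves implicit are made explicit here: the attribute certificate's holder must name the identity certificate the caller actually presented (otherwise any attribute certificate published in the directory could be presented by anyone), and both certificates must verify against the PMI authority's key before their contents are trusted, which is what gives the integrity and unforgeability of privilege information claimed in the summary. Revocation of an attribute certificate before its NotAfter is not modelled.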

Claims (4)

1. A Web service security control mechanism based on PKI and PMI, characterized in that: the control mechanism comprises a PKI system, a PMI system and a Web service security system, and its implementation steps are: the user applies to the PKI system for an identity certificate, then uses that identity certificate to apply to the PMI system for an attribute certificate; the attribute certificate associates the user's identity with one or more roles, and a policy certificate predefined in the PMI system binds those roles to one or more Web services; when the user invokes a Web service, the Web service security system has the PKI system check the validity of the identity certificate and then has the PMI system check whether the user is authorized to invoke the Web service; only when all checks pass is the user allowed to access the Web service, so as to realize secure Web service invocation.
2. The Web service security control mechanism based on PKI and PMI according to claim 1, characterized in that: the PKI system manages public and private keys for users; the user fills in an application form, and after an administrator approves it the user can download the key pair, the public-key certificate of which is uploaded to the LDAP server; the PKI system publishes all users' public-key certificates for download and can verify the validity of a user's public-key certificate.
3. The Web service security control mechanism based on PKI and PMI according to claim 1, characterized in that: the PMI system provides resource access control; first the administrator defines the resources to be controlled and their types, the operations that may be performed on each resource, the roles with different access rights and the policy certificates, and uploads the policy certificates to the LDAP server; the user presents the identity certificate issued by the PKI system to the PMI system to apply for an attribute certificate, and after the administrator approves the application the corresponding attribute certificate is generated and also uploaded to the LDAP server; the PMI system exposes a resource access control interface whose parameters are the user's identity certificate, the resource to be accessed and the operation to be performed on that resource.
4. The Web service security control mechanism based on PKI and PMI according to claim 1, characterized in that: the Web service security system is responsible for security on both the server side and the client side of a Web service call; for the Web service the user invokes, the Web service security system helps the server and the client verify each other's identity, and the server side decides, from the resource access control configuration of the PMI system, whether the user is authorized to invoke that Web service.
Publications (2)

Publication number | Publication date
CN101296230A | 2008-10-29
CN101296230B | 2011-05-11

Family

ID=40066244

Family Applications (1)

Application number | Title | Priority date | Filing date | Status
CN2008100622644A (CN101296230B) | Web service security control mechanism based on PKI and PMI | 2008-06-17 | 2008-06-17 | Expired - Fee Related

Country Status (1)

Country | Link
CN | CN101296230B

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102035849A * | 2010-12-23 | 2011-04-27 | 华为技术有限公司 | Method, equipment and system for realizing resource management in cloud computing
CN102088350A * | 2009-12-08 | 2011-06-08 | 长春吉大正元信息技术股份有限公司 | Directory service-based authorization management system and implementation method thereof
CN103391286A * | 2013-07-11 | 2013-11-13 | 北京天地互连信息技术有限公司 | Full IP remote monitoring network system and safety authentication method
CN106992988A * | 2017-05-11 | 2017-07-28 | 浙江工商大学 | A cross-domain anonymous resource sharing platform and its implementation method
CN107231346A * | 2017-05-03 | 2017-10-03 | 北京海顿中科技术有限公司 | A method of cloud platform identification
CN107276965A * | 2016-04-07 | 2017-10-20 | 阿里巴巴集团控股有限公司 | Authority control method and device for a service discovery component
CN107948182A * | 2017-12-06 | 2018-04-20 | 上海格尔安全科技有限公司 | A PKI-based tamper-resistance method for WEB application configuration files
CN111953491A * | 2020-09-01 | 2020-11-17 | 杭州视洞科技有限公司 | Two-step authentication auditing system based on SSH certificates and LDAP

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104580195B * | 2014-12-31 | 2018-07-17 | 上海格尔软件股份有限公司 | A permission publication and acquisition control method based on software digital certificate security

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1352434A * | 2001-11-29 | 2002-06-05 | 上海维豪信息安全技术有限公司 | Electronic government affairs security platform system based on trust and authorization service
CN100542092C * | 2006-09-21 | 2009-09-16 | 上海交通大学 | Distributed access control method in multistage securities


Also Published As

Publication number | Publication date
CN101296230B | 2011-05-11


Legal Events

Code | Title | Description
C06 / PB01 | Publication | Application publication date: 2008-10-29
C10 / SE01 | Entry into substantive examination | Entry into force of request for substantive examination
C14 / GR01 | Grant of patent or utility model | Granted publication date: 2011-05-11
EE01 / LICC | Entry into force of recordation of patent licensing contract | Assignee: Hundsun Technologies Inc.; Assignor: Zhejiang University; Contract record no.: 2013330000107; Denomination of invention: Web service security control mechanism based on PKI and PMI; License type: Common License; Record date: 2013-04-26
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2011-05-11; Termination date: 2020-06-17