CN102457509A - Safe access method, device and system of cloud computing resource - Google Patents

Info

Publication number: CN102457509A
Authority: CN (China)
Prior art keywords: resource, information, user, service provider, accessed
Legal status: Granted
Application number: CN2010105302226A
Other languages: Chinese (zh)
Other versions: CN102457509B (en)
Inventors: 陈小华, 周扬
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp

Application filed by ZTE Corp
Priority to CN201010530222.6A
Publication of CN102457509A
Application granted
Publication of CN102457509B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a secure access method for a cloud computing resource, comprising the following steps: a resource information consignor server provides relevant information about a resource to a logged-in user; after a cloud computing service provider server receives a resource access request sent by the user, it confirms whether the resource access request carries an access certificate for the resource to be accessed; if not, it acquires the information of the service provider server to which the resource to be accessed belongs and sends an authentication request to that service provider server, the authentication request carrying the user's identification information, the information of the resource to be accessed and the like; the service provider server performs identity authentication and access control on the user and issues access control information for the resource to be accessed; the cloud computing service provider server authenticates the access control information for the resource to be accessed and supplies the resource to the user after the authentication passes. The invention also discloses a secure access device for the cloud computing resource. With the secure access method, device and system for the cloud computing resource, the efficiency with which users access service resources is improved.

Description

Cloud computing resource security access method, device and system
Technical Field
The invention relates to a resource access technology, in particular to a method, a device and a system for safely accessing cloud computing resources.
Background
Cloud computing is a technology combining distributed processing, parallel processing, grid computing and the like. The core idea of cloud computing is to uniformly manage and schedule a large number of computing resources connected by a network so that they form a computing resource pool that serves users on demand.
By using a cloud computing service, a service provider can reduce its operating cost and provide reliable resource access services to users. More and more service providers have chosen cloud computing services to deliver their services to users.
The service provider rents the service of the cloud computing service provider and then stores its service resources at the cloud computing service provider. Currently, the main way for a service provider to serve a user with a cloud computing service is that the user first logs in to the service provider's website, the service provider obtains the service resources from the cloud computing provider on the user's behalf, and the service provider then delivers the services to the user.
This approach has several disadvantages. First, the ways in which service providers can offer services to subscribers are limited: all services of the service provider must pass through the service provider itself. Second, service providers need greater service capacity. The service provider acts as a resource relay station for many users, which increases its load, whereas in a cloud environment the service provider wants to use the cloud precisely in order to deploy simply and reduce cost; the relay role conflicts with that goal and adds to the service provider's burden. Finally, the flexibility with which users can use the service provider's resources is limited: a user can obtain the resources the service provider has rented at the cloud computing service provider only by logging in to the service provider.
However, as cloud computing service applications develop, service providers want to provide resources to users in various ways, and users want to access the cloud computing service providers flexibly, anytime and anywhere, to obtain the services that service providers deliver through them. At the same time, since user resources are the main support of the service provider's business, the service provider naturally wants to prevent users from accessing the cloud computing service provider directly, so that the user resources are not leaked to the cloud computing service provider. A better security scheme for cloud computing service applications is therefore needed: one that gives the service provider a convenient way to provide services and the user a flexible way to access resources, while also protecting the service provider's user resources.
Hence a resource access scheme is urgently needed that both provides users with a flexible way to access resources and protects the user resources of the service provider server. Unfortunately, as cloud computing technology is still at the discussion stage, no such technical solution is available at present.
Disclosure of Invention
In view of this, the main objective of the present invention is to provide a method, an apparatus, and a system for secure access to cloud computing resources, which are convenient for users to access service resources and protect user resources of service providers.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
a secure access method for cloud computing resources comprises the following steps:
the resource information consignor server provides the relevant information of the service provider resource for the login user;
after receiving a resource access request sent by a user, a cloud computing service provider server confirms whether the resource access request carries an access control voucher of a resource to be accessed, if not, the cloud computing service provider server acquires service provider server information to which the resource to be accessed belongs according to related information of the resource to be accessed carried in the resource access request, and sends the resource access control request to a service provider server to which the resource to be accessed belongs; the service provider server performs identity authentication and access control on the user according to the identification information of the user and issues access control information of resources to be accessed; the resource access control request carries identification information of the user and information of resources to be accessed; the resource access control information to be accessed comprises authorization information of the resource to be accessed;
the cloud computing service provider server authenticates the access control information of the resources to be accessed, which is received and sent by the user or the service provider server, and provides the resources to be accessed to the user after the authentication is passed; or the cloud computing service provider server authenticates the received access control information of the resource to be accessed, which is sent by the user or the service provider server, and provides the access authority information of the resource to be accessed for the user after the authentication is passed; and after receiving the access authority information of the resource to be accessed, which is sent by the user, the cloud computing service provider server provides the resource to be accessed for the user.
Preferably, the resource information consignor server is a service provider server, a cloud computing service provider server or an independent enterprise server, and is used for providing the resource information of the service provider for the user.
Preferably, the access control information for issuing the resource to be accessed is specifically:
issuing access control information of resources to be accessed to the user or the cloud computing service provider server; and when the resource access control information is issued to the user, the user sends the access control information of the resource to be accessed to the cloud computing service provider server.
Preferably, before the resource information consignor server provides the relevant information of the resource for the login user, the method further includes:
the service provider server receives a registration request of the user and provides a registration identifier and an access password for the user;
the resource information consignor server provides the relevant information of the resource for the login user specifically as follows:
the resource information consignor server represents a service provider to display resource information to a user;
and the service provider server shares the registration identification and the access password information of the user with the resource information consignor server, and the resource information consignor server provides the relevant information of the resource for the user when verifying that the registration identification and the access password information input by the user are correct.
Preferably, the method further comprises:
and after verifying that the registration identification and the access password input by the user are correct, the resource information consignor server displays the resource information of the service provider to the user.
Preferably, the related information of the resource includes user number information, resource number information, and service provider server identification information set for the user by the service provider server.
Preferably, the related information of the resource further includes valid time information of the resource;
the service provider server identification information includes the IP address of the service provider server and the name of the service provider server, or the identification of the communication port it provides, or hardware identification information.
Preferably, the access authorization comprises: service provider server identification information, resource number, resource storage path, resource access constraints, and time limits for accessing the resource.
A cloud computing resource security access device comprises a first providing unit, a first receiving unit, a determining unit, a first authentication unit, a second authentication unit and a second providing unit, wherein,
the first providing unit is used for providing related information of resources for the login user;
the first receiving unit is used for receiving a resource access request sent by a user; the resource access request carries identification information of the user and information of resources to be accessed;
the determining unit is used for determining whether the resource access request carries an access control certificate of the resource to be accessed or not, and triggering the first authentication unit if the resource access request does not carry the access control certificate of the resource to be accessed;
the first authentication unit is used for acquiring the information of the service provider server to which the resource to be accessed belongs according to the relevant information of the resource to be accessed carried in the resource access request, and sending an access control request to the service provider server to which the resource to be accessed belongs; the access control request carries identification information of the user and information of resources to be accessed; the service provider server performs identity authentication and access control on the user according to the identification information of the user and issues access control information of resources to be accessed;
the second authentication unit is used for authenticating the received access control information of the resource to be accessed, which is sent by the user or the service provider;
the second providing unit is used for providing the resource to be accessed for the user after the authentication of the second authentication unit is completed; or after the second authentication unit finishes authentication, providing the access authority information of the resource to be accessed for the user, and after receiving the access authority information of the resource to be accessed sent by the user, providing the resource to be accessed for the user.
Preferably, the access control information of the access authorization includes: service provider server identification information, resource number, resource storage path, resource access constraints, and time limits for accessing the resource.
A cloud computing resource safety access system comprises a resource information consignor server, a service provider server and a cloud computing service provider server; wherein,
the resource information consignor server is used for providing related information of resources for the login user;
the cloud computing service provider server is used for confirming whether the resource access request carries an access control certificate of the resource to be accessed or not after receiving the resource access request sent by the user, acquiring the service provider server information of the resource to be accessed according to the relevant information of the resource to be accessed carried in the resource access request if not, and sending the resource access control request to the service provider server of the resource to be accessed; the authentication request carries identification information of the user and information of resources to be accessed; and authenticating the received access control information of the resource to be accessed, which is sent by the user or the service provider, and providing the resource to be accessed for the user after the authentication is passed; or, the access control module is configured to authenticate the access control information of the resource to be accessed, which is received from the user or the service provider server, and provide the access authority information of the resource to be accessed to the user after the authentication is passed; after receiving the access authority information of the resource to be accessed, which is sent by the user, providing the resource to be accessed for the user;
and the service provider server is used for carrying out identity authentication and access control on the user according to the identification information of the user and issuing access control information of resources to be accessed.
Preferably, before the resource information consignor server provides the relevant information of the resource for the login user, the service provider server receives the registration request of the user and provides the registration identifier and the access password for the user;
and the service provider server shares the registration identification and the access password information of the user with the resource information consignor server, and the resource information consignor server provides the relevant information of the resource for the user when verifying that the registration identification and the access password input by the user are correct.
Preferably, the access authorization comprises: service provider server identification information, resource number, resource storage path, resource access constraints, and time limits for accessing the resource.
In the invention, a user firstly performs registration login through the resource information consignor server to obtain the relevant information of the resource to be accessed, and accesses the resource to be accessed through the cloud computing server according to the relevant information of the resource to be accessed. The invention can provide a simple and easy resource access means for the user, reduces the cost of system setting, is beneficial to the user to flexibly access resources, and improves the efficiency of resource access.
Drawings
FIG. 1 is a schematic diagram of a configuration of a cloud computing resource security access system according to the present invention;
FIG. 2 is a flowchart of a secure access method for cloud computing resources according to the present invention;
FIG. 3 is a schematic structural diagram of the cloud computing resource security access apparatus according to the present invention.
Detailed Description
The basic idea of the invention is that the resource information consignor server provides the relevant information of the resource for the login user; after receiving a resource access request sent by a user, the cloud computing service provider server confirms whether the resource access request carries a resource access control certificate to be accessed, and if not, the cloud computing service provider server acquires service provider server information to which the resource to be accessed belongs according to related information of the resource to be accessed carried in the resource access request, and sends an authentication request to the service provider server to which the resource to be accessed belongs; the authentication request carries identification information of the user and resource information to be accessed, and the service provider server performs identity authentication and access control on the user according to the identification information of the user and issues resource access control information to be accessed. And the cloud computing service provider server authenticates the received to-be-accessed resource access control information sent by the service provider, and provides the to-be-accessed resource for the user after the authentication is passed.
Fig. 1 is a schematic diagram illustrating a configuration of a cloud computing resource security access system according to the present invention, and as shown in fig. 1, the cloud computing resource security access system according to the present invention includes a resource information consignor server, a service provider server, and a cloud computing provider server; wherein,
the resource information consignor server is used for providing related information of resources for the login user;
the cloud computing service provider server is used for confirming whether the resource access request carries an access control certificate of the resource to be accessed or not after receiving the resource access request sent by the user, acquiring the service provider server information of the resource to be accessed according to the relevant information of the resource to be accessed carried in the resource access request if not, and sending the resource access control request to the service provider server of the resource to be accessed; the authentication request carries identification information of the user and information of resources to be accessed; and authenticating the received access control information of the resource to be accessed, which is sent by the user or the service provider, and providing the resource to be accessed for the user after the authentication is passed; or, the access control module is configured to authenticate the access control information of the resource to be accessed, which is received from the user or the service provider server, and provide the access authority information of the resource to be accessed to the user after the authentication is passed; after receiving the access authority information of the resource to be accessed, which is sent by the user, providing the resource to be accessed for the user;
and the service provider server is used for carrying out identity authentication and access control on the user according to the identification information of the user and issuing access control information of resources to be accessed.
In the invention, the resource information consignor is the information platform for the resources offered by the service provider: it presents resource information to users on behalf of the service provider. The service provider itself may act as the resource information consignor; the cloud computing service provider may also serve in this role, and the resource information consignor may likewise be an independent third-party company. The service provider server tells the resource information consignor server which resource services and resource information it provides, and the resource information consignor server presents that resource information to the user; it may also build resource information combinations on top of the resource information it obtained and present those to the user. Here the resource information may consist of basic resource units or a combination of resource units, where a resource includes service elements, computing resources and other resources provided by the service provider; in terms of services, for example, a telecommunications company can provide individual services and service packages.
The user obtains resource information from the resource information consignor (or service provider) server and then accesses the resource at the cloud computing service provider server; alternatively, after obtaining the resource information, the user assembles it according to need into a resource combination that meets the requirement for the service, and then sends that resource information combination to the cloud computing service provider server.
And the service provider server authenticates the identity of the user according to the requirements of the cloud computing provider server, and issues access control information according to some application behavior results of the user.
After the cloud computing service provider server initiates an authentication request to the service provider server, the service provider server sends access control information to the cloud computing service provider server, and the cloud computing service provider server provides resource services such as services and the like for the user according to the access control information.
Before the resource information consignor server provides relevant information of resources for a login user, the service provider server receives a registration request of the user and provides a registration identifier and an access password for the user;
and the service provider server shares the registration identification and the access password information of the user with the resource information consignor server, and the resource information consignor server provides the relevant information of the resource for the user when verifying that the registration identification and the access password information input by the user are correct.
And the service provider server issues access control information for accessing resources for the user and sends the access control information to the cloud computing service provider.
The access right information includes: service provider server identification information, resource number, resource storage path, resource access constraints, and time limits for accessing the resource.
The related information of the resources comprises user number information, resource number information and service provider server identification information which are set for the user by the service provider server.
The related information of the resource also comprises the valid time of the resource; the service provider server identification information includes the IP address of the service provider server and the name of the service provider server, or the identification of the communication port it provides, or hardware identification information.
In the invention, the cloud computing resources comprise cloud storage resources and the like.
The following describes in detail how the user of the present invention accesses the resources of the service provider located on the service provider server through the cloud computing provider server.
Fig. 2 is a flowchart of the secure access method for cloud computing resources according to the present invention, and as shown in fig. 2, the secure access method for cloud computing resources according to the present invention specifically includes the following steps:
in step 201, a user obtains related information of a resource to be accessed.
Specifically, in step 201, the user first enters a user name and password at the client to log in to the resource information consignor server. After the resource information consignor server authenticates the user's identity, it sends a resource information list to the user; the user selects the resource information to be accessed, and the resource information consignor server sends the corresponding resource information to the user.
The communication flow between the client and the resource information consignor server is as follows:
The user starts the client program and enters the user name and password. The client program logs in to the authentication server over the Secure Socket Layer (SSL) protocol, initiates a session, and then sends the user name and corresponding password to the resource information consignor server.
The login password may be processed by the client with the MD5 algorithm when the user registers with the service provider server. In that case the client sends the MD5-processed password to the resource information consignor server, and matching the MD5 value at the resource information consignor server avoids exposing the user's password.
The service provider server shares the user name and the MD5 value of the password saved at registration with the resource information consignor server. The resource information consignor server then matches the user name and the password's MD5 value; if they do not match it returns an error prompt, and if they match it returns the service provider server's resource information list resourcelist.
The user selects the resource information to be accessed from the resource list and sends it to the resource information consignor server, which returns the corresponding resource information ticket to the user. The resource information ticket may be encrypted with the system key K_S, a key shared by the resource information consignor server, the service provider server and the cloud computing service provider server. The resource information consignor server also sends the IP address IP_C of the cloud computing service provider server to the user.
The resource information ticket contains the user number N_U, the resource number N, the service provider server identifier ID_S and the service provider server address IP_S, and may also include the time value for which the user may use the ticket to access the resource. That is, ticket = {N_U, N, ID_S, IP_S, time}_KS.
The user then receives the resource information ticket and stores it locally, together with the address IP_C of the cloud computing service provider server, for later access; the session between the user and the resource information consignor server then ends.
The session between the client and the resource information consignor server is as follows:
the client sends {username + [password]MD5} SSL to the resource information consignor server;
the resource information consignor server sends {resourcelist} SSL to the client;
the client sends {N} SSL to the resource information consignor server;
the resource information consignor server sends {IP_C, ticket} SSL to the client, where ticket = {N_U, N, ID_S, IP_S, time}_KS.
Here username is the user's login user name, password the corresponding password, and [password]MD5 the password processed by MD5; the session is transmitted over the SSL protocol. The resource number N may denote a large set of resource information.
Step 202: the user obtains the authorization token token_v for the resource to be accessed.
In step 202, after obtaining the relevant information of the resource to be accessed, the user still cannot access the resource directly with that information and must obtain an access token for it. The following details how the user obtains the authorization token token_v for the resource to be accessed.
Using the address IP_C of the cloud computing service provider server that the resource information consignor server sent, the user initiates a resource access request and sends the resource access ticket to the cloud computing service provider server.
The cloud computing server unpacks the ticket with the system key K_S and obtains the service provider server's ID_S and IP_S and the user number N_U. The cloud computing service provider server authenticates the service provider server by its ID_S and IP_S and looks up the service provider server's registration information. If the authentication passes, an unauthorized token is issued and sent to the user. The unauthorized token can be encrypted with the system key K_S.
The unauthorized token token_e includes the cloud computing server's ID_C and IP_C, the resource number N being accessed, and the time value time for which the token can be used. That is, token_e = {ID_C, IP_C, N, time}_KS.
Of course, if the user has already obtained an authorization token token_v, the cloud computing service provider server sends the user a token_v request P_T to confirm whether the user obtained an authorization token token_v before sending the resource access request to the cloud computing server. If the user already has token_v, the final resource access flow may be performed.
The process by which the user obtains the authorization token token_v is as follows.
The user sends the unauthorized token token_e to the cloud computing service provider server to request an authorization token token_v. The cloud computing service provider server sends a request to the service provider server asking it to provide access control information for the user's access to the resource. The service provider server looks up the user's resource access authority and sends the resource access authority value V to the cloud computing provider server.
The basic flow between the cloud computing service provider server and the service provider server is as follows:
the user sends the unauthorized token token_e to the cloud computing service provider server;
the cloud computing service provider server initiates access to the service provider server at IP_S and sends it the resource information N to be accessed, a resource access authority request P_V and the user number N_U; the resource access authority request information may be encrypted with the system key K_S.
The service provider server decrypts the resource access authority request information with the system key K_S, obtains the user number N_U, looks up the user's IP address IP_C by that number, initiates access to the user at that address, and requires the user to provide the resource access authority application information.
The user submits the resource access authority application to the service provider server. Specifically, in the invention, the service provider server sends a page jump action_i to the user's client, which may require the user to log in to the service provider server's website. At this point the client may jump to the service provider server's website, and the user enters the user name username and the password to log in. The service provider server verifies the username and password against the user's registration information in its database, and if they match, the user is allowed access. The service provider server then sends a page jump action_e to the user's client, jumping to the authorization page for the resource N to be accessed, where the user can select a right request action_v, such as payment, to ask the service provider server to allow access to resource N.
The service provider server issues the resource access authority V according to the application and sends the authority value V to the cloud computing provider server; the transmission is encrypted with the system key K_S.
Cloud computing service provider server application system key (K)S) Decrypting to obtain a resource access authority value V, and packaging the authority value V into an authorization tokenvAnd will authorize tokenvAnd sending the data to the user. Sending authorization tokenvMay pass through the system key (K)S) Encryption is performed.
Authorization tokenvMay include a service provider server IDCService provider server IPCResource number N, authority value V and the authorization token can be usedvTime limit time. Namely, it isAuthorization tokenv={IDC,IPC,N,time,V,}KS
The session flow between the cloud computing service provider server, the service provider server and the client can be expressed with the parameters above as follows:
the user sends {ticket} to the cloud computing service provider server through the client;
the cloud computing service provider server sends {P_T, token_e} to the user client;
the user sends {token_e}SSL to the cloud computing service provider server through the client;
the cloud computing service provider server sends {{N, N_U, P_V}K_S}SSL to the service provider server;
the service provider server sends {action_i}SSL to the user client;
the user sends {username, password}SSL to the service provider server through the client;
the service provider server sends {action_e}SSL to the user client;
the user sends {{N, action_v}K_C}SSL to the service provider server through the client;
the service provider server sends {{N, V}K_S}SSL to the cloud computing service provider server;
the service provider server sends {token_v}SSL to the user client;
where token_v = {ID_C, IP_C, N, time, V}K_S.
Step 203: the user obtains the resource access token token_a and accesses the resource to be accessed.
In step 203, the user sends a request to the cloud computing server using the access token token_v; the cloud computing server authenticates token_v and sends the resource access token token_a to the user. After receiving token_a, the user can use token_a to retrieve the resource from the cloud computing service provider server.
The basic flow between the user and the cloud computing service provider server is as follows:
the client sends the access token token_v to the cloud computing server and requests the resource access token token_a from it. The access token token_v here has the same contents as the token_v described above.
The cloud computing service provider server decrypts the access token token_v with the system key, authenticates the resource access authority information, and after authentication passes issues the corresponding access token token_a and sends it to the user. The access token token_a may contain the identification information ID_C of the service provider server, the resource number N, the resource storage path D, the resource access constraint L and the time limit within which the resource can be accessed, i.e. token_a = {ID_C, N, D, L, time}K_S.
After receiving the access token token_a, the user sends a resource access request carrying token_a to the cloud computing service provider server.
The cloud computing service provider server decrypts the access token token_a with the system key and checks the resource access constraint information L; if the check passes, it locates the resource according to L, and the cloud computing service provider server provides the resource to be accessed to the user by sending the resource corresponding to the resource number.
The session flow between the cloud computing service provider server and the client can be expressed with the parameters above as follows:
the user sends {{token_v}K_S}SSL to the cloud computing service provider server through the client;
the cloud computing service provider server sends {token_a}SSL to the user client;
the user sends {token_a}SSL to the cloud computing service provider server through the client;
the cloud computing service provider server sends {resource}SSL to the user client;
where token_a = {ID_C, N, D, L, time}K_S.
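The full token chain of steps 202 and 203 (ticket, unauthorized token_e, authorization token_v, access token_a, resource) written out as an added Python simulation. This is illustrative code, not code from the patent or from ZTE, and it makes several assumptions: the patent encrypts tokens under the system key K_S, whereas this simulation binds each token to K_S with a keyed MAC (the security property shown, that only holders of K_S can mint or validate tokens, is the same); the token lifetime TTL, the identifiers ID_S, IP_S, ID_C, IP_C, the user number, the resource number, the authority value "read" and the constraint "read-only" are all constructed values; token_e additionally carries ID_S and N_U so that the cloud server keeps no session state; the SSL layer and the page-jump actions action_i, action_e and action_v are omitted, and the user's login credentials are handed to the service provider server directly.

```python
import hashlib
import hmac
import json
import time

K_S = b"constructed-system-key-K_S"  # K_S shared by cloud server and service provider (constructed)
TTL = 300  # token lifetime in seconds; the page only says "time", so this value is an assumption


def seal(payload, key=K_S):
    """Bind a token payload to K_S with a keyed MAC (stands in for the page's encryption)."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unseal(token, key=K_S, now=None):
    """Verify the tag under K_S and reject expired tokens; raise PermissionError otherwise."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("token was not minted under K_S")
    payload = json.loads(body)
    if "time" in payload and (time.time() if now is None else now) > payload["time"]:
        raise PermissionError("token expired")
    return payload


class ServiceProviderServer:
    """Holds user registrations and the access authority V granted per (N_U, N)."""
    ID, IP = "SP-1", "10.0.0.2"  # ID_S / IP_S (constructed)

    def __init__(self):
        self.users = {"u100": ("alice", "correct-horse")}  # N_U -> (username, password)
        self.grants = {("u100", "res-42"): "read"}        # V obtained earlier via action_v

    def login(self, username, password):
        return any(u == username and hmac.compare_digest(p, password)
                   for u, p in self.users.values())

    def issue_authority(self, request, credentials):
        """Receive {N, N_U, P_V}K_S from the cloud server; once the user logs in, reply {N, V}K_S."""
        req = unseal(request)
        if not self.login(*credentials):
            raise PermissionError("user login at the service provider failed")
        return seal({"N": req["N"], "V": self.grants.get((req["N_U"], req["N"]), "")})


class CloudServer:
    """Mints token_e, token_v and token_a, then serves the resource."""
    ID, IP = "CLOUD-1", "10.0.0.1"  # ID_C / IP_C (constructed)

    def __init__(self, providers):
        self.providers = providers  # ID_S -> registered ServiceProviderServer
        # N -> (storage path D, access constraint L, resource bytes); constructed sample
        self.catalog = {"res-42": ("/store/res-42.bin", "read-only", b"resource payload")}

    def issue_token_e(self, ticket):
        """ticket = {ID_S, IP_S, N, N_U}K_S -> unauthorized token_e after checking registration."""
        t = unseal(ticket)
        sp = self.providers.get(t["ID_S"])
        if sp is None or sp.IP != t["IP_S"]:
            raise PermissionError("service provider server is not registered")
        # ID_S and N_U ride along in token_e so the server needs no session state (assumption).
        return seal({"ID_C": self.ID, "IP_C": self.IP, "N": t["N"], "time": int(time.time()) + TTL,
                     "ID_S": t["ID_S"], "N_U": t["N_U"]})

    def issue_token_v(self, token_e, credentials):
        """Obtain V from the service provider and package it into authorization token_v."""
        t = unseal(token_e)
        sp = self.providers[t["ID_S"]]
        reply = sp.issue_authority(seal({"N": t["N"], "N_U": t["N_U"], "P_V": "request"}), credentials)
        V = unseal(reply)["V"]
        if not V:
            raise PermissionError("service provider issued no access authority")
        return seal({"ID_C": self.ID, "IP_C": self.IP, "N": t["N"], "time": int(time.time()) + TTL, "V": V})

    def issue_token_a(self, token_v):
        """Check V, then issue access token_a = {ID_C, N, D, L, time}K_S."""
        t = unseal(token_v)
        if t["V"] != "read":  # the set of authority values is an assumption
            raise PermissionError("authority value V does not permit access")
        D, L, _ = self.catalog[t["N"]]
        return seal({"ID_C": self.ID, "N": t["N"], "D": D, "L": L, "time": int(time.time()) + TTL})

    def fetch(self, token_a, op="read"):
        """Check constraint L against the requested operation, then return the resource."""
        t = unseal(token_a)
        if t["L"] == "read-only" and op != "read":
            raise PermissionError("resource access constraint L not satisfied")
        return self.catalog[t["N"]][2]


def run_flow(credentials=("alice", "correct-horse")):
    """Whole chain: ticket -> token_e -> token_v -> token_a -> resource."""
    sp = ServiceProviderServer()
    cloud = CloudServer({sp.ID: sp})
    ticket = seal({"ID_S": sp.ID, "IP_S": sp.IP, "N": "res-42", "N_U": "u100"})  # from consignor server
    token_e = cloud.issue_token_e(ticket)
    token_v = cloud.issue_token_v(token_e, credentials)
    token_a = cloud.issue_token_a(token_v)
    return cloud.fetch(token_a)
```

The point the simulation makes concrete is that every hop is gated by K_S: a ticket, request or token produced without K_S fails `unseal`, an expired `time` value fails it too, and the cloud server only releases the resource after the authority value V from the service provider and the constraint L in token_a have both been checked.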
Fig. 3 is a schematic diagram of a composition structure of the cloud computing resource security access apparatus of the present invention, and as shown in fig. 3, the cloud computing resource security access apparatus of the present invention includes a first providing unit 30, a first receiving unit 31, a determining unit 32, a first authenticating unit 33, a second authenticating unit 34, and a second providing unit 35, wherein,
a first providing unit 30, configured to provide relevant information of resources for a login user;
a first receiving unit 31, configured to receive a resource access request sent by a user; the resource access request carries identification information of the user and information of resources to be accessed;
a determining unit 32, configured to determine whether the resource access request carries an access control credential of a resource to be accessed, and trigger the first authentication unit if the resource access request does not carry the access control credential of the resource to be accessed;
the first authentication unit 33 is configured to obtain, according to the relevant information of the resource to be accessed, carried in the resource access request, information of a service provider server to which the resource to be accessed belongs, and send an access control request to the service provider server to which the resource to be accessed belongs; the access control request carries identification information of the user and information of resources to be accessed; the service provider server performs identity authentication and access control on the user according to the identification information of the user and issues access control information of resources to be accessed;
a second authentication unit 34, configured to authenticate access control information of the resource to be accessed, which is sent by the user, and provide access right information of the resource to be accessed to the user after the authentication is passed;
a second providing unit 35, configured to provide the resource to be accessed for the user after the authentication of the second authentication unit 34 is completed; or after the second authentication unit 34 completes authentication, the access right information of the resource to be accessed is provided to the user, and after the access right information of the resource to be accessed sent by the user is received, the resource to be accessed is provided to the user.
The related information of the resources comprises user number information, resource number information and service provider server identification information which are set for the user by the service provider server. The related information of the resource also comprises effective time information of the resource;
the service provider server identification information includes the IP address information of the service provider server, and name information of the service provider server, or provides communication port identification information, or hardware identification information.
The access authorization includes: service provider server identification information, resource number, resource storage path, resource access constraints, and time limits for accessing the resource.
It should be understood by those skilled in the art that the cloud computing resource security access apparatus shown in fig. 3 of the present invention is designed to implement the foregoing cloud computing resource security access method, and the implementation functions of the foregoing processing units may be understood by referring to the description related to the foregoing method. The functions of the processing units in the figures may be implemented by a program running on a processor, or may be implemented by specific logic circuits.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (13)

1. A cloud computing resource security access method, the method comprising:
the resource information consignor server provides the relevant information of the service provider resource for the login user;
after receiving a resource access request sent by a user, a cloud computing service provider server confirms whether the resource access request carries an access control voucher of a resource to be accessed, if not, the cloud computing service provider server acquires service provider server information to which the resource to be accessed belongs according to related information of the resource to be accessed carried in the resource access request, and sends the resource access control request to a service provider server to which the resource to be accessed belongs; the service provider server performs identity authentication and access control on the user according to the identification information of the user and issues access control information of resources to be accessed; the resource access control request carries identification information of the user and information of resources to be accessed; the resource access control information to be accessed comprises authorization information of the resource to be accessed;
the cloud computing service provider server authenticates the access control information of the resources to be accessed, which is received and sent by the user or the service provider server, and provides the resources to be accessed to the user after the authentication is passed; or the cloud computing service provider server authenticates the received access control information of the resource to be accessed, which is sent by the user or the service provider server, and provides the access authority information of the resource to be accessed for the user after the authentication is passed; and after receiving the access authority information of the resource to be accessed, which is sent by the user, the cloud computing service provider server provides the resource to be accessed for the user.
2. The method of claim 1, wherein the resource information consignor server is a service provider server or a cloud computing server or an independent third party server for providing the resource information of the service provider to the user.
3. The method according to claim 1, wherein the access control information for issuing the resource to be accessed is specifically:
issuing access control information of resources to be accessed to the user or the cloud computing service provider server; and when the resource access control information is issued to the user, the user sends the access control information of the resource to be accessed to the cloud computing service provider server.
4. The method of claim 1, wherein before the resource information consignor server provides the information about the resource to the logged-on user, the method further comprises:
the service provider server receives a registration request of the user and provides a registration identifier and an access password for the user;
the resource information consignor server provides the relevant information of the resource for the login user specifically as follows:
the resource information consignor server displays the resource information to the user on behalf of the service provider;
and the service provider server shares the registration identification and the access password information of the user with the resource information consignor server, and the resource information consignor server provides the relevant information of the resource for the user when verifying that the registration identification and the access password information input by the user are correct.
5. The method of claim 4, further comprising:
and after verifying that the registration identification and the access password input by the user are correct, the resource information consignor server displays the resource information of the service provider to the user.
6. The method according to claim 1, wherein the information related to the resource comprises user number information, resource number information, and service provider server identification information set for the user by the service provider server.
7. The method of claim 6, wherein the information related to the resource further comprises valid time information of the resource;
the service provider server identification information includes the IP address information of the service provider server, and name information of the service provider server, or provides communication port identification information, or hardware identification information.
8. The method of claim 1, wherein the access authorization comprises: service provider server identification information, resource number, resource storage path, resource access constraints, and time limits for accessing the resource.
9. A cloud computing resource security access apparatus, comprising a first providing unit, a first receiving unit, a determining unit, a first authenticating unit, a second authenticating unit, and a second providing unit, wherein,
the first providing unit is used for providing related information of resources for the login user;
the first receiving unit is used for receiving a resource access request sent by a user; the resource access request carries identification information of the user and information of resources to be accessed;
the determining unit is used for determining whether the resource access request carries an access control certificate of the resource to be accessed or not, and triggering the first authentication unit if the resource access request does not carry the access control certificate of the resource to be accessed;
the first authentication unit is used for acquiring the information of the service provider server to which the resource to be accessed belongs according to the relevant information of the resource to be accessed carried in the resource access request, and sending an access control request to the service provider server to which the resource to be accessed belongs; the access control request carries identification information of the user and information of resources to be accessed; the service provider server performs identity authentication and access control on the user according to the identification information of the user and issues access control information of resources to be accessed;
the second authentication unit is used for authenticating the received access control information of the resource to be accessed, which is sent by the user or the service provider;
the second providing unit is used for providing the resource to be accessed for the user after the authentication of the second authentication unit is completed; or after the second authentication unit finishes authentication, providing the access authority information of the resource to be accessed for the user, and after receiving the access authority information of the resource to be accessed sent by the user, providing the resource to be accessed for the user.
10. The apparatus of claim 9, wherein the access control information of the access grant comprises: service provider server identification information, resource number, resource storage path, resource access constraints, and time limits for accessing the resource.
11. A cloud computing resource security access system is characterized by comprising a resource information consignor server, a service provider server and a cloud computing provider server; wherein,
the resource information consignor server is used for providing related information of resources for the login user;
the cloud computing service provider server is used for confirming whether the resource access request carries an access control certificate of the resource to be accessed or not after receiving the resource access request sent by the user, acquiring the service provider server information of the resource to be accessed according to the relevant information of the resource to be accessed carried in the resource access request if not, and sending the resource access control request to the service provider server of the resource to be accessed; the authentication request carries identification information of the user and information of resources to be accessed; and authenticating the received access control information of the resource to be accessed, which is sent by the user or the service provider, and providing the resource to be accessed for the user after the authentication is passed; or, the access control module is configured to authenticate the access control information of the resource to be accessed, which is received from the user or the service provider server, and provide the access authority information of the resource to be accessed to the user after the authentication is passed; after receiving the access authority information of the resource to be accessed, which is sent by the user, providing the resource to be accessed for the user;
and the service provider server is used for carrying out identity authentication and access control on the user according to the identification information of the user and issuing access control information of resources to be accessed.
12. The system of claim 11, wherein before the resource information consignor server provides the relevant information of the resource for the logged-in user, the service provider server receives the registration request of the user, and provides the user with the registration identifier and the access password;
and the service provider server shares the registration identification and the access password information of the user with the resource information consignor server, and the resource information consignor server provides the relevant information of the resource for the user when verifying that the registration identification and the access password input by the user are correct.
13. The system of claim 11, wherein the access authorization comprises: service provider server identification information, resource number, resource storage path, resource access constraints, and time limits for accessing the resource.
CN201010530222.6A 2010-11-02 2010-11-02 Cloud computing resources safety access method, Apparatus and system Active CN102457509B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010530222.6A CN102457509B (en) 2010-11-02 2010-11-02 Cloud computing resources safety access method, Apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010530222.6A CN102457509B (en) 2010-11-02 2010-11-02 Cloud computing resources safety access method, Apparatus and system

Publications (2)

Publication Number Publication Date
CN102457509A true CN102457509A (en) 2012-05-16
CN102457509B CN102457509B (en) 2015-09-16

Family

ID=46040171

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010530222.6A Active CN102457509B (en) 2010-11-02 2010-11-02 Cloud computing resources safety access method, Apparatus and system

Country Status (1)

Country Link
CN (1) CN102457509B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102750472A (en) * 2012-05-31 2012-10-24 华为软件技术有限公司 Authentication method, authentication device and authentication system
CN102891856A (en) * 2012-10-18 2013-01-23 中国科学院信息工程研究所 Safe access method between plural entity and plural entity identity relaying party
CN103107985A (en) * 2012-12-04 2013-05-15 百度在线网络技术(北京)有限公司 Cloud terminal authentication method, system and device
CN103152425A (en) * 2013-03-15 2013-06-12 苏州九光信息科技有限公司 Safety management system for mobile device based on cloud technology
CN103780580A (en) * 2012-10-23 2014-05-07 中国电信股份有限公司 Method, server and system for providing capability access strategy
CN103795690A (en) * 2012-10-31 2014-05-14 华为技术有限公司 Cloud access control method, proxy server, and cloud access control system
CN104954330A (en) * 2014-03-27 2015-09-30 华为软件技术有限公司 Method of accessing data resources, device and system
CN105025041A (en) * 2015-08-25 2015-11-04 北京百度网讯科技有限公司 File upload method, file upload apparatus and system
CN105099690A (en) * 2014-05-19 2015-11-25 江苏博智软件科技有限公司 OTP and user behavior-based certification and authorization method in mobile cloud computing environment
CN106330899A (en) * 2016-08-22 2017-01-11 深圳市先河系统技术有限公司 Private cloud device account management method and system, electronic device and server
CN107113340A (en) * 2015-01-08 2017-08-29 国际商业机器公司 Parallel data stream between application and massively parallel system based on cloud
CN110663040A (en) * 2016-12-21 2020-01-07 奥恩全球运营有限公司,新加坡分公司 Method and system for securely embedding a dashboard into a content management system
CN112035810A (en) * 2020-08-19 2020-12-04 绿盟科技集团股份有限公司 Access control method, device, medium and equipment
CN112632508A (en) * 2020-12-28 2021-04-09 中金数据(武汉)超算技术有限公司 Identity recognition method and device based on cloud computing
CN113553600A (en) * 2020-04-23 2021-10-26 华为技术有限公司 Resource acquisition method, system, server and storage medium
CN114650183A (en) * 2022-04-11 2022-06-21 远景智能国际私人投资有限公司 Resource management method, device, server and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350710A (en) * 2007-07-16 2009-01-21 华为技术有限公司 Network system, authority issuing server, authority issuing and executing method
US20100131949A1 (en) * 2008-11-26 2010-05-27 James Michael Ferris Methods and systems for providing access control to user-controlled resources in a cloud computing environment
WO2010117587A2 (en) * 2009-04-09 2010-10-14 Alcatel-Lucent Usa Inc. Identity management services provided by network operator

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张云勇 等: "云计算安全关键技术分析", 《电信科学》, no. 9, 30 September 2010 (2010-09-30), pages 64 - 69 *

Also Published As

Publication number Publication date
CN102457509B (en) 2015-09-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant