CN102594841B - Distributed multi-tenant node digital authentication system for cloud computing environment - Google Patents

Info

Publication number: CN102594841B
Authority: CN (China)
Prior art keywords: node, certificate, tenant, cloud computing, computing environment
Legal status: Active
Application number: CN201210075227.3A
Other languages: Chinese (zh)
Other versions: CN102594841A (en)
Inventor: 丁立
Current assignee: SHANDONG GREEN COMPUTING ELECTRONICS TECHNOLOGY CO., LTD.
Original assignee: SHANDONG GREEN COMPUTING ELECTRONICS TECHNOLOGY Co Ltd
Events: application filed by SHANDONG GREEN COMPUTING ELECTRONICS TECHNOLOGY Co Ltd; priority to CN201210075227.3A; publication of CN102594841A; application granted; publication of CN102594841B; legal status active.

Abstract

The invention relates to the technical field of authentication, and in particular discloses a distributed multi-tenant node digital authentication system for a cloud computing environment. The system comprises a center management server for keys and certificates, and is characterized in that: the center management server is established and configured by a root administrator of the multi-tenant environment; a host certificate applicable to a physical node is issued using a strictly protected 2,048-bit root certificate; and a guest certificate applicable to a virtual node is used to encrypt and sign all information transmitted between the virtual node and the physical node. The system is highly open and platform-independent; digital certificates are protected at multiple levels; and both users and nodes are digitally authenticated, so the system offers strong confidentiality and security.

Description

Distributed multi-tenant node digital authentication system for a cloud computing environment
(1) Technical field
The present invention relates to the field of network authentication, and in particular to a distributed multi-tenant node digital authentication system for a cloud computing environment.
(2) Background
In modern data communication systems, security is one of the principal concerns. As more and more information is transmitted over data communication systems, and as more and more users run applications that handle security-critical information on devices connected to such systems, an intrusion into a communication system or a breach of its security mechanisms can have catastrophic effects. To keep malicious users out, many communication networks today require a user to be authenticated before data communication is started through an access node of the network.
As cloud computing technology matures, future cloud computing environments will increasingly be built on distributed multi-tenant environments. In a multi-tenant environment there is no basic trust relationship between nodes, and security faces a major challenge.
The security problem in a multi-tenant environment centres on mutual authentication between nodes and on the encryption and signing of transmitted information.
(3) Summary of the invention
To make up for the deficiencies of the prior art, the present invention provides an open, platform-independent distributed multi-tenant node digital authentication system for a cloud computing environment.
The present invention is achieved through the following technical solution:
A distributed multi-tenant node digital authentication system for a cloud computing environment, comprising a center management server for keys and certificates, characterized in that: the center management server is set up and configured by the top-level administrator of the multi-tenant environment; it uses a strictly protected 2048-bit root certificate to issue the host certificate C_H applicable to a physical node; and all information transmitted between a virtual node and a physical node is encrypted and signed using the guest certificate C_G applicable to the virtual node.
In the present invention, cloud computing node authentication covers not only the user: the node itself is also digitally authenticated. The system is highly open and platform-independent, supporting Windows, Linux and other operating systems, and it authenticates every resource in the cloud computing system through a single central root certificate.
The guest certificate issuance procedure in the present invention is automated; it is also the key to this digital authentication system.
During guest certificate issuance: the physical node creates the virtual node; the physical node generates a time-limited temporary key and implants it into the virtual node by file injection; before transmitting any information, the virtual node first encrypts and signs a guest certificate request with the temporary key and sends the request to the physical node; the physical node decrypts the guest certificate request with the temporary key and verifies the signature; once verification passes, it formally issues the guest certificate and returns it to the virtual node.
Encryption and signing of information transmitted between virtual nodes is optional; the node receiving information can decide, according to its security configuration, whether to accept information that is neither encrypted nor signed.
The validity period of the temporary key does not exceed 120 seconds.
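The issuance handshake just described, as an added worked example in Go that is not the patent's own code: physical node H mints a random key with an expiry no later than 120 seconds out, virtual node G seals its certificate request under that key, and H refuses the request once the window has passed or if the ciphertext fails authentication. The page names no concrete primitive for "encrypt and sign" with the temporary key; AES-256-GCM is assumed here because a single shared key then gives both confidentiality and integrity. The TempKey struct, the function names and the sample request text are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// TempKeyTTL is the validity window of the implanted key; the claims bound
// it at 120 seconds, so a key recovered later is of no use.
const TempKeyTTL = 120 * time.Second

var (
	ErrTempKeyExpired = errors.New("temporary key has expired")
	ErrBadRequest     = errors.New("certificate request failed to authenticate")
)

// TempKey is what physical node H creates alongside virtual node G and
// implants into G's file system (struct constructed for this example).
type TempKey struct {
	Key       []byte // 32 random bytes, used as an AES-256-GCM key (assumed primitive)
	ExpiresAt time.Time
}

// NewTempKey runs on H at VM-creation time; "now" is passed in so the
// expiry logic can be exercised at chosen instants.
func NewTempKey(now time.Time) (TempKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return TempKey{}, err
	}
	return TempKey{Key: k, ExpiresAt: now.Add(TempKeyTTL)}, nil
}

func aead(tk TempKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tk.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRequest runs on G before it transmits: the guest certificate request
// is encrypted and integrity-protected under the implanted key.
func SealRequest(tk TempKey, request []byte) ([]byte, error) {
	g, err := aead(tk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, request, nil), nil // nonce is prefixed to the ciphertext
}

// OpenRequest runs on H: reject anything arriving after the key's window,
// then decrypt; a wrong key or any tampering fails the GCM tag check.
func OpenRequest(tk TempKey, now time.Time, sealed []byte) ([]byte, error) {
	if now.After(tk.ExpiresAt) {
		return nil, ErrTempKeyExpired
	}
	g, err := aead(tk)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, ErrBadRequest
	}
	plain, err := g.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, ErrBadRequest
	}
	return plain, nil
}

func main() {
	now := time.Now()
	tk, _ := NewTempKey(now)
	sealed, _ := SealRequest(tk, []byte("guest certificate request for G"))
	// A fresh request inside the window opens; the same bytes presented
	// after 120 s are refused even though the key could still decrypt them.
	_, err := OpenRequest(tk, now.Add(30*time.Second), sealed)
	fmt.Println("within window:", err)
	_, err = OpenRequest(tk, now.Add(TempKeyTTL+time.Second), sealed)
	fmt.Println("after window: ", err)
	sealed[len(sealed)-1] ^= 0x01 // flip one ciphertext bit
	_, err = OpenRequest(tk, now, sealed)
	fmt.Println("tampered:     ", err)
}
```

The expiry is checked before any decryption is attempted, so H can discard late requests without touching the key. The file-injection step and the issuance of C_G itself (signed under C_H) lie outside this block.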
The present invention is highly open and platform-independent, provides multiple layers of protection for digital authentication, and digitally authenticates not only the user but the node itself, giving good confidentiality and high security.
(4) Description of the drawings
The present invention is further described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the main flow of the present invention;
Fig. 2 is a schematic flow diagram of guest certificate issuance in the present invention;
Fig. 3 is a schematic flow diagram of a user logging in to a virtual node in the present invention;
Fig. 4 is a schematic diagram of a failed user login to a virtual node in the present invention.
In the figures: C, center management server; H, physical node; C_H, host certificate; G, virtual node; C_G, guest certificate.
(5) Embodiment
The accompanying drawings show a specific embodiment of the present invention. This embodiment comprises a center management server C for keys and certificates. The center management server C is set up and configured by the top-level administrator of the multi-tenant environment and uses a strictly protected 2048-bit root certificate to issue the host certificate C_H applicable to physical node H; all information transmitted between virtual node G and physical node H is encrypted and signed using the guest certificate C_G applicable to virtual node G. When guest certificate C_G is issued: physical node H creates virtual node G; physical node H generates a time-limited temporary key and implants it into virtual node G by file injection; before transmitting any information, virtual node G first encrypts and signs a request for guest certificate C_G with the temporary key and sends the request to physical node H; physical node H decrypts the request for C_G with the temporary key and verifies the signature; once verification passes, it formally issues guest certificate C_G and returns it to virtual node G. Encryption and signing of information transmitted between virtual nodes G is optional. The validity period of the temporary key does not exceed 120 seconds.
As shown in Fig. 3, after virtual node G obtains guest certificate C_G, the user requests to log in. Virtual node G returns guest certificate C_G. The user obtains the root certificate from the center certificate server (the root certificate may also be pre-installed in the client) and verifies guest certificate C_G with the root certificate. Once verification passes, the user regards virtual node G as trusted, supplies the login information and logs in successfully.
As shown in Fig. 4, after virtual node G obtains guest certificate C_G, the user requests to log in. Meanwhile, in the same environment, another virtual node G' has been attacked and compromised. By means such as ARP spoofing, G' fraudulently takes over G's network address. When the user requests to log in to G, the user is actually directed to G'. Because G' holds only guest certificate C_G', it can submit only C_G' to the user. The user obtains the root certificate from the center certificate server and verifies guest certificate C_G' with it. The verification fails, and the user refuses to provide login information.
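The two login flows of Fig. 3 and Fig. 4, as an added Go example that is not the patent's own code. It builds the trust chain the page describes (the root certificate at center server C, C_H for physical node H issued under the root, C_G and C_G' for virtual nodes G and G' issued under C_H) and runs the user's check against the root. The page states only that verifying C_G' fails; this example models that failure as the certificate chaining correctly but naming a node other than the one the user asked to log in to, which is the comparison a client must make for a spoofed address to be caught, and it adds a second failure case the page does not describe, a self-signed certificate that claims G's name. Keys are Ed25519 rather than the page's 2,048-bit root, for speed; the node names such as g.cloud.example, the serial numbers and the validity periods are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the page's trust chain (root at C, C_H of H, C_G and C_G'
// of G and G') plus a self-signed impostor claiming G's name with no path
// to the root (an extra case this example adds).
type Hierarchy struct {
	Root, Host, Guest, GuestPrime, Rogue *x509.Certificate
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return pub, priv
}

// certTemplate builds either a CA template (root, C_H) or a node template
// (C_G, C_G'). Node templates carry the node name as a SAN; that name is
// what the user compares against the node it meant to reach.
func certTemplate(serial int64, name string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl for pub with signer; a nil parent means self-signed.
// Inputs are program-constructed, so a failure is treated as a bug.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildHierarchy issues root -> C_H -> {C_G, C_G'} as the page describes.
// Names, serials and validity periods are constructed for this example.
func BuildHierarchy() *Hierarchy {
	rootPub, rootPriv := mustKey()
	hostPub, hostPriv := mustKey()
	guestPub, _ := mustKey()
	primePub, _ := mustKey()
	roguePub, roguePriv := mustKey()
	root := issue(certTemplate(1, "center-root", true), nil, rootPub, rootPriv)
	host := issue(certTemplate(2, "physical-node-H", true), root, hostPub, rootPriv)
	return &Hierarchy{
		Root:       root,
		Host:       host,
		Guest:      issue(certTemplate(3, "g.cloud.example", false), host, guestPub, hostPriv),
		GuestPrime: issue(certTemplate(4, "g-prime.cloud.example", false), host, primePub, hostPriv),
		Rogue:      issue(certTemplate(5, "g.cloud.example", false), nil, roguePub, roguePriv),
	}
}

// VerifyGuest is the user's check in Fig. 3 and Fig. 4: the presented
// certificate must chain through C_H to the root the user obtained from C
// (or had pre-installed) and must name the node the user asked to log in to.
func VerifyGuest(root, host, presented *x509.Certificate, wantNode string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(host)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: wantNode,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	h := BuildHierarchy()
	fmt.Println("Fig. 3, G answers with C_G:  ", VerifyGuest(h.Root, h.Host, h.Guest, "g.cloud.example"))
	fmt.Println("Fig. 4, G' answers with C_G':", VerifyGuest(h.Root, h.Host, h.GuestPrime, "g.cloud.example"))
	fmt.Println("self-signed impostor:        ", VerifyGuest(h.Root, h.Host, h.Rogue, "g.cloud.example"))
}
```

C_G' is a perfectly valid certificate for G' itself; it is rejected only because the user asked for G, so a client that verifies the chain but skips the name comparison would accept the redirected login.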

Claims (3)

1. A distributed multi-tenant node digital authentication system for a cloud computing environment, comprising a center management server (C) for keys and certificates, characterized in that: the center management server (C) is set up and configured by the top-level administrator of the multi-tenant environment and uses a strictly protected 2048-bit root certificate to issue the host certificate (C_H) applicable to a physical node (H); all information transmitted between a virtual node (G) and the physical node (H) is encrypted and signed using the guest certificate (C_G) applicable to the virtual node (G); and during issuance of the guest certificate: the physical node (H) creates the virtual node (G); the physical node (H) generates a time-limited temporary key and implants it into the virtual node (G) by file injection; before transmitting any information, the virtual node (G) first encrypts and signs a request for the guest certificate (C_G) with the temporary key and sends the request to the physical node (H); the physical node (H) decrypts the request for the guest certificate (C_G) with the temporary key and verifies the signature; and once verification passes, it formally issues the guest certificate (C_G) and returns it to the virtual node (G).
2. The distributed multi-tenant node digital authentication system for a cloud computing environment according to claim 1, characterized in that: encryption and signing of the information transmitted between virtual nodes (G) is optional.
3. The distributed multi-tenant node digital authentication system for a cloud computing environment according to claim 1, characterized in that: the validity period of the temporary key does not exceed 120 seconds.

Priority and family data

Application CN201210075227.3A (en), priority date 2012-03-21, filing date 2012-03-21, title: Distributed multi-tenant node digital authentication system for cloud computing environment. Status: Active. Family ID: 46483042. Country status: CN, CN102594841B (en).

Publications (2)

Publication Number | Publication Date
CN102594841A (en) | 2012-07-18
CN102594841B (en) | 2015-01-07
Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US10063537B2 (en) * | 2014-12-19 | 2018-08-28 | Microsoft Technology Licensing, Llc | Permission architecture for remote management and capacity instances
US9787690B2 (en) | 2014-12-19 | 2017-10-10 | Microsoft Technology Licensing, Llc | Security and permission architecture

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1345494A (en) * | 1999-03-26 | 2002-04-17 | 摩托罗拉公司 | Secure wireless electronic commerce system with digital product certificates and digital license certificates
CN1791116A (en) * | 2005-12-26 | 2006-06-21 | 北京航空航天大学 | Credential protection handling method facing service
CN102333077A (en) * | 2011-07-21 | 2012-01-25 | 上海互联网软件有限公司 | Safety verification system for electronic document office system and method thereof

Legal Events

Code | Title | Description
C06 / PB01 | Publication |
C10 / SE01 | Entry into substantive examination | Entry into force of request for substantive examination
ASS | Succession or assignment of patent right | Owner name: SHANDONG LVJISUAN ELECTRON TECHNOLOGY CO., LTD. Former owner: SHANDONG JIXINIC ELECTRONICS CO., LTD. Effective date: 20140930
C41 | Transfer of patent application or patent right or utility model |
C53 / CB03 | Correction of patent for invention or patent application; change of inventor or designer information | Inventor after: Ding Li. Inventor before: Chen Qikai; Jiang Tianchen
COR | Change of bibliographic data | CORRECT: INVENTOR; FROM: CHEN QIKAI JIANG TIANCHEN TO: DING LI. CORRECT: ADDRESS; FROM: 250101 JINAN, SHANDONG PROVINCE TO: 250000 JINAN, SHANDONG PROVINCE
TA01 | Transfer of patent application right | Effective date of registration: 20140930. Address after: 250000 Shandong city of Ji'nan province high tech Zone Shun Road No. 2000 Shun Tai Plaza Building 8 floor A block 9. Applicant after: SHANDONG GREEN COMPUTING ELECTRONICS TECHNOLOGY CO., LTD. Address before: 250101 Shandong city of Ji'nan province high tech Zone Shun Road No. 2000 Shun Tai Plaza Building 8 East Room 903. Applicant before: Shandong Jixinic Electronics Co., Ltd.
C14 / GR01 | Grant of patent or utility model | Patent grant