CN102916965A - Safety authentication mechanism and safety authentication system thereof for cloud service interfaces - Google Patents
Abstract
The invention provides a way of adding a security header to SOAP (Simple Object Access Protocol) messages. Each time a cloud interface service is called, the user information from the certificate file is automatically loaded into the protocol security header. This realizes automatic management of certificate information and improves the safety of the certificate's user information in network transmission. Further, a user attribute permission rule base is established on the server, so that user authentication and permission granting are separated; this overcomes the shortcomings of conventional authentication in acquiring permissions and improves the safety of resource operations.
Description
Technical field
The present invention relates to the cloud field, and in particular to a security authentication mechanism for a cloud service interface and an authentication system thereof.
Background technology
Cloud computing is an important application of Internet technology. As it is popularized and used on a large scale, and because it involves a large number of users, security becomes extremely important, so an identity authentication mechanism is needed to verify users. At present, authentication security mechanisms mainly comprise two relatively traditional techniques:
1. Authentication based on user name and password. The server keeps the user's name and password information. When the user supplies the correct user name and the matching password, the user's identity is authenticated. This is the oldest and currently the most widely used identity authentication mechanism.
2. Authentication based on a certificate file. The server generates, for an authorized legitimate user, a certificate file that can authenticate the user's information. The certificate file usually contains the user's relevant information, encrypted in a specific format. When the user presents the corresponding certificate file to apply for server identity authentication, and the server has verified that the certificate is legitimate, it grants the applying user the identity and permissions corresponding to the certificate file's user.
However, both password and certificate authentication are one-time, long-term authorization operations: after a single successful identity authentication, the user is granted legitimate permission for a long period and many operations. In programs with a B/S (browser/server) architecture this appears as a session established after authentication, with all subsequent identity-restricted operations based on that session; in programs with a C/S (client/server) architecture it appears as an authentication interface, and once that interface's flow has been passed, the user has obtained permission to operate the other interfaces in the flow.
The traditional way of transmitting user information is to pass it as a parameter of the called function method, at the same time as the communication. The drawback of this approach is that user information (including sensitive information such as passwords) is exposed in plain form in the program code and in the communication process.
Consider the actual situation of cloud service extension interfaces. A cloud service extension interface normally offers function methods for external programs to call, in the form of a web service or the like. No session is established, and there is no control of an authentication interface flow. Therefore, if traditional password or certificate-file authentication is adopted, the parameters of every function method must include the password or certificate information. This poses a great challenge for the management of passwords and certificates, and the key certificate is also easily intercepted and cracked in network transmission.
Summary of the invention
To overcome the deficiencies in the prior art, one technical objective of the present invention is to provide a security authentication mechanism for a cloud service interface that effectively improves the security of the cloud service interface.
To overcome the deficiencies in the prior art, another technical objective of the present invention is to provide a security authentication system for a cloud service interface that effectively improves the security of the cloud service interface.
To achieve the first technical objective, the technical solution adopted by the present invention is as follows:
A security authentication mechanism for a cloud service interface, used for the connection between a client and a server, comprising two steps, client authentication and authorization, where the server authorizes the client only after authenticating it, and the authentication further comprises the following steps:
when the client initiates a connection request, the client's digital certificate information is added to the SOAP protocol communication message as a security header and sent to the server;
the server performs legitimacy verification on the security header of the SOAP protocol communication message.
Preferably, the digital certificate information is the server public key and the client private key, and the digital certificate information is generated uniformly by the server and issued to the client.
Preferably, the legitimacy verification adopts the X.509 asymmetric-key authentication and encryption security standard.
Preferably, the authorization is: the server matches the obtained attribute information of the user against a preset user attribute permission rule base on the server, and grants the user the resource operation permission corresponding to that attribute information according to the user's specific attribute information; the user's attribute information is preset personal user information.
Preferably, the matching is: the user's attributes are judged in real time against all user attribute permission rules in the preset user attribute permission rule base, the user attribute permission rules that the user's attribute information satisfies are matched, and the user is granted the corresponding resource operation permission according to those rules.
Preferably, the matching further comprises: dynamic matching according to the current time, in combination with the user's attribute information and the user attribute permission rules.
To achieve the second technical objective, the technical solution adopted by the present invention is as follows:
A security authentication system for a cloud service interface, used for the connection between a client and a server, characterized in that it comprises a security header add-on module arranged on the client; the security header add-on module intercepts the SOAP protocol communication message, appends the client's certificate information to the SOAP protocol communication message as security header information, and sends them together to the server, and the server performs legitimacy verification on the security header.
Preferably, the digital certificate information is the server public key and the client private key, and the digital certificate information is generated uniformly by the server and issued to the client.
Preferably, the system further comprises an authorization module arranged on the server; the authorization module authorizes the client according to the result of the server's legitimacy verification of the security header.
Preferably, the authorization module comprises a user attribute permission rule base, which the server uses to match the obtained attribute information of the user against the preset user attribute permission rule base on the server and to grant the user the resource operation permission corresponding to that attribute information according to the user's specific attribute information; the user's attribute information is preset personal user information.
Compared with the prior art, the advantages of the invention are as follows:
Advantage one: in the technical solution of the present invention, user authentication information is not exposed in plain form in the program code or in the transport communication process; automatic management of user identity information is realized, the management of user certificate information is conveniently improved, and the security of communication is improved. Advantage two: user identity authentication is separated from permission authorization, which improves security. With authentication and authorization separated, even after a user's identity has been authenticated the user still has to obtain the corresponding resource operation permission through the attribute permission rules, which improves security and reduces risk.
Description of drawings
Fig. 1 is a flow chart of the authentication mechanism of the present invention;
Fig. 2 is a functional block diagram of the present invention.
Embodiment
The present invention is further described in detail below with reference to the drawings and specific embodiments. It should be understood that the specific embodiments described here are only used to explain the invention and not to limit it.
A cloud service interface usually takes a form such as a web service and provides external programs with a set of function method interfaces for cloud resource operations. The cloud service interface has no operator interface and does not establish a long-lived connection with the external client program. After passing authentication, an external program obtains, on each call, the independent right to invoke a cloud resource operation method.
As shown in Figs. 1 to 2, the invention provides a security authentication mechanism for a cloud service interface, used for the connection between a client and a server, comprising two steps, client authentication and authorization, where the server authorizes the client only after authenticating it, and the authentication further comprises the following steps:
when the client initiates a connection request, the client's digital certificate information is added to the SOAP protocol communication message as a security header and sent to the server;
the server performs legitimacy verification on the security header of the SOAP protocol communication message.
In one embodiment, applied to the process of connecting a client and a server, the client is a terminal requesting a connection to a cloud server, and the server is a node server in the cloud server, or any device inside the cloud, that responds to the connection request.
The connection procedure between the client and the server is as follows:
S1) the client requests a connection from the server;
S2) the server checks whether the client holds a digital certificate corresponding to the server; if so, go to step S4); if not, go to step S3);
S3) the server issues a digital certificate to the client and records the certificate;
Here, certificate and key distribution uses the JDK keytool (the certificate generation method is not limited to this) to generate a pair of certificates. The server certificate contains the server private key and the client public key; the client certificate contains the server public key and the client private key; and the client certificate is distributed to the client.
S4) the client adds the client's digital certificate information to the SOAP protocol communication message as a security header and sends it to the server;
S5) the server obtains the security header;
S6) the server verifies the user information and performs user identity authentication; if authentication fails, return to step S1); if it passes, go to step S7);
Here, when the client calls the cloud service interface, this module automatically intercepts the SOAP protocol communication message, appends the client's certificate information (server public key and client private key) to the SOAP protocol communication message as security header information, and sends them together to the server. After the server obtains the SOAP communication message, it first analyses the legitimacy of the user identity information in the security header. The above user verification process follows the X.509 asymmetric-key authentication and encryption security standard, and the communication process is as follows:
1. The client sends a message to the server: it encrypts the user information and the communication message with the client private key from the client certificate file and sends them to the server.
2. The server receives the client's communication message, identifies the client user, and then decrypts the communication message with the client public key. By decrypting the encrypted communication message with the client public key (the private and public keys match), the authentication of the client's legitimate identity is completed.
3. Likewise, the server encrypts its reply to the client with the server private key, and the client program decrypts it with the server public key, completing authentication and communication.
S7) the client performs the server's business function operation.
In the security header, in addition to the signature digest and encrypted information from the certificate file, an algorithm such as HMAC is also applied to obfuscate and encrypt key information such as the user name, password and attributes. This combines user certificate signing and public/private key encryption with traditional user-name and password authentication.
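Steps S3 to S6 and the three-step exchange above, as an added Go example (not code from the patent, which names the JDK keytool and a SOAP stack): the client signs the SOAP body with its private key and places the signature, not the key, in the security header, which is what "encrypt with the client private key, decrypt with the client public key" amounts to in practice, and the server looks up the public key it recorded at issue time and refuses the call if the signature does not verify. The element names, the user name "alice" and the body are constructed; the reply direction (server signs with its private key, client verifies with the server public key) reuses the same two functions with the roles swapped, and the HMAC obfuscation step is not modelled.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Envelope models the SOAP message. The Security header carries the caller's
// identity plus a signature; the Body carries the cloud-interface call itself.
// Element names are simplified stand-ins for the real SOAP/WS-Security names.
type Envelope struct {
	XMLName xml.Name `xml:"Envelope"`
	Header  Header   `xml:"Header"`
	Body    string   `xml:"Body"`
}

type Header struct {
	Security Security `xml:"Security"`
}

type Security struct {
	User      string `xml:"User"`      // identity named in the client certificate
	Signature string `xml:"Signature"` // base64 RSA signature binding User to Body
}

// signedDigest is the value both sides sign/verify: the user identity bound to
// the body, so neither can be swapped without invalidating the signature.
func signedDigest(user, body string) []byte {
	h := sha256.Sum256([]byte(user + "\n" + body))
	return h[:]
}

// AddSecurityHeader is the client-side interceptor (step S4): it signs the SOAP
// body with the client private key and attaches user + signature as the
// security header. "Encrypt with the private key" in the text is this signature.
func AddSecurityHeader(priv *rsa.PrivateKey, user, body string) ([]byte, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedDigest(user, body))
	if err != nil {
		return nil, err
	}
	env := Envelope{
		Header: Header{Security: Security{User: user, Signature: base64.StdEncoding.EncodeToString(sig)}},
		Body:   body,
	}
	return xml.Marshal(env)
}

// VerifySecurityHeader is the server side (steps S5 and S6): parse the envelope,
// look up the public key recorded for that user when its certificate was issued
// (step S3), and verify the signature. Only a verified user and body are
// returned, so the authorization step that follows can rely on them.
func VerifySecurityHeader(registry map[string]*rsa.PublicKey, msg []byte) (string, string, error) {
	var env Envelope
	if err := xml.Unmarshal(msg, &env); err != nil {
		return "", "", err
	}
	user := env.Header.Security.User
	pub, ok := registry[user]
	if !ok {
		return "", "", errors.New("no certificate recorded for user " + user)
	}
	sig, err := base64.StdEncoding.DecodeString(env.Header.Security.Signature)
	if err != nil {
		return "", "", err
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedDigest(user, env.Body), sig); err != nil {
		return "", "", errors.New("security header failed legitimacy verification")
	}
	return user, env.Body, nil
}

func main() {
	// Step S3 stand-in: the server generates the client key pair and records the
	// public half; the private half would travel to the client in its certificate.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	registry := map[string]*rsa.PublicKey{"alice": &priv.PublicKey}

	msg, _ := AddSecurityHeader(priv, "alice", `<ListVolumes region="cn-east"/>`)
	fmt.Printf("%s\n", msg)
	user, body, err := VerifySecurityHeader(registry, msg)
	fmt.Println("verified:", user, body, err)

	// A body altered in transit no longer matches the signature in the header.
	tampered := bytes.Replace(msg, []byte("cn-east"), []byte("cn-west"), 1)
	_, _, err = VerifySecurityHeader(registry, tampered)
	fmt.Println("tampered:", err)
}
```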
The technical solution of the present invention mainly solves the problems of security authentication management and permission acquisition for cloud service interfaces. The authentication prototype adopts the certificate-file approach, but uses the automatic management of appended SOAP security header information, and authorization management is carried out through the server's user attribute permission rule base. This makes user information management more automated and simpler, and also strengthens the security of user information and cloud resources.
After the server has completed the above authentication, it does not directly grant a legitimately authenticated user the operation permissions of cloud resources. Between steps S6 and S7 there is a step S61, the user permission judgement: the server matches the obtained attribute information of the user against the server's user attribute permission rule base and grants the user the legitimate scope of cloud resource operation permission according to the user's specific attributes. In this way, through user attribute information, authentication is separated from authorization, improving the security of cloud resource operations.
The authorization step is: the server matches the obtained attribute information of the user against the preset user attribute permission rule base on the server, and grants the user the resource operation permission corresponding to that attribute information according to the user's specific attribute information; the user's attribute information is preset personal user information.
Here, a user's attribute refers to a dynamic attribute of the user. For example, user age: the user's age is computed from the user's date of birth, and the rule base restricts access to the corresponding resource to users who are fully 18 years old. Such a rule differs from a traditional access control list in that it is dynamic and flexible: a user who is 17 this year cannot access the related resource, but next year the age computed from the date of birth will be 18 and the user can access it, without any modification to the system rules; the user's permission follows automatically. Obtaining the user's date-of-birth attribute through an external interface (such as a public security identity card data interface) is safer. Another example is the user's login time attribute: the rule base stipulates that users have resource access permission only during working hours, from 8 o'clock to 18 o'clock; the system takes the system time as the user's login time and grants resource access permission accordingly, and since the time is obtained from the system it is transient and cannot be modified by the user, which also improves security. Further examples are attributes such as the user's IP address and the user's payment status. In short, what the rule base expresses is not the user's permission but the permission of the user's attributes, which gives it the characteristics of being one-time, unmodifiable, flexible and safe.
Preferably, the matching is: the user's attributes are judged in real time against all user attribute permission rules in the preset user attribute permission rule base, the user attribute permission rules that the user's attribute information satisfies are matched, and the user is granted the corresponding resource operation permission according to those rules.
Preferably, the matching further comprises: dynamic matching according to the current time, in combination with the user's attribute information and the user attribute permission rules.
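An added Go example (not the patent's own code) of the step S61 rule base described above: rules are predicates over the user's preset attributes and the server's current time, evaluated on every call, so the age rule that denies a 17-year-old this year grants the same user next year with no rule edit, and the working-hours rule uses the server clock rather than anything the caller supplies. The operation names, the 10.0.0.0/8 intranet range and the user "alice" are constructed.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// UserAttributes are the preset personal attributes the server holds for an
// authenticated user; the rule base is written against these, not against users.
type UserAttributes struct {
	Name      string
	BirthDate time.Time
	SourceIP  net.IP // taken from the connection, not from the request body
	Paid      bool
}

// Rule grants one resource operation while Holds is true for the user's
// attributes at evaluation time; nothing is stored per user.
type Rule struct {
	Name      string
	Operation string
	Holds     func(u UserAttributes, now time.Time) bool
}

// age returns the number of full years completed between birth and now.
func age(birth, now time.Time) int {
	years := now.Year() - birth.Year()
	if now.Month() < birth.Month() || (now.Month() == birth.Month() && now.Day() < birth.Day()) {
		years--
	}
	return years
}

// RuleBase is a constructed sample rule base covering the attribute kinds the
// text lists: age from date of birth, login time, IP address and payment.
var RuleBase = []Rule{
	{"adult-only", "volume:read", func(u UserAttributes, now time.Time) bool {
		return age(u.BirthDate, now) >= 18
	}},
	{"working-hours", "volume:write", func(_ UserAttributes, now time.Time) bool {
		h := now.Hour()
		return h >= 8 && h < 18
	}},
	{"intranet-only", "volume:delete", func(u UserAttributes, _ time.Time) bool {
		_, intranet, _ := net.ParseCIDR("10.0.0.0/8")
		return intranet.Contains(u.SourceIP)
	}},
	{"paid-account", "snapshot:create", func(u UserAttributes, _ time.Time) bool {
		return u.Paid
	}},
}

// Authorize is step S61: every rule is evaluated in real time against the
// user's attributes, and the operations of the rules that hold are granted.
func Authorize(u UserAttributes, rules []Rule, now time.Time) map[string]bool {
	granted := map[string]bool{}
	for _, r := range rules {
		if r.Holds(u, now) {
			granted[r.Operation] = true
		}
	}
	return granted
}

// Permits answers the question the server asks before step S7: may this
// authenticated user perform this operation right now?
func Permits(u UserAttributes, rules []Rule, now time.Time, op string) bool {
	return Authorize(u, rules, now)[op]
}

func main() {
	alice := UserAttributes{
		Name:      "alice",
		BirthDate: time.Date(2006, time.March, 15, 0, 0, 0, 0, time.UTC),
		SourceIP:  net.ParseIP("10.1.2.3"),
	}
	// Same user, same rules, one year apart: the age rule flips without a rule edit.
	for _, now := range []time.Time{
		time.Date(2024, time.January, 10, 10, 0, 0, 0, time.UTC),
		time.Date(2025, time.January, 10, 20, 0, 0, 0, time.UTC),
	} {
		fmt.Printf("%s age=%d granted=%v\n", now.Format(time.RFC3339),
			age(alice.BirthDate, now), Authorize(alice, RuleBase, now))
	}
}
```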
Claims (10)
1. A security authentication mechanism for a cloud service interface, used for the connection between a client and a server and comprising two steps, client authentication and authorization, characterized in that the server authorizes the client only after authenticating it, and the authentication further comprises the following steps:
when the client initiates a connection request, the client's digital certificate information is added to the SOAP protocol communication message as a security header and sent to the server;
the server performs legitimacy verification on the security header of the SOAP protocol communication message.
2. The security authentication mechanism for a cloud service interface according to claim 1, characterized in that the digital certificate information is the server public key and the client private key, and the digital certificate information is generated uniformly by the server and issued to the client.
3. The security authentication mechanism for a cloud service interface according to claim 1, characterized in that the legitimacy verification adopts the X.509 asymmetric-key authentication and encryption security standard.
4. The security authentication mechanism for a cloud service interface according to claim 1, characterized in that the authorization is: the server matches the obtained attribute information of the user against a preset user attribute permission rule base on the server, and grants the user the resource operation permission corresponding to that attribute information according to the user's specific attribute information; the user's attribute information is preset personal user information.
5. The security authentication mechanism for a cloud service interface according to claim 4, characterized in that the matching is: the user's attributes are judged in real time against all user attribute permission rules in the preset user attribute permission rule base, the user attribute permission rules that the user's attribute information satisfies are matched, and the user is granted the corresponding resource operation permission according to those rules.
6. The security authentication mechanism for a cloud service interface according to claim 4, characterized in that the matching further comprises: dynamic matching according to the current time, in combination with the user's attribute information and the user attribute permission rules.
7. A security authentication system for a cloud service interface, used for the connection between a client and a server, characterized in that it comprises a security header add-on module arranged on the client; the security header add-on module intercepts the SOAP protocol communication message, appends the client's certificate information to the SOAP protocol communication message as security header information, and sends them together to the server, and the server performs legitimacy verification on the security header.
8. The security authentication system for a cloud service interface according to claim 7, characterized in that the digital certificate information is the server public key and the client private key, and the digital certificate information is generated uniformly by the server and issued to the client.
9. The security authentication system for a cloud service interface according to claim 7, characterized in that it further comprises an authorization module arranged on the server; the authorization module authorizes the client according to the result of the server's legitimacy verification of the security header.
10. The security authentication system for a cloud service interface according to claim 9, characterized in that the authorization module comprises a user attribute permission rule base, which the server uses to match the obtained attribute information of the user against the preset user attribute permission rule base on the server and to grant the user the resource operation permission corresponding to that attribute information according to the user's specific attribute information; the user's attribute information is preset personal user information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2012104200224A CN102916965A (en) | 2012-10-29 | 2012-10-29 | Safety authentication mechanism and safety authentication system thereof for cloud service interfaces |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102916965A true CN102916965A (en) | 2013-02-06 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C12 | Rejection of a patent application after its publication | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20130206 |