CN103490899A - Application cloud safety certification method based on third-party service - Google Patents

Publication number: CN103490899A
Authority: CN (China)
Prior art keywords: cloud, service, user, application, token
Legal status: Pending
Application number: CN201310446268.3A
Other languages: Chinese (zh)
Inventors: 李秀芳, 于治楼, 罗清彩
Current assignee: Shandong Inspur Software Co Ltd
Original assignee: Shandong Inspur Software Co Ltd
Priority date: 2013-09-27
Filing date: 2013-09-27
Publication date: 2014-01-01
Application filed by Shandong Inspur Software Co Ltd; priority to CN201310446268.3A; published as CN103490899A.

Abstract

The invention provides an application cloud security authentication method based on a third-party service. The method specifically comprises the following steps: (1) a cloud user submits service request information to a signature authentication service cloud; (2) the signature authentication service cloud receives the cloud user's service request information, verifies the validity of the cloud user's certificate with a third-party directory authentication service cloud, has a ciphertext user login token and a digital envelope issued through an application portal directory service cloud, applies its authentication service signature to the ciphertext user login token and digital envelope issued by the application portal directory service cloud, and sends the ciphertext user login token and digital envelope back to the cloud user; (3) the cloud user applies a user signature to the obtained ciphertext user login token, digital envelope and authentication service signature information, and submits them to an application service to request the corresponding service; (4) after verification, the application service provides the corresponding service to the cloud user. Compared with the prior art, the method ensures the authenticity and non-repudiation of information sources and improves the security of the information transmission process.

Description

Application cloud security authentication method based on a third-party service
Technical field
The present invention relates to the field of cloud computing technology, and specifically to an application cloud security authentication method based on a third-party service that can be applied in cloud service fields such as e-government, e-commerce and industry.
Background technology
Cloud computing, as an emerging network application model, has excellent prospects for application and development. As an emerging business model, however, research into it is still in its infancy and many problems remain to be solved; its security problems are especially prominent, and identity authentication and access control management is one of the main issues of cloud computing security. Cloud services built on cloud computing face the same urgent security problems, and security has become one of the major obstacles to the adoption of cloud computing and cloud services. These problems stem mainly from data sharing, the uncertain identity of visitors, and the potential harm caused by a cloud service provider holding super privileges. Given the characteristics of data storage, cloud services and the cloud user community in cloud computing, a third-party service is the best option: cloud visitors must pass third-party authentication, and different access control strategies are applied to different access subjects, so as to provide graded security, so that the cloud service provider no longer holds super privileges, so that the security of cloud data accessors and of access no longer depends on the server being absolutely trustworthy, and so that cloud computing is given more reliable security features.
Summary of the invention
The technical task of the present invention is to remedy the deficiencies in the prior art and to provide a practical application cloud security authentication method based on a third-party service.
The technical scheme of the present invention is realized as follows. The application cloud security authentication method based on a third-party service comprises the following specific steps:
(1) The cloud user submits service request information to the signature authentication service cloud;
(2) After the signature authentication service cloud receives the cloud user's request information, it verifies the validity of the cloud user's certificate with the third-party directory authentication service cloud;
(3) A ciphertext user login token and a digital envelope are issued through the application portal directory service cloud, and the ciphertext user login token and digital envelope issued by the application portal directory service cloud are then given the authentication service signature;
(4) The ciphertext user login token and digital envelope from step (3) are returned to the cloud user; the cloud user digitally signs the obtained ciphertext user login token, digital envelope and authentication service signature information, uses the result as a temporary, unique request for logging in to the application service cloud, and submits this request to the application service cloud to request the corresponding service;
(5) The application service cloud verifies the corresponding signatures and token information and provides the corresponding service to the cloud user;
(6) If the user does not access the service for more than a certain period of time, the user status is set to stopped, after which steps (1) to (5) must be repeated to log in again.
The cloud user's service request information in step (1) comprises the user's digital certificate and the application gateway information the cloud user requests to log in to.
The detailed process of step (3) is: the signature authentication service cloud submits the user request information and the token validity period to the application portal directory service cloud; after the application portal directory service cloud's authority verification passes, the user certificate, token validity period, user status and application gateway information are encrypted to obtain the ciphertext user login token, and at the same time the session key is encrypted with the application portal directory service public key to produce the digital envelope.
The session key in the encryption method of step (3) uses the SM1, DES or 3DES algorithm for encryption.
The digital signature algorithm in step (4) uses the RSA, SM2 or ECC algorithm.
The detailed process of step (5) is: the application service cloud receives the user request information; it first verifies the user signature and the signature authentication service cloud's signature, then opens the digital envelope, decrypts the ciphertext user login token, verifies the cloud user's signature again using the user certificate contained in the token, checks the token validity period, checks the user status, and compares the application gateway information; once the application service cloud has verified all of these, it opens application permission for the user and provides the corresponding service.
The beneficial effects of the present invention compared with the prior art are:
The application cloud security authentication method based on a third-party service of the present invention solves the problem of identity authentication in existing application cloud services. It manages in a unified way, and combines, the signature authentication service cloud, the third-party authentication directory service cloud, the application portal directory service cloud and the application service cloud, realizing unified cloud authentication and rights management for the application portal, providing cloud users with a secure and reliable third-party authentication service, and genuinely solving the difficult problem of cloud service security. The whole cloud service process is closely combined with the third-party service; the authenticity and legitimacy of the cloud user's identity are verified; the application of signature technology guarantees the authenticity and non-repudiation of the information source; and the ciphertext user login token and digital envelope technology reinforce the security of the information transmission process. The method is practical and easy to promote.
Description of the drawings
Figure 1 is a model diagram of the security authentication method of the present invention.
Figure 2 is a schematic diagram of the cloud user token information of the present invention.
Embodiment
The application cloud security authentication method based on a third-party service of the present invention is described in detail below with reference to the accompanying drawings.
As shown in Figures 1 and 2, an application cloud security authentication method based on a third-party service is provided, whose specific steps are:
(1) The cloud user submits service request information to the signature authentication service cloud;
(2) After the signature authentication service cloud receives the cloud user's request information, it verifies the validity of the cloud user's certificate with the third-party directory authentication service cloud;
(3) A ciphertext user login token and a digital envelope are issued through the application portal directory service cloud, and the ciphertext user login token and digital envelope issued by the application portal directory service cloud are then given the authentication service signature;
(4) The ciphertext user login token and digital envelope from step (3) are returned to the cloud user; the cloud user digitally signs the obtained ciphertext user login token, digital envelope and authentication service signature information, uses the result as a temporary, unique request for logging in to the application service cloud, and submits this request to the application service cloud to request the corresponding service;
(5) The application service cloud verifies the corresponding signatures and token information and provides the corresponding service to the cloud user;
(6) If the user does not access the service for more than a certain period of time, the user status is set to stopped, after which steps (1) to (5) must be repeated to log in again.
The cloud user's service request information in step (1) comprises the user's digital certificate and the application gateway information the cloud user requests to log in to.
The detailed process of step (3) is: the signature authentication service cloud submits the user request information and the token validity period to the application portal directory service cloud; after the application portal directory service cloud's authority verification passes, the user certificate, token validity period, user status and application gateway information are encrypted to obtain the ciphertext user login token, and at the same time the session key is encrypted with the application portal directory service public key to produce the digital envelope.
The session key in the encryption method of step (3) uses the SM1, DES or 3DES algorithm for encryption.
The digital signature algorithm in step (4) uses the RSA, SM2 or ECC algorithm.
The detailed process of step (5) is: the application service cloud receives the user request information; it first verifies the user signature and the signature authentication service cloud's signature, then opens the digital envelope, decrypts the ciphertext user login token, verifies the cloud user's signature again using the user certificate contained in the token, checks the token validity period, checks the user status, and compares the application gateway information; once the application service cloud has verified all of these, it opens application permission for the user and provides the corresponding service.
The concrete implementation process is as follows:
Step 1: The cloud user sends request information to the signature authentication service cloud (the request information comprises the cloud user's digital certificate and the domain name or service IP address of the application service cloud the cloud user requests to log in to).
Step 2: The signature authentication service cloud sends the cloud user's request information to the third-party authentication directory service cloud for identity authentication. A digital certificate that has been revoked, cancelled or reported lost, or that has expired, is an invalid certificate; if verification finds the certificate invalid, an invalid-request response is returned to the cloud user and the cloud user's request ends.
Step 3: The signature authentication service cloud sends the cloud user's request information to the application portal directory service cloud for authority verification. The application portal directory service cloud first verifies whether the application service cloud domain name or service IP address the cloud user requests to log in to is correct; if it is wrong, a verification failure is returned. If it is correct, the application portal directory service cloud encrypts the cloud user's request information, comprising the cloud user certificate, the token validity period, the user status (valid user, not activated) and the application gateway information, using a session key and the SM1 encryption algorithm, to obtain the ciphertext user login token; at the same time it encrypts the session key with the application portal directory service public key to produce the digital envelope, and sends the ciphertext user login token and the digital envelope back to the signature authentication service cloud.
Step 4: The signature authentication service cloud digitally signs the ciphertext user login token and digital envelope returned by the application portal directory service cloud (the signature algorithm is RSA, SM2 or ECC) and returns them together to the cloud user.
Step 5: The cloud user digitally signs the obtained ciphertext user login token, digital envelope and authentication service signature, uses the result as a temporary, unique request for logging in to the application service cloud, and then sends the service request information to the application service cloud.
Step 6: The application service cloud receives the user request information. It first verifies the user signature and the signature authentication service cloud's signature, then opens the digital envelope and decrypts the ciphertext user login token, verifies that the user's application gateway information matches, verifies the cloud user's signature again using the user certificate contained in the token, checks the token validity period and checks the user status. If all the information passes verification, it opens application permission for the user (the user status is set to 'activated') and provides the corresponding service.
If the user does not access the application service cloud for more than a certain period of time, the user status is set to 'stopped', after which steps 1 to 6 must be repeated to request login to the service again.
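The token issuance and verification chain of steps 3 to 6, written out as an added, runnable Go example; this is not code from the patent or from its assignee. It assumes ECDSA P-256 (the ECC option the page names) for both the authentication service signature and the user signature, AES-128-GCM in place of SM1/DES/3DES for encrypting the token under the session key, RSA-OAEP under the application portal directory service's key for the digital envelope, the user's PKIX-encoded public key as a stand-in for the user certificate, a JSON layout for the token fields, and that the user's certificate accompanies the login request so that the application service cloud can verify the user signature before opening the token (the page has the user present the certificate in step 1). The names Token, LoginRequest, issueToken, signRequest, verifyLogin and RunLogin, and the gateway names used as input, are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"time"
)

// Token is the plaintext of the ciphertext user login token: the four fields step 3 lists.
type Token struct {
	UserCert []byte    // stand-in for the user certificate: the user's PKIX public key (assumption)
	NotAfter time.Time // token validity period
	Status   string    // "valid", "activated" or "stopped"
	Gateway  string    // application gateway the user asked to log in to
}

// LoginRequest is the temporary, unique request of step 5; carrying UserCert in it is an assumption.
type LoginRequest struct {
	CipherToken, Envelope, AuthSig, UserCert, UserSig []byte
	Gateway                                           string
}

func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts { h.Write(p) }
	return h.Sum(nil)
}
// Step 3 (application portal directory service cloud): encrypt the token under a fresh session key
// (AES-GCM standing in for SM1/DES/3DES) and wrap that key under the portal public key (the envelope).
func issueToken(portalPub *rsa.PublicKey, userCert []byte, gateway string, notAfter time.Time) ([]byte, []byte, error) {
	plain, _ := json.Marshal(Token{UserCert: userCert, NotAfter: notAfter, Status: "valid", Gateway: gateway})
	key, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(key); err != nil { return nil, nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, nil, err }
	block, _ := aes.NewCipher(key); gcm, _ := cipher.NewGCM(block)
	cipherToken := append(nonce, gcm.Seal(nil, nonce, plain, nil)...) // nonce || ciphertext
	envelope, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, portalPub, key, nil)
	return cipherToken, envelope, err
}

// Steps 4 and 5: the signature authentication service cloud signs token and envelope, then the user
// countersigns everything received, producing the one-time login request.
func signRequest(authPriv, userPriv *ecdsa.PrivateKey, userCert, cipherToken, envelope []byte, gateway string) (LoginRequest, error) {
	authSig, err := ecdsa.SignASN1(rand.Reader, authPriv, digest(cipherToken, envelope))
	if err != nil { return LoginRequest{}, err }
	userSig, err := ecdsa.SignASN1(rand.Reader, userPriv, digest(cipherToken, envelope, authSig))
	return LoginRequest{cipherToken, envelope, authSig, userCert, userSig, gateway}, err
}

func verifyWithCert(certDER, msgDigest, sig []byte) bool {
	pub, err := x509.ParsePKIXPublicKey(certDER)
	ec, ok := pub.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(ec, msgDigest, sig)
}
// Step 6 (application service cloud): the checks in the order the page gives them.
func verifyLogin(r LoginRequest, authPub *ecdsa.PublicKey, portalPriv *rsa.PrivateKey, now time.Time) (*Token, error) {
	userMsg := digest(r.CipherToken, r.Envelope, r.AuthSig)
	if !verifyWithCert(r.UserCert, userMsg, r.UserSig) { return nil, errors.New("user signature invalid") }
	if !ecdsa.VerifyASN1(authPub, digest(r.CipherToken, r.Envelope), r.AuthSig) { return nil, errors.New("authentication service signature invalid") }
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, portalPriv, r.Envelope, nil)
	if err != nil || len(r.CipherToken) < 12 { return nil, errors.New("cannot open digital envelope") }
	block, _ := aes.NewCipher(key); gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, r.CipherToken[:12], r.CipherToken[12:], nil)
	if err != nil { return nil, errors.New("ciphertext user login token does not decrypt") }
	var tok Token
	if err := json.Unmarshal(plain, &tok); err != nil { return nil, err }
	// Verify the user signature again, this time under the certificate the portal sealed into the token.
	if !verifyWithCert(tok.UserCert, userMsg, r.UserSig) { return nil, errors.New("user signature does not verify under the certificate in the token") }
	if now.After(tok.NotAfter) { return nil, errors.New("token validity period exceeded") }
	if tok.Status == "stopped" { return nil, errors.New("user status is stopped") }
	if tok.Gateway != r.Gateway { return nil, errors.New("application gateway mismatch") }
	tok.Status = "activated" // open application permission
	return &tok, nil
}

// RunLogin drives steps 3 to 6 with freshly generated keys for the three parties (constructed for
// this example); lateBy moves the application service cloud's clock forward at verification time.
func RunLogin(issued, requested string, ttl, lateBy time.Duration) (string, error) {
	userPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	authPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	portalPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	userCert, _ := x509.MarshalPKIXPublicKey(&userPriv.PublicKey)
	now := time.Now()
	ct, env, err := issueToken(&portalPriv.PublicKey, userCert, issued, now.Add(ttl))
	if err != nil { return "", err }
	req, err := signRequest(authPriv, userPriv, userCert, ct, env, requested)
	if err != nil { return "", err }
	tok, err := verifyLogin(req, &authPriv.PublicKey, portalPriv, now.Add(lateBy))
	if err != nil { return "", err }
	return tok.Status, nil
}
```

RunLogin("portal.example", "portal.example", time.Hour, 0) returns "activated"; asking for a different gateway than the one sealed in the token fails with "application gateway mismatch", and verifying two hours after a one-hour token was issued fails with "token validity period exceeded". The order of checks in verifyLogin follows the page: both signatures are verified before the envelope is opened, so a request whose signatures do not verify never reaches the decryption step, and the user signature is checked a second time against the certificate sealed inside the token, which binds the token to the user who presented it.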
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (6)

1. An application cloud security authentication method based on a third-party service, characterized in that its specific steps are:
(1) the cloud user submits service request information to the signature authentication service cloud;
(2) after the signature authentication service cloud receives the cloud user's request information, it verifies the validity of the cloud user's certificate with the third-party directory authentication service cloud;
(3) a ciphertext user login token and a digital envelope are issued through the application portal directory service cloud, and the ciphertext user login token and digital envelope issued by the application portal directory service cloud are then given the authentication service signature;
(4) the ciphertext user login token and digital envelope from step (3) are returned to the cloud user; the cloud user digitally signs the obtained ciphertext user login token, digital envelope and authentication service signature information, uses the result as a temporary, unique request for logging in to the application service cloud, and submits this request to the application service cloud to request the corresponding service;
(5) the application service cloud verifies the corresponding signatures and token information and provides the corresponding service to the cloud user;
(6) if the user does not access the service for more than a certain period of time, the user status is set to stopped, after which steps (1) to (5) must be repeated to log in again.
2. The application cloud security authentication method based on a third-party service according to claim 1, characterized in that the cloud user's service request information in step (1) comprises the user's digital certificate and the application gateway information the cloud user requests to log in to.
3. The application cloud security authentication method based on a third-party service according to claim 1, characterized in that the detailed process of step (3) is: the signature authentication service cloud submits the user request information and the token validity period to the application portal directory service cloud; after the application portal directory service cloud's authority verification passes, the user certificate, token validity period, user status and application gateway information are encrypted to obtain the ciphertext user login token, and at the same time the session key is encrypted with the application portal directory service public key to produce the digital envelope.
4. The application cloud security authentication method based on a third-party service according to claim 3, characterized in that the session key in the encryption method of step (3) uses the SM1, DES or 3DES algorithm for encryption.
5. The application cloud security authentication method based on a third-party service according to claim 1, characterized in that the digital signature algorithm in step (4) uses the RSA, SM2 or ECC algorithm.
6. The application cloud security authentication method based on a third-party service according to claim 1, characterized in that the detailed process of step (5) is: the application service cloud receives the user request information; it first verifies the user signature and the signature authentication service cloud's signature, then opens the digital envelope, decrypts the ciphertext user login token, verifies the cloud user's signature again using the user certificate contained in the token, checks the token validity period, checks the user status, and compares the application gateway information; once the application service cloud has verified all of these, it opens application permission for the user and provides the corresponding service.

Priority Applications (1), Applications Claiming Priority (1) and Family Applications (1)

Application number: CN201310446268.3A; publication number: CN103490899A (en); status: Pending; priority date: 2013-09-27; filing date: 2013-09-27; title: Application cloud safety certification method based on third-party service

Publications (1)

Publication number: CN103490899A; publication date: 2014-01-01

Family ID: 49830873

Country Status (1)

CN (1): CN103490899A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060099797A (en) * 2005-03-15 2006-09-20 주식회사 트루씨 Method and system for providing service login many internet-sites in bulk at the same time
CN102710605A (en) * 2012-05-08 2012-10-03 重庆大学 Information security management and control method under cloud manufacturing environment
CN103248481A (en) * 2012-02-10 2013-08-14 工业和信息化部电信传输研究所 Open-end API (application program interface) public license access control method based on digital application signature certification


Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980401B (en) * 2014-04-09 2018-05-01 北京亿赛通科技发展有限责任公司 Nas server date safety storing system, secure storage and read method
CN104980401A (en) * 2014-04-09 2015-10-14 北京亿赛通科技发展有限责任公司 Secure data storage system and secure data storage and reading method of NAS server
CN104243452A (en) * 2014-08-20 2014-12-24 宇龙计算机通信科技(深圳)有限公司 Method and system for cloud computing access control
CN104243452B (en) * 2014-08-20 2018-02-02 宇龙计算机通信科技(深圳)有限公司 A kind of cloud computing access control method and system
WO2016101745A1 (en) * 2014-12-23 2016-06-30 飞天诚信科技股份有限公司 Activating mobile terminal token method
CN104935606A (en) * 2015-07-07 2015-09-23 成都睿峰科技有限公司 Terminal login method in cloud computing network
CN106682028A (en) * 2015-11-10 2017-05-17 阿里巴巴集团控股有限公司 Method, device and system for obtaining web application
WO2017080385A1 (en) * 2015-11-10 2017-05-18 阿里巴巴集团控股有限公司 Webpage application acquiring method, device and system
CN106682028B (en) * 2015-11-10 2021-01-26 阿里巴巴集团控股有限公司 Method, device and system for acquiring webpage application
CN106339597A (en) * 2016-08-31 2017-01-18 孟玲 Intelligent medical remote monitor system based on cloud computing
CN106375334A (en) * 2016-09-28 2017-02-01 郑州云海信息技术有限公司 Authentication method for distributed system
CN107425983A (en) * 2017-08-08 2017-12-01 北京明朝万达科技股份有限公司 A kind of unified identity authentication method and system platform based on WEB service
CN108965230A (en) * 2018-05-09 2018-12-07 深圳市中信网安认证有限公司 A kind of safety communicating method, system and terminal device
CN108965230B (en) * 2018-05-09 2021-10-15 深圳市中信网安认证有限公司 Secure communication method, system and terminal equipment
CN109214159A (en) * 2018-08-31 2019-01-15 武汉文楚智信科技有限公司 A kind of user information protection system and method for terminal recognition of face cloud service
CN109214159B (en) * 2018-08-31 2021-11-02 武汉文楚智信科技有限公司 User information protection system and method for terminal face recognition cloud service
CN109525583A (en) * 2018-11-26 2019-03-26 中国科学院数据与通信保护研究教育中心 A kind of false voucher detection method and system of the service system that Identity Management is provided for third party
CN109525583B (en) * 2018-11-26 2021-03-12 中国科学院数据与通信保护研究教育中心 False certificate detection method and system for third-party identity management providing service system
CN110493301A (en) * 2019-06-19 2019-11-22 莫毓昌 The generic structure platform delivered for cloud combination and cloud user negotiation service
CN110519236A (en) * 2019-08-07 2019-11-29 武汉金百瑞科技股份有限公司 A kind of method of safe account and permission control under website cluster
CN110519236B (en) * 2019-08-07 2022-05-24 武汉金百瑞科技股份有限公司 Method for controlling safe account and authority under website cluster

Similar Documents

Publication Publication Date Title
CN103490899A (en) Application cloud safety certification method based on third-party service
US11170093B2 (en) Authentication device and system
CN105577665B (en) Identity and access control management system and method under a kind of cloud environment
CN104753881B (en) A kind of WebService safety certification access control method based on software digital certificate and timestamp
CN103780618B (en) A kind of based on across the isomery territory authentication accessing mandate bill and session cipher negotiating method
CN103856478B (en) A kind of certificate issuance of trustable network, authentication method and corresponding equipment
US9026789B2 (en) Trusted certificate authority to create certificates based on capabilities of processes
CN101938473B (en) Single-point login system and single-point login method
CN102377788B (en) Single sign-on (SSO) system and single sign-on (SSO) method
CN101286843B (en) Single-point login method under point-to-point model
CN106341232B (en) A kind of anonymous entity discrimination method based on password
CN105791272A (en) Method and device for secure communication in Internet of Things
WO2012018528A2 (en) Methods for anonymous authentication and key agreement
CN108206821A (en) A kind of identity authentication method and system
CN103152179A (en) Uniform identity authentication method suitable for multiple application systems
CN102546173B (en) Digital signature system and signature method based on certificate
CN105516119A (en) Cross-domain identity authentication method based on proxy re-signature
WO2014110877A1 (en) Mobile terminal device and user authentication method based on pki technology
KR101491553B1 (en) Secure SmartGrid Communication System and Method using DMS based on Certification
CN113536347A (en) Bidding method and system based on digital signature
CN110891067B (en) Revocable multi-server privacy protection authentication method and revocable multi-server privacy protection authentication system
US9716707B2 (en) Mutual authentication with anonymity
CN110855442A (en) PKI (public key infrastructure) technology-based inter-device certificate verification method
CN105471579B (en) A kind of trust login method and device
CN103916358B (en) A kind of key diffusion and method of calibration and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140101