CN104468580A - Authentication method suitable for distributed storage - Google Patents


Info

Publication number: CN104468580A
Application number: CN201410757487.8A
Authority: CN (China)
Language: Chinese (zh)
Other versions: CN104468580B (granted publication)
Legal status: granted; active
Prior art keywords: authentication, module, information, log, applicable
Inventor: 吴自立
Original assignee: BEIJING ZHONGXIANG BIT TECHNOLOGY Co Ltd
Current assignee: Ningbo Zhongxiang Yulian Technology Co.,Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Storage Device Security

Abstract

The invention provides an authentication method suitable for distributed storage. An authentication module receives a login request sent by a login module, locates storage nodes according to the login request, obtains fragment information from the storage nodes, and sends the authentication question contained in the fragment information to the login module; the fragment information consists of an authentication question and an authentication answer. The authentication module then receives the authentication calculation result that the login module computes from the authentication question with its login key, compares that result with the authentication answer to obtain the authentication result, and sends the authentication result to the login module. Because fragments with a high degree of mutual independence are distributed across different nodes and the modules exchange only the minimum of information, the method offers high security and high fault tolerance.

Description

Authentication method suitable for distributed storage
Technical field
The present invention relates to the technical field of network security, and in particular to an authentication method suitable for distributed storage.
Background technology
At present, password-based authentication is the most widely used method for addressing the confidentiality and security of a system. In the traditional password-authentication model, a user requesting a resource first sends a request message to the remote server containing the user's identity ID and a hashed password value. On receiving the request, the remote server searches the access list in its local database for an entry matching the request the user submitted; if one exists, the server grants access rights to the user ID, otherwise access is denied.
Existing authentication methods and systems mostly use centralised storage: the user's authentication information (usually a password) is hashed and kept centrally on the server, and when the user authenticates, the authentication information supplied is hashed again and compared with the server-side copy. Some schemes defend to a certain extent against attacks such as credential stuffing (撞库) by techniques such as salting, but they do not resolve the drawback that once the server-side hash values are obtained, the secrets are compromised.
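As an added illustration that is not part of the patent, the centralised salted-hash model the background paragraph describes, together with the drawback it names: a leaked server-side record is all an attacker needs to test password guesses offline. The work factor, the function names and the sample password and word list are assumptions constructed for the example.

```python
"""Centralised salted password storage (added example, not from the patent)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 20_000   # assumed work factor; the page names no parameters


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Server-side registration: keep a per-user salt and H(salt, password), never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: Dict[str, bytes]) -> bool:
    """Login: hash the submitted password with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def offline_guess(record: Dict[str, bytes], wordlist) -> Optional[str]:
    """What the holder of a leaked record can do without contacting the server.

    The salt stops one precomputed table from covering every user, but it does
    nothing against a per-record search once the record itself has leaked."""
    for guess in wordlist:
        if verify(guess, record):
            return guess
    return None


# Constructed sample data for the demonstration.
LEAKED = make_record("Summer2014!")
WORDLIST = ["123456", "password", "Summer2014!", "qwerty"]
```

Two records for the same password differ whenever their salts differ, which is what salting buys; the offline search over LEAKED still recovers the password from the word list, which is the drawback the patent sets out to remove by never keeping a single reversible-by-guessing record on one node.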
Summary of the invention
A brief summary of the invention is given below in order to provide a basic understanding of some of its aspects. This summary is not an exhaustive overview of the invention; it is not intended to identify key or critical elements of the invention or to delimit its scope. Its sole purpose is to present some concepts in simplified form as a prelude to the more detailed description that follows.
The invention provides an authentication method suitable for distributed storage in which the characteristics of the key are dispersed and stored on different nodes, so that loss of data on a minority of nodes does not cause a leak; it makes full use of the advantages of distributed storage and reduces security risk.
The invention provides an authentication method suitable for distributed storage, the method comprising:
a login module sends a login request to an authentication module;
the login module receives, from the authentication module, the authentication question contained in the fragment information that the authentication module obtained from the storage node it located in the storage module according to the login request, the fragment information comprising an authentication question and an authentication answer;
the login module computes on the received authentication question with the login key it holds, obtains an authentication calculation result, and sends the authentication calculation result to the authentication module;
the login module receives from the authentication module the authentication result obtained by comparing the authentication calculation result with the authentication answer contained in the obtained fragment information.
The invention also provides an authentication method suitable for distributed storage, the method comprising:
an authentication module receives a login request sent by a login module;
the authentication module locates the storage node in the storage module according to the login request, obtains fragment information from the storage node, and sends the authentication question in the fragment information to the login module, the fragment information comprising an authentication question and an authentication answer;
the authentication module receives the authentication calculation result that the login module computed on the authentication question sent by the authentication module with the login key it holds;
the authentication module compares the received authentication calculation result with the authentication answer in the obtained fragment information to obtain an authentication result, and sends the authentication result to the login module.
The authentication method suitable for distributed storage provided by the invention has the following beneficial effects. The fragments generated from the key are distributed across different nodes, avoiding the high risk of theft that arises when the stored information sits on a single node. The computation of the authentication process is spread across the login module, the registration module/authentication module and the storage module: at registration, each fragment the registration module sends to the storage module relates only to part of the key; at login, the login module need only send the user name to the authentication module; each module exchanges the minimum of information with the others, which effectively improves the security of the system. Each fragment is generated from only part of the key's features, preserving the independence of the fragments from one another, so the loss of some fragments does not prevent the remaining fragments from being used for authentication; the method therefore has strong fault tolerance and adapts well to hostile network conditions. The fragmentation scheme and the algorithms are chosen by the user-side login module, which reduces the risk of reverse engineering.
Brief description of the drawings
Embodiments of the invention are described below with reference to the accompanying drawings, from which the above and other objects, features and advantages of the invention can be understood more easily. The components in the drawings serve only to illustrate the principles of the invention. In the drawings, the same or similar technical features or components are denoted by the same or similar reference numerals.
Fig. 1 is a flow chart of one embodiment of the authentication method suitable for distributed storage of the invention;
Fig. 2 is a flow chart of another embodiment of the authentication method suitable for distributed storage of the invention;
Fig. 3 is a schematic structural diagram of a system in which one embodiment of the authentication method suitable for distributed storage of the invention is applied.
Embodiments
Embodiments of the invention are described with reference to the drawings. Elements and features described in one drawing or embodiment of the invention may be combined with elements and features shown in one or more other drawings or embodiments. For clarity, the drawings and description omit components and processes that are unrelated to the invention and known to those of ordinary skill in the art.
Fig. 1 is a flow chart of one embodiment of the authentication method suitable for distributed storage of the invention.
As shown in Fig. 1, in this embodiment the authentication method suitable for distributed storage comprises:
S10: the login module sends a login request to the authentication module. Specifically, the login module sends the authentication module a login request containing the login user name.
S20: the login module receives the authentication question from the fragment information that the authentication module obtained after locating the storage node in the storage module according to the login request. Specifically, after the login module sends the login request to the authentication module, the authentication module locates the relevant storage node according to the login request and requests the fragment information from the node it found. The storage node sends the fragment information to the authentication module on receiving the request. The fragment information contains the authentication question Q_i and the authentication answer A_i. The login module receives from the authentication module the authentication question Q_i contained in the fragment information obtained from the storage node.
S30: the login module computes on the received authentication question with the login key it holds, obtains an authentication calculation result, and sends it to the authentication module. Specifically, the login module combines the login key K' it holds with the received authentication question Q_i, computes the authentication calculation result A_i', and sends A_i' to the authentication module.
S40: the login module receives from the authentication module the authentication result obtained by comparing the authentication calculation result with the authentication answer contained in the obtained fragment information. Specifically, the login module receives the authentication result that the authentication module produced by comparing the received authentication calculation result A_i' with the authentication answer A_i in the obtained fragment information.
In a preferred embodiment, the login module sends a registration request to the registration module, the registration module computes fragment information from the login key contained in the registration request, and the generated fragments are stored on separate storage nodes of the storage module. Specifically, the registration request contains the registered user name and the login key; the login module sends the registered user name and login key to the registration module to request registration; the registration module checks whether the registered user name is already taken and, if so, returns an error message; otherwise it computes on the login key to generate N fragments and stores them on N storage nodes of the storage module respectively. The number of fragments N is usually set to 8 or 16; in this embodiment N is set to 8. The fragment information consists of the authentication questions Q_i (i = 1, ..., 8) and the authentication answers A_i (i = 1, ..., 8).
The invention distributes the fragments generated from the key across different nodes, avoiding the high risk of theft that arises when the stored information sits on a single node.
In a preferred embodiment, the generated fragment information comprises a first authentication question and a first authentication answer; the registration module generates the first authentication question from a first random number and a random salt, and generates the first authentication answer by applying a cryptographic algorithm to the login key, the first random number and the random salt. Specifically, the registration module generates the first authentication question Q_i (i = 1, ..., 8) from the first random number P_i and the random salt S_i: Q_i = (P_i, S_i). The registration module applies the cryptographic algorithm to the login key, the first random number P_i and the random salt S_i to generate the first authentication answer A_i (i = 1, ..., 8).
In a preferred embodiment, the login key is expanded into a key sequence by an expansion algorithm; the element of the key sequence whose index is the first random number is taken as the answer value; and the first authentication answer is generated by applying the cryptographic algorithm to that answer value and the random salt. Specifically, the registration module expands the login key K into the key sequence E(K) with the expansion algorithm E(), takes the element of E(K) indexed by the first random number P_i as the answer value K_i = E(K)[P_i] (i = 1, ..., 8), and applies the cryptographic algorithm H() to the answer value K_i and the random salt S_i to generate the first authentication answer A_i: A_i = H(S_i, K_i), (i = 1, ..., 8).
In a preferred embodiment, the login module specifies and selects the kind of expansion algorithm and the kind of cryptographic algorithm from those supported by the registration module. Specifically, the login module specifies and selects the expansion algorithm E() and the cryptographic algorithm H() supported by the registration module. Because the fragmentation scheme and the algorithms are chosen by the user-side login module, the risk of reverse engineering is reduced and security improved.
In a preferred embodiment, the authentication question the login module receives is a second authentication question: the storage node adds a second random number to the stored fragment information and generates the second authentication question from the second random number and the first authentication question; the second authentication answer corresponding to the second authentication question is generated from the second random number and the first authentication answer. Specifically, the storage module adds a second random number R_i (i = 1, ..., 8) to the stored fragment information, generates the second authentication question q_i = (P_i, S_i, R_i) from R_i and the first authentication question Q_i, and generates the second authentication answer a_i = H(R_i, A_i) from R_i and the first authentication answer A_i, (i = 1, ..., 8). The login module receives the second authentication question q_i = (P_i, S_i, R_i), (i = 1, ..., 8).
In a preferred embodiment, the login module generates the authentication calculation result from the login key, the first random number, the random salt and the second random number. Specifically, the login module generates the authentication calculation result a_i' (i = 1, ..., 8) from the login key K', the first random number P_i, the random salt S_i and the second random number R_i: it expands the login key K' into the key sequence E(K') with the expansion algorithm E(), then K_i' = E(K')[P_i], A_i' = H(S_i, K_i'), a_i' = H(R_i, A_i'), (i = 1, ..., 8).
In a preferred embodiment, the authentication result the login module receives is obtained by the authentication module comparing the authentication calculation results with the second authentication answers one by one: when the number of matching comparisons is not less than a system preset constant, the authentication result is pass; when it is less than the system preset constant, the authentication result is fail. Specifically, the authentication module compares each authentication calculation result a_i' (i = 1, ..., 8) with the corresponding second authentication answer a_i; when the number of matches is not less than the system preset constant M, the authentication result is pass, otherwise it is fail. The number of fragments N is usually set to 8 or 16, and the system preset constant M is usually set between 1 and 4 according to the type of attack the system is exposed to; in this embodiment M is set to 2. Each fragment is generated from only part of the key's features, preserving the independence of the fragments, so the loss of some fragments does not prevent the remaining ones from being used for authentication; in this embodiment only two fragments need to verify for authentication to succeed, so the invention has strong fault tolerance and adapts well to hostile network conditions.
In a preferred embodiment, the registration request the login module sends to the registration module also contains the registered user name; the registration module computes a storage address from the registered user name, and the fragment information is stored on the storage node that corresponds to that storage address in the distributed hash table of the storage module. Specifically, the storage module manages the storage nodes through a distributed hash table (DHT); the storage address UID_i of the i-th fragment is generated by XORing i into the high-order bits of the registered user name UID, and the i-th fragment is stored on the storage node that corresponds to UID_i in the DHT.
In a preferred embodiment, the login request the login module sends to the authentication module contains the login user name; the authentication module computes a query address from the login user name, and the authentication question the login module receives is obtained by the authentication module from the storage node corresponding to the query address in the distributed hash table of the storage module. Specifically, the login request contains only the login user name UID'; the authentication module generates the query addresses UID_i' from UID', looks up the storage node corresponding to each UID_i' in the DHT, and obtains the fragment information from the node found. At login the login module need only send the user name to the authentication module, which effectively improves security.
Fig. 2 is the flow chart being applicable to the another kind of execution mode of authentication method of distributed storage of the present invention.
As shown in Figure 2, in present embodiment, the authentication method being applicable to distributed storage comprises:
S60: authentication module receives the log on request that log-in module sends.Particularly, authentication module have received the log on request comprising login username that log-in module sends.
S70: authentication module searches the memory node in memory module according to log on request, and therefrom obtains burst information, sends the authentication question information in burst information to log-in module.Particularly, authentication module searches relevant memory node according to described log on request after receiving log on request, and to the memory node request burst information found.Memory node sends burst information to authentication module after receiving request.Authentication question information Q is comprised in burst information iwith certification answer information A i.Authentication module sends from the authentication question information Q the burst information that memory node obtains to log-in module i.
S80: authentication module receives the log-in module authentication question information logging in the transmission of double secret key authentication module held to carry out calculating obtained authentication calculations result.Particularly, what authentication module received that the combination that sends of log-in module holds logs in key K ' and the authentication question information Q that receives icarry out calculating obtained authentication calculations result A i'.
S90: authentication module contrasts the certification answer information comprised in the authentication calculations result of reception and the burst information of acquisition, obtains authentication result, and is sent to log-in module.Particularly, authentication module will receive authentication calculations result A i' with obtain burst information in authentication result information A icontrast, obtain authentication result, and be sent to log-in module.
In a preferred embodiment, Registering modules receives the registration request that described log-in module sends, carry out calculating generation burst information to the login key that described registration request comprises, the burst information of described generation is stored in the memory node of described memory module respectively.Particularly, described registration request comprises registered user name and login key, registered user name and login key are sent to Registering modules request registration by log-in module, whether Registering modules inspection registered user name is occupied, if occupied, return information, if unoccupied, then described login key is calculated, generate N number of burst information, and described burst information is stored in N number of memory node of memory module respectively.Burst information quantity N is set to 8 or 16 usually.In the present embodiment, N is set to 16.Described burst information comprises authentication question information Q i(i=1 ... 16) and certification answer information A i(i=1 ... 16).
The present invention leaves the distribution of the burst information of secret generating in different node, avoids the excessive risk of the storage information that to be stolen when being stored in single node.
In a preferred embodiment, the burst information of described generation comprises the first authentication question information and the first certification answer information, described first authentication question information is generated by the first random number and random salt by described Registering modules, and described first certification answer information is carried out calculating by cryptographic algorithm to described login key, described first random number and described random salt by described Registering modules and generated.Particularly, Registering modules is by the first random number P i(i=1 ... 16) and random salt S i(i=1 ... 16) the first authentication question information Q is generated i(i=1 ... 16), Q i=(P i, S i), (i=1 ... 16).Log-in module by cryptographic algorithm to login key, the first random number P i(i=1 ... 16) and random salt S i(i=1 ... 16) calculating generation first certification answer information A is carried out i(i=1 ... 16).
In a preferred embodiment, described login key expands to key sequence by expansion algorithm, in described key sequence with the described first random number value that is sequence number for certification answer, described first certification answer information is carried out calculating by described cryptographic algorithm to described certification answer and described random salt and is generated.Particularly, login key K is expanded to key sequence E (K) by expansion algorithm E () by Registering modules, gets in key sequence E (K) with described first random number P i(i=1 ... 16) for the value of sequence number is certification answer K i=E (K) [P i], (i=1 ... 16), by cryptographic algorithm H () to described certification answer K i(i=1 ... 16) and described random salt S i(i=1 ... 16) carry out calculating and generate described first certification answer information A i(i=1 ... 16).A i=H(S i,K i),(i=1,…16)。
In a preferred embodiment, the described expansion algorithm kind that uses of described Registering modules and described cryptographic algorithm kind are specified by described log-in module and are selected.Particularly, the described expansion algorithm E () that uses of described Registering modules and cryptographic algorithm H () are specified by log-in module and select.Sliced fashion and algorithm are determined by the log-in module of user side, reduce by the risk of resolving inversely, improve fail safe.
In a preferred embodiment, described memory node adds the second random number in stored burst information, generate the second authentication question information by described second random number and described first authentication question information, generate the second certification answer information by described second random number and described first certification answer information; Described authentication module comprises described second authentication question information and described second certification answer information from the burst information that described memory node obtains, and described authentication module sends described second authentication question information to described log-in module.Particularly, memory module adds the second random number R in stored burst information i(i=1 ... 16), by the second random number R i(i=1 ... 16) and the first authentication question information Q i(i=1 ... 16) the second authentication question information q is generated i(i=1 ... 16), q i=(P i, S i, R i), (i=1 ... 16); By described second random number R i(i=1 ... 16) and described first certification answer information A i(i=1 ... 16) the second certification answer information a is generated i(i=1 ... 16), a i=H (R i, A i), (i=1 ... 16).Described authentication module sends the second authentication question information q to described log-in module i=(P i, S i, R i), (i=1 ... 16).
In a preferred embodiment, the authentication calculations result that described authentication module receives logs in key, described first random number, described random salt and described second random number and calculates generation described in described log-in module is passed through.Particularly, log-in module is by logging in key K ', the first random number P i(i=1 ... 16), random salt S i(i=1 ... 16), the second random number R i(i=1 ... 16) authentication calculations result a is generated i' (i=1 ... 16).To key K be logged in ' expand to key sequence E (K ' by expansion algorithm E ()), K i'=E (K ') [P i], (i=1 ... 16), A i'=H (S i, K i'), (i=1 ... 16), a i'=H (R i, A i'), (i=1 ... 16).Authentication module receives the authentication calculations result a that log-in module sends i' (i=1 ... 16).
In a preferred embodiment, described authentication module contrasts one by one described authentication calculations result and described second certification answer information and draws authentication result; Comparing result is identical quantity when being not less than systemic presupposition constant value, and authentication result is for passing through; Comparing result is identical quantity when being less than systemic presupposition constant value, and authentication result is not for pass through.Particularly, authentication module is by authentication calculations result a i' (i=1 ... 16) with the second certification answer information a i(i=1 ... 16) contrast one by one, comparing result is identical quantity when being not less than systemic presupposition constant value M, and authentication result is for passing through; Comparing result is identical quantity when being less than systemic presupposition constant value M, and authentication result is not for pass through.Burst information quantity N is set to 8 or 16 usually, and the attack type that systemic presupposition constant value M is vulnerable to according to system is usually arranged between 1-4.In the present embodiment, M is set to 4.Each burst information of the present invention only uses part of key feature to generate; protect the independence between many parts of burst information; the loss of part burst information does not affect all the other burst information and carries out certification; in the present embodiment; being verified of only four burst information need being had to carry out can complete certification; thus the present invention possesses stronger fault-tolerance, has very strong adaptive capacity for severe network environment.
In a preferred embodiment, the registration request received by the registration module also includes the registered user name; the registration module computes a storage address from the registered user name, and the shard information is stored in the storage node corresponding to that storage address in the distributed hash table of the storage module; the storage module manages the storage nodes through the distributed hash table. Specifically, the storage module manages the storage nodes through a distributed hash table (DHT); the high bits of the registered user name UID are XORed with i to generate the storage address UIDi of the i-th shard, and the i-th shard is stored in the storage node corresponding to UIDi in the DHT.
In a preferred embodiment, the login request received by the authentication module includes the login user name; the authentication module computes a query address from the login user name and obtains the shard information from the storage node corresponding to the query address in the distributed hash table of the storage module. Specifically, the login request contains only the login user name UID'; the authentication module generates the query address UIDi' from UID', looks up the storage node corresponding to UIDi' in the DHT, and obtains the shard information from the storage node found. At login, the login module therefore only needs to send the user name to the authentication module, which effectively improves security.
Fig. 3 is a structural diagram of the system used by one embodiment of the authentication method for distributed storage according to the present invention.
As shown in Fig. 3, in this embodiment the system used by the authentication method for distributed storage comprises: login module 10, registration module 20, authentication module 30 and storage module 40.
Login module 10 sends registration requests and login requests, and computes, with the login key it holds, over the authentication question information sent by authentication module 30 to obtain the authentication calculation result. In the present embodiment, login module 10 is located in the client.
Registration module 20 is located in the registration server; it receives the registration request from login module 10, checks whether the user UID already exists, generates shard information from the key K and stores it distributed across the storage nodes of storage module 40. The shard information comprises authentication question information Q_i and authentication answer information A_i.
Authentication module 30 is located in the authentication server; it receives the login request from login module 10, looks up the storage node that stores the shard information related to the login request and obtains the shard information, sends to login module 10 the authentication question information Q_i contained in the obtained shard information, receives the authentication calculation result A_i' sent by login module 10, compares it with the authentication answer information A_i contained in the obtained shard information to obtain the authentication result, and sends the authentication result to login module 10.
Storage module 40 is located in a peer-to-peer network; it stores the shard information and returns shard information to authentication module 30.
The present invention distributes the computation of the authentication process across the login module, the registration module/authentication module and the storage module. During registration, each shard sent by the registration module to the storage module is related only to a part of the key, and the modules exchange only the minimum of information, which effectively improves the security of the system.
In a preferred embodiment, the login module is located in the authentication server, according to actual requirements.
In a preferred embodiment, the registration server and the authentication server are nodes in the peer-to-peer network.
In a preferred embodiment, storage module 40 additionally encrypts the shard information further. Specifically, storage module 40 adds the second random number R_i to the stored shard information.
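The following is an added worked example of the whole flow described above (registration shards, the second random number added by the storage node, the XOR-derived DHT addresses, the client's a_i' = H(R_i, H(S_i, E(K')[P_i])) computation and the M-of-N comparison). It is not code from the patent. The patent does not fix E() or H(), so the example assumes HMAC-SHA256 in counter mode for E() and HMAC-SHA256 for H(); it also assumes a 64-word key sequence, a 32-bit UID taken from a SHA-256 prefix of the user name, and XOR of the shard index into the top nibble of the UID. All function and class names are the example's own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

N_SHARDS = 16     # N: shards per user (8 or 16 in the patent)
THRESHOLD_M = 4   # M: system-preset constant (1 to 4 in the patent; 4 in its embodiment)
SEQ_WORDS = 64    # assumed length of the expanded key sequence E(K), in 16-byte words

def expand_key(key: bytes) -> List[bytes]:
    """E(K): expand the login key into a key sequence.
    Assumed construction (not fixed by the patent): HMAC-SHA256 in counter mode."""
    return [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()[:16]
            for i in range(SEQ_WORDS)]

def H(k: bytes, m: bytes) -> bytes:
    """The patent's cryptographic algorithm H(x, y); HMAC-SHA256 assumed."""
    return hmac.new(k, m, hashlib.sha256).digest()

@dataclass
class Shard:
    P: int                     # first random number: index into E(K)
    S: bytes                   # random salt
    A: bytes                   # first answer A_i = H(S_i, E(K)[P_i])
    R: Optional[bytes] = None  # second random number, added by the storage node

def uid_of(username: str) -> int:
    """Map a user name to a 32-bit UID (assumed: SHA-256 prefix)."""
    return int.from_bytes(hashlib.sha256(username.encode()).digest()[:4], "big")

def shard_address(uid: int, i: int) -> int:
    """UIDi: XOR the shard index i into the high bits of UID (i < 16 fits the top nibble)."""
    return uid ^ (i << 28)

class StorageModule:
    """Stand-in for the DHT of storage nodes: address -> shard.
    On store it adds R_i, the further encryption of the stored shard."""
    def __init__(self) -> None:
        self.nodes: Dict[int, Shard] = {}

    def store(self, addr: int, shard: Shard) -> None:
        shard.R = secrets.token_bytes(16)
        self.nodes[addr] = shard

    def lose(self, addr: int) -> None:   # simulate an unreachable or lost node
        self.nodes.pop(addr, None)

def register(storage: StorageModule, username: str, key: bytes) -> None:
    """Registration module: each shard depends on one word of E(K) only."""
    seq, uid = expand_key(key), uid_of(username)
    for i in range(N_SHARDS):
        P, S = secrets.randbelow(SEQ_WORDS), secrets.token_bytes(16)
        storage.store(shard_address(uid, i), Shard(P=P, S=S, A=H(S, seq[P])))

def challenge(storage: StorageModule, username: str):
    """Authentication module: fetch shards by query address, hand the second
    questions (P_i, S_i, R_i) to the client, keep the second answers a_i = H(R_i, A_i)."""
    uid, questions, answers = uid_of(username), [], []
    for i in range(N_SHARDS):
        sh = storage.nodes.get(shard_address(uid, i))
        if sh is None:          # lost shard: skip it, the others still authenticate
            continue
        questions.append((sh.P, sh.S, sh.R))
        answers.append(H(sh.R, sh.A))
    return questions, answers

def respond(key: bytes, questions) -> List[bytes]:
    """Login module: a_i' = H(R_i, H(S_i, E(K')[P_i])) using only the held key."""
    seq = expand_key(key)
    return [H(R, H(S, seq[P])) for (P, S, R) in questions]

def verify(answers: List[bytes], responses: List[bytes], m: int = THRESHOLD_M) -> Tuple[bool, int]:
    """Compare one by one in constant time; pass when at least M shards match."""
    matches = sum(hmac.compare_digest(a, r) for a, r in zip(answers, responses))
    return matches >= m, matches

def authenticate(storage: StorageModule, username: str, key: bytes) -> Tuple[bool, int]:
    questions, answers = challenge(storage, username)
    return verify(answers, respond(key, questions))

def demo() -> List[Tuple[bool, int]]:
    """Constructed scenario: full shard set, wrong key, exactly M shards left, fewer than M."""
    st, key = StorageModule(), b"constructed-login-key"
    register(st, "alice", key)
    results = [authenticate(st, "alice", key), authenticate(st, "alice", b"wrong-key")]
    uid = uid_of("alice")
    for i in range(N_SHARDS - THRESHOLD_M):     # lose 12 of 16 storage nodes
        st.lose(shard_address(uid, i))
    results.append(authenticate(st, "alice", key))
    st.lose(shard_address(uid, N_SHARDS - THRESHOLD_M))   # now only M-1 remain
    results.append(authenticate(st, "alice", key))
    return results

if __name__ == "__main__":
    for ok, n in demo():
        print("pass" if ok else "fail", "with", n, "matching shards")
```

The scenario shows the fault-tolerance property the description claims: with twelve of sixteen storage nodes gone the login still passes because exactly M = 4 shards verify, and it fails once only three remain. Each stored shard exposes a single word of E(K) through A_i, so the strength of the scheme rests on the width of those words and on H; the example uses 16-byte words for that reason.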
In summary, the present invention takes full advantage of distributed storage and provides both higher security and stronger fault tolerance.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (22)

1. An authentication method suitable for distributed storage, characterized in that the method comprises:
a login module sending a login request to an authentication module;
the login module receiving authentication question information from shard information that the authentication module obtained from a storage node in a storage module found according to the login request; the shard information comprising authentication question information and authentication answer information;
the login module computing, with the login key it holds, over the received authentication question information to obtain an authentication calculation result, and sending the authentication calculation result to the authentication module;
the login module receiving the authentication result sent by the authentication module, which is obtained by comparing the authentication calculation result with the authentication answer information contained in the obtained shard information.
2. The authentication method suitable for distributed storage according to claim 1, characterized in that the login module sends a registration request to a registration module, the registration module computes over the login key contained in the registration request to generate shard information, and the generated shard information is stored respectively in the storage nodes of the storage module.
3. The authentication method suitable for distributed storage according to claim 2, characterized in that the generated shard information comprises first authentication question information and first authentication answer information; the first authentication question information is generated by the registration module from a first random number and a random salt, and the first authentication answer information is generated by the registration module by computing a cryptographic algorithm over the login key, the first random number and the random salt.
4. The authentication method suitable for distributed storage according to claim 3, characterized in that the login key is expanded into a key sequence by an expansion algorithm; the value in the key sequence whose index is the first random number serves as the authentication answer, and the first authentication answer information is generated by computing the cryptographic algorithm over the authentication answer and the random salt.
5. The authentication method suitable for distributed storage according to claim 4, characterized in that the login module specifies and selects the kind of expansion algorithm and the kind of cryptographic algorithm supported by the registration module.
6. The authentication method suitable for distributed storage according to claim 4, characterized in that the authentication question information received by the login module is second authentication question information; the storage node adds a second random number to the stored shard information, and the second authentication question information is generated from the second random number and the first authentication question information; the second authentication answer information corresponding to the second authentication question information is generated from the second random number and the first authentication answer information.
7. The authentication method suitable for distributed storage according to claim 6, characterized in that the login module generates the authentication calculation result from the login key, the first random number, the random salt and the second random number.
8. The authentication method suitable for distributed storage according to claim 7, characterized in that the authentication result received by the login module is derived by the authentication module comparing the authentication calculation results one by one with the second authentication answer information; when the number of identical comparison results is not less than a system-preset constant, the authentication result is pass; when the number of identical comparison results is less than the system-preset constant, the authentication result is fail.
9. The authentication method suitable for distributed storage according to claim 8, characterized in that the number of shards generated by computing over the login key is 8 or 16, and the system-preset constant is set between 1 and 4 according to the type of attack the system is exposed to.
10. The authentication method suitable for distributed storage according to any one of claims 2 to 9, characterized in that the registration request sent by the login module to the registration module also comprises a registered user name; the registration module computes over the registered user name to generate a storage address, and the shard information is stored in the storage node corresponding to the storage address in the distributed hash table of the storage module.
11. The authentication method suitable for distributed storage according to claim 10, characterized in that the login request sent by the login module to the authentication module comprises a login user name; the authentication module computes over the login user name to generate a query address, and the authentication question information received by the login module is obtained by the authentication module from the storage node corresponding to the query address in the distributed hash table of the storage module.
12. An authentication method suitable for distributed storage, characterized in that the method comprises:
an authentication module receiving a login request sent by a login module;
the authentication module searching for a storage node in a storage module according to the login request, obtaining shard information from the storage node, and sending the authentication question information in the shard information to the login module; the shard information comprising authentication question information and authentication answer information;
the authentication module receiving the authentication calculation result obtained by the login module computing, with the login key it holds, over the authentication question information sent by the authentication module;
the authentication module comparing the received authentication calculation result with the authentication answer information contained in the obtained shard information to obtain an authentication result, and sending the authentication result to the login module.
13. The authentication method suitable for distributed storage according to claim 12, characterized in that a registration module receives a registration request sent by the login module, computes over the login key contained in the registration request to generate shard information, and stores the generated shard information respectively in the storage nodes of the storage module.
14. The authentication method suitable for distributed storage according to claim 13, characterized in that the generated shard information comprises first authentication question information and first authentication answer information; the first authentication question information is generated by the registration module from a first random number and a random salt, and the first authentication answer information is generated by the registration module by computing a cryptographic algorithm over the login key, the first random number and the random salt.
15. The authentication method suitable for distributed storage according to claim 14, characterized in that the login key is expanded into a key sequence by an expansion algorithm; the value in the key sequence whose index is the first random number serves as the authentication answer, and the first authentication answer information is generated by computing the cryptographic algorithm over the authentication answer and the random salt.
16. The authentication method suitable for distributed storage according to claim 15, characterized in that the kind of expansion algorithm and the kind of cryptographic algorithm used by the registration module are specified and selected by the login module.
17. The authentication method suitable for distributed storage according to claim 15, characterized in that the storage node adds a second random number to the stored shard information, generates second authentication question information from the second random number and the first authentication question information, and generates second authentication answer information from the second random number and the first authentication answer information; the shard information obtained by the authentication module from the storage node comprises the second authentication question information and the second authentication answer information, and the authentication module sends the second authentication question information to the login module.
18. The authentication method suitable for distributed storage according to claim 17, characterized in that the authentication calculation result received by the authentication module is generated by the login module computing over the login key, the first random number, the random salt and the second random number.
19. The authentication method suitable for distributed storage according to claim 18, characterized in that the authentication module compares the authentication calculation results one by one with the second authentication answer information to derive the authentication result; when the number of identical comparison results is not less than a system-preset constant, the authentication result is pass; when the number of identical comparison results is less than the system-preset constant, the authentication result is fail.
20. The authentication method suitable for distributed storage according to claim 19, characterized in that the number of shards generated by computing over the login key is 8 or 16, and the system-preset constant is set between 1 and 4 according to the type of attack the system is exposed to.
21. The authentication method suitable for distributed storage according to any one of claims 13 to 20, characterized in that the registration request received by the registration module also comprises a registered user name; the registration module computes over the registered user name to generate a storage address, and the shard information is stored in the storage node corresponding to the storage address in the distributed hash table of the storage module; the storage module manages the storage nodes through the distributed hash table.
22. The authentication method suitable for distributed storage according to claim 21, characterized in that the login request received by the authentication module comprises a login user name; the authentication module computes over the login user name to generate a query address and obtains the shard information from the storage node corresponding to the query address in the distributed hash table of the storage module.
CN201410757487.8A 2014-12-10 2014-12-10 Suitable for the authentication method of distributed storage Active CN104468580B (en)


Publications (2)

Publication Number Publication Date
CN104468580A true CN104468580A (en) 2015-03-25
CN104468580B CN104468580B (en) 2017-08-11

Family

ID=52913952



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220304

Address after: 315899 room a812, No. 2, Xingye Avenue, Ningbo Free Trade Zone, Zhejiang Province (No. d356, trusteeship of Yongbao business secretary company)

Patentee after: Ningbo Zhongxiang Yulian Technology Co.,Ltd.

Address before: 100083 No. c-1810-028, 15th floor, building 1, No. 18, Zhongguancun East Road, Haidian District, Beijing

Patentee before: BEIJING PEERSAFE TECHNOLOGY Co.,Ltd.
