CN105376242A - Cloud terminal data access authentication method, cloud terminal data access authentication system and cloud terminal management system

Info

Publication number: CN105376242A
Authority: CN (China)
Prior art keywords: access; data; person; data access; access request
Legal status: Pending
Application number: CN201510847030.0A
Other languages: Chinese (zh)
Inventor: 余启轩
Current assignee: Shanghai Feixun Data Communication Technology Co Ltd
Original assignee: Shanghai Feixun Data Communication Technology Co Ltd
Application filed by Shanghai Feixun Data Communication Technology Co Ltd
Priority to CN201510847030.0A
Publication of CN105376242A

Classifications

    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/102 Network architectures or network communication protocols for network security for controlling access to devices or network resources; entity profiles


Abstract

The invention provides a cloud terminal data access authentication method, a cloud terminal data access authentication system and a cloud terminal management system. The cloud terminal data access authentication method comprises the following steps: S1, sending an alarm to the corresponding client when an access request from a data visitor is detected; and S2, analyzing the access permission of the data visitor according to the access request and performing the corresponding operation according to the analysis result, where, when the access request carries the private key or the public key of a key pair, the access is determined to be normal access and the data visitor is authorized. In the invention, when a data request is detected, whether the request carries a key is judged, so that the identity of the data visitor can be verified: when the request carries the key, the visitor is a normal visitor and is authorized to access; when the request does not carry the key, the visitor is an illegal visitor and the access request is refused. Because the key pair is used for data encryption and decryption, the security of the data can be ensured.

Description

Authentication method and system for cloud terminal data access, and cloud terminal management system
Technical field
The present invention relates to the field of network technology, and in particular to an authentication method and system for cloud terminal data access and to a cloud terminal management system.
Background technology
Cloud computing is one of the hot topics in today's information technology field and has attracted close attention from industry, academia and government alike. It embodies the idea that "the network is the computer": it links together a large number of computing, storage and software resources to form a shared virtual IT resource pool of enormous scale.
However, when using a cloud computing service, the user does not know the specific location of the trusted server holding their data, nor which server manages it. For example, data storage in a cloud service is shared, that is, no separate storage area is set aside for each user, so the data is exposed to potential hazards. As another example, users today mostly share data over the network in encrypted form but fail to isolate their own data from that of other users, so there are hidden risks in both the privacy and the secure isolation of the data, and the particular storage structure of the cloud makes privacy protection a key security problem.
The most widely used approach at present is to obfuscate and encrypt the data uploaded to the cloud terminal, but a password can be identified because it is too simple or follows a recognizable pattern, and the server is then easily accessed by unauthorized users, putting the data at risk.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide an authentication method and system for cloud terminal data access and a cloud terminal management system, so as to solve the problem in the prior art that data stored in the cloud terminal is easily accessed and therefore insecure.
To achieve the above and other related objects, the invention provides an authentication method and system for cloud terminal data access and a cloud terminal management system. The authentication method for cloud terminal data access comprises the following steps: S1, detecting an access request from a data accessor and sending an alarm to the corresponding client; S2, analyzing the access rights of the data accessor according to the access request and performing the corresponding operation according to the analysis result, where, when the access request carries the private key or the public key of a key pair, the access is confirmed as normal access and the data accessor is authorized to access.
In one embodiment of the invention, step S1 specifically comprises: S11, converting the identity information of the client user into a digital code and forming the key pair, the key pair comprising a public key and the corresponding private key; S12, encrypting the client's data based on the key pair to obtain encrypted data; S13, detecting the access request from the data accessor and sending an alarm to the corresponding client based on this access request.
In one embodiment of the invention, step S12 specifically consists of encrypting the data with the public key to obtain the encrypted data, and step S2 specifically comprises: S21, analyzing the access request and judging whether it carries the private key; if so, confirming normal access and proceeding to step S22, otherwise confirming unauthorized access and proceeding to step S23; S22, authorizing the data accessor and allowing it to access the data; S23, refusing the access request of the data accessor.
In one embodiment of the invention, step S12 specifically consists of encrypting the data with the private key to obtain the encrypted data, and step S2 specifically comprises: S81, analyzing the access request and judging whether it carries the public key; if so, confirming normal access and proceeding to step S82, otherwise confirming unauthorized access and proceeding to step S83; S82, authorizing the data accessor and allowing it to access the data; S83, refusing the access request of the data accessor.
In one embodiment of the invention, after the step of refusing the access request of the data accessor, the method further comprises storing the visit information of the data accessor.
The invention also provides an authentication system for cloud terminal data access, the authentication system comprising: a detecting module, for detecting in real time whether any data accessor is accessing data on a server of the cloud terminal and, when an access request from a data accessor is detected, sending an alarm to the corresponding client; and an access control module connected to the detecting module, for analyzing the access rights of the data accessor according to the access request and performing the corresponding operation according to the analysis result, where, when the access request carries the private key or the public key of a key pair, the access is confirmed as normal access and the data accessor is authorized to access.
In one embodiment of the invention, the detecting module specifically comprises: a conversion unit, for converting the identity information of the client user into a digital code and forming the key pair, the key pair comprising a public key and the corresponding private key; an encryption unit connected to the conversion unit, for encrypting the client's data based on the key pair to obtain encrypted data; and a detecting unit connected to the encryption unit, for detecting in real time whether any data accessor is accessing data on a server of the cloud terminal and, when an access request from a data accessor is detected, sending an alarm to the corresponding client.
In one embodiment of the invention, the encryption unit is specifically for encrypting the client's data with the public key to obtain the encrypted data, and the access control module specifically comprises: a first judging unit, for analyzing the access request and judging whether it carries the private key, confirming normal access if so and unauthorized access otherwise; a first granting unit connected to the first judging unit, for authorizing the data accessor and allowing it to access the data when normal access is confirmed; and a first refusal unit connected to the first judging unit, for refusing the access request of the data accessor when unauthorized access is confirmed.
In one embodiment of the invention, the encryption unit is specifically for encrypting the client's data with the private key to obtain the encrypted data, and the access control module specifically comprises: a second judging unit, for analyzing the access request and judging whether it carries the public key, confirming normal access if so and unauthorized access otherwise; a second granting unit connected to the second judging unit, for authorizing the data accessor and allowing it to access the data when normal access is confirmed; and a second refusal unit connected to the second judging unit, for refusing the access request of the data accessor when unauthorized access is confirmed.
The invention also provides a cloud terminal management system comprising the authentication system for cloud terminal data access, where the authentication system comprises: a detecting module, for detecting in real time whether any data accessor is accessing data on a server of the cloud terminal and, when an access request from a data accessor is detected, sending an alarm to the corresponding client; and an access control module connected to the detecting module, for analyzing the access rights of the data accessor according to the access request and performing the corresponding operation according to the analysis result, where, when the access request carries the private key or the public key of a key pair, the access is confirmed as normal access and the data accessor is authorized to access.
The authentication method and system for cloud terminal data access and the cloud terminal management system of the invention have at least the following beneficial effects:
When a data request is detected, the request is analyzed to determine whether it carries a key, so that the identity of the data visitor can be verified: when the request carries the key, the data accessor is a normal visitor and is granted access; when the request does not carry the key, the data accessor is an unauthorized visitor and the access request is refused. Because a key pair is used for data encryption and decryption, the security of the data can be ensured.
Brief description of the drawings
Fig. 1 is a schematic flow chart of one embodiment of the authentication method for cloud terminal data access of the invention;
Fig. 2 is a detailed flow chart of step S1 of the authentication method for cloud terminal data access of the invention;
Fig. 3 is a detailed flow chart of step S2 of a preferred embodiment of the authentication method for cloud terminal data access of the invention;
Fig. 4 is a detailed flow chart of step S2 of another preferred embodiment of the authentication method for cloud terminal data access of the invention;
Fig. 5 is a schematic structural diagram of one embodiment of the authentication system for cloud terminal data access provided by the invention;
Fig. 6 is a detailed structural diagram of the detecting module 1 of the authentication system for cloud terminal data access of the invention;
Fig. 7 is a detailed structural diagram of the access control module 2 of a preferred embodiment of the authentication system for cloud terminal data access of the invention;
Fig. 8 is a detailed structural diagram of the access control module 2 of another preferred embodiment of the authentication system for cloud terminal data access of the invention.
Description of element numbers:
1 detecting module
2 access control module
3 storage module
11 conversion unit
12 encryption unit
13 detecting unit
21 first judging unit
22 first granting unit
23 first refusal unit
81 second judging unit
82 second granting unit
83 second refusal unit
S1 to S43 steps
Detailed description
The embodiments of the invention are described below by way of specific examples; those skilled in the art can readily understand other advantages and effects of the invention from the content disclosed in this specification. The invention may also be implemented or applied through other, different embodiments, and the details in this specification may be modified or changed in various ways based on different viewpoints and applications without departing from the spirit of the invention. It should be noted that, where there is no conflict, the features of the following examples and embodiments may be combined with one another.
It should be noted that the drawings provided in the following examples only illustrate the basic concept of the invention schematically: they show only the components relevant to the invention, not the number, shape and size of the components in an actual implementation. In practice the form, number and proportion of each component may vary freely, and the component layout may be more complex.
Embodiment 1
Referring to Fig. 1, which is a schematic flow chart of one embodiment of the authentication method for cloud terminal data access of the invention, the authentication method comprises the steps:
Step S1: detecting an access request from a data accessor and sending an alarm to the corresponding client;
Here, whether any data accessor is accessing data on a server of the cloud terminal is detected in real time, and when an access request from a data accessor is detected, an alarm is sent to the corresponding client. In particular, the cloud terminal includes a number of servers (in practice a large number); each server is connected to a corresponding client and stores that client's data. When a data accessor accesses the server it sends an access request; the corresponding client is found from this access request, and an alarm is sent to that client to inform it that a data accessor is accessing the data it has stored, so that the client can identify the access rights of the data accessor at the earliest moment and protect the data in time. Further, the alarm may indicate whether the access is the user's own normal access or normal access by someone other than the user; at this point, in order to send the alarm to the client promptly, the access request is not yet analyzed or identified, and only whether the access comes from the corresponding client user is identified.
Step S2: analyzing the access rights of the data accessor according to the access request and performing the corresponding operation according to the analysis result; when the access request carries the private key or the public key of a key pair, the access is confirmed as normal access and the data accessor is authorized to access.
Here the access request needs to be analyzed, specifically to determine whether it carries the public key or the private key of a key pair. The key pair is a kind of digital identity card: a public key pair, identified and queried through the network and related devices, that is formed by converting the client's true identity information into a digital code. It comprises a public key (also called a key) and a private key (also called a key); the public key is the disclosed part of the pair and the private key is the secret part. The public key is generally used to encrypt session keys, verify digital signatures, encrypt data and so on, but such encrypted data must be decrypted with the corresponding private key. The private key is generated by an openly trusted private key generator, PKG (Private Key Generator), in combination with the user's identity. Either the private key or the public key can be used, together with the client's true identity information, to encrypt data, but the two occur in pairs: when one of them is used to encrypt data, the encrypted data can only be decrypted with the other. This guarantees the absolute security of the data. Further, when one of them is used for data encryption, the encrypted data is stored on the server of the cloud terminal and the other key is sent to the corresponding client. On actual request, the client can send this key to a legitimate accessor (such as another client user) who needs to access the data, so that when the legitimate accessor needs to access the data it sends a request carrying that key of the pair for identity authentication and, once its identity is verified, decrypts the data.
In this embodiment, whether any data accessor is accessing data on a server of the cloud terminal is monitored in real time; when a data accessor is detected, the legitimacy of the data visitor can be verified based on whether the access request carries the private key or the public key of the key pair, and the data accessor is authorized when the access is verified as normal. Because a key pair is used for data authentication, the security of data access can be ensured to a certain extent.
Further, in one embodiment of the invention, the authentication method also comprises the step:
Step S3: storing the visit information of the data accessor.
The visit information may include the visitor's identity, network address, access request, reason for access and so on, without limitation here. In particular, the visit information may be stored by category, for example: authorized/unauthorized; normal/abnormal; malicious/non-malicious; server provider/non-server provider; common access/non-common access; partial-content decryption access/full plaintext decryption access; or higher security level visitor/lower security level visitor. Further, the authentication method may also comprise the step of feeding the visit information back to the corresponding client, so that the client user can take certain actions based on it; for example, according to the actual situation, some unauthorized but non-malicious data visitors may be granted partial rights so that they can access some data; some malicious visitors may be restricted or have their access disabled; some visitors of higher security level may be granted access or given priority access rights; and some visitors of lower security level may be given restricted access or low-priority access rights.
As shown in Fig. 2, which is a detailed flow chart of step S1 of the authentication method for cloud terminal data access of the invention, step S1 specifically comprises:
Step S11: converting the identity information of the client user into a digital code and forming a key pair, the key pair comprising a public key and the corresponding private key;
The true identity information of the client user is converted into a digital code by a conversion algorithm to form the key pair; an existing conversion algorithm may be used and is not repeated here. The key pair may be a symmetric or an asymmetric key pair; in one embodiment of the invention it is an asymmetric key pair.
Step S12: encrypting the client's data based on the key pair to obtain encrypted data;
The data the client stores on the server is encrypted using the above key pair; either the private key or the public key may be used to encrypt the data. Existing techniques may be used for this encryption and are not repeated here.
Step S13: detecting an access request from a data accessor and sending an alarm to the corresponding client based on this access request.
Specifically, whether any data accessor is accessing data on a server of the cloud terminal is detected in real time, and when an access request from a data accessor is detected, an alarm is sent to the corresponding client. At this point the access request is not processed in any way; the alarm that a data accessor is present is fed back to the corresponding client in time, which can remind the user and ensure the security of the data to a certain extent.
In a preferred version of this embodiment, step S12 specifically consists of encrypting the data with the public key to obtain the encrypted data. As shown in Fig. 3, which is a detailed flow chart of step S2 of a preferred embodiment of the authentication method for cloud terminal data access of the invention, the detailed process of step S2 is as follows:
Step S21: analyzing the access request and judging whether it carries the private key; if so, confirming normal access and proceeding to step S22, otherwise confirming unauthorized access and proceeding to step S23;
Specifically, the access request is analyzed: if it carries the private key, this indicates normal access by a legitimate user; if it does not, the data accessor is an abnormal access. Since the public key was used to encrypt the data in the preceding step, the private key must now be used to decrypt it, so the access request must carry the private key in order to access the data. Because the key pair is an asymmetric key pair, using it for data encryption and decryption can greatly improve the security of the data compared with ordinary password encryption.
Step S22: authorizing the data visitor and allowing the data accessor to access the data;
When the access request carries the private key, the visitor is a legitimate accessor, that is, one who has obtained the authorization of the corresponding client. The data accessor is now authorized and allowed to access the data.
Step S23: refusing the access request of the data accessor.
When the access request does not carry the private key, the visitor is not a legitimate accessor, that is, has not obtained the authorization of the corresponding client; the access request of this data accessor is now refused, so that it has no right to access the data.
In another preferred version, step S12 specifically consists of encrypting the data with the private key to obtain the encrypted data. As shown in Fig. 4, which is a detailed flow chart of step S2 of another preferred embodiment of the authentication method for cloud terminal data access of the invention, the detailed process of step S2 is as follows:
Step S41: analyzing the access request and judging whether it carries the public key; if so, confirming normal access and proceeding to step S42, otherwise confirming unauthorized access and proceeding to step S43;
Specifically, the access request is analyzed: if it carries the public key, this indicates normal access by a legitimate user; if it does not, the data accessor is an abnormal access. Since the private key was used to encrypt the data in the preceding step, the public key must now be used to decrypt it, so the access request must carry the public key in order to access the data. Because the key pair is an asymmetric key pair, using it for data encryption and decryption can greatly improve the security of the data compared with ordinary password encryption.
Step S42: authorizing the data visitor and allowing the data accessor to access the data;
When the access request carries the public key, the visitor is a legitimate accessor, that is, one who has obtained the authorization of the corresponding client. The data accessor is now authorized and allowed to access the data.
Step S43: refusing the access request of the data accessor.
When the access request does not carry the public key, the visitor is not a legitimate accessor, that is, has not obtained the authorization of the corresponding client; the access request of this data accessor is now refused, so that it has no right to access the data.
In this embodiment, when an access request is detected, the legitimacy of the data visitor is identified based on the access request and the key pair corresponding to the data; when the visitor is legitimate it is authorized, and when it is illegitimate its request is refused. Because an asymmetric key pair is used, the security of the data can be effectively ensured.
In addition, when an access request is received, an alarm is immediately sent to the corresponding client, which makes it easy for the client user to judge the legitimacy of the data accessor in time and further ensures the security of the data.
Embodiment 2
Referring to Fig. 5, a structural diagram of one embodiment of the cloud terminal data access authentication system provided by the invention, the system comprises a terminal, and the terminal specifically comprises a detecting module 1 and an access control module 2 connected to it, wherein:
Detecting module 1 monitors in real time whether any data accessor is accessing data on a server of the cloud terminal and, when an access request from a data accessor is detected, sends an alarm to the corresponding client;
Detecting module 1 monitors in real time whether a data accessor is accessing data on a server of the cloud terminal, and when it detects an access request from a data accessor it sends an alarm to the corresponding client. Specifically, the cloud terminal includes a number of servers (in practice a large number); each server is connected to a corresponding client and stores that client's data. When a data accessor accesses a server it sends an access request; the corresponding client is located from that request and an alarm is sent to it, informing the client that a data accessor is accessing the data it has stored, so that the client can identify the access rights of that accessor at the first opportunity and protect the data in time. The alarm may further indicate whether the access is a normal access by the client's own user or by someone other than that user. To deliver the alarm promptly, the access request is not analyzed or identified at this stage; the only thing identified is whether the access comes from the corresponding client's own user.
Access control module 2 analyzes the access mode of the data accessor on the basis of the access request and performs the corresponding operation according to the result of the analysis: when the access request carries the private key or the public key of the key pair, the access mode is confirmed as normal access and the data accessor is authorized to access the data.
The access request therefore needs to be analyzed; specifically, whether it carries the public key or the private key of the key pair. The key pair is a kind of digital identity card: the client's real identity information is converted into a digital code, producing a public key pair that can be identified and looked up by network devices and the like. It comprises a public key and a private key. The public key is the disclosed part of the pair and the private key the secret part. The public key is generally used to encrypt a session key, verify a digital signature or encrypt data, and data encrypted with it must be decrypted with the corresponding private key. The private key is generated from the user's identity by an openly trusted private key generator, PKG (Private Key Generator). Either the private key or the public key can be used, together with the client's real identity information, to encrypt data, but the two keys occur in pairs: data encrypted with one of them can only be decrypted with the other. This is what guarantees the security of the data. Further, after the data has been encrypted with one of the two keys, the encrypted data is stored on a server of the cloud terminal and the other key is sent to the corresponding client. The client can, on request, pass that key to legitimate accessors who need the data (for example other client users), so that when such an accessor needs to access the data it presents the key it holds for identity verification and, once its identity has been verified, decrypts the data.
In this embodiment the system monitors in real time whether a data accessor is accessing data on a server of the cloud terminal. When a data accessor is detected, the legitimacy of the accessor can be verified by checking whether the access request carries the private key or the public key of the key pair; when the access is verified as normal, the accessor is authorized. Because a key pair is used for authentication, the security of data access can be ensured to a certain extent.
Further, in one embodiment of the invention the authentication system also comprises a memory module 3 connected to access control module 2;
Memory module 3 stores the visit information of the data accessor.
The visit information may include the accessor's identity, network address, access request and reason for access, etc., without limitation. In particular, the visit information may be stored by category, for example authorized/unauthorized, normal/abnormal, malicious/non-malicious, server provider/non-provider, common access/non-common access, partial-content decryption access/full plaintext decryption access, or higher-security-level accessor/lower-security-level accessor. Further, the authentication system may also comprise a feedback module that feeds the visit information back to the corresponding client, so that the client user can act on it: for example, according to the actual circumstances, granting partial permissions to some unauthorized but non-malicious accessors so that they can access certain data; limiting or disabling the access of some malicious accessors; granting access or opening priority access rights to some accessors with a higher security level; and limiting access or giving low-priority access rights to some accessors with a lower security level.
Fig. 6 is a structural diagram of detecting module 1 of the cloud terminal data access authentication system of the invention. Detecting module 1 specifically comprises a conversion unit 11, a ciphering unit 12 connected to conversion unit 11, and a detecting unit 13 connected to ciphering unit 12, wherein:
Conversion unit 11 converts the identity information of the client user into a digital code to form the key pair, which comprises a public key and the corresponding private key;
Specifically, the real identity information of the client user is converted into a digital code by a conversion algorithm to form the key pair. The key pair may be symmetric or asymmetric; in this embodiment of the invention it is an asymmetric key pair.
Ciphering unit 12 encrypts the client's data on the basis of the key pair to obtain encrypted data;
Specifically, the data that the client stores on the server is encrypted using the key pair described above; either the private key or the public key may be used to encrypt the data. The encryption itself may use existing techniques and is not described further here.
Detecting unit 13 monitors in real time whether a data accessor is accessing data on a server of the cloud terminal and, when an access request from a data accessor is detected, sends an alarm to the corresponding client.
Specifically, the unit monitors in real time whether a data accessor is accessing data on a server of the cloud terminal and, when it detects an access request from a data accessor, sends an alarm to the corresponding client. At this point the access request is not processed in any way; the alarm that a data accessor is present is fed back to the corresponding client promptly, which reminds the user and protects the data to a certain extent.
In a preferred version of this embodiment, ciphering unit 12 specifically encrypts the client's data with the public key to obtain the encrypted data. Fig. 7 is a structural diagram of access control module 2 in this preferred embodiment of the cloud terminal data access authentication system of the invention; access control module 2 specifically comprises a first judging unit 21, a first granting unit 22 connected to first judging unit 21, and a first refusal unit 23 connected to first judging unit 21.
First judging unit 21 analyzes the access request and judges whether it carries the private key; if so, the access is confirmed as normal access, otherwise it is confirmed as unauthorized access;
Specifically, first judging unit 21 analyzes the access request. If the request carries the private key, the access is a normal access by a legitimate user; if it does not, the data accessor is an abnormal access. Because ciphering unit 12 encrypted the data with the public key, the data can only be decrypted with the private key, so an access request must carry the private key in order to access the data. Because the key pair is asymmetric, encrypting and decrypting the data with it greatly improves the security of the data compared with ordinary password encryption.
First granting unit 22, when the access is confirmed as normal, authorizes the data accessor and allows it to access the data;
When the access request carries the private key, the accessor is a legitimate accessor, that is, one that has been authorized by the corresponding client. The data accessor is therefore authorized and allowed to access the data.
First refusal unit 23, when the access is confirmed as unauthorized, refuses the access request of the data accessor.
When the access request does not carry the private key, the accessor is not a legitimate accessor, that is, it has not been authorized by the corresponding client, so its access request is refused and it has no right to access the data.
In another preferred version of this embodiment, ciphering unit 12 specifically encrypts the client's data with the private key to obtain the encrypted data. Fig. 8 is a structural diagram of access control module 2 in this other preferred embodiment of the cloud terminal data access authentication system of the invention; here access control module 2 specifically comprises a second judging unit 81, a second granting unit 82 connected to second judging unit 81, and a second refusal unit 83 connected to second judging unit 81.
Second judging unit 81 analyzes the access request and judges whether it carries the public key; if so, the access is confirmed as normal access, otherwise it is confirmed as unauthorized access;
Specifically, second judging unit 81 analyzes the access request. If the request carries the public key, the access is a normal access by a legitimate user; if it does not, the data accessor is an abnormal access. Because ciphering unit 12 encrypted the data with the private key, the data must be decrypted with the public key, so an access request must carry the public key in order to access the data. Because the key pair is asymmetric, encrypting and decrypting the data with it greatly improves the security of the data compared with ordinary password encryption.
Second granting unit 82, when the access is confirmed as normal, authorizes the data accessor and allows it to access the data;
When the access request carries the public key, the accessor is a legitimate accessor, that is, one that has been authorized by the corresponding client. The data accessor is therefore authorized and allowed to access the data.
Second refusal unit 83, when the access is confirmed as unauthorized, refuses the access request of the data accessor.
When the access request does not carry the public key, the accessor is not a legitimate accessor, that is, it has not been authorized by the corresponding client, so its access request is refused and it has no right to access the data.
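The two access-control variants above (Fig. 7: data encrypted with the public key, the request must carry the private key; Fig. 8: data encrypted with the private key, the request must carry the public key), together with the detecting unit's alarm, as an added example in Go. This is not code from the patent or from the applicant. It assumes RSA with OAEP for the encryption step (the page leaves the scheme to existing techniques), a freshly generated pair in place of the identity-derived pair from the PKG, PEM as the form in which a request "carries" a key, and the constructed names client-A, alice and mallory. One caveat a practitioner should take from running it: in the Fig. 8 variant the key the request must carry is the public key, which the description itself defines as the disclosed half of the pair, so that check accepts any requester who has obtained it; and in the Fig. 7 variant the private key itself travels inside the request, so whoever can read that request holds the key afterwards. Both checks are implemented exactly as the description states so that the difference is visible.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// ClientRecord: what a server holds for one client in the Fig. 7 variant (registered public half, data encrypted with it).
type ClientRecord struct {
	ClientID, OwnerUser string // OwnerUser is the client's own user, for the self/non-self alarm
	ClientPub           *rsa.PublicKey
	Ciphertext          []byte
}

// AccessRequest: who asks, whose data, and the key the requester "carries" as PEM (nil, private or public).
type AccessRequest struct {
	Accessor, ClientID string
	KeyPEM             []byte
}

type Alarm struct {
	ClientID, Accessor string
	SelfAccess         bool
}

// Detect raises an alarm for every request; the only thing it identifies is whether
// the accessor is the client's own user, as the description states.
func Detect(rec ClientRecord, req AccessRequest) Alarm {
	return Alarm{rec.ClientID, req.Accessor, req.Accessor == rec.OwnerUser}
}

// NewClientPair stands in for conversion unit 11. The page derives the pair from the
// user's identity via a PKG; that is not reproduced here (assumption: a fresh RSA pair).
func NewClientPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Encrypt is ciphering unit 12 with the public key (RSA-OAEP is an assumption; the page leaves the scheme open).
func Encrypt(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
}

func PrivateKeyPEM(k *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}
func PublicKeyPEM(k *rsa.PublicKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(k)})
}

// AuthorizeWithPrivateKey is first judging unit 21 with units 22 and 23: normal access only
// if the request carries the private key of the pair the data was encrypted with. "Carries" is
// checked by parsing the key and confirming it belongs to the registered pair; success returns the data.
func AuthorizeWithPrivateKey(rec ClientRecord, req AccessRequest) ([]byte, error) {
	if req.ClientID != rec.ClientID {
		return nil, errors.New("refused: request targets another client's data")
	}
	block, _ := pem.Decode(req.KeyPEM)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("refused: request carries no private key")
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil || !priv.PublicKey.Equal(rec.ClientPub) {
		return nil, errors.New("refused: carried key is not the private key of this data's pair")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.Ciphertext, nil)
}

// AuthorizeWithPublicKey is second judging unit 81 (Fig. 8 variant): normal access if the
// request carries the public key of the pair. The public key is, by the page's own
// definition, the disclosed half, so this check admits anyone who has obtained it.
func AuthorizeWithPublicKey(rec ClientRecord, req AccessRequest) error {
	block, _ := pem.Decode(req.KeyPEM)
	if block == nil || block.Type != "RSA PUBLIC KEY" {
		return errors.New("refused: request carries no public key")
	}
	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
	if err != nil || !pub.Equal(rec.ClientPub) {
		return errors.New("refused: carried key is not the public key of this data's pair")
	}
	return nil
}

func main() {
	priv, _ := NewClientPair()
	ct, _ := Encrypt(&priv.PublicKey, []byte("client-A record (constructed sample)"))
	rec := ClientRecord{"client-A", "alice", &priv.PublicKey, ct}
	// Constructed requests: the owner with her private key, a stranger with nothing, a stranger with only the public half.
	for _, req := range []AccessRequest{
		{"alice", "client-A", PrivateKeyPEM(priv)},
		{"mallory", "client-A", nil},
		{"mallory", "client-A", PublicKeyPEM(&priv.PublicKey)},
	} {
		a := Detect(rec, req)
		pt, err := AuthorizeWithPrivateKey(rec, req)
		fmt.Printf("alarm to %s: %s (self=%v); result: %q %v\n", a.ClientID, a.Accessor, a.SelfAccess, pt, err)
	}
}
```

Run with `go run`: every one of the three constructed requests produces an alarm to client-A, and only the owner's request, the one carrying the private key of the pair, is granted and decrypts the record; the same three requests put through AuthorizeWithPublicKey show the Fig. 8 check admitting the stranger who holds the public half.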
In this embodiment, once an access request has been detected, the legitimacy of the data accessor is verified on the basis of the access request and the key pair associated with the data: a legitimate accessor is authorized and an illegitimate request is refused. Because an asymmetric key pair is used, the security of the data can be effectively ensured.
In addition, as soon as an access request is received an alarm is sent to the corresponding client, so that the client user can judge the legitimacy of the data accessor in time, which protects the data further.
Based on the above embodiments, the invention also provides a management system for a cloud terminal. The cloud terminal includes a large number of servers which store client data; that data needs to be encrypted so that it is not accessed arbitrarily and its security is ensured. The management system is provided with the cloud terminal data access authentication system in order to ensure the security of data access. The concrete structure and operating principle of that authentication system are essentially as described in the above embodiments, to which reference may be made; they are not repeated here.
In summary, the cloud terminal data access authentication method and system and the cloud terminal of the invention use a key pair to encrypt and decrypt data. When a data request is detected, the request is analyzed to determine whether it carries the key, so as to verify the identity of the data accessor: when the request carries the key (the private key or the public key), the accessor is a normal accessor and is granted access; when it does not, the accessor is unauthorized and the request is refused. Because a key pair is used for encryption and decryption, the security of the data can be ensured. The invention thus effectively overcomes various shortcomings of the prior art and has high industrial value.
The above embodiments only illustrate the principle of the invention and its effects and do not limit the invention. Anyone skilled in the art may modify or alter the above embodiments without departing from the spirit and scope of the invention. Accordingly, all equivalent modifications or changes made by those with ordinary knowledge in the art without departing from the spirit and technical ideas disclosed by the invention shall be covered by the claims of the invention.

Claims (10)

1. A cloud terminal data access authentication method, characterized in that the authentication method comprises the following steps:
S1, detecting an access request from a data accessor and sending an alarm to the corresponding client;
S2, analyzing the access rights of the data accessor on the basis of the access request and performing the corresponding operation according to the analysis result: when the access request carries the private key or the public key of the key pair, confirming the access mode as normal access and authorizing the data accessor to access the data.
2. The authentication method according to claim 1, characterized in that step S1 specifically comprises:
S11, converting the identity information of the client user into a digital code to form the key pair, the key pair comprising a public key and the corresponding private key;
S12, encrypting the data of the client on the basis of the key pair to obtain encrypted data;
S13, detecting an access request from a data accessor and, on the basis of that access request, sending an alarm to the corresponding client.
3. The authentication method according to claim 2, characterized in that step S12 is specifically: encrypting the data with the public key to obtain the encrypted data;
and step S2 specifically comprises:
S21, analyzing the access request and judging whether it carries the private key; if so, confirming the access as normal access and proceeding to step S22, otherwise confirming it as unauthorized access and proceeding to step S23;
S22, authorizing the data accessor and allowing it to access the data;
S23, refusing the access request of the data accessor.
4. The authentication method according to claim 1, characterized in that step S12 is specifically: encrypting the data with the private key to obtain the encrypted data;
and step S2 specifically comprises:
S81, analyzing the access request and judging whether it carries the public key; if so, confirming the access as normal access and proceeding to step S82, otherwise confirming it as unauthorized access and proceeding to step S83;
S82, authorizing the data accessor and allowing it to access the data;
S83, refusing the access request of the data accessor.
5. The authentication method according to claim 3 or 4, characterized in that, after the step of refusing the access request of the data accessor, the method further comprises:
storing the visit information of the data accessor.
6. A cloud terminal data access authentication system, characterized in that the authentication system comprises:
a detecting module for monitoring in real time whether a data accessor is accessing data on a server of the cloud terminal and, when an access request from a data accessor is detected, sending an alarm to the corresponding client;
an access control module connected to the detecting module, for analyzing the access rights of the data accessor on the basis of the access request and performing the corresponding operation according to the analysis result: when the access request carries the private key or the public key of the key pair, confirming the access mode as normal access and authorizing the data accessor to access the data.
7. The authentication system according to claim 6, characterized in that the detecting module specifically comprises:
a conversion unit for converting the identity information of the client user into a digital code to form the key pair, the key pair comprising a public key and the corresponding private key;
a ciphering unit connected to the conversion unit, for encrypting the data of the client on the basis of the key pair to obtain encrypted data;
a detecting unit connected to the ciphering unit, for monitoring in real time whether a data accessor is accessing data on a server of the cloud terminal and, when an access request from a data accessor is detected, sending an alarm to the corresponding client.
8. The authentication system according to claim 7, characterized in that the ciphering unit specifically encrypts the data of the client with the public key to obtain the encrypted data;
and the access control module specifically comprises:
a first judging unit for analyzing the access request and judging whether it carries the private key; if so, confirming the access as normal access, otherwise confirming it as unauthorized access;
a first granting unit connected to the first judging unit, for authorizing the data accessor and allowing it to access the data when the access is confirmed as normal;
a first refusal unit connected to the first judging unit, for refusing the access request of the data accessor when the access is confirmed as unauthorized.
9. The authentication system according to claim 7, characterized in that the ciphering unit specifically encrypts the data of the client with the private key to obtain the encrypted data;
and the access control module specifically comprises:
a second judging unit for analyzing the access request and judging whether it carries the public key; if so, confirming the access as normal access, otherwise confirming it as unauthorized access;
a second granting unit connected to the second judging unit, for authorizing the data accessor and allowing it to access the data when the access is confirmed as normal;
a second refusal unit connected to the second judging unit, for refusing the access request of the data accessor when the access is confirmed as unauthorized.
10. A cloud terminal management system, characterized in that it comprises the authentication system according to any one of claims 6 to 9.
Application CN201510847030.0A (CN), priority date and filing date 2015-11-26, published 2016-03-02 as CN105376242A; family ID 55378047. Legal status: Pending.

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106961435A (en) * 2017-03-22 2017-07-18 北京深思数盾科技股份有限公司 Access protection method and system
CN106961435B (en) * 2017-03-22 2019-12-13 北京深思数盾科技股份有限公司 Access protection method and system
CN110263553A (en) * 2019-05-13 2019-09-20 清华大学 Database access control method, apparatus and electronic device based on public key verification
CN110263553B (en) * 2019-05-13 2021-07-13 清华大学 Database access control method and device based on public key verification and electronic equipment
CN113111398A (en) * 2021-04-19 2021-07-13 龙应斌 Data security storage method and device for preventing illegal stealing

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030217165A1 (en) * 2002-05-17 2003-11-20 Microsoft Corporation End-to-end authentication of session initiation protocol messages using certificates
CN103002052A (en) * 2012-12-24 2013-03-27 百度在线网络技术(北京)有限公司 Resource positioning method and device in cloud database
CN104298934A (en) * 2014-10-27 2015-01-21 浪潮(北京)电子信息产业有限公司 File verification method, server and system in cloud calculation system
US20150089244A1 (en) * 2013-09-25 2015-03-26 Amazon Technologies, Inc. Data security using request-supplied keys
CN104980477A (en) * 2014-04-14 2015-10-14 航天信息股份有限公司 Data access control method and system in cloud storage environment
CN105007279A (en) * 2015-08-04 2015-10-28 北京百度网讯科技有限公司 Authentication method and authentication system

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2016-03-02