CN105404560A - RAID5 based security authentication method in object storage system - Google Patents


Info

Publication number
CN105404560A
Authority
CN
China
Prior art keywords
server
raid5
authentication request
target
tacontroller
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Granted, currently active
Application number
CN201510744366.4A
Other languages
Chinese (zh)
Other versions
CN105404560B (en)
Inventors
冯丹
王阿孟
胡燏翀
吴锋
文可
肖仁智
张晓阳
常栓霞
Current Assignee (as listed by Google Patents)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (as listed by Google Patents; not a legal conclusion)
2015-11-05
Filing date
2015-11-05
Publication date
2016-03-16

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00: Error detection; error correction; monitoring
    • G06F 11/07: Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/08: Error detection or correction by redundancy in data representation, e.g. by using checking codes
    • G06F 11/10: Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
    • G06F 11/1076: Parity data used in redundant arrays of independent storages, e.g. in RAID systems
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08: ... for authentication of entities
    • H04L 63/0823: ... for authentication of entities using certificates

Abstract

The invention discloses a RAID5-based security authentication method in an object storage system. Exploiting the security, reliability and low cost of RAID5, the method places N TA servers on the critical path of the object storage system (the Trusted Authority, TA), pools the storage resources of the N TA servers, and deploys RAID5 across them. When a client sends an authentication request, a TA Controller first assigns the request an ID and reduces the ID modulo N to select one target TA server; that server processes the client's authentication request and returns the result to the TA Controller, which stores the result in the RAID5 and accesses the data according to the RAID5 access mechanism. The redundant TA servers prevent a single point of failure, and RAID5 allows lost data to be recovered quickly, so that the security of TA-side user data and the reliability of the service are ensured. The method can greatly improve the security and reliability of TA-side data.

Description

RAID5-based security authentication method in an object storage system
Technical field
The invention belongs to the field of storage systems and security authentication, and more specifically relates to a security authentication method based on RAID5 (Redundant Array of Independent Disks, level 5) in an object storage system.
Background technology
With the arrival of the big-data era, data has become an invisible and priceless asset, and its security and reliability receive growing attention from governments, enterprises and individuals.
The Trusted Authority (TA) in an object storage system mainly holds important information such as the user information list and the Certificate Revocation List (CRL). When the TA server is attacked, the following risks arise:
Data loss: an attacker who breaks into the system and obtains user information can then enter the object storage system and retrieve the data the user has stored on the Object-based Storage Device (OSD), causing the user incalculable economic loss.
Data corruption: after breaking into the system, an attacker tampers with or damages user data, so that the user can no longer use the data on the OSD normally, again causing incalculable economic loss.
Service interruption: after breaking into the TA server, an attacker implants a Trojan that stops the TA server from providing service, causing a service outage; for an enterprise that must provide uninterrupted service this is undoubtedly a fatal blow.
Existing work on object storage systems relies on a single TA server to provide service; once that server is attacked, incalculable economic loss results.
Summary of the invention
To address the above defects of the prior art or needs for improvement, the invention provides a RAID5-based security authentication method in an object storage system, which deploys RAID5 on the critical path of the object storage system, the TA. Its purpose is to improve the security and reliability of the object storage system: when a single TA server is attacked, the object storage system can continue to provide normal service to users, and if data is lost or damaged it can be recovered quickly through the RAID5 recovery mechanism.
To achieve these goals, the invention provides a RAID5-based security authentication method in an object storage system, comprising the following steps:
(1) start N TA servers based on RAID5 and wait for clients (Client) to connect, where N is the number of TA servers;
(2) the Client sends an authentication request to the Trusted Authority controller (TAController), and the TAController selects one of the N TA servers as the target TA server;
(3) the selected target TA server processes the Client's authentication request and returns the authentication request result to the TAController;
(4) the TAController stores the authentication request result, distributed across the different disks that form the RAID5 according to the RAID5 access mechanism.
In one embodiment of the invention, step (2) comprises the following sub-steps:
(2.1) the authentication requests of multiple Clients are first sent to the TAController, which assigns each request an ID number (e.g. 0, 1, 2, ...), then computes ID modulo N (ID % N) and takes the TA server whose number equals the result as the target TA server; the N TA servers are numbered 1 to N;
(2.2) a connection path is established between the Client and the selected target TA server, which processes the Client's authentication request.
In one embodiment of the invention, step (3) comprises the following sub-steps:
(3.1) the target TA server and the Client first generate their respective session keys according to pre-agreed parameters and an algorithm; all subsequent communication is encrypted with the session key;
(3.2) the target TA server obtains the username and password contained in the authentication request sent by the Client and checks their validity. After the check passes, it compares them with the user information list to see whether there is a matching record;
Here the validity check refers to verifying the format and length of the username and password and whether they contain disallowed characters.
(3.3) if a match is found, the user's information is already in the user list, meaning a certificate has already been issued to the user and is still within its validity period; the target TA server then refuses to generate a new certificate for the user. If the user is not in the user list, the user is applying for a certificate for the first time and the target TA server accepts the Client's authentication request;
(3.4) the target TA server generates a private key and a certificate from the username and password, encrypts the private key and certificate with the session key and sends them to the Client. The Client decrypts the received private key and certificate data with its own session key, then decrypts with the private key the certificate that was encrypted with the public key, and finally stores the certificate locally on the Client;
(3.5) the target TA server returns the authentication request result to the TAController.
In one embodiment of the invention, step (4) comprises the following sub-steps:
(4.1) the selected target TA server returns the authentication request result data to the TAController, where it is held;
(4.2) the TAController stores the authentication request result returned by the target TA server, distributed across the different disks that form the RAID5 according to the RAID5 mechanism, to achieve secure storage.
In one embodiment of the invention, the value of N in step (1) is 3.
In general, compared with the prior art, the technical solution conceived by the invention has the following beneficial effects: the invention uses redundancy to effectively solve the single point of failure of the TA and improve system reliability; with RAID5, an attacker who breaks into one TA server can obtain only part of the user data rather than all of it, further protecting the security of user data; and RAID5 also allows lost or damaged data to be recovered quickly, ensuring the security and reliability of the data.
Accompanying drawing explanation
Fig. 1 is the structural diagram of the redundant-TA object storage system in an embodiment of the invention;
Fig. 2 is the TA server selection flowchart in an embodiment of the invention;
Fig. 3 is the TA server data storage flowchart in an embodiment of the invention;
Fig. 4 is the user registration and certificate issuance flowchart in an embodiment of the invention.
Embodiment
To make the objectives, technical solution and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it. In addition, the technical features of the embodiments described below may be combined with each other as long as they do not conflict.
As shown in Fig. 1, the redundant-TA object storage system on which the method is based is structured as follows:
The object storage system mainly comprises four parts: the client (Client), the Trusted Authority (TA), the metadata server (MDS) and the object storage device (OSD).
The redundant-TA object storage system builds on an ordinary object storage system by adding redundant TAs on the system's critical path, the TA, to improve the reliability of the system.
Flow of the redundant object storage system: the Client first sends an authentication request to the TAController. The TAController assigns the request an ID, computes the ID modulo N to select the target TA server, and forwards the username and password to that server. The target TA server first establishes a communication channel with the Client, then processes the authentication request and sends the result back to the TAController, which saves the user information in the TA cluster storage devices that form the RAID5. At the same time the certificate and the encrypted private key are sent to the Client, which decrypts the certificate it received and stores it locally. The Client then sends the certificate and its request to the MDS, which, after verification, returns a capability certificate and metadata to the Client. The Client uses the capability certificate and metadata it obtained to send requests to the OSD and retrieve the desired data.
As shown in Fig. 2, the TA server selection flow is as follows:
When a Client sends an authentication request to the TA, the request first arrives at the TAController, which assigns it an ID.
The TAController computes ID % 3 on the request ID to select the target TA server. If the result is 0, the TA server numbered 0 (TA0) processes the request; if the result is 1, TA1 processes it; if the result is 2, TA2 processes it.
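The dispatch rule of Fig. 2 and step (2.1), as an added example that is not part of the patent: a TAController that numbers requests, reduces the ID modulo N and hands each request to the matching TA server. Two points the patent leaves open are handled as labelled assumptions. The servers are numbered 0..N-1 as in the embodiment (claim 2 numbers them 1..N, which would require (ID % N) + 1 as the label), and a server that is down is skipped in favour of the next one, since a plain ID % N without that rule would keep sending every third request to a compromised or offline server and defeat the stated goal of continued service when a single TA server is attacked. Class and method names and the health set are the example's own.

```python
"""Added example (not from the patent): TAController request dispatch, Fig. 2 / step (2.1).

Assumptions not stated in the patent: 0-based server numbering as in the
embodiment (TA0..TA2), a health set maintained by the controller, and the
rule that an unhealthy server is skipped in favour of the next one.
"""


class TAController:
    """Assigns each authentication request an ID and selects a TA server by ID % N."""

    def __init__(self, n: int = 3):
        self.n = n                        # embodiment: N = 3
        self.healthy = set(range(n))      # indexes of TA servers currently reachable (assumption)
        self._next_id = 0

    def assign_id(self) -> int:
        """Step (2.1): request IDs are 0, 1, 2, ... in arrival order."""
        rid = self._next_id
        self._next_id += 1
        return rid

    def select(self, request_id: int) -> int:
        """Return the 0-based index of the target TA server for request_id.

        Fig. 2: ID % 3 == 0 -> TA0, 1 -> TA1, 2 -> TA2.  Claim 2 numbers the
        servers 1..N instead; under that scheme the label is (ID % N) + 1.
        If the selected server is unhealthy, the following servers are tried
        in order (assumption: the patent does not say what happens then).
        """
        if not self.healthy:
            raise RuntimeError("no TA server available")
        for step in range(self.n):
            idx = (request_id + step) % self.n
            if idx in self.healthy:
                return idx
        raise RuntimeError("unreachable: healthy set is non-empty")

    def dispatch(self, usernames):
        """Simulate a batch of client requests; return [(request_id, ta_index, username)]."""
        out = []
        for user in usernames:
            rid = self.assign_id()
            out.append((rid, self.select(rid), user))
        return out


def claim_label(ta_index: int) -> int:
    """Map the embodiment's 0-based index to the 1..N numbering used in claim 2."""
    return ta_index + 1


if __name__ == "__main__":
    ctl = TAController(n=3)
    # constructed sample requests, not data from the patent
    print(ctl.dispatch(["alice", "bob", "carol", "dave"]))   # round-robin over TA0..TA2
    ctl.healthy.discard(1)                                   # TA1 compromised or offline
    print(ctl.dispatch(["eve"]))                             # ID 4 -> 4 % 3 == 1 -> skipped -> TA2
```

With all three servers healthy the result is the pure round-robin of Fig. 2; once TA1 is removed from the health set, request 4 (4 % 3 == 1) goes to TA2 instead of failing.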
As shown in Fig. 3, the TA module's data storage flow is as follows:
After the TAController has chosen a target TA server for the Client's authentication request, a communication channel is established between the Client and the target TA server. The target TA server processes the Client's authentication request and returns the result to the TAController.
The TAController stores the returned authentication request result, distributed across the different disks that form the RAID5 according to the RAID5 access mechanism.
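Step (4) as the TAController would carry it out, as an added example that is not from the patent: a minimal RAID5 layout with N = 3 disks, which here stand for the pooled storage of the three TA servers, one XOR parity chunk per stripe rotated across the disks, a rebuild of one lost disk, and a look at what a single disk holds. The patent gives no chunk size, parity placement or record framing; the 8-byte chunks, the rotating parity and the 4-byte length prefix are this example's choices. The last function addresses the claim in the Summary that an intruder on one TA server obtains only part of the user data: it returns exactly the bytes of a record that one disk holds in clear (about a third, for N = 3). That is a structural effect of striping, not a confidentiality guarantee, and the rebuild function also shows that RAID5 survives only one missing disk.

```python
"""Added example (not from the patent): storing an authentication result on a
3-disk RAID5 and recovering it after one disk is lost (Fig. 3 / step (4)).

Assumptions: 8-byte chunks, N-1 data chunks plus one XOR parity chunk per
stripe, parity rotated one disk per stripe, and a 4-byte length prefix so
the record can be recovered without its padding.  The disks stand for the
pooled storage of the N TA servers.
"""

CHUNK = 8


def xor(*blocks: bytes) -> bytes:
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def parity_disk(stripe: int, n_disks: int) -> int:
    """Rotate the parity chunk so no single disk carries all parity writes."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(record: bytes, n_disks: int = 3) -> list:
    """Stripe record over n_disks; returns disks[d] = list of that disk's chunks, one per stripe."""
    data_chunks = n_disks - 1
    stripe_bytes = CHUNK * data_chunks
    payload = len(record).to_bytes(4, "big") + record
    payload += b"\0" * (-len(payload) % stripe_bytes)        # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(payload) // stripe_bytes):
        base = s * stripe_bytes
        chunks = [payload[base + k * CHUNK: base + (k + 1) * CHUNK] for k in range(data_chunks)]
        remaining = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor(*chunks) if d == parity_disk(s, n_disks) else next(remaining))
    return disks


def raid5_read(disks: list) -> bytes:
    """Reassemble the record from a complete array (every disk present)."""
    if any(d is None for d in disks):
        raise ValueError("array degraded: rebuild the missing disk first")
    n = len(disks)
    payload = b"".join(disks[d][s] for s in range(len(disks[0])) for d in range(n)
                       if d != parity_disk(s, n))
    length = int.from_bytes(payload[:4], "big")
    return payload[4:4 + length]


def raid5_recover(disks: list, lost: int) -> list:
    """Rebuild disk `lost` (given as None) from the others; RAID5 tolerates exactly one missing disk."""
    survivors = [d for i, d in enumerate(disks) if i != lost]
    if any(d is None for d in survivors):
        raise ValueError("two disks missing: RAID5 cannot recover")
    rebuilt = [xor(*(d[s] for d in survivors)) for s in range(len(survivors[0]))]
    return [rebuilt if i == lost else d for i, d in enumerate(disks)]


def plaintext_on_disk(disks: list, d: int) -> bytes:
    """Data chunks (not parity) held by disk d: what an intruder on that TA server reads in clear."""
    n = len(disks)
    return b"".join(c for s, c in enumerate(disks[d]) if parity_disk(s, n) != d)


if __name__ == "__main__":
    # constructed sample authentication result, not real data
    record = b"user=alice;cert_serial=0x1a2b;valid_until=2016-11-05"
    disks = raid5_write(record)
    degraded = [None if i == 1 else d for i, d in enumerate(disks)]   # TA1's storage lost
    print(raid5_read(raid5_recover(degraded, 1)) == record)            # True
    for i in range(3):
        print(i, len(plaintext_on_disk(disks, i)), plaintext_on_disk(disks, i))
```

For the 52-byte sample record the array holds four stripes; disks 0 and 1 each hold 24 bytes of the 64-byte payload in clear and disk 2 holds 16, so a single compromised TA server still reads a recognisable fragment such as `=alice;c`. Keeping the list confidential against that attacker requires encrypting the records before they are striped; the RAID5 layer only buys back availability.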
As shown in Fig. 4, the user registration and certificate issuance flow is as follows:
When the Client sends an authentication request to the TAController, the TAController retrieves the user information list from the RAID5.
After the Client sends the authentication request to the TAController, the TAController first listens for the user request; after obtaining the username and password it first performs the validity check and, once that passes, compares them with the user information list to see whether there is a matching record. If there is a match, the user's information is already in the list, a certificate has already been issued to the user and that certificate is still within its validity period, so no new certificate is generated for the user. If there is no match, the user is applying for a certificate for the first time, so a public/private key pair is generated for the user, the certificate is transmitted, and the user information list is updated.
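The decision of Fig. 4 and steps (3.2) and (3.3), as an added example that is not from the patent: the validity check on username and password, the lookup in the user information list, and the refuse/issue decision. The patent leaves several details open and the example fills them with labelled assumptions: the character set and length limits, a one-year certificate validity, what happens when a matching record exists but its certificate has expired (treated here like a first application, after the password is re-checked so that a lapsed username cannot simply be taken over), and how the password is kept in the list (a salted PBKDF2 hash rather than the password itself). Key and certificate generation and the session-key transport of steps (3.1) and (3.4) are not modelled; a certificate is represented by a serial number and an expiry time. Note that the Summary assigns these checks to the target TA server and Fig. 4 to the TAController; the function is written so that either side can call it.

```python
"""Added example (not from the patent): TA-side registration decision, Fig. 4 / steps (3.2)-(3.3).

Assumptions the patent does not state: the username/password rules below, a
365-day certificate lifetime, salted PBKDF2 password storage, and treating an
expired record as a first application once the password is re-verified.
Key/certificate generation is not modelled; a certificate is a serial + expiry.
Times are Unix seconds so the caller controls the clock.
"""
import hashlib
import re
import secrets
from typing import Optional

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")     # assumed format and length rule
PASSWORD_MIN, PASSWORD_MAX = 8, 128                   # assumed length rule
DISALLOWED = set("\x00\r\n;'\"\\")                     # assumed disallowed characters
CERT_LIFETIME = 365 * 86400                           # assumed validity period, seconds


def check_legitimacy(username: str, password: str) -> Optional[str]:
    """Step (3.2) validity check: format, length, disallowed characters. None when OK."""
    if not USERNAME_RE.fullmatch(username):
        return "username: bad format or length"
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        return "password: bad length"
    if DISALLOWED & set(password):
        return "password: disallowed character"
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Assumption: the list stores a salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def handle_registration(user_list: dict, username: str, password: str, now: int) -> dict:
    """Step (3.3): refuse if the user already holds an unexpired certificate, else issue one.

    user_list is the TA's user information list (username -> record); in the
    patent it is read from, and written back to, the RAID5 via the TAController.
    The returned dict is the "authentication request result" handed to the controller.
    """
    err = check_legitimacy(username, password)
    if err:
        return {"status": "rejected", "reason": err}
    record = user_list.get(username)
    if record is not None:
        if record["valid_until"] > now:
            # match found and certificate still valid: no new certificate
            return {"status": "refused", "reason": "certificate already issued and still valid",
                    "serial": record["serial"]}
        # expired record (assumption): re-check the password before reissuing,
        # otherwise anyone could claim a lapsed username
        if not secrets.compare_digest(hash_password(password, record["salt"]), record["pw_hash"]):
            return {"status": "rejected", "reason": "password mismatch for existing user"}
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "pw_hash": hash_password(password, salt),
              "serial": secrets.token_hex(8), "valid_until": now + CERT_LIFETIME}
    user_list[username] = record        # list update, persisted by the TAController in step (4)
    return {"status": "issued", "serial": record["serial"], "valid_until": record["valid_until"]}


if __name__ == "__main__":
    now = 1458086400                    # 2016-03-16 UTC; constructed sample clock
    user_list = {}
    print(handle_registration(user_list, "alice", "correct horse battery", now))               # issued
    print(handle_registration(user_list, "alice", "correct horse battery", now + 30 * 86400))  # refused
    print(handle_registration(user_list, "alice", "correct horse battery", now + 400 * 86400)) # issued again
    print(handle_registration(user_list, "bob", "pass;word123", now))                          # rejected
```

The four calls at the bottom walk through the branches of Fig. 4: first application, repeat request inside the validity period, request after expiry, and a password that fails the disallowed-character check before the list is consulted at all.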
Those skilled in the art will readily understand that the foregoing is only a preferred embodiment of the invention and is not intended to limit it; any modifications, equivalent replacements and improvements made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (6)

1. A RAID5-based security authentication method in an object storage system, characterized in that it comprises the following steps:
(1) starting N TA servers based on RAID5 and waiting for clients (Client) to connect, where N is the number of TA servers;
(2) the Client sending an authentication request to the Trusted Authority controller (TAController), and the TAController selecting one of the N TA servers as the target TA server;
(3) the selected target TA server processing the Client's authentication request and returning the authentication request result to the TAController;
(4) the TAController storing the authentication request result, distributed across the different disks that form the RAID5 according to the RAID5 access mechanism.
2. The RAID5-based security authentication method in an object storage system according to claim 1, characterized in that step (2) specifically comprises the following sub-steps:
(2.1) the authentication requests of multiple Clients are first sent to the TAController, which assigns ID numbers to the authentication requests and then computes ID % N on each ID, taking the TA server whose number equals the result as the target TA server, where the N TA servers are numbered 1 to N;
(2.2) a connection path is established between the Client and the selected target TA server, which processes the Client's authentication request.
3. The RAID5-based security authentication method in an object storage system according to claim 1 or 2, characterized in that step (3) specifically comprises the following sub-steps:
(3.1) the target TA server and the Client generate their respective session keys according to pre-agreed parameters and an algorithm, and all subsequent communication is encrypted with the session key;
(3.2) the target TA server obtains the username and password contained in the authentication request sent by the Client and checks their validity; after the check passes, it compares them with the user information list to see whether there is a matching record;
(3.3) if a match is found, the user's information is in the user list, a certificate has already been issued to the user and is still within its validity period, and the target TA server refuses to generate a new certificate for the user; if the user is not in the user list, the user is applying for a certificate for the first time and the target TA server accepts the Client's authentication request;
(3.4) the target TA server generates a private key and a certificate from the username and password, encrypts the private key and certificate with the session key and sends them to the Client; the Client decrypts the received private key and certificate data with its own session key, then decrypts with the private key the certificate that was encrypted with the public key, and finally stores the certificate locally on the Client;
(3.5) the target TA server returns the authentication request result to the TAController.
4. The RAID5-based security authentication method in an object storage system according to claim 1 or 2, characterized in that step (4) specifically comprises the following sub-steps:
(4.1) the selected target TA server returns the authentication request result data to the TAController, where it is held;
(4.2) the TAController stores the authentication request result returned by the target TA server, distributed across the different disks that form the RAID5 according to the RAID5 mechanism, to achieve secure storage.
5. The RAID5-based security authentication method in an object storage system according to claim 3, characterized in that the validity check in step (3.2) refers to verifying the format and length of the username and password and whether they contain disallowed characters.
6. The RAID5-based security authentication method in an object storage system according to claim 1 or 2, characterized in that the value of N in step (1) is 3.

Priority Applications (1)

Application number: CN201510744366.4A (granted as CN105404560B)
Priority date: 2015-11-05
Filing date: 2015-11-05
Title: RAID5 based security authentication method in object storage system

Publications (2)

CN105404560A (en), published 2016-03-16
CN105404560B (en), published 2019-01-04

Family

ID: 55470058

Family Applications (1)

CN201510744366.4A (Active; granted as CN105404560B), priority date 2015-11-05, filing date 2015-11-05: RAID5 based security authentication method in object storage system

Country Status (1)

CN: CN105404560B (en)

Citations (5)

* Cited by examiner, † Cited by third party
US20030182549A1 * (priority 2002-03-22, published 2003-09-25), Hallin Philip J.: Systems and methods for distributing trusted certification authorities
CN101095116A * (priority 2004-11-05, published 2007-12-26), Data Robotics, Inc.: Storage system condition indicator and method
US20080098212A1 * (priority 2006-10-20, published 2008-04-24), Helms William L.: Downloadable security and protection methods and apparatus
CN101534295A * (priority 2009-04-08, published 2009-09-16), Harbin Engineering University: Storage method of architecture based on object storage system
CN104917843A * (priority 2015-06-17, published 2015-09-16), Jiaxing First Hospital: Cloud storage and medical image seamless joint system

Also Published As

CN105404560B (en), published 2019-01-04

Legal Events

C06: Publication (2016-03-16)
PB01: Publication (2016-03-16)
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
GR01: Patent grant (2019-01-04)