CN105404560B - Safety certifying method based on RAID5 in a kind of object storage system - Google Patents
Safety certifying method based on RAID5 in a kind of object storage system Download PDFInfo
- Publication number
- CN105404560B CN105404560B CN201510744366.4A CN201510744366A CN105404560B CN 105404560 B CN105404560 B CN 105404560B CN 201510744366 A CN201510744366 A CN 201510744366A CN 105404560 B CN105404560 B CN 105404560B
- Authority
- CN
- China
- Prior art keywords
- server
- raid5
- controller
- certification request
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
- G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
- G06F11/1076—Parity data used in redundant arrays of independent storages, e.g. in RAID systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses the safety certifying methods based on RAID5 in a kind of object storage system.This method comprises: N platform TA server is arranged on the critical path TA of object storage system using the characteristic of the safe and reliable low cost of RAID5, then the storage resource on N platform TA server is integrated, and dispose RAID5 on it.When client sends certification request, TA Controller assigns ID to certification request first, and modulo operation is carried out to ID, it selects a target TA server to handle the end Client certification request, certification request processing result is returned in TA Controller.Processing result is stored in RAID5 by TA Controller, carries out data access according to the access mechanism of RAID5.Redundancy TA server can be effectively prevented Single Point of Faliure, meanwhile, RAID5 ensures that fast quick-recovery when loss of data, guarantees the safety and reliability of service of TA end-user data.The security reliability of TA end data can be significantly increased in the present invention.
Description
Technical field
The invention belongs to storage systems and technical field of security authentication, more particularly, in a kind of object storage system
Safety certifying method based on RAID5 (Redundant Arrays of Independent Disks 5, disk array 5).
Background technique
The arrival of big data era, so that data become a kind of invisible and priceless assets, security reliability is also gradually
Paid attention to and paid close attention to by country, enterprise and individual.
((Trusted Authority, TA) mainly includes user information list and card to trusted party in object storage system
The important informations such as book revocation list (Certificate Revocation List, CRL), when TA server is hacked
When, there can be following risk:
Loss of data: hacker's invasive system obtains user hence into object storage system after the acquisition of information of user
The data being stored in object storage device (Object-based Storage Device, OSD), cause not estimating to user
Economic loss.
Corrupted data: after hacker's invasive system, distorting user data and damaged, so that user can not normally make
With the data in OSD, immeasurable economic loss is caused.
Service disruption: after hacker invades TA server, implantation trojan horse makes TA server that can not normally provide clothes
Business, leads to service disruption, this will be undoubtedly a kind of deathblow for the enterprise for needing uninterruptedly to provide service.
The related work of existing object storage system is all single TA server providing services, if once the server
Under attack, it will cause imponderable economic losses.
Summary of the invention
Aiming at the above defects or improvement requirements of the prior art, the present invention provides be based in a kind of object storage system
The safety certifying method of RAID5 disposes RAID5 on the critical path TA of object storage system, and the purpose is to improve object to deposit
The security reliability of storage system;In the case where separate unit TA server is under attack, object storage system be can continue to user
Normal service is provided;If loss of data or damage, the fast quick-recovery data of Restoration Mechanism of RAID5 can be passed through.
To achieve the goals above, the present invention provides the safety certification sides based on RAID5 in a kind of object storage system
Method includes the following steps:
(1) start the N platform TA server based on RAID5, wait client (Client) connection, wherein N is TA server
Quantity;
(2) certification request is sent to trusted party controller (TA Controller), TA by the end Client
Controller select one in above-mentioned more TA servers as target TA server;
(3) selected target TA server handles the certification request at the end Client, and certification request is handled
As a result TA Controller is returned to;
(4) TA Controller constitutes the certification request processing result according to the access mechanism dispersion deposit of RAID5
In the different disk of RAID5.
In one embodiment of the present of invention, the step (2) includes following sub-step:
(2.1) certification request at multiple ends Client is sent to first in TA Controller, TA Controller
ID number (such as 0,1,2......) is carried out to certification request, modulo operation (ID%N) then is carried out to ID, number is equal to
For the TA server of modulo operation result as target TA server, the number of above-mentioned N platform TA server is respectively 1-N;
(2.2) connecting path, selected mesh are established between the end Client and selected target TA server
Mark TA server is for handling the certification request at the end Client.
In one embodiment of the present of invention, the step (3) includes following sub-step:
(3.1) target TA server and the end Client generate respective meeting first, in accordance with the parameter and algorithm arranged in advance
Code key is talked about, subsequent communication process all passes through session code key and carries out encrypted transmission;
(3.2) target TA server obtains the username and password for including in the certification request that the end Client is sent, then
Legitimate verification is carried out to username and password.After being verified, the information in user information list is compared, has checked whether number
According to matching;
Wherein whether legitimate verification refers to the format to user name, password, length, tests comprising forbidden character etc.
Card.
(3.3) if having Data Matching in comparison, illustrate user information in user list.Illustrate to use
Family is transmitted across certificate and before the deadline, and new certificate is generated for user in target TA server refusal at this time;If not in user
In list, illustrate that user is first application certificate, target TA server receives the certification request at the end Client;
(3.4) target TA server generates private key and certificate by user name, password, and by session code key by private key and
The end Client is sent to after certificate encryption.The end Client is carried out by the received private key of session secret key pair of itself, certificate data
Decryption, is then decrypted the certificate for using public key encryption with private key, certificate is finally stored in the end Client;
(3.5) target TA server returns to certification request processing result in TA Controller.
In one embodiment of the present of invention, the step (4) includes following sub-step:
(4.1) data of certification request processing result are returned to TA Controller by selected target TA server,
And it is stored in TA Controller;
(4.2) the certification request processing result that TA controller returns to target TA server is according to RAID5 mechanism point
It dissipates deposit to constitute in the different disk of RAID5, to realize secure storage.
In one embodiment of the present of invention, the N value in the step (1) is 3.
In general, through the invention it is contemplated above technical scheme is compared with the prior art, have below beneficial to effect
Fruit: the problem of present invention utilizes redundancy, can efficiently solve TA Single Point of Faliure improves the reliability of system;It utilizes
RAID5 technology can make hacker invade certain TA server, also can only fetching portion user data and not all number of users
According to further ensuring the safety of user data;Using RAID5 technology, the data lost and damaged can also be carried out quick
Restore, guarantees the safety and reliability of data.
Detailed description of the invention
Fig. 1 is redundancy TA object storage system structure chart in the embodiment of the present invention;
Fig. 2 is that TA server selects flow chart in the embodiment of the present invention;
Fig. 3 is TA server storing data flow chart in the embodiment of the present invention;
Fig. 4 is user's registration and certificate authority flow chart in the embodiment of the present invention.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right
The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and
It is not used in the restriction present invention.As long as in addition, technical characteristic involved in the various embodiments of the present invention described below
Not constituting a conflict with each other can be combined with each other.
As shown in Figure 1, the redundancy TA object storage system structure chart that the method for the present invention is based on is described in detail as follows:
Object storage system mainly includes four parts: client Client, trusted party TA, meta data server MDS,
Object storage device OSD.
Redundancy TA object storage system on the critical path TA of system, is built on the basis of object storage system
Redundancy TA improves the reliability of system.
Redundancy object storage system process: the end Client sends certification request, TA to TA Controller first
Controller is that certification request assigns ID first, then carries out modulo operation to certification request ID, selects target TA service
Device, and username and password information is sent to target TA server.Target TA server establishes one with the end Client first
Then communication line is handled certification request, and certification request processing result is sent back in TA Controller, by
User information is saved in the TA cluster-based storage equipment for constituting RAID5 by TA Controller.Simultaneously by certificate, private key encryption
It is sent to the end Client, is stored in local after the certificate decryption that the end Client will acquire.The end Client sends certificate and request
To the end MDS, the end MDS is by returning to the end Client for powers and functions certificate and metadata information after verifying.The end Client utilizes acquisition
Powers and functions certificate and metadata information to the end OSD send request, obtain needed for data.
As shown in Fig. 2, TA server selection flow chart is described in detail as follows:
When the end Client sends certification request to TA server, it is first sent in TA Controller, by TA
Controller is that certification request assigns ID.
TA Controller carries out modulo operation (ID%3) to certification request ID, selects target TA server.If taken
Modular arithmetic result is 0, then selects to number the TA0 server process certification request for 0;If modulo operation result is 1, select
The TA1 server process certification request that number is 1;If modulo operation result is 2, select to number at for 2 TA2 server
Manage certification request.
As shown in figure 3, TA module storing data flow chart is described in detail as follows:
After TA Controller is that the end Client certification request chooses target TA server, can at the end Client and
A communication line is established between target TA server.The end Client certification request is handled by target TA server, and will be recognized
Card request processing result returns in TA Controller.
The certification request processing result of return is dispersed deposit according to RAID5 access mechanism and constituted by TA Controller
In the different disk of RAID5.
As shown in figure 4, user's registration is described in detail as follows with certificate authority flow chart:
When the end Client sends certification request to TA Controller, the use in RAID5 is obtained by TA Controller
Family information list.
After the end Client issues certification request to TA Controller, TA Controller first listens to user's request,
After obtaining user name, password, legitimate verification is carried out first, after being verified, is compared the information in user information list, is seen
See if there is Data Matching.If any Data Matching, illustrate that user information in lists, is transmitted across certificate to user,
And certificate is still before the deadline, new certificate is generated for user in refusal at this time.If no data matches, illustrate that user is first
Secondary application certificate just generates public and private key for it and transmits certificate, updates user information list.
As it will be easily appreciated by one skilled in the art that the foregoing is merely illustrative of the preferred embodiments of the present invention, not to
The limitation present invention, any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should all include
Within protection scope of the present invention.
Claims (4)
1. based on the safety certifying method of RAID5 in a kind of object storage system, which comprises the steps of:
(1) start the N platform TA server based on RAID5, wait client Client connection, wherein N is the quantity of TA server;
(2) certification request is sent to trusted party controller TA Controller, TA Controller selection by the end Client
One in above-mentioned more TA servers is used as target TA server;
(3) selected target TA server handles the certification request at the end Client, and by certification request processing result
Return to TA Controller;
(4) TA Controller constitutes the certification request processing result according to the access mechanism dispersion deposit of RAID5
In the different disk of RAID5;
The step (3) specifically includes following sub-step:
(3.1) target TA server and the end Client generate respective session code key according to the parameter and algorithm arranged in advance, after
Continuous communication process all passes through session code key and carries out encrypted transmission;
(3.2) target TA server obtain the end Client send certification request in include username and password, then to
Name in an account book and password carry out legitimate verification;After being verified, the information in user information list is compared, has checked whether data
Match;
(3.3) if having Data Matching in comparison, illustrate that user information in user list, is transmitted across to user
Certificate and before the deadline, new certificate is generated for user in target TA server refusal at this time;If said not in user list
Bright user is first application certificate, and target TA server receives the certification request at the end Client;
(3.4) target TA server generates private key and certificate by user name, password, and passes through session code key for private key and certificate
The end Client is sent to after encryption;The end Client is decrypted by the received private key of session secret key pair of itself, certificate data,
Then the certificate for using public key encryption is decrypted with private key, certificate is finally stored in the end Client;
(3.5) target TA server returns to certification request processing result in TA Controller;
The step (4) specifically includes following sub-step:
(4.1) data of certification request processing result are returned to TA Controller by selected target TA server, and are protected
There are in TA Controller;
(4.2) TA controller deposits the certification request processing result that target TA server returns according to the dispersion of RAID5 mechanism
Enter to constitute in the different disk of RAID5, to realize secure storage.
2. based on the safety certifying method of RAID5 in object storage system as described in claim 1, which is characterized in that described
Step (2) specifically includes following sub-step:
(2.1) certification request at multiple ends Client is sent to first in TA Controller, and TA Controller is to recognizing
Card request carries out ID number, then carries out modulo operation ID%N to ID, and the TA server that number is equal to modulo operation result is made
For target TA server, wherein the number of above-mentioned N platform TA server is respectively 1-N;
(2.2) connecting path, selected target TA are established between the end Client and selected target TA server
Server is for handling the certification request at the end Client.
3. based on the safety certifying method of RAID5 in object storage system as described in claim 1, which is characterized in that in institute
Progress legitimate verification in step (3.2) is stated to refer to the format to username and password, length, whether carry out comprising forbidden character
Verifying.
4. based on the safety certifying method of RAID5 in object storage system as described in claim 1, which is characterized in that described
N value in step (1) is 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510744366.4A CN105404560B (en) | 2015-11-05 | 2015-11-05 | Safety certifying method based on RAID5 in a kind of object storage system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510744366.4A CN105404560B (en) | 2015-11-05 | 2015-11-05 | Safety certifying method based on RAID5 in a kind of object storage system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105404560A CN105404560A (en) | 2016-03-16 |
CN105404560B true CN105404560B (en) | 2019-01-04 |
Family
ID=55470058
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510744366.4A Active CN105404560B (en) | 2015-11-05 | 2015-11-05 | Safety certifying method based on RAID5 in a kind of object storage system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105404560B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117134918A (en) * | 2023-07-20 | 2023-11-28 | 威艾特科技(深圳)有限公司 | Distributed data signature verification method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030182549A1 (en) * | 2002-03-22 | 2003-09-25 | Hallin Philip J. | Systems and methods for distributing trusted certification authorities |
CN101095116A (en) * | 2004-11-05 | 2007-12-26 | 数据机器人技术公司 | Storage system condition indicator and method |
US20080098212A1 (en) * | 2006-10-20 | 2008-04-24 | Helms William L | Downloadable security and protection methods and apparatus |
CN101534295A (en) * | 2009-04-08 | 2009-09-16 | 哈尔滨工程大学 | Storage method of architecture based on object storage system |
CN104917843A (en) * | 2015-06-17 | 2015-09-16 | 嘉兴市第一医院 | Cloud storage and medical image seamless joint system |
-
2015
- 2015-11-05 CN CN201510744366.4A patent/CN105404560B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030182549A1 (en) * | 2002-03-22 | 2003-09-25 | Hallin Philip J. | Systems and methods for distributing trusted certification authorities |
CN101095116A (en) * | 2004-11-05 | 2007-12-26 | 数据机器人技术公司 | Storage system condition indicator and method |
US20080098212A1 (en) * | 2006-10-20 | 2008-04-24 | Helms William L | Downloadable security and protection methods and apparatus |
CN101534295A (en) * | 2009-04-08 | 2009-09-16 | 哈尔滨工程大学 | Storage method of architecture based on object storage system |
CN104917843A (en) * | 2015-06-17 | 2015-09-16 | 嘉兴市第一医院 | Cloud storage and medical image seamless joint system |
Also Published As
Publication number | Publication date |
---|---|
CN105404560A (en) | 2016-03-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11799656B2 (en) | Security authentication method and device | |
KR102493744B1 (en) | Security Verification Method Based on Biometric Characteristics, Client Terminal, and Server | |
US9432339B1 (en) | Automated token renewal using OTP-based authentication codes | |
KR102193644B1 (en) | Facility verification method and device | |
EP3219049B1 (en) | Account recovery protocol | |
US8997198B1 (en) | Techniques for securing a centralized metadata distributed filesystem | |
US9317714B2 (en) | Storing user data in a service provider cloud without exposing user-specific secrets to the service provider | |
CN103220344B (en) | Microblogging licenses method and system | |
CN105409186B (en) | system and method for user authentication | |
CN109347835A (en) | Information transferring method, client, server and computer readable storage medium | |
US20150033020A1 (en) | Protocol for Controlling Access to Encryption Keys | |
CN103607393A (en) | Data safety protection method based on data partitioning | |
US20200412554A1 (en) | Id as service based on blockchain | |
US9154304B1 (en) | Using a token code to control access to data and applications in a mobile platform | |
CN103138939A (en) | Secret key use time management method based on credible platform module under cloud storage mode | |
CN1937498A (en) | Dynamic cipher authentication method, system and device | |
WO2016014120A1 (en) | Device authentication agent | |
KR102137122B1 (en) | Security check method, device, terminal and server | |
CN104601593A (en) | Anti-tracking method in network electronic identity authentication process based on challenge modes | |
CN206212040U (en) | A kind of real-name authentication system for express delivery industry | |
CN112989426B (en) | Authorization authentication method and device, and resource access token acquisition method | |
Nayak et al. | An improved mutual authentication framework for cloud computing | |
CN101552676B (en) | Host module legitimacy verification method, system and device using a card module | |
JP2011176435A (en) | Secret key sharing system, method, data processor, management server, and program | |
CN106331042A (en) | Single sign-on method and device for heterogeneous user system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |