CN105404560B - Safety certifying method based on RAID5 in a kind of object storage system - Google Patents

Safety certifying method based on RAID5 in a kind of object storage system Download PDF

Info

Publication number
CN105404560B
CN105404560B CN201510744366.4A CN201510744366A CN105404560B CN 105404560 B CN105404560 B CN 105404560B CN 201510744366 A CN201510744366 A CN 201510744366A CN 105404560 B CN105404560 B CN 105404560B
Authority
CN
China
Prior art keywords
server
raid5
controller
certification request
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510744366.4A
Other languages
Chinese (zh)
Other versions
CN105404560A (en
Inventor
冯丹
王阿孟
胡燏翀
吴锋
文可
肖仁智
张晓阳
常栓霞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huazhong University of Science and Technology filed Critical Huazhong University of Science and Technology
Priority to CN201510744366.4A priority Critical patent/CN105404560B/en
Publication of CN105404560A publication Critical patent/CN105404560A/en
Application granted granted Critical
Publication of CN105404560B publication Critical patent/CN105404560B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/08Error detection or correction by redundancy in data representation, e.g. by using checking codes
    • G06F11/10Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
    • G06F11/1076Parity data used in redundant arrays of independent storages, e.g. in RAID systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses the safety certifying methods based on RAID5 in a kind of object storage system.This method comprises: N platform TA server is arranged on the critical path TA of object storage system using the characteristic of the safe and reliable low cost of RAID5, then the storage resource on N platform TA server is integrated, and dispose RAID5 on it.When client sends certification request, TA Controller assigns ID to certification request first, and modulo operation is carried out to ID, it selects a target TA server to handle the end Client certification request, certification request processing result is returned in TA Controller.Processing result is stored in RAID5 by TA Controller, carries out data access according to the access mechanism of RAID5.Redundancy TA server can be effectively prevented Single Point of Faliure, meanwhile, RAID5 ensures that fast quick-recovery when loss of data, guarantees the safety and reliability of service of TA end-user data.The security reliability of TA end data can be significantly increased in the present invention.

Description

Safety certifying method based on RAID5 in a kind of object storage system
Technical field
The invention belongs to storage systems and technical field of security authentication, more particularly, in a kind of object storage system Safety certifying method based on RAID5 (Redundant Arrays of Independent Disks 5, disk array 5).
Background technique
The arrival of big data era, so that data become a kind of invisible and priceless assets, security reliability is also gradually Paid attention to and paid close attention to by country, enterprise and individual.
((Trusted Authority, TA) mainly includes user information list and card to trusted party in object storage system The important informations such as book revocation list (Certificate Revocation List, CRL), when TA server is hacked When, there can be following risk:
Loss of data: hacker's invasive system obtains user hence into object storage system after the acquisition of information of user The data being stored in object storage device (Object-based Storage Device, OSD), cause not estimating to user Economic loss.
Corrupted data: after hacker's invasive system, distorting user data and damaged, so that user can not normally make With the data in OSD, immeasurable economic loss is caused.
Service disruption: after hacker invades TA server, implantation trojan horse makes TA server that can not normally provide clothes Business, leads to service disruption, this will be undoubtedly a kind of deathblow for the enterprise for needing uninterruptedly to provide service.
The related work of existing object storage system is all single TA server providing services, if once the server Under attack, it will cause imponderable economic losses.
Summary of the invention
Aiming at the above defects or improvement requirements of the prior art, the present invention provides be based in a kind of object storage system The safety certifying method of RAID5 disposes RAID5 on the critical path TA of object storage system, and the purpose is to improve object to deposit The security reliability of storage system;In the case where separate unit TA server is under attack, object storage system be can continue to user Normal service is provided;If loss of data or damage, the fast quick-recovery data of Restoration Mechanism of RAID5 can be passed through.
To achieve the goals above, the present invention provides the safety certification sides based on RAID5 in a kind of object storage system Method includes the following steps:
(1) start the N platform TA server based on RAID5, wait client (Client) connection, wherein N is TA server Quantity;
(2) certification request is sent to trusted party controller (TA Controller), TA by the end Client Controller select one in above-mentioned more TA servers as target TA server;
(3) selected target TA server handles the certification request at the end Client, and certification request is handled As a result TA Controller is returned to;
(4) TA Controller constitutes the certification request processing result according to the access mechanism dispersion deposit of RAID5 In the different disk of RAID5.
In one embodiment of the present of invention, the step (2) includes following sub-step:
(2.1) certification request at multiple ends Client is sent to first in TA Controller, TA Controller ID number (such as 0,1,2......) is carried out to certification request, modulo operation (ID%N) then is carried out to ID, number is equal to For the TA server of modulo operation result as target TA server, the number of above-mentioned N platform TA server is respectively 1-N;
(2.2) connecting path, selected mesh are established between the end Client and selected target TA server Mark TA server is for handling the certification request at the end Client.
In one embodiment of the present of invention, the step (3) includes following sub-step:
(3.1) target TA server and the end Client generate respective meeting first, in accordance with the parameter and algorithm arranged in advance Code key is talked about, subsequent communication process all passes through session code key and carries out encrypted transmission;
(3.2) target TA server obtains the username and password for including in the certification request that the end Client is sent, then Legitimate verification is carried out to username and password.After being verified, the information in user information list is compared, has checked whether number According to matching;
Wherein whether legitimate verification refers to the format to user name, password, length, tests comprising forbidden character etc. Card.
(3.3) if having Data Matching in comparison, illustrate user information in user list.Illustrate to use Family is transmitted across certificate and before the deadline, and new certificate is generated for user in target TA server refusal at this time;If not in user In list, illustrate that user is first application certificate, target TA server receives the certification request at the end Client;
(3.4) target TA server generates private key and certificate by user name, password, and by session code key by private key and The end Client is sent to after certificate encryption.The end Client is carried out by the received private key of session secret key pair of itself, certificate data Decryption, is then decrypted the certificate for using public key encryption with private key, certificate is finally stored in the end Client;
(3.5) target TA server returns to certification request processing result in TA Controller.
In one embodiment of the present of invention, the step (4) includes following sub-step:
(4.1) data of certification request processing result are returned to TA Controller by selected target TA server, And it is stored in TA Controller;
(4.2) the certification request processing result that TA controller returns to target TA server is according to RAID5 mechanism point It dissipates deposit to constitute in the different disk of RAID5, to realize secure storage.
In one embodiment of the present of invention, the N value in the step (1) is 3.
In general, through the invention it is contemplated above technical scheme is compared with the prior art, have below beneficial to effect Fruit: the problem of present invention utilizes redundancy, can efficiently solve TA Single Point of Faliure improves the reliability of system;It utilizes RAID5 technology can make hacker invade certain TA server, also can only fetching portion user data and not all number of users According to further ensuring the safety of user data;Using RAID5 technology, the data lost and damaged can also be carried out quick Restore, guarantees the safety and reliability of data.
Detailed description of the invention
Fig. 1 is redundancy TA object storage system structure chart in the embodiment of the present invention;
Fig. 2 is that TA server selects flow chart in the embodiment of the present invention;
Fig. 3 is TA server storing data flow chart in the embodiment of the present invention;
Fig. 4 is user's registration and certificate authority flow chart in the embodiment of the present invention.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and It is not used in the restriction present invention.As long as in addition, technical characteristic involved in the various embodiments of the present invention described below Not constituting a conflict with each other can be combined with each other.
As shown in Figure 1, the redundancy TA object storage system structure chart that the method for the present invention is based on is described in detail as follows:
Object storage system mainly includes four parts: client Client, trusted party TA, meta data server MDS, Object storage device OSD.
Redundancy TA object storage system on the critical path TA of system, is built on the basis of object storage system Redundancy TA improves the reliability of system.
Redundancy object storage system process: the end Client sends certification request, TA to TA Controller first Controller is that certification request assigns ID first, then carries out modulo operation to certification request ID, selects target TA service Device, and username and password information is sent to target TA server.Target TA server establishes one with the end Client first Then communication line is handled certification request, and certification request processing result is sent back in TA Controller, by User information is saved in the TA cluster-based storage equipment for constituting RAID5 by TA Controller.Simultaneously by certificate, private key encryption It is sent to the end Client, is stored in local after the certificate decryption that the end Client will acquire.The end Client sends certificate and request To the end MDS, the end MDS is by returning to the end Client for powers and functions certificate and metadata information after verifying.The end Client utilizes acquisition Powers and functions certificate and metadata information to the end OSD send request, obtain needed for data.
As shown in Fig. 2, TA server selection flow chart is described in detail as follows:
When the end Client sends certification request to TA server, it is first sent in TA Controller, by TA Controller is that certification request assigns ID.
TA Controller carries out modulo operation (ID%3) to certification request ID, selects target TA server.If taken Modular arithmetic result is 0, then selects to number the TA0 server process certification request for 0;If modulo operation result is 1, select The TA1 server process certification request that number is 1;If modulo operation result is 2, select to number at for 2 TA2 server Manage certification request.
As shown in figure 3, TA module storing data flow chart is described in detail as follows:
After TA Controller is that the end Client certification request chooses target TA server, can at the end Client and A communication line is established between target TA server.The end Client certification request is handled by target TA server, and will be recognized Card request processing result returns in TA Controller.
The certification request processing result of return is dispersed deposit according to RAID5 access mechanism and constituted by TA Controller In the different disk of RAID5.
As shown in figure 4, user's registration is described in detail as follows with certificate authority flow chart:
When the end Client sends certification request to TA Controller, the use in RAID5 is obtained by TA Controller Family information list.
After the end Client issues certification request to TA Controller, TA Controller first listens to user's request, After obtaining user name, password, legitimate verification is carried out first, after being verified, is compared the information in user information list, is seen See if there is Data Matching.If any Data Matching, illustrate that user information in lists, is transmitted across certificate to user, And certificate is still before the deadline, new certificate is generated for user in refusal at this time.If no data matches, illustrate that user is first Secondary application certificate just generates public and private key for it and transmits certificate, updates user information list.
As it will be easily appreciated by one skilled in the art that the foregoing is merely illustrative of the preferred embodiments of the present invention, not to The limitation present invention, any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should all include Within protection scope of the present invention.

Claims (4)

1. based on the safety certifying method of RAID5 in a kind of object storage system, which comprises the steps of:
(1) start the N platform TA server based on RAID5, wait client Client connection, wherein N is the quantity of TA server;
(2) certification request is sent to trusted party controller TA Controller, TA Controller selection by the end Client One in above-mentioned more TA servers is used as target TA server;
(3) selected target TA server handles the certification request at the end Client, and by certification request processing result Return to TA Controller;
(4) TA Controller constitutes the certification request processing result according to the access mechanism dispersion deposit of RAID5 In the different disk of RAID5;
The step (3) specifically includes following sub-step:
(3.1) target TA server and the end Client generate respective session code key according to the parameter and algorithm arranged in advance, after Continuous communication process all passes through session code key and carries out encrypted transmission;
(3.2) target TA server obtain the end Client send certification request in include username and password, then to Name in an account book and password carry out legitimate verification;After being verified, the information in user information list is compared, has checked whether data Match;
(3.3) if having Data Matching in comparison, illustrate that user information in user list, is transmitted across to user Certificate and before the deadline, new certificate is generated for user in target TA server refusal at this time;If said not in user list Bright user is first application certificate, and target TA server receives the certification request at the end Client;
(3.4) target TA server generates private key and certificate by user name, password, and passes through session code key for private key and certificate The end Client is sent to after encryption;The end Client is decrypted by the received private key of session secret key pair of itself, certificate data, Then the certificate for using public key encryption is decrypted with private key, certificate is finally stored in the end Client;
(3.5) target TA server returns to certification request processing result in TA Controller;
The step (4) specifically includes following sub-step:
(4.1) data of certification request processing result are returned to TA Controller by selected target TA server, and are protected There are in TA Controller;
(4.2) TA controller deposits the certification request processing result that target TA server returns according to the dispersion of RAID5 mechanism Enter to constitute in the different disk of RAID5, to realize secure storage.
2. based on the safety certifying method of RAID5 in object storage system as described in claim 1, which is characterized in that described Step (2) specifically includes following sub-step:
(2.1) certification request at multiple ends Client is sent to first in TA Controller, and TA Controller is to recognizing Card request carries out ID number, then carries out modulo operation ID%N to ID, and the TA server that number is equal to modulo operation result is made For target TA server, wherein the number of above-mentioned N platform TA server is respectively 1-N;
(2.2) connecting path, selected target TA are established between the end Client and selected target TA server Server is for handling the certification request at the end Client.
3. based on the safety certifying method of RAID5 in object storage system as described in claim 1, which is characterized in that in institute Progress legitimate verification in step (3.2) is stated to refer to the format to username and password, length, whether carry out comprising forbidden character Verifying.
4. based on the safety certifying method of RAID5 in object storage system as described in claim 1, which is characterized in that described N value in step (1) is 3.
CN201510744366.4A 2015-11-05 2015-11-05 Safety certifying method based on RAID5 in a kind of object storage system Active CN105404560B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510744366.4A CN105404560B (en) 2015-11-05 2015-11-05 Safety certifying method based on RAID5 in a kind of object storage system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510744366.4A CN105404560B (en) 2015-11-05 2015-11-05 Safety certifying method based on RAID5 in a kind of object storage system

Publications (2)

Publication Number Publication Date
CN105404560A CN105404560A (en) 2016-03-16
CN105404560B true CN105404560B (en) 2019-01-04

Family

ID=55470058

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510744366.4A Active CN105404560B (en) 2015-11-05 2015-11-05 Safety certifying method based on RAID5 in a kind of object storage system

Country Status (1)

Country Link
CN (1) CN105404560B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117134918A (en) * 2023-07-20 2023-11-28 威艾特科技(深圳)有限公司 Distributed data signature verification method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030182549A1 (en) * 2002-03-22 2003-09-25 Hallin Philip J. Systems and methods for distributing trusted certification authorities
CN101095116A (en) * 2004-11-05 2007-12-26 数据机器人技术公司 Storage system condition indicator and method
US20080098212A1 (en) * 2006-10-20 2008-04-24 Helms William L Downloadable security and protection methods and apparatus
CN101534295A (en) * 2009-04-08 2009-09-16 哈尔滨工程大学 Storage method of architecture based on object storage system
CN104917843A (en) * 2015-06-17 2015-09-16 嘉兴市第一医院 Cloud storage and medical image seamless joint system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030182549A1 (en) * 2002-03-22 2003-09-25 Hallin Philip J. Systems and methods for distributing trusted certification authorities
CN101095116A (en) * 2004-11-05 2007-12-26 数据机器人技术公司 Storage system condition indicator and method
US20080098212A1 (en) * 2006-10-20 2008-04-24 Helms William L Downloadable security and protection methods and apparatus
CN101534295A (en) * 2009-04-08 2009-09-16 哈尔滨工程大学 Storage method of architecture based on object storage system
CN104917843A (en) * 2015-06-17 2015-09-16 嘉兴市第一医院 Cloud storage and medical image seamless joint system

Also Published As

Publication number Publication date
CN105404560A (en) 2016-03-16

Similar Documents

Publication Publication Date Title
US11799656B2 (en) Security authentication method and device
KR102493744B1 (en) Security Verification Method Based on Biometric Characteristics, Client Terminal, and Server
US9432339B1 (en) Automated token renewal using OTP-based authentication codes
KR102193644B1 (en) Facility verification method and device
EP3219049B1 (en) Account recovery protocol
US8997198B1 (en) Techniques for securing a centralized metadata distributed filesystem
US9317714B2 (en) Storing user data in a service provider cloud without exposing user-specific secrets to the service provider
CN103220344B (en) Microblogging licenses method and system
CN105409186B (en) system and method for user authentication
CN109347835A (en) Information transferring method, client, server and computer readable storage medium
US20150033020A1 (en) Protocol for Controlling Access to Encryption Keys
CN103607393A (en) Data safety protection method based on data partitioning
US20200412554A1 (en) Id as service based on blockchain
US9154304B1 (en) Using a token code to control access to data and applications in a mobile platform
CN103138939A (en) Secret key use time management method based on credible platform module under cloud storage mode
CN1937498A (en) Dynamic cipher authentication method, system and device
WO2016014120A1 (en) Device authentication agent
KR102137122B1 (en) Security check method, device, terminal and server
CN104601593A (en) Anti-tracking method in network electronic identity authentication process based on challenge modes
CN206212040U (en) A kind of real-name authentication system for express delivery industry
CN112989426B (en) Authorization authentication method and device, and resource access token acquisition method
Nayak et al. An improved mutual authentication framework for cloud computing
CN101552676B (en) Host module legitimacy verification method, system and device using a card module
JP2011176435A (en) Secret key sharing system, method, data processor, management server, and program
CN106331042A (en) Single sign-on method and device for heterogeneous user system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant