CN105915523A - Implementation method of safety configuration device based on cloud calculation - Google Patents

Publication number
CN105915523A
Authority
CN
China
Prior art keywords
cloud
key
cloud computing
center
user
Legal status
Pending
Application number
CN201610291647.3A
Other languages
Chinese (zh)
Inventor
于欣
Current Assignee
Yunshen Technology Investment Co Ltd
Original Assignee
Yunshen Technology Investment Co Ltd
Application filed by Yunshen Technology Investment Co Ltd
Priority to CN201610291647.3A
Publication of CN105915523A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The present invention provides an implementation method for a security architecture device based on cloud computing. A gatekeeper divides the cloud computing platform into a foreground and a background. The cloud user's plaintext files are stored at the foreground of the cloud computing center, and the cloud user's ciphertext files are stored at the background of the cloud computing center. An encrypted channel is established between the cloud user terminal and the background of the cloud computing center, so that the cloud user's program and data are transmitted securely and completely to the background, where the program is run, and the program's result is transmitted securely and completely back to the client machine of the cloud user terminal through the encrypted channel. A login log database and an operation log database are established at the cloud security center to monitor attacks on the cloud computing platform by external hackers and illegal operations on the platform by internal managers, thereby establishing a cloud computing security system.

Description

An implementation method for a cloud computing security architecture device
Technical field
The present invention relates to the field of information security for cloud computing.
Background:
At present, domestic cloud computing security systems all use the PKI/CA security architecture. PKI/CA technology uses asymmetric and symmetric cryptographic algorithms together to build user identity authentication, data integrity verification and encrypted data transmission systems. However, PKI/CA authentication is relatively slow, the number of users a CA authentication center can manage is insufficient, and a CA authentication center is costly to build. The programs and data that cloud users keep on a cloud computing platform are also easily attacked by external hackers or pried into by internal management personnel. In short, existing network security technologies and products cannot meet the market's demand for cloud computing information security.
Summary of the invention:
An implementation method for a cloud computing security architecture device uses chip hardware, symmetric cryptographic algorithms and combination key technology.
In a non-cloud environment, a smart card serves as the hardware device of the client encryption system. A client encryption system based on a symmetric cryptographic algorithm is established in the smart card chip, into which are written the symmetric cryptographic algorithm, digest algorithm, combination key generation algorithm, key "base", client identity authentication protocol, digital signature protocol, signature verification protocol and encryption/decryption protocol. An authentication center is established at the network application server end. It consists of multiple servers, each with several encryption cards inserted or several encryption machines attached. An authentication-center-side encryption system based on a symmetric cryptographic algorithm is established in the authentication center: the encryption card or encryption machine chip holds the symmetric cryptographic algorithm, the digest algorithm, a set of storage keys K, the authentication-center-side identity authentication protocol, digital signature protocol, signature verification protocol and encryption/decryption protocol, and the key "base" of the super manager. The key "base" database on the authentication center's server stores the ciphertext of all user key "bases", each encrypted in advance with the storage key K held in the encryption card or encryption machine chip. A user rights management system is established on the network application server and allocates a working area to each user. At the client, the user logs in to the network application server with the smart card, through the identity authentication protocol in the smart card chip, and enters the corresponding working area on the network application server according to the rights management system. The user then uses the smart card at the client to digitally sign a client file and encrypt it into ciphertext, and submits the digital signature and the ciphertext file to the user's working area on the network application server. The authentication center decrypts the submitted ciphertext file and verifies its data integrity, and places the legitimate plaintext file in the user's working area on the network application server.
The identity authentication protocol, digital signature protocol, signature verification protocol and encryption/decryption protocol are all built from symmetric cryptographic algorithms and combination key technology. Combination key technology uses a combination key generation algorithm: a group of random numbers selects elements from a key "base" arranged as tables, and the selected elements are merged into one symmetric key that serves as an encryption/decryption key, authentication key or signature key. This achieves user identity authentication, data integrity authentication and encrypted data transmission between the client and the network application server in a non-cloud environment;
The present invention uses a gateway device to establish a cloud computing security architecture that implements user identity authentication, data integrity verification and encrypted data transmission between the cloud user side and the cloud computing platform. The technical features of the method are as follows:
In a cloud computing environment, the cloud computing platform is divided into the foreground of the cloud computing center and the background of the cloud computing center. The foreground stores the cloud user's plaintext files and the background stores the cloud user's ciphertext files. The foreground is connected to the cloud computing WEB server, the foreground and the background are connected through one gateway device, and the cloud security center is connected to both the WEB server and the gateway.
The cloud user uses a smart card to authenticate and log in to the user's working area on the foreground, digitally signs and encrypts the file to be sent to the foreground (that is, the program and its data), and submits the ciphertext file, which contains the digital signature, to that working area. The cloud computing management system sends the ciphertext file (with its digital signature) stored in the user's foreground working area to the gateway. In the gateway, the cloud security center decrypts the ciphertext file and verifies its data integrity, and the plaintext file of a legitimate cloud user is sent to the background of the cloud computing center, where the program is run. The cloud computing management system sends the program's "result", a plaintext file, to the gateway. In the gateway, the cloud security center digitally signs and encrypts this plaintext file and sends the ciphertext file, together with the digital signature, to the user's working area on the foreground. The cloud user authenticates, logs in to that working area and downloads the ciphertext file (with its digital signature) to the client machine on the cloud user side. In the smart card chip on the cloud user side, the ciphertext file is decrypted and its data integrity verified, yielding the plaintext of the program's "result".
The cloud security center maintains a login log database and an operation log database, which record the relevant parameters of cloud users and cloud computing unit managers logging in to the cloud computing platform and operating on cloud user files. Using the combination key generation algorithm and the super manager's key "base" stored in the encryption card or encryption machine chip, the cloud security center generates symmetric keys and encrypts all records in the login log database and the operation log database into ciphertext for storage, with each record encrypted using one symmetric key. The super manager uses the super manager's smart card to decrypt the ciphertext records in the two databases. This establishes the cloud computing security architecture system, which is implemented entirely through a combination of software and hardware. The specific method is as follows:
1. The smart card chip serves as the encryption system hardware on the cloud user side. The cloud-user-side encryption system is established in the smart card chip, into which are written the symmetric cryptographic algorithm, combination key generation algorithm, digest algorithm, cloud-user-side identity authentication protocol, digital signature and encryption protocol, and decryption and signature verification protocol, together with the data: one key "base" and the cloud user's identifier.
2. A cloud security center is established at the cloud computing platform end. It consists of a server plus encryption card or encryption machine hardware: 1 to 5 encryption cards are inserted into the server's PCI interface, or the server is connected directly to 1 to 2 cipher machines through a serial interface. The encryption card or cipher machine serves as the hardware of the cloud-security-center-side encryption system. In the encryption card or encryption machine chip are written the symmetric cryptographic algorithm, the combination key generation algorithm, a set of fixed symmetric keys (the storage key K), the digest algorithm, the cloud-security-center-side identity authentication protocol, digital signature and encryption protocol, decryption and signature verification protocol, encryption protocol, and the key "base" of the super manager.
3. The key "base" database at the cloud security center stores the identifiers of all cloud users and, for each identifier, the ciphertext of the corresponding key "base". During key initialization, the key "bases" of all cloud users are each encrypted into ciphertext with the storage key K held in the cloud security center's encryption card or encryption machine chip, and stored in the key "base" database on the cloud security center server.
4. The cloud-user-side encryption system is also established in the smart card chip of the cloud computing unit's super manager. Into that chip are written the symmetric cryptographic algorithm, combination key generation algorithm, digest algorithm, cloud-user-side identity authentication protocol, digital signature and encryption protocol, decryption and signature verification protocol, and decryption protocol, together with the data: the super manager's identifier and the same super manager key "base" that is held in the cloud security center's encryption card or encryption machine chip.
5. Every cloud user and every cloud computing unit manager is issued one smart card. Each cloud user or manager identifier corresponds one-to-one with a smart card and one-to-one with a key "base". Every identifier is unique, and the identifiers of cloud users and cloud computing unit managers are all mutually different. An identifier consists of digits, or of digits plus English letters, such as a user serial number or an ID card number. Here a cloud user is a user who logs in to the cloud computing platform over the network to perform cloud computing, and a cloud computing unit manager is a system maintainer who manages the cloud computing platform; the super manager is one of the cloud computing unit managers.
6. The key "bases" of all cloud users and cloud computing unit managers are produced by the random number generator in the cloud security center's encryption card or encryption machine chip. They are mutually different and strongly random. Each key "base" occupies 256 bytes or 512 bytes and forms two 16 × 16 key "base" tables, in which every element occupies 0.5 byte or 1 byte.
7. In the cloud-user-side smart card and the authentication-center-side encryption card or encryption machine chip, the encryption system uses a symmetric cryptographic algorithm such as SM1, DES, RC5, SMS4 or AES, and a digest algorithm such as SM2, SHA-1, SM3 or MD5.
8. To establish the cloud computing security architecture, the cloud computing platform is divided into two parts: the foreground of the cloud computing center and the background of the cloud computing center. The foreground is connected to the cloud computing WEB server, the foreground and the background are connected through one gateway device, and the cloud security center is connected to both the WEB server and the gateway. A rights management system is established on the WEB server and allocates each cloud user a working area on the foreground. The foreground stores the cloud user's ciphertext files, which comprise the program and its data encrypted into ciphertext. The background stores the cloud user's plaintext files, which comprise the program and its data and the program's "result".
9. The cloud security center authenticates cloud users logging in to the WEB server. A legitimate cloud user can log in to the cloud computing WEB server and enter the corresponding working area on the foreground according to the rights management system; an illegitimate cloud user cannot log in. In the gateway, the cloud security center decrypts and verifies the data integrity of ciphertext files that enter the gateway from the foreground, and digitally signs and encrypts plaintext files that enter the gateway from the background.
10. When a cloud user needs to run a program, the cloud computing center management system transfers the cloud user's ciphertext file to the gateway. In the gateway, the cloud security center's decryption and signature verification protocol decrypts the ciphertext file and verifies its data integrity, and the decrypted plaintext file (the cloud user's program and its data) is transferred to the background. The program runs on the background and produces its "result". The cloud computing center management system transfers the "result", a plaintext file, to the gateway. In the gateway, the cloud security center's encryption and digital signature protocol digitally signs and encrypts the "result", and the ciphertext file is transferred to the cloud user's working area on the foreground.
11. When a cloud user needs to obtain the program's "result", the cloud user first authenticates with the smart card, logs in to the corresponding working area on the foreground, and downloads the ciphertext of the "result" to the client machine on the cloud user side. In the cloud-user-side smart card chip, the decryption and signature verification protocol decrypts the ciphertext and verifies its data integrity, yielding the plaintext of the program's "result".
12. An encrypted channel is established between the cloud user side and the background of the cloud computing center:
(1) The cloud user takes file M (the program and its data) and, using the encryption and digital signature protocol in the smart card chip, digitally signs it and encrypts it into ciphertext file M1. The cloud user then authenticates, logs in to the cloud computing WEB server, enters the corresponding working area on the foreground according to the rights management system, and submits ciphertext file M1 to that working area. In the working area, the cloud user "clicks" the ciphertext file M1 to be run, and the cloud computing center management system inputs M1 into the gateway. In the gateway, the cloud security center calls the decryption and signature verification protocol, decrypts M1 into plaintext file M and the digital signature of M, and verifies the data integrity of M. A plaintext file M that passes verification is input to the background of the cloud computing center, and the cloud security center then removes the corresponding ciphertext file M1, plaintext file M and digital signature from the gateway. If plaintext file M fails data integrity verification, the cloud security center removes plaintext file M, ciphertext file M1 and the digital signature, and the message "illegal file" is fed back to the cloud user's working area on the foreground;
(2) The cloud computing management system inputs the "result" of the cloud user's program, plaintext file N, into the gateway. In the gateway, the cloud security center calls the digital signature and encryption protocol, digitally signs plaintext file N and encrypts it into ciphertext file N1, and then inputs N1 into the cloud user's working area on the foreground. The cloud user authenticates, logs in to the cloud computing WEB server, enters the working area according to the rights management system, and downloads ciphertext file N1 to the client machine on the cloud user side. In the cloud-user-side smart card chip, the decryption and signature verification protocol decrypts the received N1 to obtain plaintext file N and the digital signature of N, and then verifies the data integrity of N, yielding plaintext file N, the program's "result".
13. The encrypted channel between the cloud user side and the background of the cloud computing center ensures that the cloud user's program and data are transmitted securely and completely to the background, that the program runs on the background and produces its "result", and that the "result" is transmitted securely and completely through the encrypted channel to the client machine on the cloud user side. If a file that the gateway receives from the foreground is a virus file, it cannot pass data integrity verification when the cloud security center decrypts and verifies it, so the cloud security center removes it in the gateway. The gateway can therefore effectively block virus attacks.
14. The gateway divides the cloud computing platform into two parts, and the rights management system allocates each cloud user one working area on the foreground and one working area on the background. A manager of the cloud computing unit can, after authentication, log in to cloud users' foreground and background working areas. The cloud user's working area on the foreground holds the user's ciphertext files, and the working area on the background holds the user's plaintext files. The cloud security center decrypts the ciphertext files that the gateway receives from the foreground, verifies their data integrity, and transfers the plaintext files to the background. The cloud security center digitally signs and encrypts the plaintext files that the gateway receives from the background, and transfers the ciphertext files to the foreground. The user's plaintext files stored on the background (the program and its data) run on the background, and the program's "result" is also stored on the background. This ensures the transmission security, storage security and execution security of the cloud user's files, that is, the program and its data.
15. The key "base" stored in the client-side smart card chip of each cloud user and cloud computing unit manager is written into the chip in advance during key initialization. The key "base" occupies 16 × 16 × 1 × 2 = 512 bytes, or 16 × 16 × 0.5 × 2 = 256 bytes, and forms two 16 × 16 key "base" tables, table Za and table Zb, 2 tables in total. Each element of each table occupies 0.5 or 1 byte, and the elements of table Za and table Zb are mutually different. Let:
16. Combination key technology means using a combination key generation algorithm to select elements from the key "base", that is, from tables Za and Zb: 32 elements are selected and combined into one symmetric key. Let S1, S2, ..., SY be Y (Y = 16) hexadecimal random numbers, produced by the random number generator in the smart card, encryption card or encryption machine chip, or by the cloud computing WEB server. The combination key generation algorithm is as follows:
The value of the 1st hexadecimal random number S1 selects row S1 of table Za and the value of S2 selects column S2 of table Za; the element at the intersection of row S1 and column S2 is taken out and denoted kk1. The value of S2 selects row S2 of table Za and the value of S3 selects column S3; the element at the intersection of row S2 and column S3 is taken out and denoted kk2; ...; the value of S16 selects row S16 of table Za and the value of S1 selects column S1; the element at the intersection of row S16 and column S1 is taken out and denoted kk16;
The value of the 1st hexadecimal random number S1 selects row S1 of table Zb and the value of S2 selects column S2 of table Zb; the element at the intersection of row S1 and column S2 is taken out and denoted kk17. The value of S2 selects row S2 of table Zb and the value of S3 selects column S3; the element at the intersection of row S2 and column S3 is taken out and denoted kk18; ...; the value of S16 selects row S16 of table Zb and the value of S1 selects column S1; the element at the intersection of row S16 and column S1 is taken out and denoted kk32;
When the elements of tables Za and Zb are 0.5 byte each, the 16 elements selected from table Za (kk1, kk2, ..., kk16) and the 16 elements selected from table Zb (kk17, kk18, ..., kk32) are combined into one symmetric key: kk1, kk2, ..., kk16, kk17, ..., kk32;
When the elements of tables Za and Zb are 1 byte each, the 16 elements selected from table Za (kk1, kk2, ..., kk16) and the 16 elements selected from table Zb (kk17, kk18, ..., kk32) are added modulo 2, position by position, to generate one symmetric key: kk1⊕kk17, kk2⊕kk18, ..., kk16⊕kk32.
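The selection and combination rules of items 15 and 16, written out as an added Python example (not code from the patent). The two sample tables are constructed so that each cell encodes its own coordinates, the selector is the sequence the patent uses in its item 17 illustration, and the packing of 0.5-byte elements into bytes (first selected element in the high nibble) is an assumption, since the text does not specify it.

```python
"""Combination key generation over a two-table key "base" (added illustration)."""
import secrets

DIM = 16  # each key "base" table is 16 x 16; the selector has Y = 16 hex digits


def parse_selector(text):
    """Parse 'S1,S2,...,S16' (hex digits; commas/spaces optional) into ints 0..15."""
    digits = [int(ch, 16) for ch in text.replace(",", "").replace(" ", "")]
    if len(digits) != DIM:
        raise ValueError(f"selector needs {DIM} hex digits, got {len(digits)}")
    return digits


def new_selector():
    """Fresh selector from the OS CSPRNG (stands in for the chip's generator)."""
    return [secrets.randbelow(DIM) for _ in range(DIM)]


def cell_path(selector):
    """Cells visited: (row S1, col S2), (row S2, col S3), ..., (row S16, col S1)."""
    return [(selector[i], selector[(i + 1) % DIM]) for i in range(DIM)]


def _check_table(table, element_bits):
    if len(table) != DIM or any(len(row) != DIM for row in table):
        raise ValueError("key base table must be 16 x 16")
    if any(not 0 <= v < (1 << element_bits) for row in table for v in row):
        raise ValueError(f"table element does not fit in {element_bits} bits")


def combine_key(za, zb, selector, element_bits):
    """Derive the 128-bit symmetric key from tables Za/Zb and a 16-digit selector.

    element_bits == 8: kk1^kk17, kk2^kk18, ..., kk16^kk32 (position-wise XOR).
    element_bits == 4: kk1..kk32 concatenated, two nibbles per byte
                       (nibble order is an assumption of this example).
    """
    if element_bits not in (4, 8):
        raise ValueError("elements are 0.5 byte (4 bits) or 1 byte (8 bits)")
    if len(selector) != DIM or any(not 0 <= s < DIM for s in selector):
        raise ValueError("selector must be 16 values in 0..15")
    _check_table(za, element_bits)
    _check_table(zb, element_bits)

    path = cell_path(selector)
    from_za = [za[r][c] for r, c in path]  # kk1 .. kk16
    from_zb = [zb[r][c] for r, c in path]  # kk17 .. kk32

    if element_bits == 8:
        return bytes(a ^ b for a, b in zip(from_za, from_zb))
    nibbles = from_za + from_zb
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 2 * DIM, 2))


def sample_base(element_bits):
    """Constructed (non-secret) tables: Za holds row*16+col, Zb holds col*16+row,
    truncated to the element width, so every selected cell is traceable."""
    mask = (1 << element_bits) - 1
    za = [[(r * DIM + c) & mask for c in range(DIM)] for r in range(DIM)]
    zb = [[(c * DIM + r) & mask for c in range(DIM)] for r in range(DIM)]
    return za, zb


if __name__ == "__main__":
    sel = parse_selector("3,0,9,6,A,5,4,F,8,B,1,C,7,2,E,D")  # item 17's sequence
    print("cells:", cell_path(sel))
    for bits in (8, 4):
        za, zb = sample_base(bits)
        print(f"{bits}-bit elements ->", combine_key(za, zb, sel, bits).hex())
    # Both ends hold the same base, so the same selector yields the same key.
    za, zb = sample_base(8)
    fresh = new_selector()
    print("agree:", combine_key(za, zb, fresh, 8) == combine_key(za, zb, fresh, 8))
```

Both modes yield a 16-byte key. In the 0.5-byte mode the key is a plain concatenation of table cells, so protecting derived keys matters as much as protecting the key "base" itself.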
17. An example of generating a key with the combination key generation algorithm. Let S1, S2, S3, ..., S16 = 3, 0, 9, 6, A, 5, 4, F, 8, B, 1, C, 7, 2, E, D, with each element of tables Za and Zb occupying 0.5 byte or 1 byte. Then:
The 1st and 2nd random numbers are 3 and 0: take the element in row 4, column 1 of table Za, Za30,
The 2nd and 3rd random numbers are 0 and 9: take the element in row 1, column 10 of table Za, Za09,
The 3rd and 4th random numbers are 9 and 6: take the element in row 10, column 7 of table Za, Za96,
The 4th and 5th random numbers are 6 and A: take the element in row 7, column 11 of table Za, Za610,
The 5th and 6th random numbers are A and 5: take the element in row 11, column 6 of table Za, Za105,
The 6th and 7th random numbers are 5 and 4: take the element in row 6, column 5 of table Za, Za54,
The 7th and 8th random numbers are 4 and F: take the element in row 5, column 16 of table Za, Za415,
The 8th and 9th random numbers are F and 8: take the element in row 16, column 9 of table Za, Za158,
The 9th and 10th random numbers are 8 and B: take the element in row 9, column 12 of table Za, Za811,
The 10th and 11th random numbers are B and 1: take the element in row 12, column 2 of table Za, Za111,
The 11th and 12th random numbers are 1 and C: take the element in row 2, column 13 of table Za, Za112,
The 12th and 13th random numbers are C and 7: take the element in row 13, column 8 of table Za, Za127,
The 13th and 14th random numbers are 7 and 2: take the element in row 8, column 3 of table Za, Za72,
The 14th and 15th random numbers are 2 and E: take the element in row 3, column 15 of table Za, Za214,
The 15th and 16th random numbers are E and D: take the element in row 15, column 14 of table Za, Za1413,
The 16th and 1st random numbers are D and 3: take the element in row 14, column 4 of table Za, Za133,
Therefore, according to the random numbers S1, S2, S3, ..., S16 = 3, 0, 9, 6, A, 5, 4, F, 8, B, 1, C, 7, 2, E, D, 16 elements are taken from table Za: Za30, Za09, Za96, Za610, Za105, Za54, Za415, Za158, Za811, Za111, Za112, Za127, Za72, Za214, Za1413, Za133;
Likewise, for table Zb:
The 1st and 2nd random numbers have the values 3 and 0: take the element at row 4, column 1 of table Zb, Zb30,
The 2nd and 3rd random numbers have the values 0 and 9: take the element at row 1, column 10 of table Zb, Zb09,
The 3rd and 4th random numbers have the values 9 and 6: take the element at row 10, column 7 of table Zb, Zb96,
The 4th and 5th random numbers have the values 6 and A: take the element at row 7, column 11 of table Zb, Zb610,
The 5th and 6th random numbers have the values A and 5: take the element at row 11, column 6 of table Zb, Zb105,
The 6th and 7th random numbers have the values 5 and 4: take the element at row 6, column 5 of table Zb, Zb54,
The 7th and 8th random numbers have the values 4 and F: take the element at row 5, column 16 of table Zb, Zb415,
The 8th and 9th random numbers have the values F and 8: take the element at row 16, column 9 of table Zb, Zb158,
The 9th and 10th random numbers have the values 8 and B: take the element at row 9, column 12 of table Zb, Zb811,
The 10th and 11th random numbers have the values B and 1: take the element at row 12, column 2 of table Zb, Zb111,
The 11th and 12th random numbers have the values 1 and C: take the element at row 2, column 13 of table Zb, Zb112,
The 12th and 13th random numbers have the values C and 7: take the element at row 13, column 8 of table Zb, Zb127,
The 13th and 14th random numbers have the values 7 and 2: take the element at row 8, column 3 of table Zb, Zb72,
The 14th and 15th random numbers have the values 2 and E: take the element at row 3, column 15 of table Zb, Zb214,
The 15th and 16th random numbers have the values E and D: take the element at row 15, column 14 of table Zb, Zb1413,
The 16th and 1st random numbers have the values D and 3: take the element at row 14, column 4 of table Zb, Zb133,
Therefore, according to the random numbers S1, S2, S3, ..., S16 = 3, 0, 9, 6, A, 5, 4, F, 8, B, 1, C, 7, 2, E, D, 16 elements are taken out of table Zb, namely: Zb30, Zb09, Zb96, Zb610, Zb105, Zb54, Zb415, Zb158, Zb811, Zb111, Zb112, Zb127, Zb72, Zb214, Zb1413, Zb133;
When each element of table Za and table Zb occupies 0.5 byte, the 16 elements taken from each of the two tables, 32 elements in total, are combined into one symmetric key: Za30, Za09, Za96, Za610, Za105, Za54, Za415, Za158, Za811, Za111, Za112, Za127, Za72, Za214, Za1413, Za133, Zb30, Zb09, Zb96, Zb610, Zb105, Zb54, Zb415, Zb158, Zb811, Zb111, Zb112, Zb127, Zb72, Zb214, Zb1413, Zb133. This symmetric key occupies 16 bytes, i.e. 128 bits.
When each element of table Za and table Zb occupies 1 byte, the 16 elements taken from each of the two tables are added modulo two (XORed) position by position and then combined into one symmetric key, namely: Za30⊕Zb30, Za09⊕Zb09, Za96⊕Zb96, Za610⊕Zb610, Za105⊕Zb105, Za54⊕Zb54, Za415⊕Zb415, Za158⊕Zb158, Za811⊕Zb811, Za111⊕Zb111, Za112⊕Zb112, Za127⊕Zb127, Za72⊕Zb72, Za214⊕Zb214, Za1413⊕Zb1413, Za133⊕Zb133. This symmetric key occupies 16 bytes, i.e. 128 bits.
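The selection walked through in paragraph 17, as an added Python example (not code from the patent). The function names, the constructed tables and the high-half-first packing of 0.5-byte elements are assumptions made for illustration.

```python
import secrets


def parse_random(digits):
    """Turn the 16 hexadecimal digits S1..S16 into integers 0..15."""
    values = [int(d, 16) for d in digits]
    if len(values) != 16:
        raise ValueError("the selector must be exactly 16 hex digits")
    return values


def selection_indices(s):
    """Zero-based (row, column) pairs (S1,S2), (S2,S3), ..., (S16,S1)."""
    return [(s[i], s[(i + 1) % 16]) for i in range(16)]


def pick(table, s):
    """The 16 elements of one 16x16 table chosen by the selector."""
    return [table[row][col] for row, col in selection_indices(s)]


def key_from_half_bytes(za, zb, s):
    """0.5-byte elements: 16 from Za, then 16 from Zb, packed into 16 bytes.

    Packing two consecutive elements per byte, high half first, is an
    assumption; the text only says the 32 elements form the key.
    """
    nibbles = pick(za, s) + pick(zb, s)
    if any(not 0 <= n <= 15 for n in nibbles):
        raise ValueError("half-byte tables may only hold values 0..15")
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))


def key_from_bytes(za, zb, s):
    """1-byte elements: XOR the Za and Zb picks position by position."""
    return bytes(a ^ b for a, b in zip(pick(za, s), pick(zb, s)))


def random_table(limit):
    """Constructed stand-in for one table of a key base."""
    return [[secrets.randbelow(limit) for _ in range(16)] for _ in range(16)]


# Constructed tables whose elements encode their own coordinates, so the
# selection is visible in the resulting key bytes.
COORD_TABLE = [[(r << 4) | c for c in range(16)] for r in range(16)]
ZERO_TABLE = [[0] * 16 for _ in range(16)]
ROW_TABLE = [[r] * 16 for r in range(16)]
COL_TABLE = [list(range(16)) for _ in range(16)]

EXAMPLE = parse_random("3096A54F8B1C72ED")  # S1..S16 from paragraph 17

if __name__ == "__main__":
    print(selection_indices(EXAMPLE))
    print(key_from_bytes(COORD_TABLE, ZERO_TABLE, EXAMPLE).hex())
    print(key_from_half_bytes(ROW_TABLE, COL_TABLE, EXAMPLE).hex())
    za, zb = random_table(256), random_table(256)
    # The key is a deterministic function of the key base and the selector;
    # the selector is 16 hex digits, i.e. 64 bits of selection input.
    assert key_from_bytes(za, zb, EXAMPLE) == key_from_bytes(za, zb, EXAMPLE)
```

With the coordinate-encoding table, each key byte shows the (row, column) pair that selected it, which makes the wrap-around from S16 back to S1 easy to check.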
18. Digital signature and encryption protocol at the cloud user side: in the smart card chip, the encryption system of the cloud user side calls the random number generator in the chip to produce a group of random numbers SS1, then calls the combination key generation algorithm, which uses SS1 to select elements from the key "base" in the chip, i.e. tables Za and Zb, choosing 16 elements from each, 32 in total, and combines them into a symmetric key K1. It calls the digest algorithm on file M, i.e. the program and its data, to generate digest information L1, then uses symmetric key K1 and the symmetric cryptographic algorithm to encrypt file M and digest information L1, obtaining ciphertext M1 of file M and digest information L1. Here, the ciphertext produced by encrypting digest information L1 of file M is the digital signature.
19. Decryption and signature verification protocol at the cloud security center side: according to the cloud user's identifier, the encryption system of the cloud security center locates the ciphertext record corresponding to that identifier in the key "base" database and inputs this ciphertext record into the encryption card or encryption machine chip of the cloud security center. There it calls storage key K to decrypt the record, obtaining the plaintext of the key "base" corresponding to this cloud user identifier, i.e. the elements of tables Za and Zb. It calls the combination key generation algorithm, which uses the received random number SS1 to select elements from the key "base", choosing 16 elements from each of tables Za and Zb, 32 in total, and combines them into a symmetric key K2. It then uses symmetric key K2 and the symmetric cryptographic algorithm to decrypt M1, obtaining the plaintext of M1, i.e. file M and digest information L1, and calls the digest algorithm on file M to generate digest information L2. By comparing whether L1 and L2 are identical, it verifies whether the digital signature on M is legitimate, thereby achieving signature verification of file M.
20. Digital signature and encryption protocol at the cloud security center side: according to the cloud user's identifier, the encryption system of the cloud security center locates the ciphertext record corresponding to that identifier in the key "base" database and inputs this ciphertext record into the encryption card or encryption machine chip of the cloud security center. There it calls storage key K to decrypt the record, obtaining the plaintext of the key "base" corresponding to this cloud user identifier, i.e. the elements of tables Za and Zb. It calls the random number generator in the encryption card or encryption machine chip to produce a group of random numbers SS2, then calls the combination key generation algorithm, which uses SS2 to select elements from the key "base", choosing 16 elements from each of tables Za and Zb, 32 in total, and combines them into a symmetric key K3. It calls the digest algorithm on file N received in the gateway, i.e. the "result" of running the program, to generate digest information L3, then uses symmetric key K3 and the symmetric cryptographic algorithm to encrypt file N and digest information L3, obtaining ciphertext N1 of file N and digest information L3. Here, the ciphertext produced by encrypting digest information L3 of file N is the digital signature.
21. Decryption and signature verification protocol at the cloud user side: in the smart card chip, the encryption system of the cloud user side calls the combination key generation algorithm, which uses the received random number SS2 to select elements from the key "base" in the smart card chip, i.e. tables Za and Zb, choosing 16 elements from each, 32 in total, and combines them into a symmetric key K4. It then uses symmetric key K4 and the symmetric cryptographic algorithm to decrypt ciphertext N1, obtaining the plaintext of N1, i.e. file N and digest information L3, and calls the digest algorithm on file N to generate digest information L4. By comparing whether L3 and L4 are identical, it verifies whether the digital signature on N is legitimate, thereby achieving signature verification of file N.
22. Identity authentication protocol for the cloud user or cloud computing unit administrator: the cloud user or cloud computing unit administrator inserts the smart card into the client computer and clicks the login button of the cloud computing WEB server. The cloud computing WEB server generates a group of random numbers and a timestamp and sends them to the client of the cloud user or cloud computing unit administrator. The encryption system in the smart card chip calls the combination key generation algorithm, which uses the received random number to select elements from the key "base", i.e. tables Za and Zb, choosing 16 elements from each, 32 in total, and combines them into a symmetric key KK. It encrypts the random number with KK to generate authentication password H1, then sends the identifier of the cloud user or cloud computing unit administrator, the random number, the timestamp, authentication password H1 and the IP address of the client computer together to the WEB server, which forwards them to the cloud security center.
23. Identity authentication protocol at the cloud security center side: after receiving the identifier of the cloud user, the random number, the timestamp, authentication password H1 and the IP address of the client computer, the cloud security center uses the identifier of the cloud user or cloud computing unit administrator to locate the ciphertext record in the key "base" database, finds the corresponding key "base" ciphertext, and inputs it into the encryption card or encryption machine chip of the cloud security center. In the encryption card or encryption machine chip, it calls storage key K to decrypt this key "base" ciphertext, obtaining the plaintext of the key "base". It then calls the combination key generation algorithm, which uses the random number to select elements from the plaintext of the key "base", i.e. tables Za and Zb, choosing 16 elements from each, 32 in total, and combines them into a symmetric key K2, which is used to encrypt the random number and generate authentication password H2. H1 and H2 are compared. When H1 = H2, the identity authentication of the cloud user or cloud computing unit administrator passes, i.e. this is a legitimate cloud user or legitimate cloud computing unit administrator, who then, according to the rights management system of cloud computing, logs in to the working area of the corresponding cloud user on the cloud computing center foreground; a cloud computing unit administrator can log in to the working areas of all cloud users. When H1 ≠ H2, the identity authentication of the cloud user or cloud computing unit administrator does not pass, i.e. this is an illegal cloud user or illegal cloud computing unit administrator; the cloud security center returns the words "disabled user" to the WEB server, which forwards them to the client computer of the cloud user side.
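The exchange of paragraphs 22 and 23 with both sides shown, as an added Python sketch (not code from the patent). Assumptions: HMAC-SHA256 stands in for the unspecified symmetric cipher that turns the random number into H1/H2, key bases sit in a plain dictionary rather than encrypted under storage key K, and the single-use challenge bookkeeping and 60-second window are additions the text does not spell out; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE = 60  # seconds a challenge stays valid (assumed value)


def new_key_base():
    """Constructed key base: tables Za and Zb, 16x16 one-byte elements."""
    return [[[secrets.randbelow(256) for _ in range(16)] for _ in range(16)]
            for _ in range(2)]


def combination_key(key_base, digits):
    """Pick (S_i, S_i+1) from Za and Zb and XOR the picks (1-byte mode)."""
    za, zb = key_base
    s = [int(d, 16) for d in digits]
    return bytes(za[s[i]][s[(i + 1) % 16]] ^ zb[s[i]][s[(i + 1) % 16]]
                 for i in range(16))


def auth_password(key_base, digits):
    """H1 on the card, H2 at the center: keyed transform of the random number.

    HMAC-SHA256 is a stand-in; the patent encrypts the random number with an
    unspecified symmetric cipher.
    """
    key = combination_key(key_base, digits)
    return hmac.new(key, digits.encode(), hashlib.sha256).digest()


class WebServer:
    """Issues the random number and timestamp of paragraph 22."""

    def __init__(self):
        self.issued = {}  # random number -> issue time

    def challenge(self, now=None):
        now = time.time() if now is None else now
        digits = secrets.token_hex(8).upper()  # 16 hex digits
        self.issued[digits] = now
        return digits, now


class SecurityCenter:
    """Recomputes H2 from the stored key base and compares it with H1."""

    def __init__(self, web_server):
        self.web_server = web_server
        self.key_bases = {}  # identifier -> key base (plain here, see lead-in)

    def enroll(self, user_id):
        self.key_bases[user_id] = new_key_base()
        return self.key_bases[user_id]  # the copy written to the smart card

    def verify(self, user_id, digits, timestamp, h1, now=None):
        now = time.time() if now is None else now
        # Added check: accept only a challenge this server issued, once.
        issued_at = self.web_server.issued.pop(digits, None)
        if issued_at is None or issued_at != timestamp:
            return False
        if now - issued_at > MAX_AGE:
            return False
        key_base = self.key_bases.get(user_id)
        if key_base is None:
            return False
        h2 = auth_password(key_base, digits)
        return hmac.compare_digest(h1, h2)  # H1 = H2, compared in constant time


if __name__ == "__main__":
    web = WebServer()
    center = SecurityCenter(web)
    card = center.enroll("user-1")           # constructed identifier
    digits, ts = web.challenge()
    h1 = auth_password(card, digits)         # computed inside the smart card
    print(center.verify("user-1", digits, ts, h1))   # first use
    print(center.verify("user-1", digits, ts, h1))   # same message again
```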
24. Using combination key technology, the various security protocols of cloud computing are established; the security protocols include the identity authentication protocol, the digital signature and encryption protocol, the decryption and signature verification protocol, and the encryption protocol. Each group of key "base", i.e. tables Za and Zb, occupies 256 or 512 bytes in total. The cloud security center stores the identifiers and key "bases" of 300 million groups of cloud users, amounting to about 80 GB or 160 GB, which takes up few cloud security center resources. This ensures that the cloud security center can manage cloud users on a large scale, and that a low-cost cloud security center can be built.
25. Using combination key technology, the repetition rate of generated symmetric keys is very small; each repetition rate is 1/2^64 × 1/2^64 = 1/2^128. This ensures that the symmetric key generated each time, i.e. the key used for encryption, authentication or signing, changes almost every time and does not repeat, which improves the security level of each security protocol of the cloud security center.
26. The digital signature protocol and the encryption protocol are merged into a digital signature and encryption protocol, in which one combination key generation algorithm generates one symmetric key to complete both the digital signature and the encryption of a file. The decryption protocol and the signature verification protocol, i.e. the data integrity verification protocol, are merged into a decryption and signature verification protocol, in which one combination key generation algorithm generates one symmetric key to complete both the decryption and the signature verification of the data. This can greatly improve the operating efficiency of the various security protocols. Moreover, each symmetric key is generated automatically by the combination key generation algorithm, with no need to update symmetric keys manually, which can greatly reduce the key maintenance cost of the cloud security center.
27. A login log management system is set up in the cloud security center. When a cloud user or cloud computing unit administrator uses a smart card to authenticate and log in to the cloud computing platform, the cloud security center records the login parameters of that login; the login parameters include the random number, the identifier of the cloud user, the timestamp and the IP address of the client computer. At the same time, the cloud security center encrypts the recorded login parameters into ciphertext and stores it in the login log database.
28. An operation log management system is set up in the cloud security center. When a cloud computing unit administrator who has logged in to the cloud computing platform operates on a file, where operating on a file includes browsing, modifying, copying, transmitting or printing the file, the cloud security center records the parameters of that operation; the operating parameters include the identifier of the cloud computing unit administrator, the timestamp, the name of the file operated on and the IP address of the client computer. At the same time, the cloud security center encrypts the recorded operating parameters into ciphertext and stores it in the operation log database.
29. The process by which the cloud security center sets up the login log database and the operation log database:
(1) The login log database is set up as follows. In the encryption card or encryption machine chip of the cloud security center, the encryption protocol of the cloud security center calls the random number generator to produce a group of random numbers, then calls the combination key generation algorithm, which uses the random numbers to select elements from the key "base" of a super administrator stored in the encryption card or encryption machine chip, i.e. tables Za and Zb, choosing 16 elements from each, 32 in total, and combines them into a symmetric key. The 1st record of the login log database is encrypted into ciphertext in its entirety except for the database ID number and the random number field, i.e. the identifier of the cloud user or cloud computing unit administrator, the timestamp and the IP address of the client computer in the login parameters are encrypted into ciphertext for storage. In the same way, another group of random numbers is produced and a symmetric key is generated from it, and the 2nd record of the login log database is encrypted into ciphertext except for the database ID number and the random number field, and so on. Finally, a group of random numbers is produced and a symmetric key is generated from it, and the last record of the login log database is encrypted into ciphertext except for the database ID number and the random number field;
(2) The operation log database is set up as follows. In the encryption card or encryption machine chip of the cloud security center, the encryption protocol of the cloud security center calls the random number generator to produce a group of random numbers, then calls the combination key generation algorithm, which uses the random numbers to select elements from the key "base" of a super administrator stored in the encryption card or encryption machine chip, i.e. tables Za and Zb, choosing 16 elements from each, 32 in total, and combines them into a symmetric key. The 1st record of the operation log database is encrypted into ciphertext in its entirety except for the database ID field and the random number field, i.e. the identifier of the cloud user or cloud computing unit administrator, the timestamp, the name of the file operated on and the IP address of the client computer in the operating parameters are encrypted into ciphertext for storage. In the same way, another group of random numbers is produced and a symmetric key is generated from it, and the 2nd record of the operation log database is encrypted into ciphertext except for the database ID field and the timestamp field, and so on. Finally, a group of random numbers is produced and a symmetric key is generated from it, and the last record of the operation log database is encrypted into ciphertext except for the database ID number field and the timestamp field.
30. One combination key generation algorithm is used to generate the symmetric keys that encrypt the records of the login log database and the operation log database: each record corresponds to one group of random numbers and therefore to one symmetric key. The symmetric key produced by the combination key generation algorithm changes almost every time, which raises the confidentiality level of the login log database and the operation log database while still allowing the super administrator to browse specified record contents conveniently.
31. The structure of the login log database is as follows:
32. The structure of the operation log database is as follows:
33. The super administrator of the cloud user management unit uses a smart card to decrypt the ciphertext records of the login log database and the operation log database. The decryption method is as follows: the decryption protocol in the super administrator's smart card chip calls the combination key generation algorithm, which uses the random number stored in each record of the login log database to select elements from the key "base" of the super administrator in the smart card chip, i.e. tables Za and Zb, choosing 16 elements from each, 32 in total, and combines them into a symmetric key, with which the corresponding ciphertext record in the login log database is decrypted into plaintext. By the same decryption method, i.e. using the random number stored in each record of the operation log database to select elements from the key "base" of the super administrator in the smart card chip, i.e. tables Za and Zb, choosing 16 elements from each, 32 in total, and combining them into a symmetric key, the corresponding ciphertext record in the operation log database is decrypted into plaintext, for the super administrator of the cloud user management unit to browse and analyse.
34. The cloud security center sets up the login log database and the operation log database. Only the super administrator of the cloud computing unit can browse the record contents of the login log database and the operation log database; the other administrators of the cloud computing unit cannot. The super administrator of the cloud computing unit can monitor in real time the logins of cloud users, and can monitor in real time the logins of cloud computing unit administrators, i.e. internal staff, and which files they have clicked on. This allows effective monitoring of attacks on the cloud computing platform by outside hackers and of illegal operations on the cloud computing platform by internal administrators, such as stealing the programs and data of cloud users.

Claims (9)

1. An implementation method of a security architecture device based on cloud computing, which uses chip hardware devices, a symmetric cryptographic algorithm and combination key technology. In a non-cloud computing environment, a smart card is used as the hardware device of the client encryption system; in the chip of the smart card, a symmetric cryptographic algorithm is used to establish the client encryption system, and the symmetric cryptographic algorithm, digest algorithm, combination key generation algorithm, key "base", client identity authentication protocol, digital signature protocol, signature verification protocol and encryption/decryption protocol are written into it. An authentication center is established at the network application server side; the authentication center consists of multiple servers, each with several encryption cards inserted or several encryption machines attached. A symmetric cryptographic algorithm is used to establish the authentication-center-side encryption system in the authentication center; into the encryption card or encryption machine chip are written the symmetric cryptographic algorithm, the digest algorithm, a storage key K, the authentication-center-side identity authentication protocol, digital signature protocol, signature verification protocol and encryption/decryption protocol, and the key "base" of the super administrator. The key "base" database on the authentication center's server stores the ciphertext of all users' key "bases", all users' key "bases" having been encrypted into ciphertext in advance with the storage key K in the encryption card or encryption machine chip. A user rights management system is established in the network application server and allocates working areas to users. The user uses the smart card at the client, logs in to the network application server through the identity authentication protocol in the smart card chip, and, according to the rights management system, enters the working area corresponding to the user on the network application server. The user uses the smart card at the client to digitally sign a file of the client and then encrypt it into ciphertext, and submits the digital signature and ciphertext file to the working area corresponding to the user on the network application server. The authentication center decrypts the delivered ciphertext file and performs data integrity verification, and stores the legitimate plaintext file in the working area corresponding to the user on the network application server. The identity authentication protocol, digital signature protocol, signature verification protocol and encryption/decryption protocol are all established using the symmetric cryptographic algorithm and combination key technology. Combination key technology uses a combination key generation algorithm, i.e. a group of random numbers is used to select elements from the tables forming a group of key "base", and the selected elements are merged into a symmetric key that serves as the encryption/decryption key, authentication key or signature key. This achieves user identity authentication, data integrity authentication and encrypted data transmission between the client and the network application server side in a non-cloud computing environment;
The present invention uses a gateway device to establish the security architecture of cloud computing, achieving user identity authentication, data integrity verification and encrypted data transmission between the cloud user side and the cloud computing platform. The technical features of the method are as follows:
In a cloud computing environment, the cloud computing platform is divided into the foreground of the cloud computing center and the background of the cloud computing center. The plaintext files of cloud users are stored on the foreground of the cloud computing center, and the ciphertext files of cloud users are stored on the background of the cloud computing center. The foreground of the cloud computing center is connected to the WEB server of cloud computing; the foreground and the background of the cloud computing center are connected through one gateway device; and the cloud security center is connected to the WEB server of cloud computing and to the gateway respectively. The cloud user uses a smart card to authenticate and log in to the working area of the corresponding cloud user on the cloud computing center foreground, digitally signs and encrypts the file to be sent to the cloud computing center foreground, i.e. the program and its data, and then submits the ciphertext file, including the digital signature, to the working area of the corresponding cloud user on the cloud computing center foreground. The cloud computing management system sends the cloud user's ciphertext file, including the digital signature, stored in the working area of the corresponding cloud user on the foreground of the cloud computing center, to the gateway. In the gateway, the cloud security center decrypts this ciphertext file, including the digital signature, and performs data integrity verification, and the plaintext file of a legitimate cloud user is sent to the background of the cloud computing center. The program is run on the background of the cloud computing center, and the cloud computing management system sends the "result" of running the program, i.e. a plaintext file, to the gateway. In the gateway, the cloud security center digitally signs and encrypts this plaintext file, and sends the ciphertext file, including the digital signature, to the working area of the corresponding cloud user on the foreground of the cloud computing center. The cloud user logs in through identity authentication to the working area of the corresponding cloud user on the foreground of the cloud computing center and downloads this ciphertext file, including the digital signature, to the client computer of the cloud user side. In the smart card chip of the cloud user side, this ciphertext file, including the digital signature, is decrypted and its data integrity verified, obtaining the plaintext of the "result" of running the program. A login log database and an operation log database are set up at the cloud security center to record the relevant parameters of cloud users and cloud computing unit administrators logging in to the cloud computing platform and operating on cloud user files. The cloud security center uses the combination key generation algorithm, calling the key "base" of the super administrator stored in the encryption card or encryption machine chip to generate symmetric keys, and encrypts all records in the login log database and the operation log database into ciphertext for storage, each record being encrypted with one symmetric key. The super administrator uses the super administrator's smart card to decrypt the ciphertext records in the login log database and the operation log database. The cloud computing security architecture system is thereby established.
The method according to claim 1, characterised in that:
An encrypted channel is established between the cloud user side and the background of the cloud computing center,
(1) The cloud user takes file M, i.e. the program and its data, and, using the encryption and digital signature protocol in the smart card chip, digitally signs file M and encrypts it into ciphertext file M1. The cloud user then logs in to the WEB server of cloud computing through identity authentication and, according to the rights management system, enters the working area of the corresponding cloud user on the cloud computing center foreground, and submits ciphertext file M1 to that working area. In the working area of the corresponding cloud user on the cloud computing center foreground, the cloud user clicks on the ciphertext file M1 that is to be run, and the cloud computing center management system inputs ciphertext file M1 into the gateway. In the gateway, the cloud security center calls the decryption and signature verification protocol, decrypts ciphertext file M1 into plaintext file M and the digital signature of file M, and performs data integrity verification on plaintext file M. A plaintext file M that passes verification is input to the background of the cloud computing center, and at the same time the cloud security center removes the corresponding ciphertext file M1, plaintext file M and digital signature from the gateway. If plaintext file M does not pass data integrity verification, plaintext file M, ciphertext file M1 and the digital signature are removed, and the words "illegal file" are fed back to the working area of the corresponding cloud user on the foreground of the cloud computing center;
(2) The cloud computing management system inputs the "result" of running the cloud user's program, i.e. plaintext file N, into the gateway. In the gateway, the cloud security center calls the digital signature and encryption protocol, digitally signs this plaintext file N and encrypts it into ciphertext file N1, and then inputs ciphertext file N1 into the working area of the corresponding cloud user on the cloud computing center foreground. The cloud user logs in to the cloud computing WEB server through identity authentication, enters the working area of the corresponding cloud user on the cloud computing center foreground according to the rights management system, and downloads ciphertext file N1 to the client computer of the cloud user side. In the smart card chip of the cloud user side, the decryption and signature verification protocol of the cloud user side decrypts the received ciphertext file N1, obtaining plaintext file N and the digital signature of N, and then performs data integrity verification on plaintext file N, obtaining plaintext file N, i.e. the "result" of running the program.
The method according to claim 2, characterised in that:
An encrypted channel is established between the cloud user side and the background of the cloud computing center, ensuring that the cloud user's program and its data are transmitted safely and completely through the encrypted channel to the background of the cloud computing center, that the program is run on the background of the cloud computing center to obtain the "result" of running the program, and that this "result" is then transmitted safely and completely through the encrypted channel to the client computer of the cloud user side. If a file that the gateway receives from the cloud computing center foreground is a virus file, then, when the cloud security center performs decryption and data integrity verification on it, the virus file cannot pass data integrity verification and is removed in the gateway by the cloud security center; the gateway can therefore effectively block virus attacks.
The method according to claim 1, characterised in that:
The cloud computing platform is divided in two by the gateway. Through the rights management system, each cloud user is allocated one working area on the cloud computing center foreground and one working area on the cloud computing center background; an administrator of the cloud computing unit, after identity authentication, can log in to the foreground and background working areas of cloud users. The working area of the corresponding cloud user on the cloud computing center foreground holds the cloud user's ciphertext files, and the working area of the corresponding cloud user on the cloud computing center background holds the cloud user's plaintext files. The cloud security center decrypts the ciphertext files that the gateway receives from the foreground and performs data integrity verification, and the plaintext files are then transmitted to the cloud computing center background. The cloud security center digitally signs and encrypts the plaintext files that the gateway receives from the background, and the ciphertext files are then transmitted to the cloud computing center foreground. The user's plaintext files stored on the cloud computing center background, i.e. the program and its data, are run on the cloud computing center background, and the "result" of running the program is also stored on the background of the cloud computing center. This ensures the transmission security, storage security and operating security of the cloud user's files, i.e. the program and its data.
The method according to claim 1, characterized in that:
Combination key technology refers to: a combination key generating algorithm is used to choose among the elements of the key "base", i.e. tables Za and Zb; 32 elements are selected and synthesized into one group of symmetric key. Let S1, S2, ..., SY be Y (Y = 16) hexadecimal random numbers, produced by the random number generator in the smart card, encryption card or encryption equipment chip, or produced by the WEB server of the cloud computing. The specific combination key generating algorithm is as follows:
The value of the 1st hexadecimal random number S1 designates row S1 of table Za, and the value of S2 designates column S2 of table Za; the element at the intersection of row S1 and column S2 of table Za is taken out and denoted kk1. The value of S2 designates row S2 of table Za, and the value of S3 designates column S3 of table Za; the element at the intersection of row S2 and column S3 of table Za is taken out and denoted kk2; ...; the value of S16 designates row S16 of table Za, and the value of S1 designates column S1 of table Za; the element at the intersection of row S16 and column S1 is taken out and denoted kk16;
The value of the 1st hexadecimal random number S1 designates row S1 of table Zb, and the value of S2 designates column S2 of table Zb; the element at the intersection of row S1 and column S2 of table Zb is taken out and denoted kk17. The value of S2 designates row S2 of table Zb, and the value of S3 designates column S3 of table Zb; the element at the intersection of row S2 and column S3 of table Zb is taken out and denoted kk18; ...; the value of S16 designates row S16 of table Zb, and the value of S1 designates column S1 of table Zb; the element at the intersection of row S16 and column S1 is taken out and denoted kk32;
When the elements of table Za and table Zb are 0.5 byte each, the 16 elements selected from table Za, i.e. kk1, kk2, ..., kk16, and the 16 elements selected from table Zb, i.e. kk17, kk18, ..., kk32, are synthesized into one group of symmetric key, namely: kk1, kk2, ..., kk16, kk17, ..., kk32;
When the elements of table Za and table Zb are 1 byte each, the 16 elements selected from table Za, i.e. kk1, kk2, ..., kk16, and the 16 elements selected from table Zb, i.e. kk17, kk18, ..., kk32, are added position by position modulo two to generate one group of symmetric key, namely: kk1 ⊕ kk17, kk2 ⊕ kk18, ..., kk16 ⊕ kk32.
The method according to claim 1, characterized in that:
(1) Digital signature and encryption protocol on the cloud user side: in the smart card chip, the encryption system on the cloud user side calls the random number generator in the smart chip to produce one group of random numbers SS1, then calls the combination key generating algorithm, which, according to random number SS1, chooses among the elements of the key "base" in the smart chip, i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key K1. The digest algorithm is called to digest file M, i.e. the program and its data, generating digest information L1. Symmetric key K1 and the symmetric cryptographic algorithm are then called to encrypt file M and digest information L1, obtaining ciphertext M1 of file M and digest information L1, wherein: the ciphertext generated by encrypting digest information L1 of file M is the digital signature;
(2) Decryption and signature verification protocol on the cloud security center side: according to the cloud user's identifier, the encryption system on the cloud security center side locates the ciphertext record corresponding to that identifier in the key "base" database, inputs this ciphertext record into the encryption card or encryption equipment chip of the cloud security center, calls storage key K to decrypt the ciphertext record, and obtains the plaintext elements of the key "base" corresponding to this cloud user identifier, i.e. table Za and table Zb. It calls the combination key generating algorithm, which, according to the received random number SS1, chooses among the elements of the key "base", i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key K2. Symmetric key K2 and the symmetric cryptographic algorithm are then called to decrypt M1, obtaining the plaintext of M1, i.e. file M and digest information L1. The digest algorithm is then called to digest file M, generating digest information L2. By comparing whether L1 and L2 are identical, it verifies whether the digital signature on M is legitimate, thereby achieving signature verification of file M;
(3) Digital signature and encryption protocol on the cloud security center side: according to the cloud user's identifier, the encryption system on the cloud security center side locates the ciphertext record corresponding to that identifier in the key "base" database, inputs this ciphertext record into the encryption card or encryption equipment chip of the cloud security center, calls storage key K to decrypt the ciphertext record, and obtains the plaintext elements of the key "base" corresponding to this cloud user identifier, i.e. table Za and table Zb. It calls the random number generator in the encryption card or encryption equipment chip to produce one group of random numbers SS2, then calls the combination key generating algorithm, which, according to random number SS2, chooses among the elements of the key "base", i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key K3. The digest algorithm is called to digest file N received in the gateway, i.e. the program run "result", generating digest information L3. Symmetric key K3 and the symmetric cryptographic algorithm are then called to encrypt file N and digest information L3, obtaining ciphertext N1 of file N and digest information L3, wherein: the ciphertext generated by encrypting digest information L3 of file N is the digital signature;
(4) Decryption and signature verification protocol on the cloud user side: in the smart card chip, the cloud user side encryption system calls the combination key generating algorithm, which, according to the received random number SS2, chooses among the elements of the key "base" in the smart card chip, i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key K4. Symmetric key K4 and the symmetric cryptographic algorithm are then called to decrypt ciphertext N1, obtaining the plaintext of ciphertext N1, i.e. file N and digest information L3. The digest algorithm is then called to digest file N, generating digest information L4. By comparing whether L3 and L4 are identical, it verifies whether the digital signature on N is legitimate, thereby achieving signature verification of file N;
(5) Identity authentication protocol for the cloud user or cloud computing unit manager: the cloud user or cloud computing unit manager inserts the smart card into the client computer and clicks the login button on the cloud computing WEB server. The cloud computing WEB server produces one group of random numbers and a timestamp and sends them to the client side of the cloud user or cloud computing unit manager. The encryption system in the smart card chip calls the combination key generating algorithm, which, according to the received random number, chooses among the elements of the key "base", i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key KK; the random number is encrypted with KK to generate authentication password H1. The identifier of the cloud user or cloud computing unit manager, the random number, the timestamp, authentication password H1 and the IP address of the client computer are then sent together to the WEB server, and the WEB server relays them to the cloud security center;
(6) Identity authentication protocol on the cloud security center side: after the cloud security center receives the cloud user's identifier, the random number, the timestamp, authentication password H1 and the IP address of the client computer, it locates the ciphertext record in the key "base" database according to the identifier of the cloud user or cloud computing unit manager, finds the corresponding key "base" ciphertext, and inputs it into the encryption card or encryption equipment chip of the cloud security center. In the encryption card or encryption equipment chip, storage key K is called to decrypt this key "base" ciphertext, obtaining the plaintext of the key "base". The combination key generating algorithm is then called, which, according to the random number, chooses among the plaintext elements of the key "base", i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key K2; the random number is encrypted to generate authentication password H2, and H1 and H2 are compared. When H1 = H2, the identity authentication of the cloud user or cloud computing unit manager passes, i.e. this is a legitimate cloud user or legitimate cloud computing unit manager, who then, according to the rights management system of the cloud computing, logs in to the working area of the corresponding cloud user on the cloud computing center foreground, wherein: a cloud computing unit manager can log in to the working areas of all cloud users. When H1 ≠ H2, the identity authentication of the cloud user or cloud computing unit manager does not pass, i.e. this is an illegal cloud user or illegal cloud computing unit manager; the cloud security center feeds back the words "disabled user" to the WEB server, and the WEB server relays them to the client computer on the cloud user side.
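The following Python sketch is an added example, not code from the patent: it implements the combination key generating algorithm over tables Za and Zb (both element sizes) and the H1/H2 identity authentication exchange of items (5) and (6). Assumptions: each table is 16 x 16, which matches the hexadecimal indices and the 256- or 512-byte base size the claims give; HMAC-SHA256 stands in for the unnamed symmetric cipher; the WEB server's challenge issuing is folded into the hypothetical `SecurityCenter` class; single-use challenges and the freshness window are hardening the claims do not state; all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

N = 16  # one hex digit per axis, so each table is 16 x 16 (assumed layout)


def make_base(element_bits):
    """Constructed key "base": tables Za and Zb of random 4-bit or 8-bit elements."""
    def table():
        return [[secrets.randbelow(1 << element_bits) for _ in range(N)]
                for _ in range(N)]
    return table(), table()


def select(table, s):
    """kk_i = table[S_i][S_(i+1)]; the 16th element wraps to table[S_16][S_1]."""
    return [table[s[i]][s[(i + 1) % N]] for i in range(N)]


def combination_key(za, zb, s, element_bits):
    """Derive the 16-byte symmetric key from the base and 16 hex digits S1..S16."""
    if len(s) != N or any(not 0 <= d < N for d in s):
        raise ValueError("S must be 16 hexadecimal digits")
    a, b = select(za, s), select(zb, s)          # kk1..kk16 and kk17..kk32
    if element_bits == 4:                        # 0.5-byte elements: concatenate
        kk = a + b
        return bytes((kk[i] << 4) | kk[i + 1] for i in range(0, 2 * N, 2))
    if element_bits == 8:                        # 1-byte elements: kk_i XOR kk_(i+16)
        return bytes(x ^ y for x, y in zip(a, b))
    raise ValueError("elements are 0.5 byte or 1 byte")


def auth_password(key, s):
    """H = MAC(KK, random number); HMAC-SHA256 replaces the unnamed cipher."""
    return hmac.new(key, bytes(s), hashlib.sha256).digest()


def client_response(card_base, s, element_bits=8):
    """Smart card side: derive KK from the on-card base and compute H1."""
    za, zb = card_base
    return auth_password(combination_key(za, zb, s, element_bits), s)


class SecurityCenter:
    """Verifier side; challenge issuing is folded in here for brevity."""

    def __init__(self, element_bits=8, max_age=30):
        self.bits, self.max_age = element_bits, max_age
        self.bases = {}      # user id -> (Za, Zb); stored encrypted in the claims
        self.pending = {}    # (user id, S) -> issue time; hardening assumption

    def enroll(self, user):
        self.bases[user] = make_base(self.bits)
        return self.bases[user]              # the copy written to the smart card

    def challenge(self, user, now=None):
        s = tuple(secrets.randbelow(N) for _ in range(N))
        self.pending[(user, s)] = time.time() if now is None else now
        return s

    def verify(self, user, s, h1, now=None):
        issued = self.pending.pop((user, tuple(s)), None)   # single use
        now = time.time() if now is None else now
        if issued is None or user not in self.bases or now - issued > self.max_age:
            return False
        za, zb = self.bases[user]
        h2 = auth_password(combination_key(za, zb, s, self.bits), s)
        return hmac.compare_digest(h1, h2)   # constant-time H1 == H2
```

Because the key is a deterministic function of the base and the 16 hexadecimal digits, one base yields at most 2^64 distinct keys, and since the random number travels in the clear, the secrecy of every derived key rests on the secrecy of the base.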
7. The method according to claim 5 or 6, characterized in that:
(1) Using combination key technology, the various security protocols of the cloud computing are established; the security protocols include: the identity authentication protocol, the digital signature and encryption protocol, the decryption and signature verification protocol, and the encryption protocol. Each group of key "base", i.e. tables Za and Zb, occupies 256 or 512 bytes in total. The identifiers and key "bases" of 300 million groups of cloud users stored at the cloud security center amount to about 80 GB or 160 GB, occupying few cloud security center resources. This ensures that the cloud security center can manage large-scale cloud users and that the cloud security center can be built at low cost;
(2) Using combination key technology, the repetition rate of the generated symmetric keys is very small; each repetition rate is: 1/2^64 × 1/2^64 = 1/2^128. This ensures that the symmetric key generated each time, i.e. the key used for encryption, authentication or signature, changes almost every time and does not repeat, thereby raising the security level of each security protocol at the cloud security center;
(3) The digital signature protocol and the encryption protocol are merged into the digital signature and encryption protocol, in which one combination key generating algorithm generates one group of symmetric key to complete the digital signature and encryption of a file. The decryption protocol and the signature verification protocol, i.e. the data integrity verification protocol, are merged into the decryption and signature verification protocol, in which one combination key generating algorithm generates one group of symmetric key to complete the decryption and signature verification of data. This can greatly improve the operating efficiency of the various security protocols. Each symmetric key is generated automatically by the combination key generating algorithm, with no need to update symmetric keys manually, which can greatly reduce the key maintenance cost of the cloud security center.
The method according to claim 1, characterized in that:
(1) The login log database is established as follows: in the cloud security center encryption card or encryption equipment chip, the cloud security center encryption protocol calls the random number generator to produce one group of random numbers and calls the combination key generating algorithm, which, according to the random number, chooses among the key "base" of one group of super manager stored in the encryption card or encryption equipment chip, i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key. The 1st record in the login log database, except for the database ID number and the random number field, is entirely encrypted into ciphertext, i.e. the identifier of the cloud user or cloud computing unit manager, the timestamp and the IP address of the client computer in the login parameters are encrypted into ciphertext and stored. By the same method, another group of random numbers is produced, one group of symmetric key is generated according to this random number, and the 2nd record in the login log database, except for the database ID number and the random number field, is entirely encrypted into ciphertext; ...; finally, one group of random numbers is produced, one group of symmetric key is generated according to this random number, and the last record in the login log database, except for the database ID number and the random number field, is entirely encrypted into ciphertext;
(2) The operation log database is established as follows: in the cloud security center encryption card or encryption equipment chip, the cloud security center encryption protocol calls the random number generator to produce one group of random numbers and calls the combination key generating algorithm, which, according to the random number, chooses among the key "base" of one group of super manager stored in the encryption card or encryption equipment chip, i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key. The 1st record in the operation log database, except for the database ID field and the random number field, is entirely encrypted into ciphertext, i.e. the identifier of the cloud user or cloud computing unit manager, the timestamp, the file name of the operated file and the IP address of the client computer in the operating parameters are encrypted into ciphertext and stored. By the same method, another group of random numbers is produced, one group of symmetric key is generated according to this random number, and the 2nd record in the operation log database, except for the database ID field and the timestamp field, is entirely encrypted into ciphertext; ...; finally, one group of random numbers is produced, one group of symmetric key is generated according to this random number, and the last record in the operation log database, except for the database ID number field and the timestamp field, is entirely encrypted into ciphertext;
(3) The super manager of the cloud user management unit uses a smart card to decrypt the ciphertext records of the login log database and the operation log database. The decryption method is: the decryption protocol in the super manager's smart card chip calls the combination key generating algorithm, which, according to the random number stored in each record of the login log database, chooses among the key "base" of one group of super manager in the smart card chip, i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key, with which the corresponding ciphertext record in the login log database is decrypted into plaintext. By the same decryption method, i.e. according to the random number stored in each record of the operation log database, it chooses among the key "base" of one group of super manager in the smart card chip, i.e. table Za and table Zb, selecting 16 elements from each, 32 elements in total, and synthesizes one group of symmetric key, with which the corresponding ciphertext record in the operation log database is decrypted into plaintext, for the super manager of the cloud user management unit to browse and analyze.
The method according to claim 8, characterized in that:
(1) A combination key generating algorithm is used to generate one group of symmetric key to encrypt the records of the login log database and the operation log database, i.e. one record corresponds to one group of random numbers and also to one group of symmetric key. The symmetric key produced by the combination key generating algorithm changes almost every time, which can raise the security level of the login log database and the operation log database while still letting the super manager conveniently browse specified record content;
(2) The login log database and the operation log database are established at the cloud security center. Only the super manager of the cloud computing unit can browse the record content of the login log database and the operation log database; other managers of the cloud computing unit cannot browse it. The super manager of the cloud computing unit can monitor in real time the login situation of cloud users, and can monitor in real time the login situation of cloud computing unit managers, i.e. internal staff, and which files they have "clicked". This can effectively monitor attacks on the cloud computing platform by external hackers, and effectively monitor illegal operations on the cloud computing platform by internal management personnel, such as stealing the programs and data of cloud users.
CN201610291647.3A 2016-05-05 2016-05-05 Implementation method of safety configuration device based on cloud calculation Pending CN105915523A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610291647.3A CN105915523A (en) 2016-05-05 2016-05-05 Implementation method of safety configuration device based on cloud calculation

Publications (1)

Publication Number Publication Date
CN105915523A true CN105915523A (en) 2016-08-31

Family

ID=56752331

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610291647.3A Pending CN105915523A (en) 2016-05-05 2016-05-05 Implementation method of safety configuration device based on cloud calculation

Country Status (1)

Country Link
CN (1) CN105915523A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160831