CN105915523A - Implementation method of safety configuration device based on cloud calculation - Google Patents
Implementation method of safety configuration device based on cloud calculation Download PDFInfo
- Publication number
- CN105915523A CN105915523A CN201610291647.3A CN201610291647A CN105915523A CN 105915523 A CN105915523 A CN 105915523A CN 201610291647 A CN201610291647 A CN 201610291647A CN 105915523 A CN105915523 A CN 105915523A
- Authority
- CN
- China
- Prior art keywords
- cloud
- key
- cloud computing
- center
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Abstract
The present invention provides an implementation method of safety configuration device based on the cloud calculation. The method comprises: a gatekeeper is employed to divide a cloud calculation platform into the foreground and the background of the cloud calculation platform, the cloud user's plaintext file is stored at the foreground of the cloud calculation center, the cloud user's cryptograph file is stored at the background of the cloud calculation center, an encryption channel is established between the cloud user terminal and the background of the cloud calculation center to ensure the cloud user to completely transmit the program and the data thereof to the background of the cloud calculation center through encryption channel safety and run the program at the background of the cloud calculation center, the program operation result is safely and completely transmitted into the client machine of the cloud user terminal through the encryption channel, a registration log database and an operation log database are established at the cloud safety center to monitor the attack of external hackers on the cloud calculation platform, monitor the illegal operation of the cloud calculation platform from internal managers, and therefore a cloud calculation safety system is established.
Description
Technical field
The present invention relates to the information security field of cloud computing.
Background technology:
At present, the security system of domestic cloud computing all uses PKI/CA security architecture, PKI/CA technology to be to use asymmetric cryptography
Algorithm and symmetric cryptographic algorithm, set up authenticating user identification, data integrity validation and Data Encrypting Transmission System jointly, but
It is that the certification speed of PKI/CA is relatively slow, the lazy weight of ca authentication centre management user, and ca authentication center construction cost is higher,
Leave program and the data thereof of cloud user in cloud computing platform in, be also easily subject to external hackers and attack or internal control personnel
Pry, in a word, existing network security technology and product all can not meet the market demand to cloud computing information security.
Summary of the invention:
A kind of implementation method based on cloud computing safty architecture device, is to use chip hardware equipment, symmetric cryptographic algorithm and group
Closing cipher key technique, under non-cloud computing environment, use smart card is as the hardware device of client encryption system, at smart card
In chip, use symmetric cryptographic algorithm to set up client encryption system, and it is close to write symmetric cryptographic algorithm, digest algorithm, combination
Key generating algorithm, key " base ", client identity authentication protocol, digital signature protocol, signature verification agreement, enciphering/deciphering agreement,
Setting up authentication center at network application server end, authentication center is inserted many block encryptions by multiple servers, every station server
Card or access multiple stage encryption equipment equipment composition, use symmetric cryptographic algorithm to set up end encryption system of authentication center in authentication center
System, in encrypted card or encryption equipment chip, write symmetric cryptographic algorithm, digest algorithm, one group of storage key K, authentication center's end
Identity authentication protocol, digital signature protocol, signature verification agreement and enciphering/deciphering agreement, and the key " base " of super manager,
At server key " base " lane database of authentication center, store total user key " base " ciphertext, wherein: total user key
" base " is used the storage key K in encrypted card or encryption equipment chip to be encrypted to ciphertext in advance, builds in network application server
The Rights Management System of vertical user, shares out the work district for user, and user uses smart card in client, by intelligent card chip
Identity authentication protocol logging in network application server, and according to Rights Management System, the network application server user of entrance
Corresponding working area, user uses smart card in client, is digitally signed by the file of client, re-encrypts into ciphertext,
Digital signature is submitted to cryptograph files the working area that network application server user is corresponding, authentication center's ciphertext to delivering to
File is decrypted and data integrity validation, leaves legal clear text file in work that network application server user is corresponding
District, wherein: identity authentication protocol, digital signature protocol, signature verification agreement and enciphering/deciphering agreement, all uses symmetric cryptography to calculate
Method and combination key technology are set up, and combination key technology is to use a kind of combination key generating algorithm, it may be assumed that by one group of random number,
In the table form a group key " base ", element is chosen, and the element selected is merged into one group of symmetric key, as adding/solving
Decryption key, certification key or signature key, thus, it is achieved under non-cloud computing environment, client and network application server end
Between authenticating user identification, data integrity authentication and Data Encryption Transmission;
The present invention is the security architecture using gateway equipment to set up cloud computing, it is achieved the use between cloud user side and cloud computing platform
Family authentication, data integrity validation and Data Encryption Transmission, being technically characterized in that of its method
Under cloud computing environment, cloud computing platform is divided into the foreground of cloud computing center and the backstage of cloud computing center, at cloud meter
The clear text file of the foreground storage cloud user at calculation center, at the cryptograph files of the backstage of cloud computing center storage cloud user, cloud meter
The foreground at calculation center is connected with the WEB server of cloud computing, by one between foreground and the cloud computing center backstage of cloud computing center
Platform gateway equipment is connected, and cloud security center is connected with WEB server and the gateway of cloud computing respectively, and cloud user uses intelligence
Card, carries out authentication and logs in the working area of cloud computing center foreground correspondence cloud user, and before sending out and delivering to cloud computing center
The file of platform is i.e.: program and data thereof, is digitally signed and encrypts, then contained by cryptograph files: digital signature, is submitted to cloud meter
The working area of foreground, calculation center correspondence cloud user, cloud computing management system is by work corresponding for the foreground cloud user of cloud computing center
Qu Li, the cryptograph files of the cloud user of storage contains: digital signature, is sent to gateway, and in gateway, cloud security center is to this ciphertext
File contains: digital signature, is decrypted and data integrity validation, the clear text file of legal cloud user is sent in cloud computing
The backstage of the heart, at the running background program of cloud computing center, cloud computing management system, runs " result " i.e. clear text file by program
Being sent to gateway, in gateway, this clear text file is digitally signed and encrypts by cloud security center, and is contained by cryptograph files:
Digital signature, is sent in the working area that the foreground cloud user of cloud computing center is corresponding in the lump, and cloud user stepped on by authentication
Record the working area that the foreground cloud user of cloud computing center is corresponding, this ciphertext part is contained: digital signature, download to the visitor of cloud user side
In the machine of family, in cloud user side intelligent card chip, this cryptograph files is contained: digital signature, be decrypted and test with data integrity
Card, obtains program and runs the plaintext of " result ", sets up at cloud security center and logs in log database and Operation Log data base, note
Record cloud user and cloud computing unit management person log in cloud computing platform and operation cloud user file have related parameter, cloud security center
Use combination key generating algorithm, and call key " base " generation of the super manager of storage in encrypted card or encryption equipment chip
The whole records logged in log database and Operation Log data base are encrypted to ciphertext and store by symmetric key respectively, and often
Bar record uses one group of symmetric key encryption, and super manager uses the smart card of super manager, to logging in log database
It is decrypted with the ciphertext record in Operation Log data base, thus, set up cloud computing safty architecture system, cloud computing roll-over protective structure
Construction system all realizes by software and hardware combination, and concrete grammar is as follows:
1, using the chip of smart card as the encryption system hardware device of cloud user side, in intelligent card chip, cloud user side is set up
Encryption system, in intelligent chip, write symmetric cryptographic algorithm, combination key generating algorithm, digest algorithm, cloud user side
Identity authentication protocol, digital signature and cryptographic protocol, deciphering and signature verification agreement, and write data: a group key " base " and
The mark of cloud user.
2, setting up cloud security center at cloud computing platform end, cloud security center is by server, encrypted card or encryption equipment hardware
Equipment forms, and inserts 1~5 block encryption cards on the pci interface of server, or by server and 1~2 cipher machine serial line interface
It is directly connected to, using encrypted card or cipher machine as the hardware device of cloud security center-side encryption system, sets up at cloud security center
The encryption system of cloud security center-side, in encrypted card or encryption equipment chip, write symmetric cryptographic algorithm, combination key generate to be calculated
Method, one group of fixed symmetrical key be i.e.: storage key K, digest algorithm, the identity authentication protocol of cloud security center-side, digital signature
With cryptographic protocol, deciphering and signature verification agreement, cryptographic protocol, the key " base " of one group of super manager.
3, at key " base " lane database at cloud security center, the mark of all cloud users and all cloud user marks are deposited
Know the ciphertext of a corresponding group key " base ", in procedure for cipher key initialization, with cloud security center encrypted card or encryption movement
Storage key K in sheet, is encrypted to ciphertext respectively by the key " base " of all cloud users, is stored in cloud security central server
Key " base " lane database.
4, in the intelligent card chip of the super manager of cloud computing unit, the encryption system of cloud user side is set up, in intelligence
Can in card chip, write symmetric cryptographic algorithm, combination key generating algorithm, digest algorithm, the identity authentication protocol of cloud user side,
Digital signature and cryptographic protocol, deciphering and signature verification agreement, decryption protocol, and write data: the mark of super manager, with
The key " base " of one group of super manager same in cloud security center encrypted card or encryption equipment chip.
5, a smart card, every cloud user and cloud computing list are all distributed for every cloud user and cloud computing unit management person
Position manager mark all with a smart card one_to_one corresponding, also with a group key " base " one_to_one corresponding, every cloud user and cloud
Unit of account manager mark is all unique, and the mark of cloud user and cloud computing unit management person is the most different, cloud user
Added English alphabet with the mark of cloud computing unit management person formed, such as by numeral or numeral: user's serial number, identification card number, its
Medium cloud user refer to: carried out the user of cloud computing by network entry cloud computing platform, and cloud computing unit management person refers to: management cloud
Calculate the system maintenance person of platform, also include: the super manager in cloud computing unit management person.
6, all cloud users and the corresponding key " base " of cloud computing unit management person, by cloud security center encrypted card or add
Randomizer in close movement sheet produces, the most different, and has stronger randomness, the number of every group key " base "
According to accounting for 256 bytes or 512 bytes, and form two 16 × 16 keys " base " tables, wherein: the element of two key " base " tables all accounts for
0.5 byte or 1 byte.
7, in cloud user side smart card and authentication center's end encrypted card or encryption equipment chip, the symmetry that encryption system uses
Cryptographic algorithm, such as: SM1, DES, RC5, SMS4, ASE, the digest algorithm of use, such as: SM2, SHA-1, SM3, MD5.
8, set up the security architecture of cloud computing, cloud computing platform is divided into two, it may be assumed that the foreground of cloud computing center and cloud meter
The backstage at calculation center, the foreground of cloud computing center is connected with the WEB server of cloud computing, the foreground of cloud computing center and cloud computing
Being connected by a gateway equipment between center background, cloud security center is connected with WEB server and the gateway of cloud computing respectively,
And in WEB server, set up Rights Management System, distribute the working area on cloud computing center foreground for cloud user, in cloud computing
The cryptograph files of heart foreground storage cloud user, wherein: cryptograph files includes: be encrypted to program and the data thereof of ciphertext, at cloud
Calculating the clear text file of center background storage cloud user, wherein: clear text file includes: program and data thereof, and program is run
" result ".
9, cloud security center is responsible for that cloud user is logged in WEB server and is carried out authentication, and legal cloud user can log in
The WEB server of cloud computing, and enter the working area of cloud computing center foreground correspondence cloud user according to Rights Management System, illegally
Cloud user cannot log in the WEB server of cloud computing, and in gateway, cloud security center is responsible for defeated from the foreground of cloud computing center
Enter the cryptograph files in gateway, be decrypted and data integrity validation, bright to be input in gateway from calculating center background
Literary composition file, is digitally signed and encrypts.
10, when cloud user needs operation program, cloud computing center management system is by gateway, by cloud user's cryptograph files
It is transferred to gateway, in gateway, by deciphering and the signature verification agreement at cloud security center, cryptograph files is decrypted and data
Integrity verification, then by the clear text file after deciphering i.e.: the program of cloud user and data thereof, it is transferred to cloud computing center backstage,
The program of cloud user and data thereof are at cloud computing center running background, and obtain the operation " result " of program;Cloud computing center pipe
Reason system, by the operation " result " of program i.e.: clear text file, is transferred to gateway, in gateway, and the encryption sum at cloud security center
Word signature agreement, by cloud user program operation " result ", is digitally signed and encrypts, then cryptograph files is transferred to cloud computing
The working area of foreground, center correspondence cloud user.
11, when cloud user needs acquisition program to run " result ", first, cloud user uses smart card to carry out identity to recognize
Card, logs in the working area of cloud computing center foreground correspondence cloud, and the ciphertext that program runs " result " is downloaded to cloud user side
In client computer, and in cloud user side intelligent card chip, program is run the ciphertext solution of " result " by deciphering and signature verification agreement
Close and data integrity validation, obtains the plaintext of cloud user program operation " result ".
12, between cloud user side and the backstage of cloud computing center, encrypted tunnel is set up,
(1) cloud user is by file M i.e.: program and data thereof, by the encrypted and digitally signed agreement in intelligent card chip, by literary composition
Part M is digitally signed, and is encrypted to cryptograph files M1, then is logged in the WEB server of cloud computing by authentication, and according to
Rights Management System, enters the working area of cloud computing center foreground correspondence cloud user, and cloud user submits to cryptograph files M1 to cloud meter
The working area of foreground, calculation center correspondence cloud user, in the working area of cloud computing center foreground correspondence cloud user, cloud user " clicks on "
The cryptograph files M1 run, cloud computing center management system is needed cryptograph files M1 to be inputted gateway, in gateway, in cloud security
The heart calls deciphering and signature verification agreement, and cryptograph files M1 is decrypted into clear text file M and the digital signature of file M, and to bright
Literary composition file M carry out data integrity validation, by by verify clear text file M be input to cloud computing center backstage, meanwhile, cloud
Cryptograph files M1 corresponding in gateway, clear text file M and digital signature are removed by security centre, if clear text file M is not passed through
Data integrity validation, then remove clear text file M and cryptograph files M1 and digital signature, and fed back by " illegal file " printed words
Working area to the foreground of cloud user's correspondence cloud computing center;
(2) " result " that the program of cloud user is run by cloud computing management system is i.e.: clear text file N input gateway, in gateway,
Cloud security center call number signature and cryptographic protocol, be digitally signed this clear text file N, and be encrypted to cryptograph files
N1, cryptograph files N1 is input to the working area of cloud computing center foreground correspondence cloud user by cloud security center again, and cloud user pass through
Authentication logs in cloud computing WEB server, enters the work of cloud computing center foreground correspondence cloud user according to Rights Management System
Make district, by cryptograph files N1, download in the client computer of cloud user side, in cloud user side intelligent card chip, cloud user side
Deciphering and signature verification agreement, the cryptograph files N1 deciphering that will receive, obtain the digital signature of clear text file N and N, then in plain text
File N carries out data integrity validation, it is thus achieved that clear text file N i.e.: program run " result ".
13, between cloud user side and cloud computing center backstage, encrypted tunnel is set up, it is ensured that cloud user is by program and number thereof
According to, by encrypted tunnel safety, the backstage of complete transmission to cloud computing center, and in the running background program of cloud computing center,
Acquisition program runs " result ", then by program operation " result " by encrypted tunnel, safety, complete transmission are to the visitor of cloud user side
In the machine of family;If it is virus document that the cloud computing center foreground that gateway receives sends the file come, cloud security center is to this virus
File is decrypted with in data integrity verification procedures, and virus document is cannot to pass through data integrity validation, then at gateway
In, can be removed by cloud security center, therefore, gateway can the attack of effective blocking virus.
14, being divided into two by cloud computing platform with gateway, every cloud user, by Rights Management System, distributes a cloud computing
Foreground district, center and a cloud computing center background work district, wherein: the manager of cloud computing unit passes through authentication,
Cloud computing center foreground and the background work district of cloud user can be logged in, in the work of cloud computing center foreground correspondence cloud user
District, the cryptograph files of the cloud user deposited, in the working area of cloud computing center backstage correspondence cloud user, deposit the plaintext of cloud user
File, gateway is received the cryptograph files deciphering on foreground, and carries out data integrity validation by cloud security center, then will be the most civilian
Part is transferred to cloud computing center backstage, and gateway is received the plaintext literary composition file on backstage by cloud security center, be digitally signed and
After encryption, then cryptograph files is transferred to cloud computing center foreground, is stored in user's clear text file on cloud computing center backstage i.e.:
Program and data thereof, at cloud computing center running background, " result " that program is run also is stored in the backstage of cloud computing center, from
And, it is ensured that cloud user file i.e.: the transmission of program and data thereof safety, storage safety and run safety.
15, a group key of storage in the client-side intelligent card chip of each cloud user and cloud computing unit management person
" base ", is to be stored in advance in intelligent chip in procedure for cipher key initialization, and key " base " accounts for 16 × 16 × 1 × 2=512 word
Joint, or 16 × 16 × 0.5 × 2=256 byte, and form key " base " table of two (16 × 16), it is set to: table Za and table Zb,
Totally 2 tables, each element of each table accounts for 0.5 or 1 byte, and the element of table Za and table Zb is mutually different, if:
16, combination key technology refers to: use a kind of combination key generating algorithm, to key " base " i.e.: the element of table Za and Zb
Choosing, select 32 elements and synthesize one group of symmetric key, this is a kind of combination key generating algorithm, if: S1,
S2 ..., SY, for Y (Y=16) individual hexadecimal random number, by the random number in smart card, encrypted card or encryption equipment chip
Generator produces, or is produced by the WEB server of cloud computing, and concrete combination key generating algorithm is as follows:
With the numerical value correspondence table Za S1 row element of the 1st hexadecimal random number S1, carry out corresponding table Za S2 with the numerical value of S2
The element of row, takes out the element of table Za S1 row and S2 row infall, is set to: kk1, with the numerical value correspondence table Za S2 of S2
Row element, carrys out the element of corresponding table Za S3 row with the numerical value of S3, is taken out by the element of table Za S2 row and S3 row infall,
It is set to: kk2;..., with the numerical value correspondence table Za S16 row element of S16, come the unit of corresponding table Za S1 row with the numerical value of S1
Element, takes out the element of S16 row and S1 row infall, is set to: kk16;
With the numerical value correspondence table Zb S1 row element of the 1st hexadecimal random number S1, carry out corresponding table Zb S2 with the numerical value of S2
The element of row, by the taking-up of the element of table Zb S1 row and S2 row infall, is set to: kk17, with the numerical value correspondence table Zb of S2 the
S2 row element, carrys out the element of corresponding table Zb S3 row, is taken by the element of table Zb S2 row and S3 row infall with the numerical value of S3
Go out, be set to: kk18;..., with the numerical value correspondence table Zb S16 row element of S16, carry out corresponding table Zb S1 row with the numerical value of S1
Element, takes out the element of S16 row and S1 row infall, is set to: kk32;
When the element of table Za and table Zb is 0.5 byte, these 16 elements of table Za will be selected i.e.: kk1, kk2 ..., kk16,
With select these 16 elements of table Zb i.e.: kk17, kk18 ..., kk32, synthesize one group of symmetric key, it may be assumed that kk1,
Kk2 ..., kk16, kk17 ..., kk32;
When the element of table Za and table Zb is 1 byte, these 16 elements of table Za will be selected i.e.: kk1, kk2 ..., kk16, with
Select these 16 elements of table Zb i.e.: kk17, kk18 ..., kk32, para-position mould two adds one group of symmetric key of generation, it may be assumed that kk1&
CirclePlus;kk17,kk2⊕kk18,......,kk16⊕kk32.]]>
17, the method using combination key generating algorithm to generate key is illustrated, if: S1, S2, S3 ..., S16=3,0,
9,6, A, 5,4, F, 8, B, 1, C, 7,2, E, D, each element of table Za and Zb accounts for 0.5 byte or 1 byte, then:
The numerical value of the 1st and the 2nd random number is respectively 3 and 0, take table Za the 4th row the 1st row element, Za30,
The numerical value of the 2nd and the 3rd random number is respectively 0 and 9, take table Za the 1st row the 10th row element, Za09,
The numerical value of the 3rd and the 4th random number is respectively 9 and 6, take table Za the 10th row the 7th row element, Za96,
The numerical value of the 4th and the 5th random number is respectively 6 and A, take table Za the 7th row the 11st row element, Za610,
The numerical value of the 5th and the 6th random number is respectively A and 5, take table Za the 11st row the 6th row element, Za105,
The numerical value of the 6th and the 7th random number is respectively 5 and 4, take table Za the 6th row the 5th row element, Za54,
The numerical value of the 7th and the 8th random number is respectively 4 and F, take table Za the 5th row the 16th row element, Za415,
The numerical value of the 8th and the 9th random number is respectively F and 8, take table Za the 16th row the 9th row element, Za158,
The numerical value of the 9th and the 10th random number is respectively 8 and B, take table Za the 9th row the 12nd row element, Za811,
The numerical value of the 10th and the 11st random number is respectively B and 1, take table Za the 12nd row the 2nd row element, Za111,
The numerical value of the 11st and the 12nd random number is respectively 1 and C, take table Za the 2nd row the 13rd row element, Za112,
The numerical value of the 12nd and the 13rd random number is respectively C and 7, take table Za the 13rd row the 8th row element, Za127,
The numerical value of the 13rd and the 14th random number is respectively 7 and 2, take table Za eighth row the 3rd row element, Za72,
The numerical value of the 14th and the 15th random number is respectively 2 and E, take table Za the 3rd row the 15th row element, Za214,
The numerical value of the 15th and the 16th random number is respectively E and D, take table Za the 15th row the 14th row element, Za1413,
The numerical value of the 16th and the 1st random number is respectively D and 3, take table Za the 14th row the 4th row element, Za133,
Therefore, according to random number S1, S2, S3 ..., S16=3,0,9,6, A, 5,4, F, 8, B, 1, C, 7,2, E, D, from table Za
In, take out 16 elements, it may be assumed that Za30, Za09, Za96, Za610, Za105, Za54, Za415, Za158, Za811, Za111,
Za112, Za127, Za72, Za214, Za1413, Za133;
Following:
The numerical value of the 1st and the 2nd random number is respectively 3 and 0, take table Zb the 4th row the 1st row element, Zb30,
The numerical value of the 2nd and the 3rd random number is respectively 0 and 9, take table Zb the 1st row the 10th row element, Zb09,
The numerical value of the 3rd and the 4th random number is respectively 9 and 6, take table Zb the 10th row the 7th row element, Zb96,
The numerical value of the 4th and the 5th random number is respectively 6 and A, take table Zb the 7th row the 11st row element, Zb610,
The numerical value of the 5th and the 6th random number is respectively A and 5, take table Zb the 11st row the 6th row element, Zb105,
The numerical value of the 6th and the 7th random number is respectively 5 and 4, take table Zb the 6th row the 5th row element, Zb54,
The numerical value of the 7th and the 8th random number is respectively 4 and F, take table Za the 5th row the 16th row element, Zb415,
The numerical value of the 8th and the 9th random number is respectively F and 8, take table Zb the 16th row the 9th row element, Zb158,
The numerical value of the 9th and the 10th random number is respectively 8 and B, take table Zb the 9th row the 12nd row element, Zb811,
The numerical value of the 10th and the 11st random number is respectively B and 1, take table Zb the 12nd row the 2nd row element, Zb111,
The numerical value of the 11st and the 12nd random number is respectively 1 and C, take table Zb the 2nd row the 13rd row element, Zb112,
The numerical value of the 12nd and the 13rd random number is respectively C and 7, take table Zb the 13rd row the 8th row element, Zb127,
The numerical value of the 13rd and the 14th random number is respectively 7 and 2, take table Zb eighth row the 3rd row element, Zb72,
The numerical value of the 14th and the 15th random number is respectively 2 and E, take table Zb the 3rd row the 15th row element, Zb214,
The numerical value of the 15th and the 16th random number is respectively E and D, take table Zb the 15th row the 14th row element, Zb1413,
The numerical value of the 16th and the 1st random number is respectively D and 3, take table Zb the 14th row the 4th row element, Zb133,
Therefore, according to random number S1, S2, S3 ..., S16=3,0,9,6, A, 5,4, F, 8, B, 1, C, 7,2, E, D, from table Zb
In, take out 16 elements, it may be assumed that Zb30, Zb09, Zb96, Zb610, Zb105, Zb54, Zb415, Zb158, Zb811, Zb111,
Zb112, Zb127, Zb72, Zb214, Zb1413, Zb133;
When the element of table Za and table Zb respectively accounts for 0.5 byte, then: by from the element of table Za and table Zb, each 16 units taken out
Element, totally 32 elements synthesize one group of symmetric key and are: Za30, Za09, Za96, Za610, Za105, Za54, Za415, Za158,
Za811, Za111, Za112, Za127, Za72, Za214, Za1413, Za133, Zb30, Zb09, Zb96, Zb610, Zb105,
Zb54, Zb415, Zb158, Zb811, Zb111, Zb112, Zb127, Zb72, Zb214, Zb1413, Zb133, this symmetric key accounts for
16 bytes are i.e.: 128 bits,
When the element of table Za and table Zb respectively accounts for 1 byte, then: by from the element of table Za and table Zb, each 16 elements taken out,
Para-position mould two adds respectively, one group of symmetric key of resynthesis, it may be assumed that Za30⊕Zb30,Za09⊕
Zb09,]]>Za96⊕Zb96,Za610⊕Zb610,Za105⊕Zb105,
Za54⊕Zb54,Za415⊕Zb415,Za158⊕Zb158,Za811&
CirclePlus;Zb811,Za111⊕Zb111,Za112⊕Zb112,Za127&
CirclePlus;Zb127,Za72⊕Zb7]]>2,Za214⊕Zb214,Za1413&
CirclePlus;Zb1413,Za133⊕Zb133 ,]] > this symmetric key accounts for 16 bytes i.e.: 128 bits.
18, the digital signature of cloud user side and cryptographic protocol, in intelligent card chip, the encryption system of cloud user side, adjust
Produce one group of random number SS1 with generator in intelligent chip, recall combination key generating algorithm, according to random number SS1 to intelligence
Key " base " in energy chip, it may be assumed that the element of table Za and table Zb is chosen, and selects 16 elements, totally 32 elements respectively, and
Synthesize one group of symmetric key K1, call digest algorithm to file M i.e.: program and data thereof are made a summary, generate summary info L1,
Recall symmetric key K1 and symmetric cryptographic algorithm to encrypt file M and summary info L1, obtain file M's and summary info L1
Ciphertext M1, wherein: be encrypted the summary info L1 of file M, the ciphertext of generation is digital signature.
19, the deciphering of cloud security center-side and signature verification agreement, cloud security center-side encryption system is according to cloud user's
Mark, to the ciphertext record that should identify in key " base " data base of location, by adding of this ciphertext record input cloud security center
In close card or encryption equipment chip, call storage key K, decipher this ciphertext record, obtain this cloud ID counterpart keys " base "
That is: the element of table Za and table Zb in plain text, calls combination key generating algorithm, according to the random number SS1 received, to key " base "
That is: the element of table Za and table Zb is chosen, and selects 16 elements, totally 32 elements respectively, and synthesizes one group of symmetric key K2,
Recall symmetric key K2 and symmetric cryptographic algorithm to decipher M1, obtain the plaintext of M1 i.e.: file M and summary info L1, then adjust
With digest algorithm, file M is made a summary, generate summary info L2, the most identical by contrast L1 with L2, verify the number to M
Word signature is the most legal, thus, it is achieved the signature verification to file M.
20, the digital signature of cloud security center-side and cryptographic protocol, cloud security center-side encryption system is according to cloud user's
Mark, to the ciphertext record that should identify in key " base " data base of location, by adding of this ciphertext record input cloud security center
In close card or encryption equipment chip, call storage key K, decipher this ciphertext record, obtain this cloud ID counterpart keys " base "
That is: the element of table Za and table Zb in plain text, calls the randomizer in encrypted card or encryption equipment chip, produces one group of random number
SS2, recalls combination key generating algorithm, according to random number SS2 to key " base " i.e.: the element of table Za and table Zb selects
Take, select 16 elements, totally 32 elements respectively, and synthesize one group of symmetric key K3, call digest algorithm and receive in gateway
File N i.e.: program is run " result " and is made a summary, and generates summary info L3, recalls symmetric key K3 and symmetric cryptography and calculates
Method, encrypts file N and summary info L3, obtains file N and ciphertext N1 of summary info L3, wherein: believe the summary of file N
Breath L3 is encrypted, and the ciphertext of generation is digital signature.
21, the deciphering of cloud user side and signature verification agreement, in intelligent card chip, cloud user side encryption system calls group
Close key schedule, according to the random number SS2 received to the key " base " in intelligent card chip, it may be assumed that table Za and table Zb element
Choose, select 16 elements, totally 32 elements respectively, and synthesize one group of symmetric key K4, recall symmetric key K4 and
Symmetric cryptographic algorithm carrys out decrypting ciphertext N1, obtains the plaintext of ciphertext N1 i.e.: file N and summary info L3, recalls digest algorithm
File N is made a summary, generates summary info L4, the most identical by contrast L3 with L4, whether verify the digital signature to N
Legal, thus, it is achieved the signature verification to file N.
22, cloud user or cloud computing unit management person's identity authentication protocol, cloud user or cloud computing unit management person are visitor
On the machine of family insert smart card, login button in " click " cloud computing WEB server, cloud computing WEB server produce one group random
Number and timestamp, and it is sent to the client-side of cloud user or cloud computing unit management person, the encryption system in intelligent card chip
System, calls combination key generating algorithm, according to the random number received to key " base " i.e.: the element of table Za and table Zb selects
Take, select 16 elements, totally 32 elements respectively, and synthesize one group of symmetric key KK, carry out encrypted random number with KK and generate certification
Password H1, then by cloud user or the mark of cloud computing unit management person, random number, timestamp, certification password H1 and client computer
IP address, is sent to WEB server in the lump, and WEB server relays to cloud security center.
23, the identity authentication protocol of cloud security center-side, cloud security center receives the mark of cloud user, random number, time
Behind the IP address of stamp, certification password H1 and client computer, according to cloud user or the mark of cloud computing unit management person, at key " base "
Lane database location ciphertext record, finds key " base " ciphertext of correspondence, and inputs encrypted card or the encryption equipment at cloud security center
In chip, in encrypted card or encryption equipment chip, call storage key K to decipher this key " base " ciphertext, obtain key " base "
Plaintext, recall combination key generating algorithm, according to random number to key " base " i.e.: the plaintext element of table Za and table Zb is carried out
Choose, select 16 elements, totally 32 elements respectively, and synthesize one group of symmetric key K2, carry out encrypted random number and generate certification mouth
Making H2, contrast H1 and H2, as H1=H2, the authentication of cloud user or cloud computing unit management person is used by being legal cloud
Family or legal cloud computing unit management person, then according to the Rights Management System of cloud computing, log in cloud computing center foreground correspondence cloud
The working area of user, wherein: cloud computing unit management person can log in the working area of whole cloud user, as H1 ≠ H2, cloud user
Or the authentication of cloud computing unit management person do not passes through, it is illegal cloud user or illegal cloud computing unit management person, Yunan County
Full center feeds back to WEB server " disabled user " printed words, and WEB server relays in the client computer of cloud user side.
24, using combination key technology, the various security protocols of the cloud computing of foundation, security protocol includes: authentication
Agreement, digital signature and cryptographic protocol, deciphering and signature verification agreement, and cryptographic protocol, every group key " base " i.e.: table Za and
Zb, accounts for 256 or 512 bytes altogether, the mark of 300,000,000 groups of cloud users of cloud security central store and key " base ", constitute about 80GB or
160GB, takies cloud security center resources less, thus, it is ensured that cloud security center can manage large-scale cloud user, and can build
The cloud security center of low cost.
25, using combination key technology, the repetitive rate generating symmetric key is the least, and each repetitive rate is: 1/264 × 1/
264=1/2128, thus, it is ensured that every time generate symmetric key i.e.: for encrypting, certification or the key of signature, almost one time one
Become, do not repeat, thus, improve the safe class of each security protocol in cloud security center.
26, digital signature protocol and cryptographic protocol are merged into digital signature and cryptographic protocol, by a kind of combination key
Generating algorithm, generates one group of symmetric key to complete digital signature and the encryption of file, by decryption protocol and signature verification agreement
I.e. data integrity validation agreement, is merged into deciphering and signature verification agreement, by a kind of combination key generating algorithm, generates one
Group symmetric key completes deciphering and the signature verification of data, can be greatly improved the operational efficiency of various security protocol, and every time
Generating symmetric key is to be automatically performed by combination key generating algorithm, it is not necessary to artificial regeneration symmetric key, thus, can significantly drop
The low key maintenance cost at cloud security center.
27, in cloud security, login Log Administration System is set up, when cloud user or cloud computing unit management person use
Smart card, when carrying out authentication login cloud computing platform, cloud user or cloud computing unit management person under cloud security central record
Logging in the login parameters of cloud computing platform, login parameters includes: random number, the mark of cloud user, timestamp and the IP of client computer
Address, meanwhile, the login parameters recorded is encrypted to ciphertext by cloud security center, is stored in login log database.
28, in cloud security, Operation Log Management system is set up, when the cloud computing list having logged on cloud computing platform
When file is operated by position manager, wherein: operation file includes: browse file, amendment file, copied files, transmission literary composition
Part or mimeograph documents, the parameter of cloud computing unit management person operation file under cloud security central record, operating parameter includes: cloud meter
Calculate the mark of unit management person, timestamp, by the filename of operation file and the IP address of client computer, meanwhile, cloud security center
The operating parameter recorded is encrypted to ciphertext, is stored in Operation Log lane database.
29, login log database and the process of Operation Log data base are set up at cloud security center,
(1) setting up login log database process is, in cloud security center encrypted card or encryption equipment chip, cloud security center
Cryptographic protocol calls randomizer and produces one group of random number, calls combination key generating algorithm, according to random number to storage
The key " base " of one group of super management cloud in encrypted card or encryption equipment chip is i.e.: table Za and table Zb chooses, and selects respectively
Go out 16 elements, totally 32 elements, and synthesize one group of symmetric key, the 1st article of record divisor evidence that will log in log database
Outside No. ID of storehouse and random number field, all it is encrypted to ciphertext, it may be assumed that by the cloud user in login parameters or cloud computing unit management person
The IP address encryption of mark, timestamp and client computer become ciphertext to store, by same method, then produce one group of random number, and
According to one group of symmetric key of this generating random number, by the 2nd article of record logging in log database except No. ID of data base and with
Outside machine digital section, all it is encrypted to ciphertext ..., finally, produce one group of random number, and close according to one group of symmetry of this generating random number
Key, by last 1 record of logging in log database in addition to No. ID of data base and random number field, is all encrypted to ciphertext;
(2) setting up Operation Log data base procedure is, in cloud security center encrypted card or encryption equipment chip, cloud security center
Cryptographic protocol calls randomizer and produces one group of random number, calls combination key generating algorithm, according to random number to storage
The key " base " of one group of super manager in encrypted card or encryption equipment chip is i.e.: table Za and table Zb chooses, and selects respectively
Go out 16 elements, totally 32 elements, and synthesize one group of symmetric key, by the 1st article of record divisor evidence in Operation Log data base
Outside the ID field in storehouse and random number field, all it is encrypted to ciphertext, it may be assumed that by the cloud user in operating parameter or cloud computing unit tube
The mark of reason person, timestamp, by the filename of operation file and the IP address of client computer, be encrypted to ciphertext storage, with same
Method, then produce one group of random number, and according to one group of symmetric key of this generating random number, by the 2nd in Operation Log database data
Bar record, is all encrypted to ciphertext in addition to the ID field and timestamp field of data base ..., finally, produce one group of random number,
And according to one group of symmetric key of this generating random number, last 1 record in Operation Log data base is removed data base No. ID
Outside field and timestamp field, all it is encrypted to ciphertext.
30, use a kind of combination key generating algorithm, generate one group of symmetric key, come encrypted login log database and behaviour
Making log database record, i.e. one records corresponding one group of random number, the most corresponding one group of symmetric key, combination key generates and calculate
The symmetric key that method produces, almost one time one change, can improve login log database and the secrecy etc. of Operation Log data base
Level, can facilitate again super manager to browse the recorded content specified.
31, the library structure logging in log database is as follows:
32, the library structure of Operation Log data base is as follows:
33, the super manager of cloud user management unit uses smart card, to logging in log database and Operation Log data base
Ciphertext record be decrypted, decryption method is, the decryption protocol in super manager's intelligent card chip, calls combination key raw
Become algorithm, according to logging in the random number deposited in log database every record, to one group of super management in intelligent card chip
The key " base " of member is i.e.: table Za and table Zb chooses, and selects 16 elements, totally 32 elements respectively, and synthesize one group symmetrical
Key, is decrypted into logging in ciphertext record corresponding in log database in plain text;By same decryption method, it may be assumed that according to operation
The random number deposited in log database every record, to the key " base " of one group of super manager in intelligent card chip i.e.:
Table Za and table Zb chooses, and selects 16 elements, totally 32 elements respectively, and synthesizes one group of symmetric key, by Operation Log
The ciphertext record that lane database is corresponding is decrypted in plain text, and the super manager for cloud user management unit browses analysis.
34, login daily record data and the data base of Operation Log are set up at cloud security center, surpassing of only cloud computing unit
Level manager, just can browse login log database and the data-base recording content of Operation Log, the pipe of other cloud computing units
Reason personnel cannot browse, the super manager of cloud computing unit, it is possible to monitors the login situation of cloud user in real time, it is possible in real time
Monitor cloud computing unit management person i.e.: the login situation of internal staff, and which file " click " crosses, outside energy effective monitoring
Hacker's attack to cloud computing platform, effective monitoring cloud computing platform is from the illegal operation of internal control personnel, such as: steal cloud
The program of user and data thereof.
Claims (9)
1. an implementation method based on cloud computing safty architecture device, be use chip hardware equipment, symmetric cryptographic algorithm and
Combination key technology, under non-cloud computing environment, use smart card is as the hardware device of client encryption system, at smart card
Chip in, use symmetric cryptographic algorithm to set up client encryption system, and write symmetric cryptographic algorithm, digest algorithm, combination
Key schedule, key " base ", client identity authentication protocol, digital signature protocol, signature verification agreement, enciphering/deciphering are assisted
View, sets up authentication center at network application server end, and authentication center is added by insertion polylith in multiple servers, every station server
Close card or access multiple stage encryption equipment equipment composition, use symmetric cryptographic algorithm to set up end encryption system of authentication center in authentication center
System, in encrypted card or encryption equipment chip, write symmetric cryptographic algorithm, digest algorithm, one group of storage key K, authentication center's end
Identity authentication protocol, digital signature protocol, signature verification agreement and enciphering/deciphering agreement, and the key " base " of super manager,
At server key " base " lane database of authentication center, store total user key " base " ciphertext, wherein: total user key
" base " is used the storage key K in encrypted card or encryption equipment chip to be encrypted to ciphertext in advance, builds in network application server
The Rights Management System of vertical user, shares out the work district for user, and user uses smart card in client, by intelligent card chip
Identity authentication protocol logging in network application server, and according to Rights Management System, the network application server user of entrance
Corresponding working area, user uses smart card in client, is digitally signed by the file of client, re-encrypts into ciphertext,
Digital signature is submitted to cryptograph files the working area that network application server user is corresponding, authentication center's ciphertext to delivering to
File is decrypted and data integrity validation, leaves legal clear text file in work that network application server user is corresponding
District, wherein: identity authentication protocol, digital signature protocol, signature verification agreement and enciphering/deciphering agreement, all uses symmetric cryptography to calculate
Method and combination key technology are set up, and combination key technology is to use a kind of combination key generating algorithm, it may be assumed that by one group of random number,
In the table form a group key " base ", element is chosen, and the element selected is merged into one group of symmetric key, as adding/solving
Decryption key, certification key or signature key, thus, it is achieved under non-cloud computing environment, client and network application server end
Between authenticating user identification, data integrity authentication and Data Encryption Transmission;
The present invention is the security architecture using gateway equipment to set up cloud computing, it is achieved the use between cloud user side and cloud computing platform
Family authentication, data integrity validation and Data Encryption Transmission, being technically characterized in that of its method
Under cloud computing environment, cloud computing platform is divided into the foreground of cloud computing center and the backstage of cloud computing center, at cloud meter
The clear text file of the foreground storage cloud user at calculation center, at the cryptograph files of the backstage of cloud computing center storage cloud user, cloud meter
The foreground at calculation center is connected with the WEB server of cloud computing, by one between foreground and the cloud computing center backstage of cloud computing center
Platform gateway equipment is connected, and cloud security center is connected with WEB server and the gateway of cloud computing respectively, and cloud user uses intelligence
Card, carries out authentication and logs in the working area of cloud computing center foreground correspondence cloud user, and before sending out and delivering to cloud computing center
The file of platform is i.e.: program and data thereof, is digitally signed and encrypts, then contained by cryptograph files: digital signature, is submitted to cloud meter
The working area of foreground, calculation center correspondence cloud user, cloud computing management system is by work corresponding for the foreground cloud user of cloud computing center
Qu Li, the cryptograph files of the cloud user of storage contains: digital signature, is sent to gateway, and in gateway, cloud security center is to this ciphertext
File contains: digital signature, is decrypted and data integrity validation, the clear text file of legal cloud user is sent in cloud computing
The backstage of the heart, at the running background program of cloud computing center, cloud computing management system, runs " result " i.e. clear text file by program
Being sent to gateway, in gateway, this plaintext literary composition file is digitally signed and encrypts by cloud security center, and by cryptograph files
Containing: digital signature, be sent in the lump in the working area that the foreground cloud user of cloud computing center is corresponding, cloud user passes through authentication
Log in the working area that the foreground cloud user of cloud computing center is corresponding, this ciphertext part is contained: digital signature, download to cloud user side
In client computer, in cloud user side intelligent card chip, this cryptograph files is contained: digital signature, be decrypted and data integrity
Checking, obtains program and runs the plaintext of " result ", sets up at cloud security center and logs in log database and Operation Log data base,
Record cloud user and cloud computing unit management person log in cloud computing platform and operation cloud user file have related parameter, in cloud security
The heart uses combination key generating algorithm, and it is raw to call the key " base " of the super manager of storage in encrypted card or encryption equipment chip
Become symmetric key, the whole records logged in log database and Operation Log data base are encrypted to respectively ciphertext storage, and
Every record uses one group of symmetric key encryption, and super manager uses the smart card of super manager, to logging in daily record data
Ciphertext record in storehouse and Operation Log data base is decrypted, thus, set up cloud computing safty architecture system.
Method the most according to claim 1, it is characterised in that:
Encrypted tunnel is set up between cloud user side and the backstage of cloud computing center,
(1) cloud user is by file M i.e.: program and data thereof, by the encrypted and digitally signed agreement in intelligent card chip, by literary composition
Part M is digitally signed, and is encrypted to cryptograph files M1, then is logged in the WEB server of cloud computing by authentication, and according to
Rights Management System, enters the working area of cloud computing center foreground correspondence cloud user, and cloud user submits to cryptograph files M1 to cloud meter
The working area of foreground, calculation center correspondence cloud user, in the working area of cloud computing center foreground correspondence cloud user, cloud user " clicks on "
The cryptograph files M1 run, cloud computing center management system is needed cryptograph files M1 to be inputted gateway, in gateway, in cloud security
The heart calls deciphering and signature verification agreement, and cryptograph files M1 is decrypted into clear text file M and the digital signature of file M, and to bright
Literary composition file M carry out data integrity validation, by by verify clear text file M be input to cloud computing center backstage, meanwhile, cloud
Cryptograph files M1 corresponding in gateway, clear text file M and digital signature are removed by security centre, if clear text file M is not passed through
Data integrity validation, then remove clear text file M and cryptograph files M1 and digital signature, and fed back by " illegal file " printed words
Working area to the foreground of cloud user's correspondence cloud computing center;
(2) " result " that the program of cloud user is run by cloud computing management system is i.e.: clear text file N input gateway, in gateway,
Cloud security center call number signature and cryptographic protocol, be digitally signed this clear text file N, and be encrypted to cryptograph files
N1, cryptograph files N1 is input to the working area of cloud computing center foreground correspondence cloud user by cloud security center again, and cloud user pass through
Authentication logs in cloud computing WEB server, enters the work of cloud computing center foreground correspondence cloud user according to Rights Management System
Make district, by cryptograph files N1, download in the client computer of cloud user side, in cloud user side intelligent card chip, cloud user side
Deciphering and signature verification agreement, the cryptograph files N1 deciphering that will receive, obtain the digital signature of clear text file N and N, then in plain text
File N carries out data integrity validation, it is thus achieved that clear text file N i.e.: program run " result ".
Method the most according to claim 2, it is characterised in that:
Encrypted tunnel is set up, it is ensured that cloud user, by program and data thereof, passes through between cloud user side and cloud computing center backstage
Encrypted tunnel safety, complete transmission are to the backstage of cloud computing center, and in the running background program of cloud computing center, it is thus achieved that program
Run " result ", then by program operation " result " by encrypted tunnel, in safety, complete transmission to the client computer of cloud user side;
If it is virus document that the cloud computing center foreground that gateway receives sends the file come, this virus document is carried out by cloud security center
In deciphering and data integrity verification procedures, virus document is to pass through data integrity validation, then in gateway, and can be by cloud
Security centre removes, and therefore, gateway can the attack of effective blocking virus.
Method the most according to claim 1, it is characterised in that:
Being divided into two by cloud computing platform with gateway, every cloud user is by Rights Management System, before distributing a cloud computing center
Platform working area and a cloud computing center background work district, wherein: the manager of cloud computing unit passes through authentication, Ke Yideng
The cloud computing center foreground of record cloud user and background work district, in the working area of cloud computing center foreground correspondence cloud user, deposit
The cryptograph files of cloud user, in the working area of cloud computing center backstage correspondence cloud user, deposit the clear text file of cloud user, cloud
Gateway is received the cryptograph files deciphering on foreground by security centre, and carries out data integrity validation, then clear text file is transmitted
To cloud computing center backstage, gateway is received the plaintext literary composition file on backstage by cloud security center, after being digitally signed and encrypting,
Cryptograph files is transferred to cloud computing center foreground again, is stored in user's clear text file on cloud computing center backstage i.e.: program and
Its data, at cloud computing center running background, " result " that program is run also is stored in the backstage of cloud computing center, thus, protect
Demonstrate,prove cloud user file i.e.: the transmission safety of program and data thereof, storage safety and operation safety.
Method the most according to claim 1, it is characterised in that:
Combination key technology refers to: use a kind of combination key generating algorithm, to key " base " i.e.: the element of table Za and Zb is carried out
Choosing, select 32 elements and synthesize one group of symmetric key, this is a kind of combination key generating algorithm, if: S1, S2 ...,
SY, for Y (Y=16) individual hexadecimal random number, is produced by the randomizer in smart card, encrypted card or encryption equipment chip
Raw, or produced by the WEB server of cloud computing, concrete combination key generating algorithm is as follows:
With the numerical value correspondence table Za S1 row element of the 1st hexadecimal random number S1, carry out corresponding table Za S2 with the numerical value of S2
The element of row, takes out the element of table Za S1 row and S2 row infall, is set to: kk1, with the numerical value correspondence table Za S2 of S2
Row element, carrys out the element of corresponding table Za S3 row with the numerical value of S3, is taken out by the element of table Za S2 row and S3 row infall,
It is set to: kk2;..., with the numerical value correspondence table Za S16 row element of S16, come the unit of corresponding table Za S1 row with the numerical value of S1
Element, takes out the element of S16 row and S1 row infall, is set to: kk16;
With the numerical value correspondence table Zb S1 row element of the 1st hexadecimal random number S1, carry out corresponding table Zb S2 with the numerical value of S2
The element of row, by the taking-up of the element of table Zb S1 row and S2 row infall, is set to: kk17, with the numerical value correspondence table Zb of S2 the
S2 row element, carrys out the element of corresponding table Zb S3 row, is taken by the element of table Zb S2 row and S3 row infall with the numerical value of S3
Go out, be set to: kk18;..., with the numerical value correspondence table Zb S16 row element of S16, carry out corresponding table Zb S1 row with the numerical value of S1
Element, takes out the element of S16 row and S1 row infall, is set to: kk32;
When the element of table Za and table Zb is 0.5 byte, these 16 elements of table Za will be selected i.e.: kk1, kk2 ..., kk16,
With select these 16 elements of table Zb i.e.: kk17, kk18 ..., kk32, synthesize one group of symmetric key, it may be assumed that kk1,
Kk2 ..., kk16, kk17 ..., kk32;
When the element of table Za and table Zb is 1 byte, these 16 elements of table Za will be selected i.e.: kk1, kk2 ..., kk16, with
Select these 16 elements of table Zb i.e.: kk17, kk18 ..., kk32, para-position mould two adds one group of symmetric key of generation, it may be assumed that kk1&
CirclePlus;kk17,kk2⊕kk18,......,kk16⊕kk32.]]>。
Method the most according to claim 1, it is characterised in that:
(1) digital signature of cloud user side and cryptographic protocol, in intelligent card chip, the encryption system of cloud user side, calls intelligence
In energy chip, generator produces one group of random number SS1, recalls combination key generating algorithm, according to random number SS1 to intelligence core
Key " base " in sheet, it may be assumed that the element of table Za and table Zb is chosen, selects 16 elements, totally 32 elements respectively, and synthesizes
One group of symmetric key K1, calls digest algorithm to file M i.e.: program and data thereof are made a summary, and generates summary info L1, then adjusts
Encrypt file M and summary info L1 with symmetric key K1 and symmetric cryptographic algorithm, obtain file M and the ciphertext of summary info L1
M1, wherein: be encrypted the summary info L1 of file M, the ciphertext of generation is digital signature;
(2) deciphering of cloud security center-side and signature verification agreement, cloud security center-side encryption system according to the mark of cloud user,
To the ciphertext record that should identify in key " base " data base of location, by the encrypted card at this ciphertext record input cloud security center or
In encryption equipment chip, call storage key K, decipher this ciphertext record, obtain this cloud ID counterpart keys " base " i.e.: table Za
With the element of table Zb in plain text, call combination key generating algorithm, according to the random number SS1 received, to key " base " i.e.: table Za and
The element of table Zb is chosen, and selects 16 elements, totally 32 elements respectively, and synthesizes one group of symmetric key K2, and it is right to recall
Claim key K2 and symmetric cryptographic algorithm to decipher M1, obtain the plaintext of M1 i.e.: file M and summary info L1, recall summary and calculate
File M is made a summary by method, generates summary info L2, the most identical by contrast L1 with L2, verifies that the digital signature to M is
No legal, thus, it is achieved the signature verification to file M;
(3) digital signature of cloud security center-side and cryptographic protocol, cloud security center-side encryption system according to the mark of cloud user,
To the ciphertext record that should identify in key " base " data base of location, by the encrypted card at this ciphertext record input cloud security center or
In encryption equipment chip, call storage key K, decipher this ciphertext record, obtain this cloud ID counterpart keys " base " i.e.: table Za
With the element plaintext of table Zb, call the randomizer in encrypted card or encryption equipment chip, produce one group of random number SS2, then
Call combination key generating algorithm, according to random number SS2 to key " base " i.e.: the element of table Za and table Zb is chosen, respectively
Select 16 elements, totally 32 elements, and synthesize one group of symmetric key K3, call the digest algorithm file N to receiving in gateway
That is: program operation " result " is made a summary, and generates summary info L3, recalls symmetric key K3 and symmetric cryptographic algorithm, add
Ciphertext part N and summary info L3, obtains file N and ciphertext N1 of summary info L3, wherein: enter the summary info L3 of file N
Row encryption, the ciphertext of generation is digital signature;
(4) deciphering of cloud user side and signature verification agreement, in intelligent card chip, it is close that cloud user side encryption system calls combination
Key generating algorithm, according to the random number SS2 received to the key " base " in intelligent card chip, it may be assumed that table Za and table Zb element are carried out
Choose, select 16 elements, totally 32 elements respectively, and synthesize one group of symmetric key K4, recall symmetric key K4 and symmetry
Cryptographic algorithm carrys out decrypting ciphertext N1, obtains the plaintext of ciphertext N1 i.e.: file N and summary info L3, recalls digest algorithm to literary composition
Part N makes a summary, and generates summary info L4, the most identical by contrast L3 with L4, verifies whether the digital signature to N closes
Method, thus, it is achieved the signature verification to file N;
(5) cloud user or cloud computing unit management person's identity authentication protocol, cloud user or cloud computing unit management person are in client computer
Upper insertion smart card, login button in " click " cloud computing WEB server, cloud computing WEB server produce one group of random number and
Timestamp, and it is sent to the client-side of cloud user or cloud computing unit management person, the encryption system in intelligent card chip, adjust
Use combination key generating algorithm, according to the random number received to key " base " i.e.: the element of table Za and table Zb is chosen, respectively
Select 16 elements, totally 32 elements, and synthesize one group of symmetric key KK, carry out encrypted random number with KK and generate certification password H1,
Again by cloud user or the mark of cloud computing unit management person, random number, timestamp, certification password H1 and the IP address of client computer,
Being sent to WEB server in the lump, WEB server relays to cloud security center;
(6) identity authentication protocol of cloud security center-side, cloud security center receives the mark of cloud user, random number, timestamp, recognizes
Behind the IP address of card password H1 and client computer, according to cloud user or the mark of cloud computing unit management person, in key " base " data
Ku Li positions ciphertext record, finds key " base " ciphertext of correspondence, and inputs encrypted card or the encryption equipment chip at cloud security center
In, in encrypted card or encryption equipment chip, call storage key K to decipher this key " base " ciphertext, obtain the bright of key " base "
Literary composition, recalls combination key generating algorithm, according to random number to key " base " i.e.: the plaintext element of table Za and table Zb selects
Take, select 16 elements, totally 32 elements respectively, and synthesize one group of symmetric key K2, carry out encrypted random number and generate certification password
H2, contrasts H1 and H2, and as H1=H2, the authentication of cloud user or cloud computing unit management person is by being legal cloud user
Or legal cloud computing unit management person, then according to the Rights Management System of cloud computing, log in cloud computing center foreground correspondence cloud and use
The working area at family, wherein: cloud computing unit management person can log in the working area of whole cloud user, as H1 ≠ H2, cloud user or
The authentication of cloud computing unit management person is not passed through, and is illegal cloud user or illegal cloud computing unit management person, cloud security
Center feeds back to WEB server " disabled user " printed words, and WEB server relays in the client computer of cloud user side.
7. according to the method for claim 5 or 6, it is characterised in that:
(1) using combination key technology, the various security protocols of the cloud computing of foundation, security protocol includes: identity authentication protocol,
Digital signature and cryptographic protocol, deciphering and signature verification agreement, and cryptographic protocol, every group key " base " i.e.: table Za and Zb, altogether
Account for 256 or 512 bytes, the mark of 300,000,000 groups of cloud users of cloud security central store and key " base ", constitute about 80GB or 160GB, account for
Less by cloud security center resources, thus, it is ensured that cloud security center can manage large-scale cloud user, and can Construction of Low Cost
Cloud security center;
(2) using combination key technology, the repetitive rate generating symmetric key is the least, and each repetitive rate is: 1/264 × 1/264
=1/2128, thus, it is ensured that every time generate symmetric key i.e.: for encrypting, certification or the key of signature, almost one time one change,
Do not repeat, thus, improve the safe class of each security protocol in cloud security center;
(3) digital signature protocol and cryptographic protocol are merged into digital signature and cryptographic protocol, are generated by a kind of combination key
Algorithm, generates one group of symmetric key to complete digital signature and the encryption of file, by several to decryption protocol and signature verification agreement
According to integrity verification agreement, it is merged into deciphering and signature verification agreement, by a kind of combination key generating algorithm, generates one group pair
Claim key to complete deciphering and the signature verification of data, the operational efficiency of various security protocol can be greatly improved, and generate every time
Symmetric key is to be automatically performed by combination key generating algorithm, it is not necessary to artificial regeneration symmetric key, thus, can greatly reduce
The key maintenance cost at cloud security center.
Method the most according to claim 1, it is characterised in that:
(1) setting up login log database process is, in cloud security center encrypted card or encryption equipment chip, cloud security center
Cryptographic protocol calls randomizer and produces one group of random number, calls combination key generating algorithm, according to random number to storage
The key " base " of one group of super management cloud in encrypted card or encryption equipment chip is i.e.: table Za and table Zb chooses, and selects respectively
Go out 16 elements, totally 32 elements, and synthesize one group of symmetric key, the 1st article of record divisor evidence that will log in log database
Outside No. ID of storehouse and random number field, all it is encrypted to ciphertext, it may be assumed that by the cloud user in login parameters or cloud computing unit management person
The IP address encryption of mark, timestamp and client computer become ciphertext to store, by same method, then produce one group of random number, and
According to one group of symmetric key of this generating random number, by the 2nd article of record logging in log database except No. ID of data base and with
Outside machine digital section, all it is encrypted to ciphertext ..., finally, produce one group of random number, and close according to one group of symmetry of this generating random number
Key, by last 1 record of logging in log database in addition to No. ID of data base and random number field, is all encrypted to ciphertext;
(2) setting up Operation Log data base procedure is, in cloud security center encrypted card or encryption equipment chip, cloud security center
Cryptographic protocol calls randomizer and produces one group of random number, calls combination key generating algorithm, according to random number to storage
The key " base " of one group of super manager in encrypted card or encryption equipment chip is i.e.: table Za and table Zb chooses, and selects respectively
Go out 16 elements, totally 32 elements, and synthesize one group of symmetric key, by the 1st article of record divisor evidence in Operation Log data base
Outside the ID field in storehouse and random number field, all it is encrypted to ciphertext, it may be assumed that by the cloud user in operating parameter or cloud computing unit tube
The mark of reason person, timestamp, by the filename of operation file and the IP address of client computer, be encrypted to ciphertext storage, with same
Method, then produce one group of random number, and according to one group of symmetric key of this generating random number, by the 2nd in Operation Log database data
Bar record, is all encrypted to ciphertext in addition to the ID field and timestamp field of data base ..., finally, produce one group of random number,
And according to one group of symmetric key of this generating random number, last 1 record in Operation Log data base is removed data base No. ID
Outside field and timestamp field, all it is encrypted to ciphertext;
(3) the super manager of cloud user management unit uses smart card, to logging in log database and Operation Log data base
Ciphertext record be decrypted, decryption method is, the decryption protocol in super manager's intelligent card chip, calls combination key raw
Become algorithm, according to logging in the random number deposited in log database every record, to one group of super management in intelligent card chip
The key " base " of member is i.e.: table Za and table Zb chooses, and selects 16 elements, totally 32 elements respectively, and synthesize one group symmetrical
Key, is decrypted into logging in ciphertext record corresponding in log database in plain text;By same decryption method, it may be assumed that according to operation
The random number deposited in log database every record, to the key " base " of one group of super manager in intelligent card chip i.e.:
Table Za and table Zb chooses, and selects 16 elements, totally 32 elements respectively, and synthesizes one group of symmetric key, by Operation Log
The ciphertext record that lane database is corresponding is decrypted in plain text, and the super manager for cloud user management unit browses analysis.
Method the most according to claim 8, it is characterised in that:
(1) use a kind of combination key generating algorithm, generate one group of symmetric key, come encrypted login log database and operation day
Will data-base recording, i.e. one records corresponding one group of random number, the most corresponding one group of symmetric key, combination key generating algorithm produces
Raw symmetric key, almost one time one change, can improve login log database and the security classification of Operation Log data base, again
Super manager can be facilitated to browse the recorded content specified;
(2) login daily record data and the data base of Operation Log, the super pipe of only cloud computing unit are set up at cloud security center
Reason person, just can browse login log database and the data-base recording content of Operation Log, the administrative man of other cloud computing units
Member cannot browse, the super manager of cloud computing unit, it is possible to monitors the login situation of cloud user in real time, it is possible to monitor in real time
Cloud computing unit management person is i.e.: the login situation of internal staff, and which file " click " crosses, can effective monitoring external hackers
Attack to cloud computing platform, effective monitoring cloud computing platform is from the illegal operation of internal control personnel, such as: steal cloud user
Program and data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610291647.3A CN105915523A (en) | 2016-05-05 | 2016-05-05 | Implementation method of safety configuration device based on cloud calculation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610291647.3A CN105915523A (en) | 2016-05-05 | 2016-05-05 | Implementation method of safety configuration device based on cloud calculation |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105915523A true CN105915523A (en) | 2016-08-31 |
Family
ID=56752331
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610291647.3A Pending CN105915523A (en) | 2016-05-05 | 2016-05-05 | Implementation method of safety configuration device based on cloud calculation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105915523A (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106973070A (en) * | 2017-05-17 | 2017-07-21 | 济南浪潮高新科技投资发展有限公司 | A kind of big data calculates trusteeship service security certification system and method |
CN107508801A (en) * | 2017-08-04 | 2017-12-22 | 安徽智圣通信技术股份有限公司 | A kind of file tamper-proof method and device |
CN109451016A (en) * | 2018-11-05 | 2019-03-08 | 金蝶软件(中国)有限公司 | Data downloading management method, system and relevant device |
CN109657492A (en) * | 2018-12-12 | 2019-04-19 | 泰康保险集团股份有限公司 | Data base management method, medium and electronic equipment |
CN109996089A (en) * | 2019-02-20 | 2019-07-09 | 视联动力信息技术股份有限公司 | A kind of method of processing operation log, system and a kind of streaming media server |
CN110032894A (en) * | 2019-04-09 | 2019-07-19 | 北京信安世纪科技股份有限公司 | A kind of database journal recording method and system and database log detection method |
CN110929252A (en) * | 2019-11-22 | 2020-03-27 | 福建金密网络安全测评技术有限公司 | Algorithm and random number detection system |
CN111324872A (en) * | 2018-12-17 | 2020-06-23 | 上海擎感智能科技有限公司 | Method and system for redirected centralized audit of login records and operation records |
CN114268445A (en) * | 2020-09-15 | 2022-04-01 | 中国电信股份有限公司 | Authentication method, device and system for cloud mobile phone application, authentication module and terminal |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101854392A (en) * | 2010-05-20 | 2010-10-06 | 清华大学 | Personal data management method based on cloud computing environment |
US20100293606A1 (en) * | 2004-07-30 | 2010-11-18 | Research In Motion Limited | Method and system for managing delayed user authentication |
CN101969438A (en) * | 2010-10-25 | 2011-02-09 | 胡祥义 | Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things |
CN102291418A (en) * | 2011-09-23 | 2011-12-21 | 胡祥义 | Method for realizing cloud computing security architecture |
-
2016
- 2016-05-05 CN CN201610291647.3A patent/CN105915523A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100293606A1 (en) * | 2004-07-30 | 2010-11-18 | Research In Motion Limited | Method and system for managing delayed user authentication |
CN101854392A (en) * | 2010-05-20 | 2010-10-06 | 清华大学 | Personal data management method based on cloud computing environment |
CN101969438A (en) * | 2010-10-25 | 2011-02-09 | 胡祥义 | Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things |
CN102291418A (en) * | 2011-09-23 | 2011-12-21 | 胡祥义 | Method for realizing cloud computing security architecture |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106973070A (en) * | 2017-05-17 | 2017-07-21 | 济南浪潮高新科技投资发展有限公司 | A kind of big data calculates trusteeship service security certification system and method |
CN107508801A (en) * | 2017-08-04 | 2017-12-22 | 安徽智圣通信技术股份有限公司 | A kind of file tamper-proof method and device |
CN109451016A (en) * | 2018-11-05 | 2019-03-08 | 金蝶软件(中国)有限公司 | Data downloading management method, system and relevant device |
CN109657492A (en) * | 2018-12-12 | 2019-04-19 | 泰康保险集团股份有限公司 | Data base management method, medium and electronic equipment |
CN111324872A (en) * | 2018-12-17 | 2020-06-23 | 上海擎感智能科技有限公司 | Method and system for redirected centralized audit of login records and operation records |
CN109996089A (en) * | 2019-02-20 | 2019-07-09 | 视联动力信息技术股份有限公司 | A kind of method of processing operation log, system and a kind of streaming media server |
CN109996089B (en) * | 2019-02-20 | 2021-09-28 | 视联动力信息技术股份有限公司 | Method and system for processing operation log and streaming media server |
CN110032894A (en) * | 2019-04-09 | 2019-07-19 | 北京信安世纪科技股份有限公司 | A kind of database journal recording method and system and database log detection method |
CN110032894B (en) * | 2019-04-09 | 2021-07-20 | 北京信安世纪科技股份有限公司 | Database log recording method and system and database log detection method |
CN110929252A (en) * | 2019-11-22 | 2020-03-27 | 福建金密网络安全测评技术有限公司 | Algorithm and random number detection system |
CN110929252B (en) * | 2019-11-22 | 2021-10-26 | 福建金密网络安全测评技术有限公司 | Algorithm and random number detection system |
CN114268445A (en) * | 2020-09-15 | 2022-04-01 | 中国电信股份有限公司 | Authentication method, device and system for cloud mobile phone application, authentication module and terminal |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105915523A (en) | Implementation method of safety configuration device based on cloud calculation | |
CN102291418A (en) | Method for realizing cloud computing security architecture | |
CN106548345B (en) | Method and system for realizing block chain private key protection based on key partitioning | |
CN105553662B (en) | Dynamic digital copyright protection method and system based on id password | |
CN1939028B (en) | Accessing protected data on network storage from multiple devices | |
CN101969438B (en) | Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things | |
EP2697931B1 (en) | Qkd key management system | |
CN101282222B (en) | Digital signature method based on CSK | |
CN104244026B (en) | A kind of key distribution device in video monitoring system | |
DE102012111903B4 (en) | Method for establishing a secure connection between clients | |
CN102024123B (en) | Method and device for importing mirror image of virtual machine in cloud calculation | |
CN104113409B (en) | The key management method and system of a kind of SIP video monitoring networkings system | |
AT512289B1 (en) | CRYPTOGRAPHIC AUTHENTICATION AND IDENTIFICATION METHOD FOR MOBILE TELEPHONE AND COMMUNICATION DEVICES WITH REAL-TIME ENCRYPTION DURING THE ACTION PERIOD | |
CN102664739A (en) | PKI (Public Key Infrastructure) implementation method based on safety certificate | |
CN102075544A (en) | Encryption system, encryption method and decryption method for local area network shared file | |
CN104168267A (en) | Identity authentication method for accessing SIP security video monitoring system | |
CN103684798B (en) | Authentication method used in distributed user service | |
CN110519046A (en) | Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD | |
CN102833075A (en) | Identity authentication and digital signature method based on three-layered overlapping type key management technology | |
CN112532656B (en) | Block chain-based data encryption and decryption method and device and related equipment | |
CN107104795A (en) | Method for implanting, framework and the system of RSA key pair and certificate | |
CN108880995A (en) | Strange social network user information and message based on block chain push encryption method | |
CN105471901A (en) | Industrial information security authentication system | |
CN101938353B (en) | Method for remotely resetting personal identification number (PIN) of key device | |
CN111416712B (en) | Quantum secret communication identity authentication system and method based on multiple mobile devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20160831 |