CN106992978A - Network safety managing method and server - Google Patents
- Publication number
- CN106992978A (application CN201710192013.7A)
- Authority
- CN
- China
- Prior art keywords
- certificate file
- authority
- authority certificate
- hardware modules
- cryptographic hardware
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—... for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        - H04L63/08—... for authentication of entities
          - H04L63/0823—... using certificates
          - H04L63/0853—... using an additional device, e.g. smartcard, SIM or a different communication terminal
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3263—... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention discloses a network security management method and a server. The method includes: when a request to perform an identity-authentication operation with an authority certificate file is detected, obtaining the authority certificate file; sending the authority certificate file to a trusted cryptographic hardware module so that the module decrypts it; and performing the identity-authentication operation with the decrypted authority certificate file. The technical scheme of this embodiment encrypts the authority certificate file of a principal in the cluster with a trusted cryptographic hardware module and returns a response to the principal according to the content of the decrypted request, thereby ensuring network security.
Description
Technical field
The present invention relates to the field of network security, and in particular to a network security management method and server.
Background technology
The authority management module is an important module of a big data system, because it controls not only users' access rights to the big data system but, more directly, users' access to the system's data. In particular, communication inside a big data system generally crosses hosts, and the authority management module controls the authorization data of each host in the cluster and keeps that authorization data updated.
When managing authorization data, the authority management module usually needs to perform an identity check, specifically by means of a certificate issued by the big data system. If the certificate is read by a third party, the security of the authority management module is compromised, and with it the security of communication between the hosts.
Summary of the invention
In view of this, the purpose of the embodiments of the present invention is to provide a network security management method and server that can perform an identity check on the authority management module.
To achieve this, an embodiment of the invention provides a network security management method, including:
when a request to perform an identity-authentication operation with an authority certificate file is detected, obtaining the authority certificate file;
sending the authority certificate file to a trusted cryptographic hardware module so that the trusted cryptographic hardware module decrypts the authority certificate file;
performing the identity-authentication operation with the decrypted authority certificate file.
Preferably, before the trusted cryptographic hardware module is called to decrypt the authority certificate file, the method further includes:
verifying the processing authority of the request to obtain a first judgement result;
when the first judgement result shows that the request has the authority to perform the identity-authentication operation, having the trusted cryptographic hardware module decrypt the authority certificate file.
Preferably, the method further includes:
judging the access rights of the user that sent the request to obtain a second judgement result;
when the second judgement result shows that the user has access rights to the authority certificate file, having the trusted cryptographic hardware module decrypt the authority certificate file.
Preferably, the method further includes:
according to the result of the identity-authentication operation performed with the decrypted authority certificate file, receiving an access request from the user that sent the request;
sending the access request to the trusted cryptographic hardware module so that the trusted cryptographic hardware module decrypts the access request;
responding to the decrypted access request.
Preferably, the method further includes:
calling the trusted cryptographic hardware module to encrypt the response;
sending the encrypted response to the user that sent the request.
An embodiment of the invention also provides a network security management method, including:
generating an authority certificate file;
calling a trusted cryptographic hardware module to encrypt the authority certificate file;
sending an identity-authentication operation request with the authority certificate file.
Preferably, the method includes: receiving the response result to the operation request.
An embodiment of the invention also provides a server, including:
a processor, configured to obtain the authority certificate file when a request to perform an identity-authentication operation with the authority certificate file is detected, and to send the authority certificate file to a trusted cryptographic hardware module;
the trusted cryptographic hardware module, configured to decrypt the authority certificate file;
wherein the processor is further configured to perform the identity-authentication operation with the decrypted authority certificate file.
Preferably, the server includes:
the processor, further configured to verify the processing authority of the request before the trusted cryptographic hardware module is called to decrypt the authority certificate file, obtaining a first judgement result, and, when the first judgement result shows that the request has the authority to perform the identity-authentication operation, to have the trusted cryptographic hardware module decrypt the authority certificate file.
An embodiment of the invention also provides a server, including:
a processor, configured to generate an authority certificate file, call a trusted cryptographic hardware module to encrypt the authority certificate file, and send an identity-authentication operation request with the authority certificate file.
Compared with the prior art, the embodiments of the invention have the following advantage: the technical scheme of this embodiment encrypts the authority certificate file of a principal in the cluster with a trusted cryptographic hardware module and sends a response to the principal according to the content of the decrypted request, thereby ensuring network security.
Brief description of the drawings
Fig. 1 is a flow chart of embodiment one of the network security management method of the invention;
Fig. 2 is a schematic diagram of an application scenario based on embodiment one of the network security management method of the invention;
Fig. 3 is a flow chart of embodiment three of the network security management method of the invention;
Fig. 4 is a schematic diagram of embodiment one of the server of the invention;
Fig. 5 is a schematic diagram of embodiment two of the server of the invention.
Embodiments
Various schemes and features of the disclosure are described here with reference to the accompanying drawings.
It should be understood that various modifications can be made to the disclosed embodiments. Therefore, the description above should not be regarded as limiting, but only as an example of embodiments. Those skilled in the art will conceive of other modifications within the scope and spirit of this disclosure.
The accompanying drawings, which are included in and form part of the specification, show embodiments of the disclosure and, together with the general description given above and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
These and other characteristics of the invention will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the accompanying drawings.
It should also be understood that, although the invention has been described with reference to some specific examples, those skilled in the art can certainly realise many other equivalents of the invention which have the features set out in the claims and therefore all fall within the scope of protection defined thereby.
The above and other aspects, features and advantages of the disclosure will become more readily apparent from the following detailed description when read in conjunction with the accompanying drawings.
Specific embodiments of the disclosure are described below with reference to the accompanying drawings; it will be appreciated, however, that the disclosed embodiments are merely examples of the disclosure, which can be implemented in various ways. Well-known and/or repeated functions and structures are not described in detail, so as not to obscure the disclosure with unnecessary detail. Therefore, the specific structural and functional details disclosed here are not intended as restrictions, but merely as a basis for the claims and as a representative basis for teaching those skilled in the art to use the disclosure in various ways with substantially any appropriate detailed structure.
This specification may use the phrases "in one embodiment", "in another embodiment", "in yet another embodiment" or "in other embodiments", each of which may refer to one or more of the same or different embodiments according to the disclosure.
Current big data clusters are all managed by an authority management module, which also manages the data that arises in the cluster, and they use a mandatory authentication mode: the authority management module itself must pass authentication before it may manage the database. Because managing data involves communication between principals in the cluster, a security problem in the authority management module threatens all data in the whole cluster. To solve this problem, the embodiments of the invention provide a network security management method and device. In order to understand the features and technical content of the invention more fully, its realisation is described in detail below with reference to the accompanying drawings; the drawings are for reference and illustration only and do not limit the invention.
Embodiment one
This embodiment provides a network security management method applied to a big data cluster. The cluster contains multiple principals, among which are servers, and the principals can communicate with each other. When the authority management module manages the authority of each principal and the data it generates, it exchanges information with the principal. When the authority management module communicates with a principal, it can use a hardware-encrypted authority certificate file so that the principal can verify its identity: when the principal detects a request to perform an identity-authentication operation with an authority certificate file, it first obtains the authority certificate file, then sends it to the trusted cryptographic hardware module so that the module decrypts it, and then performs the identity-authentication operation with the decrypted authority certificate file. The authority management module may be located on one principal in the cluster or on a different host. Because the trusted cryptographic hardware module is installed locally, even if an unauthorised user obtains the authority certificate file, they still cannot decrypt it and cannot use it for any other operation. In this way the authority management module authenticates itself with the encrypted authority certificate file whenever it manages authority, which ensures the security of the authority management module and thereby improves the security of the network.
Fig. 1 is a flow chart of embodiment one of the network security management method of the invention. As shown in Fig. 1, the network security management method of this embodiment may include the following steps:
S101: when a request to perform an identity-authentication operation with an authority certificate file is detected, obtain the authority certificate file.
The executing entity of this embodiment is any server in the cluster. When the server detects that a principal has sent a request to manage authority with an authority certificate file, the authority certificate file must be verified. The principal that sends the request may be any principal in the cluster, specifically the authority management module of the cluster management platform installed on that principal.
S102: send the authority certificate file to the trusted cryptographic hardware module so that the trusted cryptographic hardware module decrypts the authority certificate file.
The servers in the cluster of this embodiment follow this verification rule by agreement. After the server obtains the authority certificate file, it passes the file to the trusted cryptographic hardware module for decryption; if decryption succeeds, the identity of the authority management module is legitimate.
The trusted cryptographic hardware module may be a Trusted Cryptography Module (TCM), a microcontroller that stores keys, passwords and data certificates and ensures the security of data stored in the computer, so that the data is not at risk of being stolen by external software attacks or physical theft.
S103: perform the identity-authentication operation with the decrypted authority certificate file.
Specifically, if a principal can decrypt the authority certificate file, the decrypted authority certificate file yields the principal's authentication information, and a response matching the principal's authority can be made according to that authentication information.
In one application scenario, shown in Fig. 2, principal A and server B are in the cluster. A sends B a request to perform identity authentication with authority certificate file C. B first obtains authority certificate file C and verifies it, specifically by sending the authority certificate file to the trusted cryptographic hardware module for decryption; the decrypted authority certificate file yields A's authentication information. That is, B decrypts the authorization data of principal A and, if decryption succeeds, obtains the authentication information in authority certificate file C. B then responds to A's request according to A's authentication information.
The trusted cryptographic hardware module of this embodiment is a hardware module installed locally, so decrypting the authority certificate file requires calling the local trusted cryptographic hardware module. That is, even if an unauthorised user obtains the authority certificate file, they cannot call the server's trusted cryptographic module to decrypt it, and so cannot obtain the authentication information described in the authority certificate file. This protects the security of the network.
The technical scheme of this embodiment encrypts the authority certificate file of a principal in the cluster with a trusted cryptographic hardware module and sends a response to the principal according to the content of the decrypted request, thereby ensuring network security.
Embodiment two
Based on the method described in embodiment one, this embodiment gives several concrete ways of verifying a principal.
Mode one: in one specific embodiment, to further ensure network security, before the server calls the trusted cryptographic hardware module to decrypt the authority certificate file, it also verifies the processing authority of the request, with the following steps: A, verify the processing authority of the request and obtain a first judgement result; B, when the first judgement result shows that the request has the authority to perform the identity-authentication operation, the trusted cryptographic hardware module decrypts the authority certificate file. For example, in one application scenario the request has timed out, and the server does not respond to a timed-out request.
Mode two: in another specific embodiment, the method also verifies the rights of the principal that sent the request, with the following steps: C, judge the access rights of the user that sent the request and obtain a second judgement result; D, when the second judgement result shows that the user has access rights to the authority certificate file, the trusted cryptographic hardware module decrypts the authority certificate file. For example, in another application scenario the server judges that the IP address that sent the request is illegitimate and does not respond to the request; if the request carries legitimate authentication information and the IP address is also legitimate, the server can respond to the content of the request. Here "the user that sent the request" means the principal that sent the request; the two terms have the same meaning below.
In another specific embodiment, when the identity-authentication result shows that the principal has a legitimate identity, the server can accept the principal's rights-management operations. This includes the following steps: E, according to the result of the identity-authentication operation performed with the decrypted authority certificate file, receive the access request of the user that sent the request; F, send the access request to the trusted cryptographic hardware module; G, have the trusted cryptographic hardware module decrypt the access request, and respond to the decrypted access request.
In another specific embodiment, to further improve network security, the server can also encrypt the response to the principal, with the following steps: H, call the trusted cryptographic hardware module to encrypt the response; I, send the encrypted response to the user that sent the request.
The technical scheme of this embodiment not only encrypts the authority certificate file of a principal in the cluster with the trusted cryptographic hardware module, but also verifies the principal's authority information and encrypts the response sent to the principal, improving the security of the network in several dimensions.
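The two judgements of modes one and two, taken before the hardware module is ever asked to decrypt, as an added example that is not code from the patent. Python is used as a neutral illustration; the names AuthRequest and Gate, the 30-second timeout, the 10.0.0.0/8 allow-list and the per-certificate access table are all assumptions. The module itself is represented by a plain callable so that only the gating logic is shown; the counter records that a rejected request never reaches it.

```python
# Added example (not from the patent): request gating that runs before any call to the
# trusted cryptographic hardware module, modelled on embodiment two, modes one and two.
# AuthRequest, Gate and the policy values are assumptions; the patent names no API.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class AuthRequest:
    principal: str      # principal ("user") that sent the request
    cert_id: str        # which authority certificate file the request presents
    source_ip: str      # address the request arrived from
    sent_at: float      # timestamp carried in the request, seconds since epoch
    cert_blob: bytes    # the encrypted authority certificate file itself


class Gate:
    """Two judgements taken before the hardware module is asked to decrypt."""

    def __init__(self, max_age_s: float, allowed_networks: Iterable[str],
                 cert_access: dict[str, frozenset[str]]) -> None:
        self.max_age_s = max_age_s
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.cert_access = cert_access     # cert_id -> principals allowed to present it
        self.module_calls = 0              # how often the module was actually invoked

    def first_judgement(self, req: AuthRequest, now: float) -> Optional[str]:
        """Mode one: does the request still have processing authority?
        A timed-out (or future-dated) request is not processed."""
        age = now - req.sent_at
        if age < 0 or age > self.max_age_s:
            return "request expired or timestamp invalid"
        return None

    def second_judgement(self, req: AuthRequest) -> Optional[str]:
        """Mode two: is the source address legitimate, and does the sending user
        have access rights to this certificate file?"""
        try:
            addr = ipaddress.ip_address(req.source_ip)
        except ValueError:
            return "source address unparsable"
        if not any(addr in net for net in self.allowed_networks):
            return "source address not permitted"
        if req.principal not in self.cert_access.get(req.cert_id, frozenset()):
            return "principal has no access rights to this certificate file"
        return None

    def handle(self, req: AuthRequest, now: float,
               module_decrypt: Callable[[bytes], bytes]) -> tuple[str, Optional[bytes]]:
        """Run both judgements; only on success hand the blob to the module."""
        reason = self.first_judgement(req, now) or self.second_judgement(req)
        if reason is not None:
            return ("rejected: " + reason, None)   # module never touched
        self.module_calls += 1
        return ("accepted", module_decrypt(req.cert_blob))


def demo() -> tuple[dict[str, str], int]:
    """Constructed requests exercising each branch; returns (status per case, module calls)."""
    gate = Gate(max_age_s=30.0, allowed_networks=["10.0.0.0/8"],
                cert_access={"cert-A": frozenset({"principal-A"})})
    # Stand-in for the module (constructed): any callable would do, the gate only
    # needs to know whether it was reached.
    fake_module = lambda blob: b"decrypted:" + blob
    now = 1_700_000_000.0
    cases = {
        "fresh_allowed": AuthRequest("principal-A", "cert-A", "10.1.2.3", now - 5, b"blob"),
        "expired": AuthRequest("principal-A", "cert-A", "10.1.2.3", now - 120, b"blob"),
        "bad_ip": AuthRequest("principal-A", "cert-A", "192.0.2.9", now - 5, b"blob"),
        "no_rights": AuthRequest("principal-B", "cert-A", "10.1.2.3", now - 5, b"blob"),
    }
    statuses = {name: gate.handle(req, now, fake_module)[0] for name, req in cases.items()}
    return statuses, gate.module_calls
```

The order matters: the cheap, key-free judgements run first, so a flood of expired or off-network requests costs no hardware operations, and the module only ever sees requests that have already passed both checks. Which table the second judgement consults (the cert_access map here) is an assumption; the patent only requires that the user's access rights to the certificate file be judged.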
Embodiment three
This embodiment provides a network security management method applied to a big data cluster. The cluster contains multiple principals, among which are servers, and the principals can communicate with each other. When the authority management module manages the authority of each principal and the data it generates, it exchanges information with the principal, and when it communicates with a principal it can use a hardware-encrypted authority certificate file so that the principal can verify its identity: when the principal detects a request to perform an identity-authentication operation with an authority certificate file, it first obtains the authority certificate file, then sends it to the trusted cryptographic hardware module so that the module decrypts it, and then performs the identity-authentication operation with the decrypted authority certificate file. The authority management module may be located on one principal in the cluster or on a different host. Because the trusted cryptographic hardware module is installed locally, even if an unauthorised user obtains the authority certificate file, they still cannot decrypt it and cannot use it for any other operation. In this way the authority management module authenticates itself with the encrypted authority certificate file whenever it manages authority, which ensures the security of the authority management module and thereby improves the security of the network. Fig. 3 is a flow chart of embodiment three of the network security management method of the invention. As shown in Fig. 3, the network security management method of this embodiment may include the following steps:
S301: generate an authority certificate file.
Specifically, when a principal sends an identity-authentication request to a server with an authority certificate file, it must first generate the authority certificate file. The authority certificate file may be generated by the principal itself, or generated by the server according to the communication protocol used between principals.
S302: call the trusted cryptographic hardware module to encrypt the authority certificate file.
The trusted cryptographic hardware module may be a Trusted Cryptography Module (TCM), a microcontroller that stores keys, passwords and data certificates and ensures the security of data stored in the computer, so that the data is not at risk of being stolen by external software attacks or physical theft. The trusted cryptographic hardware module of this embodiment is installed locally, so encrypting and decrypting the authority certificate file requires calling the local trusted cryptographic hardware module. That is, even if an unauthorised user obtains the authority certificate file, they cannot call the server's trusted cryptographic module to encrypt or decrypt it, and so cannot obtain the authentication information described in the authority certificate file. This protects the security of the network.
S303: send an identity-authentication operation request with the authority certificate file.
Specifically, before sending a request to the server, the principal first sends the encrypted authority certificate file to the server and requests identity authentication. After passing authentication, it can subsequently perform authority operations.
In one specific embodiment, the response result to the operation request is received, that is, the server's response result to the operation request. In practice, to improve network security, the response result may also be encrypted with the trusted cryptographic hardware module, so the principal also needs to decrypt the response result.
The technical scheme of this embodiment encrypts the authority certificate file of a principal in the cluster with a trusted cryptographic hardware module and sends a response to the principal according to the content of the decrypted request, thereby ensuring network security.
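The exchange between principal A (embodiment three, steps S301 to S303) and server B (embodiment one, steps S101 to S103, plus the encrypted response of steps H and I), simulated end to end as an added example; this is not code from the patent or from any real TCM. Each side owns a local module stand-in whose key is never read by its caller. The class TrustedModuleStandIn, the assumption that one cluster key was provisioned into every module, and the JSON certificate layout are all assumptions: the patent fixes neither an algorithm nor a file format, and the stand-in's HMAC-based construction is for illustration only, not a production cipher.

```python
# Added example, not code from the patent: A presents a hardware-encrypted authority
# certificate file, B decrypts it with its own local module and answers with an encrypted
# response. All names, the shared cluster key and the JSON layout are assumptions.
import hashlib
import hmac
import json
import os
from typing import Optional


class TrustedModuleStandIn:
    """Software stand-in for the local trusted cryptographic hardware module (e.g. a TCM).
    Educational construction, stdlib only: keystream = HMAC-SHA256(key, nonce||counter)
    XORed with the data, then an HMAC-SHA256 tag over nonce||ciphertext (encrypt-then-MAC).
    Real hardware keeps the key inside the chip; here it is a private attribute."""

    NONCE_LEN, TAG_LEN = 16, 32

    def __init__(self, key: bytes) -> None:
        self._key = key  # never leaves the module

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = bytearray(), 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _tag(self, nonce: bytes, ct: bytes) -> bytes:
        return hmac.new(self._key, b"tag" + nonce + ct, hashlib.sha256).digest()

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(self.NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + self._tag(nonce, ct)

    def decrypt(self, blob: bytes) -> Optional[bytes]:
        """None on a wrong key or any tampering: the module simply refuses."""
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce, ct, tag = blob[:self.NONCE_LEN], blob[self.NONCE_LEN:-self.TAG_LEN], blob[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            return None
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


class Principal:
    """Principal A: generates, encrypts and presents its authority certificate file."""

    def __init__(self, name: str, module: TrustedModuleStandIn) -> None:
        self.name, self.module = name, module

    def make_auth_request(self, permissions: set) -> dict:
        cert = json.dumps({"principal": self.name, "permissions": sorted(permissions)})  # S301
        return {"from": self.name, "cert_blob": self.module.encrypt(cert.encode())}       # S302, S303

    def read_response(self, encrypted_response: bytes) -> Optional[dict]:
        plain = self.module.decrypt(encrypted_response)   # response was encrypted by B's module
        return None if plain is None else json.loads(plain)


class Server:
    """Server B: decrypts the certificate file locally and replies with an encrypted response.
    Freshness and source checks (embodiment two) are out of scope for this block."""

    def __init__(self, name: str, module: TrustedModuleStandIn) -> None:
        self.name, self.module = name, module

    def handle_auth_request(self, req: dict) -> bytes:
        cert = self.module.decrypt(req["cert_blob"])                 # S102: local module decrypts
        if cert is None:
            resp = {"status": "denied", "reason": "certificate file did not decrypt"}
        else:
            info = json.loads(cert)                                   # S103: authentication info
            if info["principal"] != req["from"]:
                resp = {"status": "denied", "reason": "identity mismatch"}
            else:
                resp = {"status": "ok", "granted": info["permissions"]}
        return self.module.encrypt(json.dumps(resp).encode())        # steps H and I


CLUSTER_KEY = os.urandom(32)   # assumption: the same key provisioned into every module


def run_exchange() -> Optional[dict]:
    """A presents its certificate file to B and reads B's encrypted answer."""
    a = Principal("A", TrustedModuleStandIn(CLUSTER_KEY))
    b = Server("B", TrustedModuleStandIn(CLUSTER_KEY))
    return a.read_response(b.handle_auth_request(a.make_auth_request({"read", "update"})))


def copied_file_is_useless() -> dict:
    """The property the patent relies on: a copied certificate file yields nothing without
    a cluster module, and a modified copy is refused by the cluster's modules."""
    a = Principal("A", TrustedModuleStandIn(CLUSTER_KEY))
    b = Server("B", TrustedModuleStandIn(CLUSTER_KEY))
    blob = a.make_auth_request({"read"})["cert_blob"]
    not_a_cluster_module = TrustedModuleStandIn(os.urandom(32))     # some other key
    altered = blob[:-1] + bytes([blob[-1] ^ 0x01])                  # one flipped tag bit
    return {
        "decrypt_without_cluster_module": not_a_cluster_module.decrypt(blob),
        "altered_copy_accepted_by_B": b.module.decrypt(altered) is not None,
        "plaintext_visible_in_file": b'"principal"' in blob,
    }
```

Two design points carry over to a real deployment. First, the file on the wire is only useful to a party that can reach a cluster module, which is exactly the claim of embodiments one and three; whether that module holds a shared key, as assumed here, or per-host keys is left open by the patent. Second, the module refuses altered input rather than returning garbage, so the server never has to reason about a half-decrypted certificate.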
Embodiment four
This embodiment provides a server, which is a server in a cluster. To improve the security of the network when the principals in the cluster communicate, the authority of a principal is authenticated when it performs rights management, and when a principal sends an operation request on data, its authority certificate file must further be verified. In this embodiment, the principal calls a trusted cryptographic hardware module to encrypt the authority certificate file before sending it, and the server that receives the request calls a trusted cryptographic hardware module to decrypt the authority certificate file. Because the trusted cryptographic hardware module is installed locally, encryption and decryption happen locally, and even if an unauthorised user obtains the authority certificate file, they have no way to decrypt it, which improves the security of the network. Further, as shown in Fig. 4, the server includes:
a processor 41, configured to obtain the authority certificate file when a request to perform an identity-authentication operation with the authority certificate file is detected, and to send the authority certificate file to a trusted cryptographic hardware module;
the trusted cryptographic hardware module 42, configured to decrypt the authority certificate file;
wherein the processor 41 is further configured to perform the identity-authentication operation with the decrypted authority certificate file.
In one specific embodiment, the processor 41 is further configured to verify the processing authority of the request before the trusted cryptographic hardware module is called to decrypt the authority certificate file, obtaining a first judgement result, and, when the first judgement result shows that the request has the authority to perform the identity-authentication operation, to have the trusted cryptographic hardware module decrypt the authority certificate file.
Embodiment five
This embodiment provides a server, which is a server in a cluster. To improve the security of the network when the principals in the cluster communicate, the authority of a principal is authenticated when it performs rights management, and when a principal sends an operation request on data, its authority certificate file must further be verified. In this embodiment, the principal calls a trusted cryptographic hardware module to encrypt the authority certificate file before sending it, and the server that receives the request calls a trusted cryptographic hardware module to decrypt the authority certificate file. Because the trusted cryptographic hardware module is installed locally, encryption and decryption happen locally, and even if an unauthorised user obtains the authority certificate file, they have no way to decrypt it, which improves the security of the network. Further, as shown in Fig. 5, the server includes:
a processor 51, configured to generate an authority certificate file, call a trusted cryptographic hardware module to encrypt the authority certificate file, and send an identity-authentication operation request with the authority certificate file.
It need to be noted that be:Above electronic equipment implements the description of item, is similar, tool with above method description
There is same embodiment of the method identical beneficial effect, therefore do not repeat.For what is do not disclosed in electronic equipment embodiment of the present invention
Ins and outs, those skilled in the art refer to the description of the inventive method embodiment and understand, to save length, here not
Repeat again.
, can be by it in several embodiments provided herein, it should be understood that disclosed apparatus and method
Its mode is realized.Apparatus embodiments described above are only schematical, for example, the division of the unit, is only
A kind of division of logic function, can have other dividing mode, such as when actually realizing:Multiple units or component can be combined, or
Another system is desirably integrated into, or some features can be ignored, or do not perform.In addition, shown or discussed each composition portion
Coupling point each other or direct-coupling or communication connection can be the INDIRECT COUPLINGs of equipment or unit by some interfaces
Or communication connection, can be electrical, machinery or other forms.
The units described above as separate components may or may not be physically separate, and a component shown as a unit may or may not be a physical unit; it may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one processing unit, each unit may stand alone as a unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above may be completed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes various media that can store program code, such as a removable storage device, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.
Alternatively, if the integrated unit of the present invention is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the methods described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a removable storage device, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.
The foregoing is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or substitution that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.
Claims (10)
1. A network security management method, comprising:
when a request to perform an authentication operation using an authority certificate file is detected, obtaining the authority certificate file;
sending the authority certificate file to a trusted cryptographic hardware module, so that the trusted cryptographic hardware module decrypts the authority certificate file;
performing the authentication operation using the decrypted authority certificate file.
2. The method according to claim 1, wherein before the trusted cryptographic hardware module is called to decrypt the authority certificate file, the method further comprises:
verifying the processing permission of the request to obtain a first judgement result;
when the first judgement result shows that the request has permission to perform the authentication operation, the trusted cryptographic hardware module decrypts the authority certificate file.
3. The method according to claim 2, further comprising:
judging the access rights of the user who sent the request to obtain a second judgement result;
when the second judgement result shows that the user has access rights to the authority certificate file, the trusted cryptographic hardware module decrypts the authority certificate file.
4. The method according to claim 1, further comprising:
according to the result of the authentication operation performed with the decrypted authority certificate file, receiving an access request from the user who sent the request;
sending the access request to the trusted cryptographic hardware module, so that the trusted cryptographic hardware module decrypts the access request;
responding to the decrypted access request.
5. The method according to claim 4, further comprising:
calling the trusted cryptographic hardware module to encrypt the response;
sending the encrypted response to the user who sent the request.
6. A network security management method, comprising:
generating an authority certificate file;
calling a trusted cryptographic hardware module to encrypt the authority certificate file;
sending an authentication operation request using the authority certificate file.
7. The method according to claim 6, further comprising: receiving a response result to the operation request.
8. A server, comprising:
a processor, configured to obtain the authority certificate file when a request to perform an authentication operation using an authority certificate file is detected, and to send the authority certificate file to a trusted cryptographic hardware module;
the trusted cryptographic hardware module, configured to decrypt the authority certificate file;
wherein the processor is further configured to perform the authentication operation using the decrypted authority certificate file.
9. The server according to claim 8, wherein:
the processor is further configured to verify, before calling the trusted cryptographic hardware module to decrypt the authority certificate file, the processing permission of the request to obtain a first judgement result, and, when the first judgement result shows that the request has permission to perform the authentication operation, to have the trusted cryptographic hardware module decrypt the authority certificate file.
10. A server, comprising:
a processor, configured to generate an authority certificate file, call a trusted cryptographic hardware module to encrypt the authority certificate file, and send an authentication operation request using the authority certificate file.
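The flow that the description above and claims 1 to 7 lay out, as an added illustration that is not the patent's own code: a `TrustedModule` type stands in for the trusted cryptographic hardware module, holding its key internally and exposing only encrypt and decrypt; the client encrypts its authority certificate file before sending the authentication request; the server decrypts the file only after the request's processing permission (first judgement result) and the user's access rights (second judgement result) have both been confirmed, then decrypts an access request and encrypts its response. AES-256-GCM, a symmetric key shared by the two modules, the `allowedUsers` and `knownCerts` tables and the user and certificate strings are all assumptions or constructed sample data; the patent names no algorithm or key arrangement.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TrustedModule stands in for the patent's trusted cryptographic hardware module.
// The key lives only inside the module; callers get Encrypt and Decrypt, never
// the key. AES-256-GCM is an assumption: the patent names no algorithm.
type TrustedModule struct {
	aead cipher.AEAD
}

func NewTrustedModule(key []byte) (*TrustedModule, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TrustedModule{aead: aead}, nil
}

// Encrypt returns nonce || ciphertext || tag for the given plaintext.
func (m *TrustedModule) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return m.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; a wrong key or a tampered blob yields an error.
func (m *TrustedModule) Decrypt(blob []byte) ([]byte, error) {
	n := m.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return m.aead.Open(nil, blob[:n], blob[n:], nil)
}

// Server holds the receiving side's module and two constructed policy tables
// (assumptions): users allowed to access certificate files, and recognized certificates.
type Server struct {
	module       *TrustedModule
	allowedUsers map[string]bool
	knownCerts   map[string]bool
}

// Authenticate follows claims 1 to 3: the encrypted authority certificate file is
// handed to the module only after the request's processing permission (first
// judgement result) and the user's access rights (second judgement result) are confirmed.
func (s *Server) Authenticate(user string, encryptedCert []byte, mayAuthenticate bool) (bool, error) {
	if !mayAuthenticate {
		return false, errors.New("request lacks permission to perform authentication")
	}
	if !s.allowedUsers[user] {
		return false, errors.New("user lacks access rights to the authority certificate file")
	}
	cert, err := s.module.Decrypt(encryptedCert)
	if err != nil {
		return false, fmt.Errorf("certificate decryption failed: %w", err)
	}
	return s.knownCerts[string(cert)], nil
}

// HandleAccess follows claims 4 and 5: decrypt the access request, build the
// response, and encrypt the response before it leaves the server.
func (s *Server) HandleAccess(encryptedReq []byte) ([]byte, error) {
	req, err := s.module.Decrypt(encryptedReq)
	if err != nil {
		return nil, err
	}
	return s.module.Encrypt(append([]byte("granted:"), req...))
}

func main() {
	key := make([]byte, 32) // constructed shared key; a real module holds a provisioned one
	clientMod, _ := NewTrustedModule(key)
	serverMod, _ := NewTrustedModule(key)
	srv := &Server{module: serverMod, allowedUsers: map[string]bool{"alice": true},
		knownCerts: map[string]bool{"cert:alice:v1": true}}
	enc, _ := clientMod.Encrypt([]byte("cert:alice:v1")) // encrypted before it is sent
	ok, err := srv.Authenticate("alice", enc, true)
	fmt.Println("authenticated:", ok, err)
	eavesdropper, _ := NewTrustedModule(append(make([]byte, 31), 1)) // a different key
	_, err = eavesdropper.Decrypt(enc)
	fmt.Println("decrypt without the module's key:", err)
}
```

The ordering in `Authenticate` is the point of claims 2 and 3: both policy checks run before the ciphertext ever reaches the module, so a request that fails either check costs no decryption and leaks nothing about the file. The last two lines of `main` show the property the description relies on: a party holding only the encrypted authority certificate file, and a module provisioned with a different key, gets an authentication failure rather than plaintext, because the key never leaves the legitimate module.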
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710192013.7A CN106992978B (en) | 2017-03-28 | 2017-03-28 | Network security management method and server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710192013.7A CN106992978B (en) | 2017-03-28 | 2017-03-28 | Network security management method and server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106992978A true CN106992978A (en) | 2017-07-28 |
CN106992978B CN106992978B (en) | 2020-08-25 |
Family
ID=59413301
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710192013.7A Active CN106992978B (en) | 2017-03-28 | 2017-03-28 | Network security management method and server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106992978B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107919955A (en) * | 2017-12-28 | 2018-04-17 | 北京奇虎科技有限公司 | A kind of vehicle network safety certifying method, system, vehicle, device and medium |
CN109684864A (en) * | 2018-11-05 | 2019-04-26 | 众安信息技术服务有限公司 | A kind of certificate processing method and system based on block chain |
CN111756532A (en) * | 2020-06-08 | 2020-10-09 | 西安万像电子科技有限公司 | Data transmission method and device |
CN115118474A (en) * | 2022-06-20 | 2022-09-27 | 广东省工业边缘智能创新中心有限公司 | Identification query and storage management method, identification agent module and authority management system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102207999A (en) * | 2010-03-29 | 2011-10-05 | 国民技术股份有限公司 | Data protection method based on trusted computing cryptography support platform |
CN102025503B (en) * | 2010-11-04 | 2014-04-16 | 曙光云计算技术有限公司 | Data security implementation method in cluster environment and high-security cluster |
CN104023012B (en) * | 2014-05-30 | 2017-05-31 | 北京金山网络科技有限公司 | The method, apparatus and system of service are called in cluster |
CN104580250A (en) * | 2015-01-29 | 2015-04-29 | 成都卫士通信息产业股份有限公司 | System and method for authenticating credible identities on basis of safety chips |
- 2017-03-28 CN CN201710192013.7A patent/CN106992978B/en active
Also Published As
Publication number | Publication date |
---|---|
CN106992978B (en) | 2020-08-25 |
Similar Documents
Publication | Title |
---|---|
WO2021179449A1 (en) | Mimic defense system based on certificate identity authentication, and certificate issuing method |
CN107959567B (en) | Data storage method, data acquisition method, device and system |
CN106888084B (en) | Quantum fort machine system and authentication method thereof |
US7975312B2 (en) | Token passing technique for media playback devices |
JP5361894B2 (en) | Multi-factor content protection |
CN102271037B (en) | Based on the key protectors of online key |
CN112528250B (en) | System and method for realizing data privacy and digital identity through block chain |
CN105471833A (en) | Safe communication method and device |
CN105653986B (en) | A kind of data guard method and device based on microSD card |
CN103220141B (en) | A kind of protecting sensitive data method and system based on group key strategy |
CN104767731A (en) | Identity authentication protection method of Restful mobile transaction system |
CN104361267A (en) | Software authorization and protection device and method based on asymmetric cryptographic algorithm |
US11316685B1 (en) | Systems and methods for encrypted content management |
CN106992978A (en) | Network safety managing method and server |
CN103973698A (en) | User access right revoking method in cloud storage environment |
CN114826702A (en) | Database access password encryption method and device and computer equipment |
CN103379103A (en) | Linear encryption and decryption hardware implementation method |
Suthar et al. | EncryScation: A novel framework for cloud iaas, daas security using encryption and obfuscation techniques |
CN106790304A (en) | Data access method, device, node and server cluster |
CN111538973A (en) | Personal authorization access control system based on state cryptographic algorithm |
CN116244750A (en) | Secret-related information maintenance method, device, equipment and storage medium |
US20090282245A1 (en) | Security method and system for media playback devices |
CN114697113A (en) | Hardware accelerator card-based multi-party privacy calculation method, device and system |
CN114091058A (en) | Method and system for secure sharing of data between a first area and a second area |
Yoo et al. | Confidential information protection system for mobile devices |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |