CN106992978A - Network safety managing method and server - Google Patents


Info

Publication number
CN106992978A
Authority
CN
China
Prior art keywords
certificate file
authority
authority certificate
hardware modules
cryptographic hardware
Prior art date
Legal status
Granted
Application number
CN201710192013.7A
Other languages
Chinese (zh)
Other versions
CN106992978B (en)
Inventor
张奇伟
Current Assignee
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date
Filing date
Publication date
Application filed by Lenovo Beijing Ltd
Priority to CN201710192013.7A
Publication of CN106992978A
Application granted
Publication of CN106992978B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention discloses a network security management method and a server. The method includes: when a request to perform an identity authentication operation using an authority certificate file is detected, obtaining the authority certificate file; sending the authority certificate file to a trusted cryptographic hardware module so that the module decrypts it; and performing the identity authentication operation using the decrypted authority certificate file. In the scheme of the embodiments, the authority certificate file of a principal in the cluster is encrypted with a trusted cryptographic hardware module, and a response is sent to the principal according to the content of the decrypted request, thereby ensuring network security.

Description

Network security management method and server
Technical field
The present invention relates to the technical field of network security, and in particular to a network security management method and server.
Background art
In a big data system, the authority management module (the module that manages permissions) is an important component: it controls not only a user's access rights to the big data system but, more directly, the user's access to the system's data. Inside a big data system, communication generally crosses hosts, so the authority management module controls the authorization data of every host in the cluster and carries out updates to that authorization data.
When it manages authorization data, the authority management module usually has to perform identity verification, specifically with a certificate issued by the big data system. If that certificate is read by a third party, the security of the authority management module is compromised, and with it the security of communication between the hosts.
Summary of the invention
In view of this, the purpose of the embodiments of the present invention is to provide a network security management method and server that can perform identity verification for the authority management module.
To achieve this goal, an embodiment of the invention provides a network security management method, including:
when a request to perform an identity authentication operation using an authority certificate file is detected, obtaining the authority certificate file;
sending the authority certificate file to a trusted cryptographic hardware module, so that the trusted cryptographic hardware module decrypts the authority certificate file;
performing the identity authentication operation using the decrypted authority certificate file.
Preferably, before the trusted cryptographic hardware module is called to decrypt the authority certificate file, the method further includes:
verifying the processing authority of the request to obtain a first judgement result;
when the first judgement result shows that the request has the authority to perform the identity authentication operation, having the trusted cryptographic hardware module decrypt the authority certificate file.
Preferably, the method further includes:
judging the access rights of the user that sent the request to obtain a second judgement result;
when the second judgement result shows that the user has access rights to the authority certificate file, having the trusted cryptographic hardware module decrypt the authority certificate file.
Preferably, the method further includes: according to the result of the identity authentication operation performed with the decrypted authority certificate file, receiving an access request from the user that sent the request;
sending the access request to the trusted cryptographic hardware module, so that the trusted cryptographic hardware module decrypts the access request;
responding to the decrypted access request.
Preferably, the method further includes:
calling the trusted cryptographic hardware module to encrypt the response;
sending the encrypted response to the user that sent the request.
An embodiment of the invention also provides a network security management method, including:
generating an authority certificate file;
calling a trusted cryptographic hardware module to encrypt the authority certificate file;
sending an identity authentication operation request using the authority certificate file.
Preferably, the method includes: receiving the response result to the operation request.
An embodiment of the invention also provides a server, including:
a processor, configured to obtain the authority certificate file when a request to perform an identity authentication operation using an authority certificate file is detected, and to send the authority certificate file to a trusted cryptographic hardware module;
the trusted cryptographic hardware module, configured to decrypt the authority certificate file;
wherein the processor is further configured to perform the identity authentication operation using the decrypted authority certificate file.
Preferably, the server includes:
the processor, further configured to verify the processing authority of the request before the trusted cryptographic hardware module is called to decrypt the authority certificate file, obtaining a first judgement result, and, when the first judgement result shows that the request has the authority to perform the identity authentication operation, to have the trusted cryptographic hardware module decrypt the authority certificate file.
An embodiment of the invention also provides a server, including:
a processor, configured to generate an authority certificate file, to call a trusted cryptographic hardware module to encrypt the authority certificate file, and to send an identity authentication operation request using the authority certificate file.
Compared with the prior art, the embodiments of the invention have the following advantage: the authority certificate file of a principal in the cluster is encrypted with a trusted cryptographic hardware module, and a response is sent to the principal according to the content of the decrypted request, thereby ensuring network security.
Brief description of the drawings
Fig. 1 is a flow chart of embodiment one of the network security management method of the invention;
Fig. 2 is a schematic diagram of a scenario based on embodiment one of the network security management method of the invention;
Fig. 3 is a flow chart of embodiment three of the network security management method of the invention;
Fig. 4 is a schematic diagram of embodiment one of the server of the invention;
Fig. 5 is a schematic diagram of embodiment two of the server of the invention.
Detailed description of the embodiments
Various aspects and features of the disclosure are described herein with reference to the accompanying drawings.
It should be understood that various modifications may be made to the disclosed embodiments. The description above should therefore not be regarded as limiting, but only as an example of embodiments. Those skilled in the art will envisage other modifications within the scope and spirit of the disclosure.
The accompanying drawings, which are incorporated in and form a part of the specification, illustrate embodiments of the disclosure and, together with the general description given above and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
These and other characteristics of the invention will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.
It is also to be understood that, although the invention has been described with reference to some specific examples, a person skilled in the art will be able to realise many other equivalents of the invention, which have the characteristics set out in the claims and therefore all fall within the scope of protection defined thereby.
The above and other aspects, features and advantages of the disclosure will become more apparent from the following detailed description when read in conjunction with the accompanying drawings.
Specific embodiments of the disclosure are described below with reference to the drawings; it will be appreciated, however, that the disclosed embodiments are merely examples of the disclosure, which may be implemented in various ways. Well-known and/or repeated functions and structures are not described in detail, to avoid obscuring the disclosure with unnecessary detail. The specific structural and functional details disclosed herein are therefore not intended to be limiting, but merely serve as a basis for the claims and as a representative basis for teaching those skilled in the art to employ the disclosure in virtually any appropriately detailed structure.
This specification may use the phrases "in one embodiment", "in another embodiment", "in yet another embodiment" or "in other embodiments", each of which may refer to one or more of the same or different embodiments according to the disclosure.
Current big data clusters are managed by an authority management module, which also manages the data generated in the cluster, and they use a mandatory authentication mode: the authority management module must itself pass authentication before it may manage the database. Because managing the data involves communication between principals in the cluster, a security problem in the authority management module threatens the data of the whole cluster. To solve this problem, the embodiments of the invention provide a network security management method and device. So that the features and technical content of the invention can be fully understood, its implementation is described in detail below with reference to the accompanying drawings, which are for reference and illustration only and do not limit the invention.
Embodiment one
This embodiment provides a network security management method applied to a big data cluster. The cluster contains multiple principals; a principal may be a server, and the principals communicate with one another. When the authority management module manages the permissions of each principal and the data they generate, it exchanges information with the principals, and in that communication an authority certificate file encrypted by hardware is used so that the principal can verify its identity. When a principal detects a request to perform an identity authentication operation using an authority certificate file, it first obtains the authority certificate file, then sends it to the trusted cryptographic hardware module so that the module decrypts it, and then performs the identity authentication operation with the decrypted file. The authority management module may be located in one principal of the cluster or on a different host. Because the trusted cryptographic hardware module is installed locally, an unauthorised user who obtains the authority certificate file still cannot decrypt it and cannot use it for any other operation. In this way the authority management module authenticates itself with the encrypted authority certificate file whenever it manages permissions, which protects the authority management module and so improves the security of the network.
Fig. 1 is a flow chart of embodiment one of the network security management method of the invention. As shown in Fig. 1, the network security management method of this embodiment may include the following steps:
S101: when a request to perform an identity authentication operation using an authority certificate file is detected, obtain the authority certificate file.
The executing entity of this embodiment is any server in the cluster. When the server detects that a principal has sent a request to manage permissions using an authority certificate file, it must verify the authority certificate file. The principal that sends the request may be any principal in the cluster, specifically the authority management module of the cluster management platform installed on that principal.
S102: send the authority certificate file to the trusted cryptographic hardware module, so that the trusted cryptographic hardware module decrypts the authority certificate file.
The servers in the cluster of this embodiment follow this verification rule by agreement. After obtaining the authority certificate file, the server passes it to the trusted cryptographic hardware module for decryption; if decryption succeeds, the identity of the authority management module is legitimate. For successful decryption to count as proof of identity, the encryption must be integrity-protected (authenticated encryption, or encryption with a verified tag): with an unauthenticated cipher any input decrypts to something, and the check would distinguish nothing.
The trusted cryptographic hardware module may be a Trusted Cryptography Module (TCM), the Chinese trusted-computing counterpart of the TPM: a microcontroller that stores keys, passwords and data certificates and protects the data stored in the computer so that it cannot be stolen by an external software attack or by physical access.
S103: perform the identity authentication operation using the decrypted authority certificate file.
Specifically, if a principal can decrypt the authority certificate file, the decrypted file yields the principal's authentication information, and a corresponding permission response can be made to the principal according to that authentication information.
In one application scenario, shown in Fig. 2, principal A and server B are in the same cluster. A sends B a request for identity authentication using authority certificate file C. B first obtains C and verifies it, specifically by sending C to the trusted cryptographic hardware module for decryption; the decrypted file yields A's authentication information. That is, B decrypts the authorization data of principal A, and if decryption succeeds, the authentication information in C is obtained. B then responds to A's request according to A's authentication information.
The trusted cryptographic hardware module of this embodiment is a hardware module installed locally, so decrypting the authority certificate file requires calling the local module. Consequently, even if an unauthorised user obtains the authority certificate file, it cannot call the server's trusted cryptographic module to decrypt it and therefore cannot obtain the authentication information the file describes. The security of the network is thus protected.
In the scheme of this embodiment, the authority certificate file of a principal in the cluster is encrypted with a trusted cryptographic hardware module, and a response is sent to the principal according to the content of the decrypted request, thereby ensuring network security.
Embodiment two
Based on the method of embodiment one, this embodiment gives several specific ways of verifying a principal.
Mode one. In one specific embodiment, to further ensure network security, before the server calls the trusted cryptographic hardware module to decrypt the authority certificate file it also verifies the processing authority of the request, in the following steps: A, verify the processing authority of the request to obtain a first judgement result; B, when the first judgement result shows that the request has the authority to perform the identity authentication operation, have the trusted cryptographic hardware module decrypt the authority certificate file. For example, in one application scenario the request has timed out, and the server does not respond to a timed-out request.
Mode two. In another specific embodiment, the method also verifies the rights of the principal that sent the request, in the following steps: C, judge the access rights of the user that sent the request to obtain a second judgement result; D, when the second judgement result shows that the user has access rights to the authority certificate file, have the trusted cryptographic hardware module decrypt the authority certificate file. For example, in another application scenario the server judges that the IP address from which the request was sent is not legitimate and does not respond to the request; if the request carries legitimate authentication information and the IP address is also legitimate, the server responds according to the content of the request. Here "the user that sent the request" means the principal that sent the request; the two terms are used with the same meaning below.
In yet another specific embodiment, the identity authentication result shows that the principal has a legitimate identity, and the server can then accept the principal's permission-management operations, in the following steps: E, according to the result of the identity authentication operation performed with the decrypted authority certificate file, receive the access request of the user that sent the request; F, send the access request to the trusted cryptographic hardware module; G, have the trusted cryptographic hardware module decrypt the access request; and respond to the decrypted access request.
In yet another specific embodiment, to further improve network security, the server may also encrypt the response to the principal, in the following steps: H, call the trusted cryptographic hardware module to encrypt the response; I, send the encrypted response to the user that sent the request.
The scheme of this embodiment not only encrypts the authority certificate file of a principal in the cluster with a trusted cryptographic hardware module, but also verifies the principal's permission information and encrypts the response sent to the principal, improving the security of the network in several dimensions.
Embodiment three
This embodiment provides a network security management method applied to a big data cluster, seen from the side of the principal that requests authentication. As in embodiment one, the cluster contains multiple principals that communicate with one another, the authority management module exchanges information with the principals when managing their permissions and data, and an authority certificate file encrypted by hardware is used in that communication so that the principal can verify its identity; because the trusted cryptographic hardware module is installed locally, an unauthorised user who obtains the file cannot decrypt it or use it for other operations. Fig. 3 is a flow chart of embodiment three of the network security management method of the invention. As shown in Fig. 3, the network security management method of this embodiment may include the following steps:
S301: generate an authority certificate file.
Specifically, when a principal sends an identity authentication request to the server using an authority certificate file, it must first generate the authority certificate file. The file may be generated by the principal itself, or by the server according to the communication protocol used between the principals.
S302: call the trusted cryptographic hardware module to encrypt the authority certificate file.
The trusted cryptographic hardware module may be a TCM as described in embodiment one. It is installed locally, so encrypting and decrypting the authority certificate file requires calling the local module; even if an unauthorised user obtains the authority certificate file, it cannot call the server's trusted cryptographic module to encrypt or decrypt it and therefore cannot obtain the authentication information the file describes. The security of the network is thus protected.
S303: send the identity authentication operation request using the authority certificate file.
Specifically, before sending a request to the server, the principal first sends the encrypted authority certificate file to the server and requests identity authentication. After passing authentication, it can subsequently perform permission operations.
In one specific embodiment, the response result to the operation request is received, that is, the server's response result to the operation request. In practice, to improve network security, the response result may also be encrypted with the trusted cryptographic hardware module, in which case the principal must also decrypt the response result.
In the scheme of this embodiment, the authority certificate file of a principal in the cluster is encrypted with a trusted cryptographic hardware module, and a response is sent to the principal according to the content of the decrypted request, thereby ensuring network security.
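The exchange of embodiments one to three, written out as an added example; this is not the patent's code. A `TrustedCryptoModule` class stands in for the TCM: its key is held inside the object and only `seal`/`open` are exposed, and the principal's module and the server's module are assumed to hold a matching key, which the patent does not specify. The cipher is an encrypt-then-MAC construction over HMAC-SHA256 from the Python standard library, standing in for the module's own symmetric primitives; the message fields, the 30-second timeout and the IP allow-list are assumptions chosen to illustrate modes one and two of embodiment two. Because the tag is checked before anything is decrypted, a file that was tampered with or sealed under another key is rejected instead of being decrypted into garbage, which is what makes "decryption succeeded" a meaningful identity check.

```python
# Added example: stdlib-only simulation of the patent's exchange (not the patent's code).
import hashlib
import hmac
import json
import secrets


class TrustedCryptoModule:
    """Stand-in for the TCM: the key stays inside the object; callers get only seal/open."""

    def __init__(self, key: bytes):
        self._key = key  # no method ever returns or exports this

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode as a PRF; the "enc" label separates it from the MAC
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._key, b"enc" + nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC: nonce || ciphertext || tag, tag over nonce and ciphertext."""
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, blob: bytes):
        """Plaintext, or None when the blob was not sealed under this module's key."""
        if len(blob) < 48:
            return None
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None  # tampered, truncated, or produced under a different key
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


# ---- principal side (embodiment three, S301-S303) ----
def make_auth_request(tcm, principal, permissions, src_ip, now):
    cert = {"principal": principal, "permissions": permissions, "issued": now}  # S301
    sealed = tcm.seal(json.dumps(cert).encode())                               # S302
    return {"src_ip": src_ip, "sent": now, "cert_file": sealed}                # S303 payload


def make_access_request(tcm, action, resource):
    return tcm.seal(json.dumps({"action": action, "resource": resource}).encode())


# ---- server side (embodiment one S101-S103; embodiment two modes one and two, steps E-I) ----
REQUEST_TIMEOUT = 30             # assumed: seconds after which a request counts as timed out
ALLOWED_SOURCES = {"10.0.0.11"}  # assumed: addresses permitted to request authentication


def authenticate(tcm, request, now):
    """Returns (status, detail); the module is called only after the cheap checks pass."""
    if now - request["sent"] > REQUEST_TIMEOUT:       # mode one: timed-out request
        return "rejected", "request timed out"
    if request["src_ip"] not in ALLOWED_SOURCES:      # mode two: sender not permitted
        return "rejected", "source address not permitted"
    plaintext = tcm.open(request["cert_file"])        # S102: decrypt inside the module
    if plaintext is None:
        return "rejected", "certificate file does not open under the local module"
    return "authenticated", json.loads(plaintext)     # S103: authentication information


def serve_access(tcm, cert, sealed_access):
    """Steps E-I: open the access request, authorise it against the certificate, seal the reply."""
    plaintext = tcm.open(sealed_access)
    if plaintext is None:
        return tcm.seal(b'{"ok": false, "reason": "undecryptable request"}')
    access = json.loads(plaintext)
    ok = access["action"] in cert["permissions"]
    return tcm.seal(json.dumps({"ok": ok, "resource": access["resource"]}).encode())


def demo():
    key = secrets.token_bytes(32)  # assumed: both modules were provisioned with a matching key
    tcm_a, tcm_b = TrustedCryptoModule(key), TrustedCryptoModule(key)
    now = 1_700_000_000
    req = make_auth_request(tcm_a, "A", ["read"], "10.0.0.11", now)
    results = {}
    status, cert = authenticate(tcm_b, req, now + 5)
    results["good"] = status
    for action in ("read", "write"):
        reply = serve_access(tcm_b, cert, make_access_request(tcm_a, action, "table1"))
        results[action] = json.loads(tcm_a.open(reply))["ok"]   # principal opens the sealed reply
    results["stale"] = authenticate(tcm_b, req, now + 60)[0]
    results["bad_ip"] = authenticate(tcm_b, dict(req, src_ip="203.0.113.9"), now + 5)[0]
    flipped = bytearray(req["cert_file"])
    flipped[20] ^= 1                                    # one bit of ciphertext changed
    results["tampered"] = authenticate(tcm_b, dict(req, cert_file=bytes(flipped)), now + 5)[0]
    rogue = TrustedCryptoModule(secrets.token_bytes(32))  # a host without the cluster key
    results["wrong_key"] = authenticate(rogue, req, now + 5)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file prints the `demo()` dictionary: the well-formed request from the allowed address authenticates and only the `read` action it was issued for is granted, while the timed-out request and the one from a foreign address are refused before the module is ever touched, and the bit-flipped file and the file presented to a module with a different key are refused by the tag check. In a deployment the `seal`/`open` calls would be the TCM's own API and the key would never exist in host memory at all.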
Embodiment four
This embodiment provides a server, which is a server in the cluster. To improve the security of the network in the communication between the principals of the cluster, a principal's permissions are authenticated when it performs permission management, and when a principal sends a request to operate on data its authority certificate file must additionally be verified. In this embodiment the principal calls the trusted cryptographic hardware module to encrypt the authority certificate file before sending it, and the server that receives the request calls its trusted cryptographic hardware module to decrypt it. Because the trusted cryptographic hardware module is installed locally, encryption and decryption happen locally, and an unauthorised user who obtains the authority certificate file has no way to decrypt it, which improves the security of the network. As shown in Fig. 4, the server includes:
a processor 41, configured to obtain the authority certificate file when a request to perform an identity authentication operation using an authority certificate file is detected, and to send the authority certificate file to the trusted cryptographic hardware module;
the trusted cryptographic hardware module 42, configured to decrypt the authority certificate file;
wherein the processor 41 is further configured to perform the identity authentication operation using the decrypted authority certificate file.
In one specific embodiment, the processor 41 is further configured to verify the processing authority of the request before the trusted cryptographic hardware module is called to decrypt the authority certificate file, obtaining a first judgement result, and, when the first judgement result shows that the request has the authority to perform the identity authentication operation, to have the trusted cryptographic hardware module decrypt the authority certificate file.
Embodiment five
This embodiment provides a server, which is a server in the cluster and acts as the principal that requests authentication. As in embodiment four, the principal calls the trusted cryptographic hardware module to encrypt the authority certificate file before sending it, the server that receives the request decrypts it with its own local trusted cryptographic hardware module, and an unauthorised user who obtains the authority certificate file has no way to decrypt it, which improves the security of the network. As shown in Fig. 5, the server includes:
a processor 51, configured to generate an authority certificate file, to call the trusted cryptographic hardware module to encrypt the authority certificate file, and to send an identity authentication operation request using the authority certificate file.
It should be noted that the description of the electronic-device embodiments above is similar to the description of the method embodiments and has the same beneficial effects as the method embodiments, so it is not repeated. For technical details not disclosed in the electronic-device embodiments, those skilled in the art may refer to the description of the method embodiments; to save space, they are not repeated here.
, can be by it in several embodiments provided herein, it should be understood that disclosed apparatus and method Its mode is realized.Apparatus embodiments described above are only schematical, for example, the division of the unit, is only A kind of division of logic function, can have other dividing mode, such as when actually realizing:Multiple units or component can be combined, or Another system is desirably integrated into, or some features can be ignored, or do not perform.In addition, shown or discussed each composition portion Coupling point each other or direct-coupling or communication connection can be the INDIRECT COUPLINGs of equipment or unit by some interfaces Or communication connection, can be electrical, machinery or other forms.
The above-mentioned unit illustrated as separating component can be or may not be it is physically separate, it is aobvious as unit The part shown can be or may not be physical location, you can positioned at a place, can also be distributed to multiple network lists In member;Part or all of unit therein can be selected to realize the purpose of this embodiment scheme according to the actual needs.
In addition, each functional unit in various embodiments of the present invention can be fully integrated into a processing unit, also may be used Be each unit individually as a unit, can also two or more units it is integrated in a unit;It is above-mentioned Integrated unit can both be realized in the form of hardware, it would however also be possible to employ hardware adds the form of SFU software functional unit to realize.
One of ordinary skill in the art will appreciate that:Realizing all or part of step of above method embodiment can pass through Programmed instruction related hardware is completed, and foregoing program can be stored in a computer read/write memory medium, the program Upon execution, the step of including above method embodiment is performed;And foregoing storage medium includes:It is movable storage device, read-only Memory (ROM, Read Only Memory), random access memory (RAM, Random Access Memory), magnetic disc or Person's CD etc. is various can be with the medium of store program codes.
Or, if the above-mentioned integrated unit of the present invention is realized using in the form of software function module and is used as independent product Sale in use, can also be stored in a computer read/write memory medium.Understood based on such, the present invention is implemented The part that the technical scheme of example substantially contributes to prior art in other words can be embodied in the form of software product, The computer software product is stored in a storage medium, including some instructions are to cause a computer equipment (can be with It is personal computer, server or network equipment etc.) perform all or part of each of the invention embodiment methods described. And foregoing storage medium includes:Movable storage device, read-only storage (ROM, Read Only Memory), arbitrary access are deposited Reservoir (RAM, Random Access Memory), magnetic disc or CD etc. are various can be with the medium of store program codes.
The foregoing is only a specific embodiment of the invention, but protection scope of the present invention is not limited thereto, any Those familiar with the art the invention discloses technical scope in, change or replacement can be readily occurred in, should all be contained Cover within protection scope of the present invention.Therefore, protection scope of the present invention should be based on the protection scope of the described claims.

Claims (10)

1. A network security management method, comprising:
when a request to perform an authentication operation using an authority certificate file is detected, obtaining the authority certificate file;
sending the authority certificate file to a trusted encryption hardware module, so that the trusted encryption hardware module decrypts the authority certificate file; and
performing the authentication operation using the decrypted authority certificate file.
2. The method according to claim 1, wherein, before the trusted encryption hardware module is called to decrypt the authority certificate file, the method further comprises:
verifying the processing authority of the request to obtain a first judgment result; and
when the first judgment result shows that the request possesses the authority to perform the authentication operation, decrypting the authority certificate file in the trusted encryption hardware module.
3. The method according to claim 2, further comprising:
judging the access rights of the user sending the request to obtain a second judgment result; and
when the second judgment result shows that the user possesses access rights to the authority certificate file, decrypting the authority certificate file in the trusted encryption hardware module.
4. The method according to claim 1, further comprising: according to the result of the authentication operation performed with the decrypted authority certificate file, receiving an access request from the user sending the request;
sending the access request to the trusted encryption hardware module, so that the trusted encryption hardware module decrypts the access request; and
responding to the decrypted access request.
5. The method according to claim 4, further comprising:
calling the trusted encryption hardware module to encrypt the response; and
sending the encrypted response to the user sending the request.
6. A network security management method, comprising:
generating an authority certificate file;
calling a trusted encryption hardware module to encrypt the authority certificate file; and
sending an authentication operation request using the authority certificate file.
7. The method according to claim 6, further comprising: receiving a response result to the operation request.
8. A server, comprising:
a processor, configured to obtain an authority certificate file when a request to perform an authentication operation using the authority certificate file is detected, and to send the authority certificate file to a trusted encryption hardware module; and
the trusted encryption hardware module, configured to decrypt the authority certificate file;
wherein the processor is further configured to perform the authentication operation using the decrypted authority certificate file.
9. The server according to claim 8, wherein:
the processor is further configured to verify the processing authority of the request before the trusted encryption hardware module is called to decrypt the authority certificate file, to obtain a first judgment result, and, when the first judgment result shows that the request possesses the authority to perform the authentication operation, to cause the trusted encryption hardware module to decrypt the authority certificate file.
10. A server, comprising:
a processor, configured to generate an authority certificate file, call a trusted encryption hardware module to encrypt the authority certificate file, and send an authentication operation request using the authority certificate file.
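The exchange of Embodiment five and claims 1 to 3 and 6, as an added example that is not part of the patent: the sending body's local module seals the authority certificate file, and the receiving server applies the first judgment (claim 2) and the second judgment (claim 3) before its own local module is allowed to decrypt. The patent names no cipher, so the AES-GCM module, the `Policy` table, and every key and user name here are assumptions; the key is provisioned into the module and never returned to callers, so a copy of the sealed file alone cannot be opened.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// TrustedModule stands in for the trusted encryption hardware module: the key is provisioned into it and never handed back.
type TrustedModule struct{ aead cipher.AEAD }
// NewTrustedModule provisions a 16, 24 or 32-byte AES key into the module and wraps it in AES-GCM (assumed cipher).
func NewTrustedModule(key []byte) (*TrustedModule, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	return &TrustedModule{aead}, nil
}
// Encrypt seals an authority certificate file, prefixing a fresh random nonce (sending side, claim 6).
func (m *TrustedModule) Encrypt(cert []byte) ([]byte, error) {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return m.aead.Seal(nonce, nonce, cert, nil), nil
}
// Decrypt opens a sealed file; tampering, or a module holding a different key, fails the GCM tag check.
func (m *TrustedModule) Decrypt(sealed []byte) ([]byte, error) {
	if n := m.aead.NonceSize(); len(sealed) >= n {
		return m.aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed certificate file too short")
}
// Policy is the server's constructed access table: first judgment (claim 2) and second judgment (claim 3).
type Policy struct{ MayAuthenticate, MayReadCert map[string]bool }
// HandleAuthRequest applies both judgments before the local module decrypts, then returns the plaintext file.
func HandleAuthRequest(m *TrustedModule, p Policy, user string, sealed []byte) (string, error) {
	if !p.MayAuthenticate[user] {
		return "", errors.New("first judgment failed: request lacks authentication authority")
	}
	if !p.MayReadCert[user] {
		return "", errors.New("second judgment failed: user lacks access to the certificate file")
	}
	plain, err := m.Decrypt(sealed)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```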
CN201710192013.7A 2017-03-28 2017-03-28 Network security management method and server Active CN106992978B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710192013.7A CN106992978B (en) 2017-03-28 2017-03-28 Network security management method and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710192013.7A CN106992978B (en) 2017-03-28 2017-03-28 Network security management method and server

Publications (2)

Publication Number Publication Date
CN106992978A true CN106992978A (en) 2017-07-28
CN106992978B CN106992978B (en) 2020-08-25

Family

ID=59413301

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710192013.7A Active CN106992978B (en) 2017-03-28 2017-03-28 Network security management method and server

Country Status (1)

Country Link
CN (1) CN106992978B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107919955A (en) * 2017-12-28 2018-04-17 北京奇虎科技有限公司 A kind of vehicle network safety certifying method, system, vehicle, device and medium
CN109684864A (en) * 2018-11-05 2019-04-26 众安信息技术服务有限公司 A kind of certificate processing method and system based on block chain
CN111756532A (en) * 2020-06-08 2020-10-09 西安万像电子科技有限公司 Data transmission method and device
CN115118474A (en) * 2022-06-20 2022-09-27 广东省工业边缘智能创新中心有限公司 Identification query and storage management method, identification agent module and authority management system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102207999A (en) * 2010-03-29 2011-10-05 国民技术股份有限公司 Data protection method based on trusted computing cryptography support platform
CN102025503B (en) * 2010-11-04 2014-04-16 曙光云计算技术有限公司 Data security implementation method in cluster environment and high-security cluster
CN104023012B (en) * 2014-05-30 2017-05-31 北京金山网络科技有限公司 The method, apparatus and system of service are called in cluster
CN104580250A (en) * 2015-01-29 2015-04-29 成都卫士通信息产业股份有限公司 System and method for authenticating credible identities on basis of safety chips

Also Published As

Publication number Publication date
CN106992978B (en) 2020-08-25

Similar Documents

Publication Publication Date Title
WO2021179449A1 (en) Mimic defense system based on certificate identity authentication, and certificate issuing method
CN107959567B (en) Data storage method, data acquisition method, device and system
CN106888084B (en) Quantum fort machine system and authentication method thereof
US7975312B2 (en) Token passing technique for media playback devices
JP5361894B2 (en) Multi-factor content protection
CN102271037B (en) Based on the key protectors of online key
CN112528250B (en) System and method for realizing data privacy and digital identity through block chain
CN105471833A (en) Safe communication method and device
CN105653986B (en) A kind of data guard method and device based on microSD card
CN103220141B (en) A kind of protecting sensitive data method and system based on group key strategy
CN104767731A (en) Identity authentication protection method of Restful mobile transaction system
CN104361267A (en) Software authorization and protection device and method based on asymmetric cryptographic algorithm
US11316685B1 (en) Systems and methods for encrypted content management
CN106992978A (en) Network safety managing method and server
CN103973698A (en) User access right revoking method in cloud storage environment
CN114826702A (en) Database access password encryption method and device and computer equipment
CN103379103A (en) Linear encryption and decryption hardware implementation method
Suthar et al. EncryScation: A novel framework for cloud iaas, daas security using encryption and obfuscation techniques
CN106790304A (en) Data access method, device, node and server cluster
CN111538973A (en) Personal authorization access control system based on state cryptographic algorithm
CN116244750A (en) Secret-related information maintenance method, device, equipment and storage medium
US20090282245A1 (en) Security method and system for media playback devices
CN114697113A (en) Hardware accelerator card-based multi-party privacy calculation method, device and system
CN114091058A (en) Method and system for secure sharing of data between a first area and a second area
Yoo et al. Confidential information protection system for mobile devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant