CN107659574A - A data access control system - Google Patents

Publication number
CN107659574A
Authority
CN
China
Prior art keywords
data
request
responder
security server
public key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710935932.9A
Other languages
Chinese (zh)
Inventor
丁瑞锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhengzhou Yunhai Information Technology Co Ltd filed Critical Zhengzhou Yunhai Information Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data access control system comprising a data request end, a security server and a data responder. The security server is connected to the data request end and to the data responder, the data request end is also connected to the data responder, and the security server stores the first public key of the data responder. When the data request end needs to request target data from the data responder, it obtains the first public key of the data responder from the security server; authenticates the data responder using the first public key; after successful authentication, sends a data request for the target data to the data responder; and receives the returned target data. The data responder receives the data request sent by the data request end and sends the target data to the data request end. The data access control system provided by the embodiments of the invention can improve the security of data access, does not need to produce access credentials, reduces the pressure on network transmission, and improves the storage performance of the system.

Description

A data access control system
Technical field
The present invention relates to the technical field of data storage, and in particular to a data access control system.
Background
With the development of data storage technology, distributed file systems have also developed rapidly. When a data request end in a distributed file system needs to access the data of a data responder, a data access control system is needed to manage the whole data access process.
In existing data access control systems, the communication ends of the distributed file system, such as the data request end and the data responder, are authenticated with a symmetric key; that is, all communication ends share the same key. Once that key is leaked, a rogue device may impersonate the data responder and supply false data to the data request end, or impersonate the data request end and fraudulently obtain the data of the data responder, so the security of data access is low. In addition, the interaction flow during data access uses access credentials as the basis for data interaction, and these credentials are an added overhead. When the communication ends of the distributed file system access data frequently, a large number of access credentials is produced, which increases the pressure on network transmission and thereby reduces the storage performance of the system.
Summary of the invention
To solve the above technical problems, the present invention provides the following technical solution:
A data access control system, comprising a data request end, a security server and a data responder, wherein the security server is connected to the data request end and to the data responder, the data request end is also connected to the data responder, and the security server stores the first public key of the data responder, wherein:
The data request end is configured to: when it needs to request target data from the data responder, obtain the first public key of the data responder from the security server; authenticate the data responder using the first public key; after successfully authenticating the data responder, send a data request for the target data to the data responder; and receive the target data returned by the data responder;
The data responder is configured to: receive the data request sent by the data request end; and, according to the data request, send the target data to the data request end.
In one embodiment of the present invention,
The data request end is further configured to: before performing the step of obtaining the first public key of the data responder from the security server, send first authentication information to the security server to authenticate the security server; receive the first response information returned by the security server; and determine, according to the first response information, whether authentication of the security server succeeded, and if so, perform the step of obtaining the first public key of the data responder from the security server;
The security server is configured to: receive the first authentication information; generate the first response information according to the first authentication information; and send the first response information to the data request end.
In one embodiment of the present invention,
The data request end is specifically configured to: when it needs to request target data from the data responder, and before performing the step of obtaining the first public key of the data responder from the security server, generate a first random authentication number; use the second public key of the security server to encrypt first authentication information consisting at least of its own first ID, the second ID of the data responder and the first random authentication number; send the encrypted first authentication information to the security server; receive the first response information returned by the security server; decrypt the first response information using its own third private key to obtain first plaintext response information; determine whether the first plaintext authentication number in the first plaintext response information is identical to the first random authentication number, and if so, authentication of the security server has succeeded; and perform the step of obtaining the first public key of the data responder from the security server;
The security server is configured to: receive the first authentication information; decrypt the first authentication information using its own second private key to obtain first plaintext information; according to the first ID and the second ID in the first plaintext information, obtain the third public key of the data request end and the first public key of the data responder from a preset public key store; use the third public key to encrypt the generated first response information, which consists at least of the second ID, the first random authentication number and the first public key; and send the first response information to the data request end.
In one embodiment of the present invention,
The data responder is further configured to: authenticate the security server; and, after successfully authenticating the security server, authenticate the data request end using the third public key returned by the security server.
In one embodiment of the present invention,
The data responder is specifically configured to: receive the data request sent by the data request end; generate a second random authentication number according to the data request; use the second public key to encrypt second authentication information consisting at least of the first ID, the second ID and the second random authentication number; send the encrypted second authentication information to the security server; receive the second response information returned by the security server; decrypt the second response information using its own first private key to obtain second plaintext response information; determine whether the second plaintext authentication number in the second plaintext response information is identical to the second random authentication number, and if so, authentication of the security server has succeeded; and perform the step of authenticating the data request end using the third public key returned by the security server;
The security server is further configured to: receive the second authentication information; decrypt the second authentication information using the second private key to obtain second plaintext information; according to the first ID and the second ID in the second plaintext information, obtain the first public key and the third public key from the public key store; use the first public key to encrypt the generated second response information, which consists at least of the first ID, the second random authentication number and the third public key; and send the second response information to the data responder.
In one embodiment of the present invention,
The data responder is specifically configured to: after successfully authenticating the security server, generate a third random authentication number; use the third public key to encrypt third authentication information consisting at least of the second ID and the third random authentication number; send the encrypted third authentication information to the data request end; receive the third response information returned by the data request end; decrypt the third response information using the first private key to obtain third plaintext response information; determine whether the third plaintext authentication number in the third plaintext response information is identical to the third random authentication number, and if so, authentication of the data request end has succeeded; and, according to the data request, send the target data to the data request end;
The data request end is further configured to: receive the third authentication information returned by the data responder; decrypt the third authentication information using the third private key to obtain third plaintext information; use the first public key to encrypt the third response information, which consists at least of the third random authentication number; and send the encrypted third response information to the data responder.
In one embodiment of the present invention,
The data request end is specifically configured to: after successfully authenticating the security server, use the first public key to encrypt fourth authentication information consisting at least of the first ID and a generated fourth random authentication number; send the encrypted fourth authentication information to the data responder; receive the fourth response information returned by the data responder; decrypt the fourth response information using the third private key to obtain fourth plaintext response information; determine whether the fourth plaintext authentication number in the fourth plaintext response information is identical to the fourth random authentication number, and if so, authentication of the data responder has succeeded; and send the data request for the target data to the data responder;
The data responder is further configured to: receive the fourth authentication information returned by the data request end; decrypt the fourth authentication information using the first private key to obtain fourth plaintext information; use the third public key to encrypt the fourth response information, which consists at least of the fourth random authentication number; and send the encrypted fourth response information to the data request end.
With the data access control system provided by the embodiments of the present invention, when the data request end needs to request target data from the data responder, it obtains the first public key of the data responder from the security server, authenticates the data responder using the first public key, and, after successfully authenticating the data responder, sends a data request for the target data to the data responder. The data responder receives the data request sent by the data request end and, according to the data request, sends the target data to the data request end, which receives the target data returned by the data responder. In this asymmetric-key data access control system, in which the security server manages the public keys, the data responder is authenticated using its first public key obtained from the security server. This can improve the security of data access, does not need to produce access credentials, reduces the pressure on network transmission, and improves the storage performance of the system.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of a data access control system in an embodiment of the present invention;
Fig. 2 is a diagram of the one-way authentication between the data request end and the security server in the data access control system in an embodiment of the present invention;
Fig. 3 is a diagram of the one-way authentication between the data responder and the security server in the data access control system in an embodiment of the present invention;
Fig. 4 is a diagram of the process by which the data responder authenticates the data request end in the data access control system in an embodiment of the present invention;
Fig. 5 is a diagram of the process by which the data request end authenticates the data responder in the data access control system in an embodiment of the present invention;
Fig. 6 is another structural diagram of a data access control system in an embodiment of the present invention.
Detailed description
To help those skilled in the art better understand the solution of the present invention, the present invention is described in further detail below with reference to the drawings and specific embodiments. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a structural diagram of a data access control system in an embodiment of the present invention. The system may include:
Data request end 1, security server 2 and data responder 3. Security server 2 is connected to data request end 1 and to data responder 3, data request end 1 is also connected to data responder 3, and security server 2 stores the first public key of data responder 3,
wherein data request end 1 is configured to: when it needs to request target data from data responder 3, obtain the first public key of data responder 3 from security server 2; authenticate data responder 3 using the first public key; after successfully authenticating data responder 3, send a data request for the target data to data responder 3; and receive the target data returned by data responder 3;
Data responder 3 is configured to: receive the data request sent by data request end 1; and, according to the data request, send the target data to data request end 1.
The data access control system provided by the embodiment of the present invention includes data request end 1, security server 2 and data responder 3. Security server 2 is connected to data request end 1 and to data responder 3, and data request end 1 is also connected to data responder 3.
The public keys of the communication ends in the system can be stored in advance in security server 2, which manages them centrally; for example, security server 2 stores the first public key of data responder 3. When data request end 1 needs to request target data from data responder 3, it must authenticate data responder 3 to confirm that data responder 3 is legitimate. That is, it can obtain the first public key of data responder 3 from security server 2, authenticate data responder 3 using that first public key, and, once data responder 3 has been authenticated successfully, send the data request for the target data to data responder 3. Data responder 3 receives the data request sent by data request end 1 and, according to the data request, sends the target data to data request end 1, which receives the target data returned by data responder 3.
With the data access control system provided by the embodiments of the present invention, when the data request end needs to request target data from the data responder, it obtains the first public key of the data responder from the security server, authenticates the data responder using the first public key, and, after successfully authenticating the data responder, sends a data request for the target data to the data responder. The data responder receives the data request sent by the data request end and, according to the data request, sends the target data to the data request end, which receives the target data returned by the data responder. In this asymmetric-key data access control system, in which the security server manages the public keys, the data responder is authenticated using its first public key obtained from the security server. This can improve the security of data access, does not need to produce access credentials, reduces the pressure on network transmission, and improves the storage performance of the system.
In one embodiment of the present invention, data request end 1 is further configured to: before performing the step of obtaining the first public key of data responder 3 from security server 2, send first authentication information to security server 2 to authenticate security server 2; receive the first response information returned by security server 2; and determine, according to the first response information, whether authentication of security server 2 succeeded, and if so, perform the step of obtaining the first public key of data responder 3 from security server 2;
Security server 2 is configured to: receive the first authentication information; generate the first response information according to the first authentication information; and send the first response information to data request end 1.
When data request end 1 needs to request data from data responder 3, it must authenticate security server 2 to confirm that security server 2 is legitimate. That is, it can send first authentication information to security server 2 to authenticate it. Security server 2 receives the first authentication information, generates the first response information according to it, and sends the first response information to data request end 1. Data request end 1 receives the first response information returned by security server 2 and, according to the first response information, confirms whether authentication of security server 2 succeeded. If authentication succeeded, the first response information came from the genuine security server 2.
The first response information can include the first public key used to authenticate data responder 3. After successfully authenticating security server 2, data request end 1 can use the first public key of data responder 3 in the received first response information to authenticate data responder 3, confirming the role of data responder 3 and preventing an impersonator from supplying false data.
In one embodiment of the present invention, security server 2 also stores the third public key of data request end 1,
Data request end 1 is specifically configured to: when it needs to request target data from data responder 3, and before performing the step of obtaining the first public key of data responder 3 from security server 2, generate a first random authentication number; use the second public key of security server 2 to encrypt first authentication information consisting at least of its own first ID, the second ID of data responder 3 and the first random authentication number; send the encrypted first authentication information to security server 2; receive the first response information returned by security server 2; decrypt the first response information using its own third private key to obtain first plaintext response information; determine whether the first plaintext authentication number in the first plaintext response information is identical to the first random authentication number, and if so, authentication of security server 2 has succeeded; and perform the step of obtaining the first public key of data responder 3 from security server 2;
Security server 2 is configured to: receive the first authentication information; decrypt the first authentication information using its own second private key to obtain first plaintext information; according to the first ID and the second ID in the first plaintext information, obtain the third public key of data request end 1 and the first public key of data responder 3 from a preset public key store; use the third public key to encrypt the generated first response information, which consists at least of the second ID, the first random authentication number and the first public key; and send the first response information to data request end 1.
Fig. 2 is a diagram of the one-way authentication between data request end 1 and security server 2 in the data access control system in an embodiment of the present invention. For a communication end, the public key is used to encrypt information and can be disclosed. Each public key corresponds to a unique private key; only that communication end holds the private key, and it uses the private key to decrypt information encrypted with the corresponding public key. Data request end 1 and data responder 3 can obtain the second public key of security server 2 in advance. When data request end 1 needs to request target data from data responder 3, it can automatically generate a first random authentication number Nonce, use the second public key of security server 2 to encrypt first authentication information consisting at least of its own first ID, the second ID of data responder 3 and the first random authentication number, and send the encrypted first authentication information to security server 2 in order to authenticate security server 2.
A public key store can be preset in security server 2, and the public keys of the communication ends, such as data request end 1 and data responder 3, are all stored in it. Security server 2 receives the first authentication information sent by data request end 1 and decrypts it using its own second private key, which corresponds to the second public key, to obtain the first plaintext information. The first plaintext information contains, in plaintext form, the first ID of data request end 1 and the second ID of data responder 3. According to the first ID and the second ID in the first plaintext information, security server 2 can obtain the third public key of data request end 1 and the first public key of data responder 3 from the preset public key store. It can then generate first response information consisting at least of the second ID, the first random authentication number and the first public key, encrypt the first response information using the third public key it obtained, and send the encrypted first response information to data request end 1.
Data request end 1 receives the first response information returned by security server 2 and decrypts it using its own third private key, which corresponds to the third public key, to obtain the first plaintext response information. The first plaintext response information contains the second ID in plaintext form, the first plaintext authentication number, and the first public key in plaintext form. Data request end 1 determines whether the first plaintext authentication number in the first plaintext response information is identical to the first random authentication number. If so, authentication of security server 2 has succeeded, and data request end 1 then uses the first public key of data responder 3 in the first plaintext response information to authenticate data responder 3, ensuring the security of the data access process.
It should be noted that the first random authentication number can be a number or a word; the embodiments of the present invention place no restriction on this.
In one embodiment of the present invention,
Data responder 3 is further configured to: authenticate security server 2; and, after successfully authenticating security server 2, authenticate data request end 1 using the third public key returned by security server 2.
During data access, data responder 3 can also use the third public key of data request end 1 to authenticate data request end 1, preventing data from being obtained by fraud. Data responder 3 therefore needs to obtain the third public key of data request end 1 from security server 2. It can first authenticate security server 2 and, after successfully authenticating security server 2, that is, after ensuring that security server 2 is legitimate, use the third public key returned by security server 2 to authenticate data request end 1.
In one embodiment of the present invention, data responder 3 is specifically configured to: receive the data request sent by data request end 1; generate a second random authentication number according to the data request; use the second public key to encrypt second authentication information consisting at least of the first ID, the second ID and the second random authentication number; send the encrypted second authentication information to security server 2; receive the second response information returned by security server 2; decrypt the second response information using its own first private key to obtain second plaintext response information; determine whether the second plaintext authentication number in the second plaintext response information is identical to the second random authentication number, and if so, authentication of security server 2 has succeeded; and perform the step of authenticating data request end 1 using the third public key returned by security server 2;
Security server 2 is further configured to: receive the second authentication information; decrypt the second authentication information using the second private key to obtain second plaintext information; according to the first ID and the second ID in the second plaintext information, obtain the first public key and the third public key from the public key store; use the first public key to encrypt the generated second response information, which consists at least of the first ID, the second random authentication number and the third public key; and send the second response information to data responder 3.
Fig. 3 is a diagram of the one-way authentication between data responder 3 and security server 2 in the data access control system in an embodiment of the present invention. Data responder 3 can obtain the second public key of security server 2 in advance. After receiving the data request sent by data request end 1, data responder 3 can generate a second random authentication number according to the data request, generate second authentication information consisting at least of the first ID, the second ID and the second random authentication number, encrypt the second authentication information using the second public key it obtained, and send the encrypted second authentication information to security server 2.
Security server 2 receives the second authentication information and decrypts it using its own second private key to obtain the second plaintext information. According to the first ID and the second ID in the second plaintext information, it can then obtain the first public key of data responder 3 and the third public key of data request end 1 from the public key store. It then generates second response information consisting at least of the first ID, the second random authentication number and the third public key, encrypts the second response information using the first public key it obtained, and sends the encrypted second response information to data responder 3.
Data responder 3 receives the second response information returned by security server 2 and decrypts it using its own first private key to obtain the second plaintext response information. The second plaintext response information contains the first ID in plaintext form, the second plaintext authentication number, and the third public key in plaintext form. Data responder 3 determines whether the second plaintext authentication number in the second plaintext response information is identical to the second random authentication number. If so, authentication of security server 2 has succeeded, and data responder 3 then uses the third public key of data request end 1 in the second plaintext response information to authenticate data request end 1, ensuring the security of the data access process.
In one embodiment of the present invention, the data responder 3 is specifically configured to: generate a third random authentication number after successfully authenticating the security server 2; encrypt, with the third public key, third authentication information consisting at least of the second ID and the third random authentication number; send the encrypted third authentication information to the data request end 1; receive the third echo message returned by the data request end 1; decrypt the third echo message with the first private key to obtain a third plaintext echo message; determine whether the third plaintext authentication number in the third plaintext echo message is identical to the third random authentication number and, if so, the data request end 1 is authenticated successfully; and send the target data to the data request end 1 according to the data request;
The data request end 1 is further configured to: receive the third authentication information returned by the data responder 3; decrypt the third authentication information with the third private key to obtain third plaintext information; encrypt, with the first public key, a third echo message consisting at least of the third random authentication number; and send the encrypted third echo message to the data responder 3.
Fig. 4 is a schematic structural diagram of the process by which the data responder 3 authenticates the data request end 1 in the data access control system of an embodiment of the present invention. After successfully authenticating the security server 2, the data responder 3 can generate a third random authentication number, form third authentication information consisting at least of the second ID and the third random authentication number, encrypt the third authentication information with the third public key returned by the security server 2, and send the encrypted third authentication information to the data request end 1. The data request end 1 receives the third authentication information returned by the data responder 3 and decrypts it with its own third private key to obtain third plaintext information. The data request end 1 then generates a third echo message consisting at least of the third random authentication number, encrypts the third echo message with the first public key returned by the security server 2, and sends the encrypted third echo message to the data responder 3.
The data responder 3 receives the third echo message returned by the data request end 1 and decrypts it with the first private key to obtain a third plaintext echo message, which contains the third plaintext authentication number. The data responder 3 determines whether the third plaintext authentication number in the third plaintext echo message is identical to the third random authentication number. If they are identical, the data request end 1 is authenticated successfully. The data responder 3 can then determine that the data request end 1 is legitimate and send the target data to the data request end 1 according to the data request.
In one embodiment of the present invention, the data request end 1 is specifically configured to: after the security server 2 is authenticated successfully, encrypt, with the first public key, fourth authentication information consisting at least of the first ID and a generated fourth random authentication number; send the encrypted fourth authentication information to the data responder 3; receive the fourth echo message returned by the data responder 3; decrypt the fourth echo message with the third private key to obtain a fourth plaintext echo message; determine whether the fourth plaintext authentication number in the fourth plaintext echo message is identical to the fourth random authentication number and, if so, the data responder 3 is authenticated successfully; and send the data request for the target data to the data responder 3;
The data responder 3 is further configured to: receive the fourth authentication information returned by the data request end 1; decrypt the fourth authentication information with the first private key to obtain fourth plaintext information; encrypt, with the third public key, a fourth echo message consisting at least of the fourth random authentication number; and send the encrypted fourth echo message to the data request end 1.
Fig. 5 is a schematic structural diagram of the process by which the data request end 1 authenticates the data responder 3 in the data access control system of an embodiment of the present invention. After successfully authenticating the security server 2, the data request end 1 can automatically generate a fourth random authentication number, form fourth authentication information consisting at least of the first ID and the fourth random authentication number, encrypt the fourth authentication information with the first public key returned by the security server 2, and send the encrypted fourth authentication information to the data responder 3. The data responder 3 receives the fourth authentication information returned by the data request end 1 and decrypts it with its own first private key to obtain fourth plaintext information. It then encrypts, with the third public key returned by the security server 2, a fourth echo message consisting at least of the fourth random authentication number, and sends the encrypted fourth echo message to the data request end 1.
The data request end 1 receives the fourth echo message returned by the data responder 3 and decrypts it with the third private key to obtain a fourth plaintext echo message, which contains the fourth plaintext authentication number. The data request end 1 determines whether the fourth plaintext authentication number in the fourth plaintext echo message is identical to the fourth random authentication number. If they are identical, the data responder 3 is authenticated successfully. The data request end 1 can then determine that the data responder 3 is legitimate and send the data request for the target data to the data responder 3.
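The Fig. 3 and Fig. 4 exchanges described above can be traced in code; the Fig. 5 direction is the same exchange with the roles swapped. This is an added example, not part of the patent: the patent names no cipher, so a toy Diffie-Hellman hybrid scheme stands in for public-key encryption, and the class names, function names and IDs (`client-1`, `object-store-1`) are constructed for illustration.

```python
import hashlib, hmac, json, secrets

# Toy DH hybrid cipher standing in for the patent's unnamed public-key cipher (assumption).
P, G = 2**255 - 19, 2

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _keys(shared):
    raw = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def _xor(key, data):
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(pub, msg):  # only the holder of the private key matching `pub` can read msg
    eph, eph_pub = keygen()
    k_enc, k_mac = _keys(pow(pub, eph, P))
    ct = _xor(k_enc, json.dumps(msg).encode())
    return eph_pub, ct, hmac.new(k_mac, ct, hashlib.sha256).digest()

def unseal(priv, box):
    eph_pub, ct, tag = box
    k_enc, k_mac = _keys(pow(eph_pub, priv, P))
    if not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return json.loads(_xor(k_enc, ct))

class SecurityServer:
    def __init__(self):
        self.priv, self.pub = keygen()   # second private key / second public key
        self.store = {}                  # public key store: ID -> public key
    def handle(self, box):
        m = unseal(self.priv, box)       # second plaintext information
        pk1, pk3 = self.store[m["id2"]], self.store[m["id1"]]
        return seal(pk1, {"id1": m["id1"], "nonce": m["nonce"], "pk3": pk3})

class Party:
    def __init__(self, ident, server=None):
        self.id = ident
        self.priv, self.pub = keygen()
        if server is not None:           # enrolment in the key store (assumed out of band)
            server.store[ident] = self.pub
    def echo(self, challenge, reply_pub):  # prover side: return the nonce under reply_pub
        return seal(reply_pub, {"nonce": unseal(self.priv, challenge)["nonce"]})

def authenticate_server(responder, requester_id, server_pub, send):
    """Fig. 3: returns the requester's (third) public key, or None on failure."""
    nonce = secrets.token_hex(16)        # second random authentication number
    box = seal(server_pub, {"id1": requester_id, "id2": responder.id, "nonce": nonce})
    try:
        reply = unseal(responder.priv, send(box))
    except (ValueError, KeyError):
        return None
    return reply["pk3"] if hmac.compare_digest(reply["nonce"], nonce) else None

def authenticate_requester(responder, pk3, prover):
    """Fig. 4: `prover` is whoever claims to be the data request end."""
    nonce = secrets.token_hex(16)        # third random authentication number
    challenge = seal(pk3, {"id2": responder.id, "nonce": nonce})
    try:                                 # prover already holds pk1 from its own server query
        answer = unseal(responder.priv, prover.echo(challenge, responder.pub))
    except ValueError:
        return False
    return hmac.compare_digest(answer["nonce"], nonce)

def demo():
    server, rogue = SecurityServer(), SecurityServer()
    client = Party("client-1", server)          # data request end (constructed ID)
    store = Party("object-store-1", server)     # data responder (constructed ID)
    impostor = Party("client-1")                # claims the ID, holds a different key pair
    pk3 = authenticate_server(store, client.id, server.pub, server.handle)
    return {
        "server_ok": pk3 == client.pub,
        "rogue_server_ok": authenticate_server(store, client.id, server.pub, rogue.handle) is not None,
        "requester_ok": authenticate_requester(store, pk3, client),
        "impostor_ok": authenticate_requester(store, pk3, impostor),
    }

if __name__ == "__main__":
    print(demo())
```

The rogue server and the impostor both fail because neither holds the private key needed to recover the random authentication number from the challenge.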
In practical applications, as shown in Fig. 6, the whole data access control system can consist of four parts: a client, an object storage cluster, a metadata server and the security server 2. The data access process between the data request end 1 and the data responder 3 can specifically be a data access process between any two of the client, the object storage cluster and the metadata server. Channels 11, 12 and 13 are the interaction paths among the client, the object storage cluster and the metadata server, and two-way identity authentication is added to their interactions. Channels 21, 22 and 23 are the interaction paths between each communication end and the security server 2, and one-way identity authentication is added to their interactions. Compared with a traditional storage architecture, the data access control system adds the security server 2, which provides key query and management services and can supply the corresponding public key according to the ID of the client, the object storage cluster or the metadata server. One-way or two-way authentication is required when connections are established among the client, the object storage cluster, the metadata server and the security server 2, which can prevent a rogue device from impersonating an identity in the system to obtain illegitimate permissions.
The security server 2 can provide a public key query service to communication ends such as the client, the object storage cluster and the metadata server. Any communication end can send a public key query request to the security server 2, and the one-way authentication protocol can prevent a rogue device from posing as the security server 2 and supplying forged public keys to the communication ends.
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module can reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
Specific examples are used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help in understanding the technical solution of the present invention and its core idea. It should be noted that those of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principle, and these improvements and modifications also fall within the protection scope of the claims of the present invention.

Claims (7)

  1. A data access control system, characterized by comprising: a data request end, a security server and a data responder, wherein the security server is connected to the data request end and to the data responder respectively, the data request end is also connected to the data responder, and the first public key of the data responder is stored in the security server, wherein:
    The data request end is configured to: when target data needs to be requested from the data responder, obtain the first public key of the data responder from the security server; authenticate the data responder using the first public key; after successfully authenticating the data responder, send a data request for the target data to the data responder; and receive the target data returned by the data responder;
    The data responder is configured to: receive the data request sent by the data request end; and send the target data to the data request end according to the data request.
  2. The system according to claim 1, characterized in that
    The data request end is further configured to: before performing the step of obtaining the first public key of the data responder from the security server, send first authentication information to the security server to authenticate the security server; receive the first echo message returned by the security server; determine, according to the first echo message, whether the security server is authenticated successfully and, if so, perform the step of obtaining the first public key of the data responder from the security server;
    The security server is configured to: receive the first authentication information; generate the first echo message according to the first authentication information; and send the first echo message to the data request end.
  3. The system according to claim 2, characterized in that the third public key of the data request end is also stored in the security server,
    The data request end is specifically configured to: when target data needs to be requested from the data responder, and before performing the step of obtaining the first public key of the data responder from the security server, generate a first random authentication number; encrypt, with the second public key of the security server, first authentication information consisting at least of its own first ID, the second ID of the data responder and the first random authentication number; send the encrypted first authentication information to the security server; receive the first echo message returned by the security server; decrypt the first echo message with its own third private key to obtain a first plaintext echo message; determine whether the first plaintext authentication number in the first plaintext echo message is identical to the first random authentication number and, if so, the security server is authenticated successfully; and perform the step of obtaining the first public key of the data responder from the security server;
    The security server is configured to: receive the first authentication information; decrypt the first authentication information with its own second private key to obtain first plaintext information; obtain, according to the first ID and the second ID in the first plaintext information, the third public key of the data request end and the first public key of the data responder from a preset public key store; encrypt, with the third public key, the generated first echo message consisting at least of the second ID, the first random authentication number and the first public key; and send the first echo message to the data request end.
  4. The system according to claim 3, characterized in that
    The data responder is further configured to: authenticate the security server; and, after successfully authenticating the security server, authenticate the data request end using the third public key returned by the security server.
  5. The system according to claim 4, characterized in that
    The data responder is specifically configured to: receive the data request sent by the data request end; generate a second random authentication number according to the data request; encrypt, with the second public key, second authentication information consisting at least of the first ID, the second ID and the second random authentication number; send the encrypted second authentication information to the security server; receive the second echo message returned by the security server; decrypt the second echo message with its own first private key to obtain a second plaintext echo message; determine whether the second plaintext authentication number in the second plaintext echo message is identical to the second random authentication number and, if so, the security server is authenticated successfully; and perform the step of authenticating the data request end using the third public key returned by the security server;
    The security server is further configured to: receive the second authentication information; decrypt the second authentication information with the second private key to obtain second plaintext information; obtain, according to the first ID and the second ID in the second plaintext information, the first public key and the third public key from the public key store; encrypt, with the first public key, the generated second echo message consisting at least of the first ID, the second random authentication number and the third public key; and send the second echo message to the data responder.
  6. The system according to claim 4 or 5, characterized in that
    The data responder is specifically configured to: after successfully authenticating the security server, generate a third random authentication number; encrypt, with the third public key, third authentication information consisting at least of the second ID and the third random authentication number; send the encrypted third authentication information to the data request end; receive the third echo message returned by the data request end; decrypt the third echo message with the first private key to obtain a third plaintext echo message; determine whether the third plaintext authentication number in the third plaintext echo message is identical to the third random authentication number and, if so, the data request end is authenticated successfully; and send the target data to the data request end according to the data request;
    The data request end is further configured to: receive the third authentication information returned by the data responder; decrypt the third authentication information with the third private key to obtain third plaintext information; encrypt, with the first public key, the third echo message consisting at least of the third random authentication number; and send the encrypted third echo message to the data responder.
  7. The system according to claim 6, characterized in that
    The data request end is specifically configured to: after the security server is authenticated successfully, encrypt, with the first public key, fourth authentication information consisting at least of the first ID and a generated fourth random authentication number; send the encrypted fourth authentication information to the data responder; receive the fourth echo message returned by the data responder; decrypt the fourth echo message with the third private key to obtain a fourth plaintext echo message; determine whether the fourth plaintext authentication number in the fourth plaintext echo message is identical to the fourth random authentication number and, if so, the data responder is authenticated successfully; and send the data request for the target data to the data responder;
    The data responder is further configured to: receive the fourth authentication information returned by the data request end; decrypt the fourth authentication information with the first private key to obtain fourth plaintext information; encrypt, with the third public key, the fourth echo message consisting at least of the fourth random authentication number; and send the encrypted fourth echo message to the data request end.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710935932.9A CN107659574A (en) 2017-10-10 2017-10-10 A kind of data access control system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180202