CN108243158A - Method and apparatus for security authentication - Google Patents

Method and apparatus for security authentication

Info

Publication number: CN108243158A
Application number: CN201611219818.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: identifier, encrypted ticket, bill, encrypted, ticket
Inventors: 潘宇轩, 王国飞, 王宝晗, 陶捷
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The present invention provides a processing method for security authentication: receiving a first user identifier and a first application identifier; after obtaining permission for the first identity to access the first application, generating a ticket containing the first user identifier and the first application identifier, and encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket; computing an identifier of the encrypted ticket with a preset algorithm, storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and sending the encrypted ticket. The present invention also provides a security authentication apparatus.

Description

Method and apparatus for security authentication
Technical field
The present invention relates to the field of information security technology, and in particular to a method and apparatus for security authentication.
Background technology
In the era of big data, Hadoop has been widely deployed and has attracted attention for its good scalability, efficient reading and writing, and outstanding processing capacity for massive data. How to ensure the security of the Hadoop platform has therefore naturally become an important research subject. Among these concerns, security authentication, as one of the safeguards of the Hadoop platform, is of the utmost importance to the whole platform. At present, most Hadoop platforms rely on a trusted third-party platform, such as Kerberos, to perform security authentication.
However, this dependence on a third-party platform has the following problems: (1) if the third-party platform fails, cannot be logged into, or the information stored on the Hadoop platform or the third-party platform is stolen, the security authentication of the Hadoop platform is lost entirely; that is, there is a single point of failure. (2) A user holds only one ticket, so different applications can be accessed with the same ticket, and the authentication granularity is too coarse; if that ticket is stolen, every application the user can access may be accessed, which significantly reduces security. (3) The authentication process is too complicated and easily becomes a performance bottleneck on the Hadoop platform.
Therefore, how to provide a more stable, finer-grained, simpler and safer authentication method for the Hadoop platform is a problem to be solved.
Summary of the invention
In view of this, the primary object of the present invention is to provide a more stable, finer-grained, simpler and safer security authentication method and apparatus for the Hadoop platform.
To achieve the above object, the technical solution of the present invention is realized as follows:
An embodiment of the present invention provides a processing method for security authentication, the method including:
receiving a first user identifier and a first application identifier;
after obtaining permission for the first identity to access the first application, generating a ticket containing the first user identifier and the first application identifier, and encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
computing an identifier of the encrypted ticket with a preset algorithm, storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and sending the encrypted ticket.
In the above scheme, computing the identifier of the encrypted ticket with a preset algorithm and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes:
computing the MD5 value of the encrypted ticket with the MD5 message digest algorithm, and storing locally the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
In the above scheme, storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes:
storing locally the encrypted ticket, the identifier of the encrypted ticket, the encryption algorithm and the decryption key.
In the above scheme, encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes:
encrypting the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket, and storing locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
In the above scheme, encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes:
encrypting the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket, and storing locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
An embodiment of the present invention provides a security authentication method based on the above processing method, the method including:
receiving an encrypted ticket, a second user identifier and a second application identifier;
computing the identifier of the encrypted ticket with the preset algorithm, obtaining the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypting the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket;
when it is determined that the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, allowing the first application to be accessed with the first identity.
An embodiment of the present invention provides a processing apparatus for security authentication, the apparatus including an authorization information receiving module, an authorization processing module and an authorization reply module, wherein:
the authorization information receiving module is configured to receive a first user identifier and a first application identifier;
the authorization processing module is configured to, after obtaining permission for the first identity to access the first application, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
the authorization reply module is configured to compute an identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket.
In the above scheme, the authorization reply module is specifically configured to:
compute the MD5 value of the encrypted ticket with the MD5 message digest algorithm, and store locally the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
In the above scheme, the authorization reply module is specifically configured to:
store locally the encrypted ticket, the identifier of the encrypted ticket, the encryption algorithm and the decryption key.
In the above scheme, the authorization processing module is specifically configured to encrypt the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket;
and the authorization reply module is specifically configured to store locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
In the above scheme, the authorization processing module is specifically configured to encrypt the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket;
and the authorization reply module is specifically configured to store locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
An embodiment of the present invention provides a security authentication apparatus based on the above processing apparatus, the apparatus including an authentication information receiving module, an information extraction module and an authentication processing module, wherein:
the authentication information receiving module is configured to receive an encrypted ticket, a second user identifier and a second application identifier;
the information extraction module is configured to compute the identifier of the encrypted ticket with the preset algorithm, obtain the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypt the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket;
the authentication processing module is configured to allow the first application to be accessed with the first identity when it determines that the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket.
In the security authentication method and apparatus provided by the embodiments of the present invention, the encrypted ticket is generated as follows: a first user identifier and a first application identifier are received; after permission for the first identity to access the first application is obtained, a ticket containing the first user identifier and the first application identifier is generated and encrypted with an encryption algorithm and an encryption key to obtain an encrypted ticket; an identifier of the encrypted ticket is computed with a preset algorithm, the identifier of the encrypted ticket, the encryption algorithm and the decryption key are stored locally, and the encrypted ticket is sent. Authentication with the encrypted ticket proceeds as follows: an encrypted ticket, a second user identifier and a second application identifier are received; the identifier of the encrypted ticket is computed with the preset algorithm, the encryption algorithm and the decryption key are obtained according to that identifier, and the encrypted ticket is decrypted with them to obtain the ticket; when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, access to the first application with the first identity is allowed. In this way, a more stable, finer-grained, simpler and safer authentication method and apparatus are provided for the Hadoop platform.
Description of the drawings
Fig. 1 is a flow diagram of the processing method for security authentication according to an embodiment of the present invention;
Fig. 2 is a flow diagram of the security authentication method according to an embodiment of the present invention;
Fig. 3 is a structure diagram of the processing apparatus for security authentication according to an embodiment of the present invention;
Fig. 4 is a structure diagram of the security authentication apparatus according to an embodiment of the present invention;
Fig. 5 is a structure diagram of the security authentication system according to an embodiment of the present invention;
Fig. 6 is a detailed flow diagram of the processing method for security authentication according to an embodiment of the present invention;
Fig. 7 is a detailed flow diagram of the security authentication method according to an embodiment of the present invention.
Specific embodiments
In the embodiments of the present invention, the encrypted ticket is generated as follows: a first user identifier and a first application identifier are received; after permission for the first identity to access the first application is obtained, a ticket containing the first user identifier and the first application identifier is generated and encrypted with an encryption algorithm and an encryption key to obtain an encrypted ticket; an identifier of the encrypted ticket is computed with a preset algorithm, the identifier of the encrypted ticket, the encryption algorithm and the decryption key are stored locally, and the encrypted ticket is sent. Authentication with the encrypted ticket proceeds as follows: an encrypted ticket, a second user identifier and a second application identifier are received; the identifier of the encrypted ticket is computed with the preset algorithm, the encryption algorithm and the decryption key are obtained according to that identifier, and the encrypted ticket is decrypted with them to obtain the ticket; when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, access to the first application with the first identity is allowed.
The present invention is further described in detail below with reference to embodiments.
An embodiment of the present invention provides a processing method for security authentication; as shown in Fig. 1, the method includes:
Step 101: receive a first user identifier and a first application identifier;
In general, several applications are deployed on a Hadoop platform, such as HBase (Hadoop Database), HDFS (Hadoop Distributed File System) and Hive. The application identifier may be any identifier that uniquely identifies the application, such as the application's name, service type or IP (Internet Protocol) address; the user identifier may be any identifier that uniquely identifies the user's identity, such as a user name, user ID or IP address. When a user applies for access rights to an application on the Hadoop platform, the user identifier and the application identifier can be submitted together; the Hadoop platform then receives the user identifier and the application identifier, which are the first user identifier and the first application identifier.
Step 102: after obtaining permission for the first identity to access the first application, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
Here, the first identity can be understood as the user identity referred to by the first user identifier.
A Hadoop platform generally has an administrator, so the first user identifier and the first application identifier can be presented to the administrator, who decides whether to allow the first application to be accessed with the first identity; if the administrator's input indicates approval, the corresponding permission has been obtained from the administrator.
As an optional embodiment, a permission configuration file can be created on the Hadoop platform; the administrator can write into this configuration file a configuration item permitting the first application to be accessed with the first identity, and when the processing method reads this configuration item, the corresponding permission has been obtained. In addition, the administrator can also inform the process running the processing method, for example by sending a signal, that permission for the first identity to access the first application has been obtained.
In this step, one ticket corresponds only to the access of one identity to one application; that is, for the same user, different applications correspond to different tickets, and if the user has multiple identities, the access of different identities to different applications corresponds to different tickets, giving a finer authentication granularity. Therefore, when a user has access rights to several applications on the Hadoop platform, an encrypted ticket needs to be created separately for each application, which both refines the authentication granularity and improves the security of the Hadoop platform.
Step 103: compute the identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket.
The identifier of the encrypted ticket may be any string that uniquely identifies the encrypted ticket, such as its MD5 (Message Digest Algorithm 5) value or its SHA256 (Secure Hash Algorithm 256) value; correspondingly, the preset algorithm may be MD5, SHA256 and so on. The locally stored identifier of the encrypted ticket corresponds to the encryption algorithm and the decryption key, so that the corresponding encryption algorithm and decryption key can be determined from the identifier of the encrypted ticket.
Preventing forgery of encrypted tickets is of the utmost importance to the security of the Hadoop platform. In the processing method, since only the Hadoop platform knows the encryption key, no other device can generate an encrypted ticket that the decryption key decrypts correctly, so forgery of encrypted tickets is prevented.
In step 102 and step 103, if the encryption algorithm is a symmetric encryption algorithm, the encryption key is equal to the decryption key; if the encryption algorithm is an asymmetric encryption algorithm, the encryption key is either one of the public key and the private key, for example the public key (or private key), and the decryption key is the other, for example the private key (or public key).
In an embodiment of the present invention, computing the identifier of the encrypted ticket with a preset algorithm and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes: computing the MD5 value of the encrypted ticket with the MD5 message digest algorithm, and storing locally the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
Since the identifier of an encrypted ticket corresponds to an encryption algorithm and a decryption key, different encrypted tickets must be prevented from corresponding to the same encryption algorithm and decryption key when they are stored; because different encrypted tickets have different MD5 values, this problem is effectively avoided.
In an embodiment of the present invention, storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes: storing locally the encrypted ticket, the identifier of the encrypted ticket, the encryption algorithm and the decryption key. Here, if the user accidentally loses the encrypted ticket, the administrator can resend the encrypted ticket stored on the Hadoop platform to the user terminal.
In an embodiment of the present invention, encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes: encrypting the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket, and storing locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
Here, the Hadoop platform stores the asymmetric encryption algorithm and the private key locally and discards the public key.
In an embodiment of the present invention, encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes: encrypting the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket, and storing locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
The Hadoop platform stores the asymmetric encryption algorithm and the public key locally and discards the private key.
Optionally, the asymmetric encryption algorithm is HMAC-SHA (Hash-based Message Authentication Code - Secure Hash Algorithm).
An asymmetric encryption algorithm involves two keys: a public key and a private key. The public key and the private key form a pair: data encrypted with the public key can only be decrypted with the corresponding private key, and conversely data encrypted with the private key can only be decrypted with the corresponding public key; that is, encryption and decryption use two different keys. In the processing method for security authentication, a ticket encrypted with the public key (or private key) must be decrypted with the private key (or public key), and since the public key (or private key) has been discarded, an encrypted ticket that can be decrypted with the private key (or public key) cannot be forged, which further improves the security of the Hadoop platform.
An embodiment of the present invention provides a security authentication method; as shown in Fig. 2, the method includes:
Step 201: receive an encrypted ticket, a second user identifier and a second application identifier;
In actual use, a user terminal usually accesses the applications on the Hadoop platform over the network; therefore, in step 201, when accessing an application, the user terminal needs to submit the encrypted ticket, the second user identifier and the second application identifier to the Hadoop platform together.
Step 202: compute the identifier of the encrypted ticket with the preset algorithm, obtain the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypt the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket;
Here, the preset algorithm is the same as the preset algorithm used in step 103, so that the same encrypted ticket yields the same identifier.
Step 203: when it is determined that the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, allow the first application to be accessed with the first identity.
Here, it is only necessary to decrypt the encrypted ticket and then compare the identifiers to determine the user's access rights, which is quite simple. It can be seen that the security authentication method does not depend on any third-party authentication system and has the advantages of being lightweight, efficient, easy to use and highly available.
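The two procedures above (ticket issue in steps 101 to 103 and authentication in steps 201 to 203) as one runnable model; this is an added example, not code from the patent or from the applicant. It uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for the unspecified symmetric encryption algorithm, SHA-256 is chosen as the preset identifier algorithm (the page also allows MD5), and the class name HadoopTicketAuthority, its permission set and the constructed users and applications are assumptions. It also shows what the identifier registry buys a defender: a ticket that was never issued by the platform, or that was modified in transit, hashes to an identifier absent from the registry and is refused before any decryption is attempted.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified symmetric cipher: an HMAC-SHA256 keystream
    in counter mode XORed over the data. Encrypting and decrypting are the
    same operation, i.e. the patent's symmetric case (encryption key equals
    decryption key)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh nonce per ticket
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(key, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


def ticket_identifier(encrypted_ticket: bytes) -> str:
    """The patent's 'preset algorithm' (MD5 or SHA256 are named). SHA-256 is
    used here because the identifier is the lookup key for the decryption key
    and MD5 is collision-prone."""
    return hashlib.sha256(encrypted_ticket).hexdigest()


@dataclass
class HadoopTicketAuthority:
    """Assumed name. Holds the administrator's permission list (the patent's
    permission configuration file) and the step-103 registry:
    identifier(encrypted ticket) -> (algorithm name, decryption key)."""
    permitted: Set[Tuple[str, str]] = field(default_factory=set)
    registry: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)

    def grant(self, user_id: str, app_id: str) -> None:
        """Administrator writes a permission item for one (identity, application)."""
        self.permitted.add((user_id, app_id))

    def issue_ticket(self, user_id: str, app_id: str) -> Optional[bytes]:
        """Steps 101-103: one ticket per (user, application) pair, never shared."""
        if (user_id, app_id) not in self.permitted:
            return None
        ticket = json.dumps({"user": user_id, "app": app_id}, sort_keys=True).encode()
        key = os.urandom(32)  # known only to the platform
        encrypted = encrypt(key, ticket)
        self.registry[ticket_identifier(encrypted)] = ("HMAC-SHA256-CTR", key)
        return encrypted

    def authenticate(self, encrypted_ticket: bytes, user_id: str, app_id: str) -> bool:
        """Steps 201-203. Unknown identifier means the ciphertext was never
        issued here or was altered, so it is rejected without decrypting."""
        entry = self.registry.get(ticket_identifier(encrypted_ticket))
        if entry is None:
            return False
        _algorithm, key = entry
        try:
            ticket = json.loads(decrypt(key, encrypted_ticket))
        except (ValueError, UnicodeDecodeError):
            return False
        return isinstance(ticket, dict) and ticket.get("user") == user_id and ticket.get("app") == app_id


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice is permitted on HDFS only."""
    authority = HadoopTicketAuthority()
    authority.grant("alice", "hdfs")
    hdfs_ticket = authority.issue_ticket("alice", "hdfs")
    assert hdfs_ticket is not None
    tampered = hdfs_ticket[:-1] + bytes([hdfs_ticket[-1] ^ 0x01])  # one bit flipped
    return {
        "hbase_ticket_refused": authority.issue_ticket("alice", "hbase") is None,
        "valid": authority.authenticate(hdfs_ticket, "alice", "hdfs"),
        "wrong_app": authority.authenticate(hdfs_ticket, "alice", "hbase"),
        "wrong_user": authority.authenticate(hdfs_ticket, "bob", "hdfs"),
        "tampered": authority.authenticate(tampered, "alice", "hdfs"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```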
An embodiment of the present invention provides a processing apparatus for security authentication; as shown in Fig. 3, the apparatus includes an authorization information receiving module 1, an authorization processing module 2 and an authorization reply module 3, wherein:
the authorization information receiving module 1 is configured to receive a first user identifier and a first application identifier;
the authorization processing module 2 is configured to, after obtaining permission for the first identity to access the first application, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
the authorization reply module 3 is configured to compute an identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket.
In general, several applications are deployed on a Hadoop platform, such as HBase (Hadoop Database), HDFS (Hadoop Distributed File System) and Hive. The application identifier may be any identifier that uniquely identifies the application, such as the application's name, service type or IP (Internet Protocol) address; the user identifier may be any identifier that uniquely identifies the user's identity, such as a user name, user ID or IP address. When a user applies for access rights to an application on the Hadoop platform, the user identifier and the application identifier can be submitted together; the Hadoop platform then receives the user identifier and the application identifier, which are the first user identifier and the first application identifier.
Here, the first identity can be understood as the user identity referred to by the first user identifier.
A Hadoop platform generally has an administrator, so the first user identifier and the first application identifier can be presented to the administrator, who decides whether to allow the first application to be accessed with the first identity; if the administrator's input indicates approval, the corresponding permission has been obtained from the administrator.
As an optional embodiment, a permission configuration file can be created on the Hadoop platform; the administrator can write into this configuration file a configuration item permitting the first application to be accessed with the first identity, and when the processing apparatus reads this configuration item, the corresponding permission has been obtained. In addition, the administrator can also inform the processing apparatus, for example by sending a signal, that permission for the first identity to access the first application has been obtained.
In the present apparatus, one ticket corresponds only to the access of one identity to one application; that is, for the same user, different applications correspond to different tickets, and if the user has multiple identities, the access of different identities to different applications corresponds to different tickets, giving a finer authentication granularity. Therefore, when a user has access rights to several applications on the Hadoop platform, an encrypted ticket needs to be created separately for each application, which both refines the authentication granularity and improves the security of the Hadoop platform.
The identifier of the encrypted ticket may be any string that uniquely identifies the encrypted ticket, such as its MD5 (Message Digest Algorithm 5) value or its SHA256 (Secure Hash Algorithm 256) value; correspondingly, the preset algorithm may be MD5, SHA256 and so on. The locally stored identifier of the encrypted ticket corresponds to the encryption algorithm and the decryption key, so that the corresponding encryption algorithm and decryption key can be determined from the identifier of the encrypted ticket.
Preventing forgery of encrypted tickets is of the utmost importance to the security of the Hadoop platform. In the processing apparatus, since only the Hadoop platform knows the encryption key, no other device can generate an encrypted ticket that the encryption key decrypts correctly, so forgery of encrypted tickets is prevented.
In the processing apparatus, if the encryption algorithm is a symmetric encryption algorithm, the encryption key is equal to the decryption key; if the encryption algorithm is an asymmetric encryption algorithm, the encryption key is either one of the public key and the private key, for example the public key (or private key), and the decryption key is the other, for example the private key (or public key).
In an embodiment of the invention, the authorization reply module 3 is specifically configured to compute the MD5 value of the encrypted ticket with the Message Digest Algorithm 5 (MD5), and to locally store the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
Because the identifier of an encrypted ticket corresponds to an encryption algorithm and a decryption key, the store must prevent different encrypted tickets from mapping to the same encryption algorithm and decryption key; since different encrypted tickets have different MD5 values, this problem is effectively avoided (to the extent that the hash is collision resistant).
In an embodiment of the invention, the authorization reply module 3 is specifically configured to locally store the encrypted ticket itself together with its identifier, the encryption algorithm and the decryption key.
Here, if a user accidentally loses the encrypted ticket, the administrator can send the copy stored on the Hadoop platform to the user terminal.
In an embodiment of the invention, the authorization processing module 2 is specifically configured to encrypt the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket, and the authorization reply module 3 is specifically configured to locally store the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
Here the Hadoop platform keeps the asymmetric encryption algorithm and the private key locally and discards the public key.
In another embodiment, the authorization processing module 2 is specifically configured to encrypt the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket, and the authorization reply module 3 is specifically configured to locally store the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
The Hadoop platform then keeps the asymmetric encryption algorithm and the public key locally and discards the private key.
Alternatively, the asymmetric encryption algorithm is HMAC-SHA (Hash-based Message Authentication Code with a Secure Hash Algorithm). Note that HMAC-SHA is in fact a keyed message authentication code, not an asymmetric cipher: a single shared key both produces and checks the tag, so the key-discarding argument below does not apply to it, and the platform must keep that key secret exactly as in the symmetric case.
An asymmetric encryption algorithm involves two keys, a public key and a private key, which form a pair: data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key, i.e. encryption and decryption use two different keys. In the processing device for security authentication, a ticket encrypted with the public key (private key) must be decrypted with the private key (public key); because the public key (private key) has been discarded, an encrypted ticket that decrypts under the private key (public key) can no longer be forged, which further improves the security of the Hadoop platform. One caveat applies to RSA: an RSA private key contains the public key (the modulus and the public exponent), so keeping the private key and discarding the public key does not stop anyone who can read the store from producing fresh ciphertexts. Only the second variant, in which the platform keeps just the public key, denies the holder of the stored key the ability to create tickets, and that variant is in practice a digital signature over the ticket.
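The two asymmetric variants above, carried through in working code as an added example that is not part of the patent. It uses Go's standard-library crypto/rsa: the "encrypt with the private key, keep the public key" variant is realised as RSA-PSS signing, since that is what a private-key operation over arbitrary data is in practice, and the "encrypt with the public key, keep the private key" variant uses RSA-OAEP. A fresh key pair is generated for every ticket, matching the requirement that different tickets never share a decryption key. The NUL-separated ticket encoding, the 2048-bit key size and all type and function names are assumptions of the example. The last function demonstrates the caveat: with the private key in the store, a ciphertext for any identity can be minted from it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SignedTicket is the "private-key-encrypted" embodiment: the ticket bytes plus an
// RSA-PSS signature made with the per-ticket private key.
type SignedTicket struct {
	Ticket []byte
	Sig    []byte
}

// encodeTicket builds "first user identifier NUL first application identifier";
// the page fixes no wire format, so this encoding is an assumption of the example.
func encodeTicket(userID, appID string) []byte { return []byte(userID + "\x00" + appID) }

// IssueSigned generates a fresh key pair for this ticket, signs with the private key
// and returns only the public key for storage; the private key goes out of scope
// when the function returns, which is the page's "discard the private key".
func IssueSigned(userID, appID string) (SignedTicket, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return SignedTicket{}, nil, err
	}
	ticket := encodeTicket(userID, appID)
	digest := sha256.Sum256(ticket)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedTicket{}, nil, err
	}
	return SignedTicket{Ticket: ticket, Sig: sig}, &priv.PublicKey, nil
}

// VerifySigned is the "decrypt with the public key" step: anyone holding the stored
// public key can check the ticket, but cannot produce a new one.
func VerifySigned(st SignedTicket, pub *rsa.PublicKey) bool {
	digest := sha256.Sum256(st.Ticket)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], st.Sig, nil) == nil
}

// IssueOAEP is the first variant: encrypt with the public key and keep the private key.
func IssueOAEP(userID, appID string) ([]byte, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, encodeTicket(userID, appID), nil)
	return enc, priv, err
}

// DecryptOAEP is the platform-side decryption for that variant.
func DecryptOAEP(enc []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc, nil)
}

// MintWithStoredPrivateKey shows why discarding the public key in that variant buys
// nothing: the RSA private key carries its public key (priv.PublicKey), so whoever
// reads the store can produce a ciphertext for any identity that the stored key decrypts.
func MintWithStoredPrivateKey(priv *rsa.PrivateKey, userID, appID string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, encodeTicket(userID, appID), nil)
}
```

In the signed variant the ticket travels in the clear next to its signature, which is consistent with the page's verification step, where the user and application identifiers are presented alongside the encrypted ticket anyway; what the stored public key protects is that nobody but the original issuer could have produced the signature.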
An embodiment of the invention provides a security authentication device, shown in Figure 4, which comprises an authentication information receiving module 4, an information extraction module 5 and an authentication processing module 6, wherein:
the authentication information receiving module 4 is configured to receive the encrypted ticket, the second user identifier and the second application identifier;
the information extraction module 5 is configured to compute the identifier of the encrypted ticket with the preset algorithm, obtain the encryption algorithm and the decryption key from that identifier, and decrypt the encrypted ticket with them to obtain the ticket;
the authentication processing module 6 is configured to allow access to the first application under the first identity when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket.
In practice a user terminal usually accesses the applications on the Hadoop platform over the network; therefore, when accessing an application, the user terminal must submit the encrypted ticket, the second user identifier and the second application identifier together to the Hadoop platform.
The preset algorithm used here is the same one used by the authorization reply module 3, so the same encrypted ticket yields the same identifier.
Here, determining the user's access rights only requires decrypting the encrypted ticket and comparing the result, which is fairly simple. The security authentication device therefore depends on no third-party authentication system and is lightweight, efficient, easy to use and highly available.
An embodiment of the invention provides a security authentication device, shown in Figure 5, which comprises an authentication management system (AMS, Authentication Manager System), a communication system (CS, Communication System), a storage module and the big-data platform's underlying storage system, wherein:
1. The authentication management system AMS generates a ticket when a user is authorized and encrypts it into an encrypted ticket; when the user logs in, it authenticates the encrypted ticket. It includes the following modules:
(1) a ticket generation module, which receives the first user identifier and the first application identifier, generates a ticket containing both, and sends the ticket to the ticket encryption module;
(2) a ticket encryption module, which receives the ticket, encrypts it with the encryption algorithm and the encryption key to obtain the encrypted ticket, sends the encrypted ticket to the communication system CS, computes the identifier of the encrypted ticket, and sends the identifier, the encryption algorithm and the decryption key to the storage module; the encryption algorithm can be HMAC-SHA, which the description classifies as asymmetric but which is a keyed message authentication code with a single secret key;
(3) a ticket verification module, which receives the encrypted ticket, the second user identifier and the second application identifier from the communication system CS, computes the identifier of the encrypted ticket, queries the storage module for the corresponding encryption algorithm and decryption key, decrypts the encrypted ticket with them and so obtains the first user identifier and the first application identifier; when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, it sends an authentication-success message to the communication system CS, otherwise an authentication-failure message.
Thus, within the AMS, the ticket generation module and the ticket encryption module together fulfil the functions of the authorization processing module 2 and the authorization reply module 3, and the ticket verification module fulfils the functions of the information extraction module 5 and the authentication processing module 6.
2. The storage module stores the identifier of each encrypted ticket with its encryption algorithm and decryption key, and reads the encryption algorithm and decryption key corresponding to a received identifier. It includes the following modules:
(1) a pluggable storage module, which receives from the AMS storage entries consisting of the identifier of an encrypted ticket, the encryption algorithm and the decryption key, and provides the following entry-change operations: storing an entry in the underlying storage system, deleting entries from it, and modifying entries in it; at the same time it forwards every entry-change instruction to the dynamic loading module. It also receives read-entry instructions from the dynamic loading module, reads all entries from the underlying storage system and sends them to the dynamic loading module. To hide the differences between underlying storage systems and give the AMS a uniform data interface, this module is preferably pluggable, with user-defined storage types that support files of a given format, databases, distributed storage systems and so on;
(2) a dynamic loading module, which sends read-entry instructions to the pluggable storage module and loads the received entries into memory; it updates the in-memory entries in real time according to the entry-change instructions it receives, so that the entries in memory stay consistent with those in the underlying storage system.
Within this storage system the identifiers, encryption algorithms and decryption keys of the encrypted tickets are already loaded into memory, which greatly improves read and write speed and hence the performance of the whole system. Because every entry contains a decryption key (and, with a symmetric algorithm, therefore also the key needed to create tickets), both the in-memory copy and the underlying storage system must be readable by the AMS only.
3. The big-data platform's underlying storage system stores the received identifiers of encrypted tickets, encryption algorithms and decryption keys; it can be implemented in many ways, for example with HDFS.
4. The communication system CS provides the communication between the client and the AMS, hides the encoding differences between systems and offers a uniform communication interface. It includes the following modules:
(1) a first communication interface, for communication with the AMS;
(2) a second communication interface, for communication with the client and the application server;
(3) a control module, which receives the first user identifier and the first application identifier from the client and forwards them to the AMS, and forwards the result returned by the AMS (the encrypted ticket, or an authorization failure) to the client; it also obtains the encrypted ticket, the second user identifier and the second application identifier from the application server and forwards them to the AMS, and forwards the result returned by the AMS (authentication success or failure) to the application server.
The communication system CS fulfils the functions of the authorization information receiving module 1 and the authentication information receiving module 4.
As shown in Figure 6, the authorization process of the security authentication device is as follows:
Step 601: the client submits an application to the administrator management system, supplying the first user identifier and the first application identifier; the administrator management system presents both to the Hadoop platform administrator;
Step 602: the administrator decides whether to allow the client to access the first application under the first identity; if so, go to step 603, otherwise end this flow;
Step 603: the client sends the first user identifier and the first application identifier to the communication system CS;
Step 604: the communication system CS checks whether the client implements the second communication interface. CS exposes a uniform second communication interface, so the client sends the first user identifier and the first application identifier as that interface requires; if the interface is implemented, go to step 605, otherwise end this flow;
Step 605: through the second communication interface, the communication system CS sends the first user identifier and the first application identifier to the AMS;
Step 606: the ticket generation module generates a ticket from the first user identifier and the first application identifier; the ticket contains both;
Step 607: the ticket encryption module encrypts the ticket with the encryption algorithm and the encryption key to obtain the encrypted ticket, sends the identifier of the encrypted ticket, the encryption algorithm and the decryption key to the storage module, and sends the encrypted ticket to the communication system CS;
Step 608: in the storage module, the pluggable storage module stores the identifier of the encrypted ticket, the encryption algorithm and the decryption key in the underlying storage system;
Step 609: the dynamic loading module loads the identifier of the encrypted ticket, the encryption algorithm and the decryption key into memory;
Step 610: the communication system CS sends the encrypted ticket to the client.
As shown in Figure 7, the authentication process of the security authentication device is as follows:
Step 701: the client sends an access request to an application server running on the Hadoop platform; for normal access the client must supply the encrypted ticket, the second user identifier and the second application identifier;
Step 702: the application server checks whether the request carries an encrypted ticket; if not, it returns "no permission" to the client and ends this flow; otherwise go to step 703;
Step 703: the application server sends the encrypted ticket, the second user identifier and the second application identifier to the communication system CS;
Step 704: the communication system CS checks whether the application server implements the second communication interface. CS exposes a uniform second communication interface, so the application server sends the encrypted ticket, the second user identifier and the second application identifier as that interface requires; if the interface is implemented, go to step 705, otherwise deny access and end this flow;
Step 705: through the second communication interface, the communication system CS sends the encrypted ticket, the second user identifier and the second application identifier to the AMS;
Step 706: the ticket verification module computes the identifier of the encrypted ticket and uses it to obtain the corresponding encryption algorithm and decryption key from the storage module;
Step 707: the ticket verification module decrypts the encrypted ticket with the encryption algorithm and the decryption key, obtaining the first user identifier and the first application identifier;
Step 708: check whether the first user identifier equals the second user identifier and the first application identifier equals the second application identifier; if not, go to step 709, otherwise go to step 710;
Step 709: the authentication result is failure; go to step 711;
Step 710: the authentication result is success; go to step 711;
Step 711: the communication system CS returns the authentication result to the application server;
Step 712: if the authentication result is success, the application server allows the client to access it; otherwise access is forbidden.
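The authorization flow (steps 606 to 609) and the verification flow (steps 706 to 708) carried through in working code, as an added example that is not part of the patent. It uses Go's standard library: AES-256-GCM as the (symmetric) encryption algorithm, a fresh key per ticket so that no two tickets share a decryption key, and SHA-256 of the encrypted ticket as the preset algorithm for the identifier. The storage module and the communication system are reduced to an in-memory map; the NUL-separated ticket encoding and all type and function names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// storeEntry is the page's storage entry: identifier -> (encryption algorithm, decryption key).
type storeEntry struct {
	Algorithm string
	Key       []byte
}

// AMS stands in for the authentication management system plus its storage module;
// the map plays the in-memory copy that the dynamic loading module maintains.
type AMS struct {
	store map[string]storeEntry
}

func NewAMS() *AMS { return &AMS{store: make(map[string]storeEntry)} }

// The ticket is "first user identifier NUL first application identifier"; the
// page fixes no wire format, so this encoding is an assumption of the example.
func encodeTicket(userID, appID string) []byte { return []byte(userID + "\x00" + appID) }

func decodeTicket(b []byte) (userID, appID string, ok bool) {
	parts := bytes.SplitN(b, []byte{0}, 2)
	if len(parts) != 2 {
		return "", "", false
	}
	return string(parts[0]), string(parts[1]), true
}

// Identifier is the page's "preset algorithm": SHA-256 of the encrypted ticket, hex encoded.
func Identifier(enc []byte) string {
	sum := sha256.Sum256(enc)
	return hex.EncodeToString(sum[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue performs steps 606-609: encrypt the ticket under a fresh per-ticket key and
// record (identifier, algorithm, decryption key) so that no two tickets share a key.
func (a *AMS) Issue(userID, appID string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	enc := gcm.Seal(nonce, nonce, encodeTicket(userID, appID), nil) // nonce || ciphertext || tag
	a.store[Identifier(enc)] = storeEntry{Algorithm: "AES-256-GCM", Key: key}
	return enc, nil
}

// Verify performs steps 706-708: look the key up by identifier, decrypt, and compare
// the recovered identifiers with the second user/application identifiers presented.
func (a *AMS) Verify(enc []byte, userID, appID string) bool {
	entry, ok := a.store[Identifier(enc)]
	if !ok {
		return false // never issued here, or its entry has been deleted (revoked)
	}
	gcm, err := newGCM(entry.Key)
	if err != nil || len(enc) < gcm.NonceSize() {
		return false
	}
	ns := gcm.NonceSize()
	plain, err := gcm.Open(nil, enc[:ns], enc[ns:], nil)
	if err != nil {
		return false // decryption or GCM tag check failed
	}
	u, app, ok := decodeTicket(plain)
	return ok && u == userID && app == appID
}

// Revoke deletes the storage entry; deleting entries is the page's mechanism for
// withdrawing a ticket.
func (a *AMS) Revoke(enc []byte) { delete(a.store, Identifier(enc)) }
```

Two properties of the check are worth noting. Because the identifier is a hash of the exact ciphertext, a ticket the AMS never issued, or one whose bytes have been altered, fails at the lookup before any decryption takes place, and removing the storage entry is what ends a ticket's validity. The ticket as described carries only the two identifiers, with no expiry or client binding, so a captured encrypted ticket presented with the matching user and application identifiers is accepted until its entry is deleted; the example adds neither, to stay faithful to the page.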
The foregoing is only a preferred embodiment of the invention and is not intended to limit its scope.

Claims (12)

1. A processing method in security authentication, characterized in that the method includes:
receiving a first user identifier and a first application identifier;
after obtaining permission to access the first application under the first identity, generating a ticket containing the first user identifier and the first application identifier, and encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
computing the identifier of the encrypted ticket with a preset algorithm, locally storing the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and sending the encrypted ticket.
2. The processing method in security authentication according to claim 1, characterized in that computing the identifier of the encrypted ticket with a preset algorithm and locally storing the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes:
computing the MD5 value of the encrypted ticket with the Message Digest Algorithm 5 (MD5), and locally storing the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
3. The processing method in security authentication according to claim 1, characterized in that locally storing the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes:
locally storing the encrypted ticket, the identifier of the encrypted ticket, the encryption algorithm and the decryption key.
4. The processing method in security authentication according to claim 1, characterized in that encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and locally storing the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes:
encrypting the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket, and locally storing the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
5. The processing method in security authentication according to claim 1, characterized in that encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and locally storing the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes:
encrypting the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket, and locally storing the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
6. A security authentication method based on any one of claims 1-5, characterized in that the method includes:
receiving an encrypted ticket, a second user identifier and a second application identifier;
computing the identifier of the encrypted ticket with the preset algorithm, obtaining the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypting the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket;
when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, allowing access to the first application under the first identity.
7. A processing device in security authentication, characterized in that the device includes an authorization information receiving module, an authorization processing module and an authorization reply module, wherein:
the authorization information receiving module is configured to receive a first user identifier and a first application identifier;
the authorization processing module is configured to, after permission to access the first application under the first identity has been obtained, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
the authorization reply module is configured to compute the identifier of the encrypted ticket with a preset algorithm, locally store the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket.
8. The processing device in security authentication according to claim 7, characterized in that the authorization reply module is specifically configured to:
compute the MD5 value of the encrypted ticket with the Message Digest Algorithm 5 (MD5), and locally store the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
9. The processing device in security authentication according to claim 7, characterized in that the authorization reply module is specifically configured to:
locally store the encrypted ticket, the identifier of the encrypted ticket, the encryption algorithm and the decryption key.
10. The processing device in security authentication according to claim 7, characterized in that:
the authorization processing module is specifically configured to encrypt the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket;
the authorization reply module is specifically configured to locally store the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
11. The processing device in security authentication according to claim 7, characterized in that:
the authorization processing module is specifically configured to encrypt the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket;
the authorization reply module is specifically configured to locally store the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
12. A security authentication device based on any one of claims 7-11, characterized in that the device includes an authentication information receiving module, an information extraction module and an authentication processing module, wherein:
the authentication information receiving module is configured to receive an encrypted ticket, a second user identifier and a second application identifier;
the information extraction module is configured to compute the identifier of the encrypted ticket with the preset algorithm, obtain the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypt the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket;
the authentication processing module is configured to allow access to the first application under the first identity when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket.
CN201611219818.8A 2016-12-26 2016-12-26 A kind of method and apparatus of safety certification Pending CN108243158A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611219818.8A CN108243158A (en) 2016-12-26 2016-12-26 A kind of method and apparatus of safety certification


Publications (1)

Publication Number Publication Date
CN108243158A true CN108243158A (en) 2018-07-03

Family

ID=62702076


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180703