CN108243158A - A kind of method and apparatus of safety certification - Google Patents
A kind of method and apparatus of safety certification
- Publication number: CN108243158A
- Application number: CN201611219818.8A
- Authority: CN (China)
- Prior art keywords: identifier, encrypted ticket, bill, encrypted, ticket
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0428: Network security; confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442: as above, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/08: Network security; authentication of entities
- H04L63/10: Network security; controlling access to devices or network resources
Abstract
The present invention provides a processing method in safety certification: receive a first user identifier and a first application identifier; after obtaining the license to access the first application with the first identity, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket; calculate an identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket together with the encryption algorithm and the decryption key, and send the encrypted ticket. The present invention also provides a device for safety certification.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method and apparatus of safety certification.
Background technology
In the big data era, Hadoop has been applied on a large scale, and it has attracted attention for its good scalability, efficient reads and writes and outstanding processing capacity for mass data. Therefore, how to ensure the security of a Hadoop platform has naturally become an important subject. Among these concerns, safety certification, as one of the security guarantees of a Hadoop platform, is vital to the whole platform. At present, most Hadoop platforms select a reliable third-party platform, such as Kerberos, to carry out safety certification.
However, such dependence on a third-party platform has the following problems: (1) if the third-party platform fails and cannot be logged in to, or the information stored on the Hadoop platform or the third-party platform is stolen, the safety certification of the Hadoop platform fails entirely, that is, there is a single point of failure; (2) a user has only one ticket, i.e. different applications can be accessed with one ticket, so the certification granularity is too coarse; if that ticket is stolen, every application the user can access may be accessed, which significantly reduces safety; (3) the verification process is excessively complicated and easily causes a performance bottleneck in the Hadoop platform.
Therefore, how to provide a more stable, fine-grained, simple and safe authentication method in a Hadoop platform is a problem to be solved.
Invention content
In view of this, the main object of the present invention is to provide a safety certification method and device for a Hadoop platform that is more stable, finer in certification granularity, simple and safe.
In order to achieve the above object, the technical solution of the invention is realized as follows:
An embodiment of the present invention provides a processing method in safety certification, the method including:
receiving a first user identifier and a first application identifier;
after obtaining the license to access the first application with the first identity, generating a ticket containing the first user identifier and the first application identifier, and encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
calculating an identifier of the encrypted ticket with a preset algorithm, storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and sending the encrypted ticket.
In the above scheme, calculating the identifier of the encrypted ticket with a preset algorithm and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes: calculating the MD5 value of the encrypted ticket with the Message Digest Algorithm 5 (MD5), and storing locally the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
In the above scheme, storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes: storing locally the encrypted ticket together with its identifier, the encryption algorithm and the decryption key.
In the above scheme, encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes: encrypting the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket, and storing locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
In the above scheme, encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes: encrypting the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket, and storing locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
An embodiment of the present invention provides a safety certification method based on the above processing method, the method including:
receiving an encrypted ticket, a second user identifier and a second application identifier;
calculating the identifier of the encrypted ticket with the preset algorithm, obtaining the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypting the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket;
when it is determined that the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, allowing access to the first application with the first identity.
An embodiment of the present invention provides a processing device in safety certification, the device including an authorization information receiving module, an authorization processing module and an authorization reply module, wherein:
the authorization information receiving module is configured to receive a first user identifier and a first application identifier;
the authorization processing module is configured to, after the license to access the first application with the first identity is obtained, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
the authorization reply module is configured to calculate the identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket.
In the above scheme, the authorization reply module is specifically configured to: calculate the MD5 value of the encrypted ticket with the Message Digest Algorithm 5 (MD5), and store locally the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
In the above scheme, the authorization reply module is specifically configured to: store locally the encrypted ticket together with its identifier, the encryption algorithm and the decryption key.
In the above scheme, the authorization processing module is specifically configured to encrypt the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket; and the authorization reply module is specifically configured to store locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
In the above scheme, the authorization processing module is specifically configured to encrypt the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket; and the authorization reply module is specifically configured to store locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
An embodiment of the present invention provides a safety certification device based on the above processing device, the device including an authentication information receiving module, an information extraction module and an authentication processing module, wherein:
the authentication information receiving module is configured to receive an encrypted ticket, a second user identifier and a second application identifier;
the information extraction module is configured to calculate the identifier of the encrypted ticket with the preset algorithm, obtain the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypt the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket;
the authentication processing module is configured to allow access to the first application with the first identity when it determines that the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket.
In the safety certification method and device provided by the embodiments of the present invention, the method of generating an encrypted ticket is: receive a first user identifier and a first application identifier; after obtaining the license to access the first application with the first identity, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket; calculate the identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket. The authentication process using the encrypted ticket is: receive the encrypted ticket, a second user identifier and a second application identifier; calculate the identifier of the encrypted ticket with the preset algorithm, obtain the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypt the encrypted ticket with them to obtain the ticket; when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, allow access to the first application with the first identity. In this way, a more stable, fine-grained, simple and safe authentication method and device are provided in a Hadoop platform.
Description of the drawings
Fig. 1 is a flow diagram of the processing method in safety certification according to an embodiment of the present invention;
Fig. 2 is a flow diagram of the safety certification method according to an embodiment of the present invention;
Fig. 3 is a structure diagram of the processing device in safety certification according to an embodiment of the present invention;
Fig. 4 is a structure diagram of the safety certification device according to an embodiment of the present invention;
Fig. 5 is a structure diagram of the safety certification system according to an embodiment of the present invention;
Fig. 6 is a detailed flow diagram of the processing method in safety certification according to an embodiment of the present invention;
Fig. 7 is a detailed flow diagram of the safety certification method according to an embodiment of the present invention.
Specific embodiment
In the embodiments of the present invention, the method of generating an encrypted ticket is: receive a first user identifier and a first application identifier; after obtaining the license to access the first application with the first identity, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket; calculate the identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket. The authentication process using the encrypted ticket is: receive the encrypted ticket, a second user identifier and a second application identifier; calculate the identifier of the encrypted ticket with the preset algorithm, obtain the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypt the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket; when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, allow access to the first application with the first identity.
The present invention is described in further detail below with reference to embodiments.
An embodiment of the present invention provides a processing method in safety certification; as shown in Fig. 1, the method includes:
Step 101: receive a first user identifier and a first application identifier;
In general, several applications are deployed in a Hadoop platform, for example HBase (Hadoop Database), HDFS (Hadoop Distributed File System) and Hive. The application identifier can be any identifier that uniquely identifies the application, such as its name, service type or IP (Internet Protocol) address; the user identifier can be any identifier that uniquely identifies the user identity, such as a user name, user ID or IP address. When a user applies for access rights to some application in the Hadoop platform, the user identifier and the application identifier can be submitted together; at this point the Hadoop platform receives a user identifier and an application identifier, namely the first user identifier and the first application identifier.
Step 102: after obtaining the license to access the first application with the first identity, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
Here, the first identity can be understood as the user identity referred to by the first user identifier.
A Hadoop platform generally has an administrator, so the first user identifier and the first application identifier can be presented to the administrator, who decides whether to allow access to the first application with the first identity; if the administrator's input indicates permission, the corresponding license has been obtained from the administrator.
As an optional embodiment, a permission configuration file can be created in the Hadoop platform, and the administrator can write into it a configuration item that licenses access to the first application with the first identity; when the processing method reads this configuration item, the corresponding license has been obtained. In addition, the administrator can also inform the process running the processing method that the license to access the first application with the first identity has been obtained, for example by sending a signal.
In this step, one ticket corresponds only to the access of one identity to one application; that is, for the same user, different applications correspond to different tickets, and if the user has multiple identities, the access of different identities to different applications corresponds to different tickets, which gives a finer certification granularity. Therefore, when a user has access rights to multiple applications in the Hadoop platform, an encrypted ticket must be created separately for each application, which both refines the certification granularity and improves the safety of the Hadoop platform.
Step 103: calculate the identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket.
The identifier of the encrypted ticket can be any character string that uniquely identifies the encrypted ticket, such as its MD5 (Message Digest Algorithm 5) value or SHA256 (Secure Hash Algorithm 256) value. Correspondingly, the preset algorithm can be MD5, SHA256, etc. The locally stored identifier of the encrypted ticket corresponds to the encryption algorithm and the decryption key, so the corresponding encryption algorithm and decryption key can be determined from the identifier of the encrypted ticket.
Preventing encrypted tickets from being forged is vital to the safety of the Hadoop platform. In the processing method, only the Hadoop platform knows the encryption key, so other devices cannot generate an encrypted ticket that decrypts correctly with the decryption key, and forgery of encrypted tickets is prevented.
In step 102 and step 103, if the encryption algorithm is a symmetric encryption algorithm, the encryption key equals the decryption key; if the encryption algorithm is an asymmetric encryption algorithm, the encryption key is either one of the public key and the private key, e.g. the public key (private key), and the decryption key is the other, e.g. the private key (public key).
In the embodiment of the present invention, calculating the identifier of the encrypted ticket with a preset algorithm and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes: calculating the MD5 value of the encrypted ticket with the Message Digest Algorithm 5 (MD5), and storing locally the MD5 value of the encrypted ticket, the encryption algorithm and the decryption key.
Since the identifier of an encrypted ticket corresponds to its encryption algorithm and decryption key, the storage must prevent different encrypted tickets from corresponding to the same encryption algorithm and decryption key; different encrypted tickets have different MD5 values, which effectively prevents this problem.
In the embodiment of the present invention, storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key includes: storing locally the encrypted ticket together with its identifier, the encryption algorithm and the decryption key. In this way, if a user accidentally loses the encrypted ticket, the administrator can send the encrypted ticket stored in the Hadoop platform to the user terminal again.
In the embodiment of the present invention, encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes: encrypting the ticket with an asymmetric encryption algorithm and a public key to obtain the encrypted ticket, and storing locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
Here, the Hadoop platform stores the asymmetric encryption algorithm and the private key locally and discards the public key.
In the embodiment of the present invention, encrypting the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket, and storing locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, includes: encrypting the ticket with an asymmetric encryption algorithm and a private key to obtain the encrypted ticket, and storing locally the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
Here, the Hadoop platform stores the asymmetric encryption algorithm and the public key locally and discards the private key.
Optionally, the asymmetric encryption algorithm is HMAC-SHA (Hash-based Message Authentication Code - Secure Hash Algorithm).
An asymmetric encryption algorithm involves two keys: a public key and a private key. The public key and the private key form a pair: if data is encrypted with the public key, it can only be decrypted with the corresponding private key; conversely, if data is encrypted with the private key, it can only be decrypted with the corresponding public key. That is, encryption and decryption use two different keys. In the processing method in safety certification, the ticket is encrypted with the public key (private key), so it must be decrypted with the private key (public key); since the public key (private key) has been discarded, an encrypted ticket that can be decrypted with the private key (public key) cannot be forged, which further improves the safety of the Hadoop platform.
An embodiment of the present invention provides a safety certification method; as shown in Fig. 2, the method includes:
Step 201: receive an encrypted ticket, a second user identifier and a second application identifier;
In actual use, a user terminal typically accesses the applications in the Hadoop platform over the network; therefore, in step 201, when accessing an application, the user terminal must submit the encrypted ticket, the second user identifier and the second application identifier to the Hadoop platform together.
Step 202: calculate the identifier of the encrypted ticket with the preset algorithm, obtain the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypt the encrypted ticket with the encryption algorithm and the decryption key to obtain the ticket;
Here, the preset algorithm is the same as the preset algorithm used in step 103, so that the same encrypted ticket yields the same identifier.
Step 203: when it is determined that the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, allow access to the first application with the first identity.
Here, the encrypted ticket only needs to be decrypted and compared to determine the user's access rights, which is fairly simple. It can be seen that the safety certification method does not depend on any third-party authentication system, and has the advantages of being lightweight, efficient, easy to use and highly available.
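The issuance flow of steps 101 to 103 and the verification flow of steps 201 to 203, as an added Go example that is not part of the patent: the platform keeps a table keyed by the ticket identifier (SHA-256 over the encrypted ticket here) holding the algorithm name and the decryption key, refuses any ticket it has no record for, and compares both ticket fields against what the caller presents. AES-256-GCM with a fresh key per ticket, the Permissions map standing in for the administrator's permission configuration file, and the JSON ticket layout are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

type Ticket struct { // the plaintext the platform seals: one user identity, one application
	UserID string `json:"user_id"`
	AppID  string `json:"app_id"`
}

type keyRecord struct { // what the platform keeps per issued ticket
	Algorithm string
	DecKey    []byte
}

// Platform models the Hadoop side; Permissions stands in for the administrator's permission configuration file ({user, app} -> licensed, assumed layout).
type Platform struct {
	Permissions map[[2]string]bool
	store       map[string]keyRecord // ticket identifier -> (algorithm, decryption key)
}

func NewPlatform() *Platform {
	return &Platform{Permissions: map[[2]string]bool{}, store: map[string]keyRecord{}}
}

// Identifier is the "preset algorithm" over the encrypted ticket bytes: SHA-256 here, MD5 being the other option the text names.
func Identifier(encTicket []byte) string {
	sum := sha256.Sum256(encTicket)
	return hex.EncodeToString(sum[:])
}

// Issue implements steps 101 to 103: check the administrator's license, build the ticket,
// encrypt it under a fresh per-ticket key, record identifier -> key, and return the ciphertext.
func (p *Platform) Issue(userID, appID string) ([]byte, error) {
	if !p.Permissions[[2]string{userID, appID}] {
		return nil, errors.New("no license to access this application with this identity")
	}
	plain, err := json.Marshal(Ticket{UserID: userID, AppID: appID})
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // fresh AES-256 key (symmetric: encryption key == decryption key) and 96-bit nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	enc := aead(key).Seal(nonce, nonce, plain, nil) // encrypted ticket = nonce || ciphertext || tag
	p.store[Identifier(enc)] = keyRecord{Algorithm: "AES-256-GCM", DecKey: key}
	return enc, nil
}

// Verify implements steps 201 to 203: recompute the identifier, look up algorithm and key,
// decrypt, and compare both fields. A ticket never issued here, or altered in transit, has no record.
func (p *Platform) Verify(encTicket []byte, userID, appID string) error {
	rec, ok := p.store[Identifier(encTicket)]
	if !ok {
		return errors.New("unknown ticket identifier: not issued by this platform")
	}
	if rec.Algorithm != "AES-256-GCM" {
		return fmt.Errorf("unsupported algorithm %q", rec.Algorithm)
	}
	g := aead(rec.DecKey)
	if len(encTicket) < g.NonceSize() {
		return errors.New("encrypted ticket too short")
	}
	plain, err := g.Open(nil, encTicket[:g.NonceSize()], encTicket[g.NonceSize():], nil)
	if err != nil {
		return errors.New("ticket does not decrypt under the stored key")
	}
	var t Ticket
	if err := json.Unmarshal(plain, &t); err != nil {
		return err
	}
	if t.UserID != userID || t.AppID != appID {
		return errors.New("ticket does not match the presented user and application")
	}
	return nil
}

// aead builds AES-256-GCM; both constructors fail only on a bad key size, and ours is always 32 bytes.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

func main() {
	p := NewPlatform()
	p.Permissions[[2]string{"alice", "hbase"}] = true // the administrator's license
	enc, _ := p.Issue("alice", "hbase")
	fmt.Println(p.Verify(enc, "alice", "hbase"), p.Verify(enc, "alice", "hive"))
}
```

Because the identifier is computed over the ciphertext, any modification of the ticket changes the identifier and the lookup fails before decryption is even attempted; the same ticket presented for a different application is rejected by the field comparison.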
An embodiment of the present invention provides a processing device in safety certification; as shown in Fig. 3, the device includes an authorization information receiving module 1, an authorization processing module 2 and an authorization reply module 3, wherein:
the authorization information receiving module 1 is configured to receive a first user identifier and a first application identifier;
the authorization processing module 2 is configured to, after the license to access the first application with the first identity is obtained, generate a ticket containing the first user identifier and the first application identifier, and encrypt the ticket with an encryption algorithm and an encryption key to obtain an encrypted ticket;
the authorization reply module 3 is configured to calculate the identifier of the encrypted ticket with a preset algorithm, store locally the identifier of the encrypted ticket, the encryption algorithm and the decryption key, and send the encrypted ticket.
In general, several applications are deployed in a Hadoop platform, for example HBase (Hadoop Database), HDFS (Hadoop Distributed File System) and Hive. The application identifier can be any identifier that uniquely identifies the application, such as its name, service type or IP (Internet Protocol) address; the user identifier can be any identifier that uniquely identifies the user identity, such as a user name, user ID or IP address. When a user applies for access rights to some application in the Hadoop platform, the user identifier and the application identifier can be submitted together; at this point the Hadoop platform receives a user identifier and an application identifier, namely the first user identifier and the first application identifier.
Here, the first identity can be understood as the user identity referred to by the first user identifier.
A Hadoop platform generally has an administrator, so the first user identifier and the first application identifier can be presented to the administrator, who decides whether to allow access to the first application with the first identity; if the administrator's input indicates permission, the corresponding license has been obtained from the administrator.
As an optional embodiment, a permission configuration file can be created in the Hadoop platform, and the administrator can write into it a configuration item that licenses access to the first application with the first identity; when the processing device reads this configuration item, the corresponding license has been obtained. In addition, the administrator can also inform the processing device that the license to access the first application with the first identity has been obtained, for example by sending a signal.
In this device, one ticket corresponds only to the access of one identity to one application; that is, for the same user, different applications correspond to different tickets, and if the user has multiple identities, the access of different identities to different applications corresponds to different tickets, which gives a finer certification granularity. Therefore, when a user has access rights to multiple applications in the Hadoop platform, an encrypted ticket must be created separately for each application, which both refines the certification granularity and improves the safety of the Hadoop platform.
The identifier of the encrypted ticket can be any character string that uniquely identifies the encrypted ticket, such as its MD5 (Message Digest Algorithm 5) value or SHA256 (Secure Hash Algorithm 256) value. Correspondingly, the preset algorithm can be MD5, SHA256, etc. The locally stored identifier of the encrypted ticket corresponds to the encryption algorithm and the decryption key, so the corresponding encryption algorithm and decryption key can be determined from the identifier of the encrypted ticket.
Preventing encrypted tickets from being forged is vital to the safety of the Hadoop platform. In the processing device, only the Hadoop platform knows the encryption key, so other devices cannot generate an encrypted ticket that decrypts correctly with the decryption key, and forgery of encrypted tickets is prevented.
In the processing device, if the encryption algorithm is a symmetric encryption algorithm, the encryption key equals the decryption key; if the encryption algorithm is an asymmetric encryption algorithm, the encryption key is either one of the public key and the private key, e.g. the public key (private key), and the decryption key is the other, e.g. the private key (public key).
In the embodiment of the present invention, described authorize replys module 3, is specifically used for:It is calculated based on Message Digest 5 5MD5
To the MD5 values of the encrypted ticket, in MD5 values, Encryption Algorithm and the decruption key that the encrypted ticket is locally stored.
Since the identifier of encrypted ticket and Encryption Algorithm, decruption key are there are correspondence, in storage,
It needs to prevent different encrypted tickets from corresponding to identical Encryption Algorithm and decruption key;And different encrypted tickets has
Different MD5 values, it is possible to effectively prevent the generation of this problem.
In the embodiment of the present invention, the authorization reply module 3 is specifically used for: locally storing the encrypted ticket together with the identifier, encryption algorithm and decryption key of the encrypted ticket.
Here, if the user accidentally loses the encrypted ticket, the administrator can also send the encrypted ticket stored on the Hadoop platform to the user terminal.
In the embodiment of the present invention, the authorization processing module 2 is specifically used for encrypting the ticket based on an asymmetric encryption algorithm and a public key to obtain the encrypted ticket; the authorization reply module 3 is specifically used for locally storing the identifier of the encrypted ticket, the asymmetric encryption algorithm and the private key.
Here, the Hadoop platform stores the asymmetric encryption algorithm and the private key locally and discards the public key.
In the embodiment of the present invention, the authorization processing module 2 is specifically used for encrypting the ticket based on an asymmetric encryption algorithm and a private key to obtain the encrypted ticket; the authorization reply module 3 is specifically used for locally storing the identifier of the encrypted ticket, the asymmetric encryption algorithm and the public key.
Here, the Hadoop platform stores the asymmetric encryption algorithm and the public key locally and discards the private key.
Alternatively, the asymmetric encryption algorithm is HMAC-SHA (Hash-based Message Authentication Code-Secure Hash Algorithm).
An asymmetric encryption algorithm involves two keys: a public key and a private key. The public key and the private key form a pair: if data is encrypted with the public key, it can only be decrypted with the corresponding private key; conversely, if data is encrypted with the private key, it can only be decrypted with the corresponding public key. That is, encryption and decryption use two different keys. In the processing device for security authentication, the ticket is encrypted with the public key (or private key) and must therefore be decrypted with the private key (or public key); since the public key (or private key) has been discarded, nobody can forge an encrypted ticket that can be decrypted by the private key (or public key), which further improves the security of the Hadoop platform.
An embodiment of the present invention provides a device for security authentication. As shown in Figure 4, the device includes an authentication information receiving module 4, an information extraction module 5 and an authentication processing module 6, wherein:
The authentication information receiving module 4 is used for receiving the encrypted ticket, the second user identifier and the second application identifier;
The information extraction module 5 is used for calculating the identifier of the encrypted ticket based on the preset algorithm, obtaining the encryption algorithm and decryption key according to the identifier of the encrypted ticket, and decrypting the encrypted ticket based on the encryption algorithm and decryption key to obtain the ticket;
The authentication processing module 6 is used for allowing access to the first application with the first identity when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket.
In actual use, the user terminal typically accesses the application programs in the Hadoop platform over the network; therefore, when accessing an application, the user terminal needs to submit the encrypted ticket, the second user identifier and the second application identifier to the Hadoop platform at the same time.
Here, the preset algorithm is the same as the one used in the authorization reply module 3, so that the same encrypted ticket yields the same identifier.
Here, it is only necessary to decrypt the encrypted ticket and then compare the identifiers to determine the user's access rights, so the process is fairly simple. It can be seen that the security authentication device does not depend on any third-party authentication system and has the advantages of being lightweight, efficient, easy to use and highly available.
An embodiment of the present invention provides a device for security authentication. As shown in Figure 5, the device includes an authentication management system (AMS, Authentication Manager System), a communication system (CS, Communication System), a storage module and a big data platform underlying storage system, wherein:
1. The authentication management system AMS is used for generating a ticket and encrypting it into an encrypted ticket when the user is authorized, and for authenticating the encrypted ticket when the user logs in; it includes the following modules:
(1) A ticket generation module, for receiving the first user identifier and the first application identifier, generating a ticket containing the first user identifier and the first application identifier, and sending the ticket to the ticket encryption module;
(2) A ticket encryption module, for receiving the ticket, encrypting the ticket based on the encryption algorithm and encryption key to obtain the encrypted ticket, sending the encrypted ticket to the communication system CS, calculating the identifier of the encrypted ticket, and sending the identifier of the encrypted ticket, the encryption algorithm and the decryption key to the storage module; the encryption algorithm can be the asymmetric encryption algorithm HMAC-SHA;
(3) A ticket verification module, for receiving the encrypted ticket, the second user identifier and the second application identifier from the communication system CS, calculating the identifier of the encrypted ticket, querying the corresponding encryption algorithm and decryption key from the storage module according to the identifier of the encrypted ticket, and decrypting the encrypted ticket based on the encryption algorithm and decryption key to obtain the first user identifier and the first application identifier; when the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, it sends an authentication-passed message to the communication system CS, otherwise it returns an authentication-failed message.
It can be seen that in the authentication management system AMS, the ticket generation module and the ticket encryption module together perform the functions of the authorization processing module 2 and the authorization reply module 3, and the ticket verification module performs the functions of the information extraction module 5 and the authentication processing module 6.
2. The storage module is used for storing the identifier, encryption algorithm and decryption key of the encrypted ticket, and for reading the corresponding encryption algorithm and decryption key according to the received identifier of an encrypted ticket; it includes the following modules:
(1) A plug-in storage module, for receiving from the authentication management system AMS a storage entry containing the identifier, encryption algorithm and decryption key of the encrypted ticket, and providing the following storage-entry change functions: storing the entry in the big data platform underlying storage system, deleting certain entries from the big data platform underlying storage system, and modifying certain entries in the big data platform underlying storage system; at the same time, it sends a storage-entry change notification to the dynamic loading module. It is also used for receiving a read-entries instruction from the dynamic loading module, reading all storage entries from the big data platform underlying storage system and sending them to the dynamic loading module. To hide the differences between the underlying storage systems of different big data platforms and thus provide the authentication management system AMS with a unified data interface, the storage module is preferably plug-in based, so that the storage type can be customized and different storage types such as files of a defined format, databases and distributed storage systems are supported;
(2) A dynamic loading module, for sending the read-entries instruction to the plug-in storage module and storing the received storage entries in memory; and for updating the storage entries in memory in real time according to the received storage-entry change notifications, so as to ensure that the storage entries in memory are consistent with the storage entries in the big data platform underlying storage system.
In the storage system, the identifier, encryption algorithm and decryption key of the encrypted ticket have already been loaded into memory, which greatly improves read and write speed and thus the performance of the whole system.
3. The big data platform underlying storage system is used for storing the received identifier, encryption algorithm and decryption key of the encrypted ticket; it can be implemented in many ways, for example HDFS.
4. The communication system CS is used for providing communication between the client and the authentication management system AMS, hiding the coding differences between different systems and providing a unified communication interface; it includes the following modules:
(1) A first communication interface, for communication with the authentication management system AMS;
(2) A second communication interface, for communication with the client and the application server;
(3) A control module, for receiving the first user identifier and the first application identifier from the client and forwarding them to the authentication management system AMS, and forwarding the result obtained from the authentication management system AMS (the encrypted ticket, or authorization failure) to the client; and for receiving the encrypted ticket, the second user identifier and the second application identifier from the application server and forwarding them to the authentication management system AMS, and forwarding the result obtained from the authentication management system AMS (authentication success or authentication failure) to the application server.
The communication system CS performs the functions of the authorization information receiving module 1 and the authentication information receiving module 4.
As shown in Figure 6, the authorization process of the security authentication device is as follows:
Step 601: The client sends an application to the administrator management system, submitting the first user identifier and the first application identifier at the same time; the administrator management system presents the first user identifier and the first application identifier to the Hadoop platform administrator;
Step 602: The administrator decides whether the client is allowed to access the first application with the first identity; if allowed, step 603 is performed; otherwise, this process flow ends;
Step 603: The client sends the first user identifier and the first application identifier to the communication system CS;
Step 604: The communication system CS judges whether the client implements the second communication interface; the communication system CS provides a unified second communication interface externally, so the client sends the first user identifier and the first application identifier according to the requirements of the second communication interface. If it is implemented, step 605 is performed; otherwise, this process flow ends;
Step 605: Through the second communication interface, the communication system CS sends the first user identifier and the first application identifier to the authentication management system AMS;
Step 606: The ticket generation module generates a ticket using the first user identifier and the first application identifier; the ticket includes the first user identifier and the first application identifier;
Step 607: The ticket encryption module encrypts the ticket based on the encryption algorithm and encryption key to obtain the encrypted ticket, sends the identifier, encryption algorithm and decryption key of the encrypted ticket to the storage module, and sends the encrypted ticket to the communication system CS;
Step 608: In the storage module, the plug-in storage module stores the identifier, encryption algorithm and decryption key of the encrypted ticket in the big data platform underlying storage system;
Step 609: The dynamic loading module dynamically loads the identifier, encryption algorithm and decryption key of the encrypted ticket into memory;
Step 610: The communication system CS sends the encrypted ticket to the client.
As shown in Figure 7, the authentication process of the security authentication device is as follows:
Step 701: The client sends an access request to the application server running in the Hadoop platform; to access normally, the client should provide the encrypted ticket, the second user identifier and the second application identifier;
Step 702: The application server judges whether the request carries an encrypted ticket; if not, it returns "no access permission" to the client and this process flow ends; otherwise step 703 is performed;
Step 703: The application server sends the encrypted ticket, the second user identifier and the second application identifier to the communication system CS;
Step 704: The communication system CS judges whether the application server implements the second communication interface; the communication system CS provides a unified second communication interface externally, so the application server sends the encrypted ticket, the second user identifier and the second application identifier according to the requirements of the second communication interface. If it is implemented, step 605 is performed; otherwise, access is denied and this process flow ends;
Step 705: Through the second communication interface, the communication system CS sends the encrypted ticket, the second user identifier and the second application identifier to the authentication management system AMS;
Step 706: The ticket verification module calculates the identifier of the encrypted ticket and uses the identifier to obtain the corresponding encryption algorithm and decryption key from the storage module;
Step 707: The ticket verification module decrypts the encrypted ticket using the encryption algorithm and decryption key to obtain the first user identifier and the first application identifier;
Step 708: Judge whether the first user identifier equals the second user identifier and the first application identifier equals the second application identifier; if not, step 709 is performed; otherwise step 710 is performed;
Step 709: The authentication result is failure; step 711 is performed;
Step 710: The authentication result is success; step 711 is performed;
Step 711: The communication system CS returns the authentication result to the application server;
Step 712: If the application server judges that the authentication result is success, the client is allowed to access the application server; otherwise access is forbidden.
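As an added example (not code from the patent or from any implementation of it), the following Python models the authorization flow of Figure 6 and the authentication flow of Figure 7 end to end: ticket generation, protection with a key that never leaves the platform, the MD5/SHA256 identifier, the identifier-to-(algorithm, decryption key) store, and the decrypt-and-compare check. It takes the page's HMAC-SHA option for the protection step; because HMAC is a keyed MAC rather than an asymmetric cipher, the stored "decryption key" is the same MAC key and "decryption" means verifying the tag and stripping it. The per-ticket key, the JSON ticket layout and the in-memory store are assumptions of this example.

```python
"""Ticket issue/verify flow of CN108243158A with a pluggable ticket-protection step.

Constructed example: the encrypted ticket is ticket_bytes || HMAC-SHA256 tag, the
"decryption key" stored per ticket is the MAC key, and "decrypting" verifies the tag.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TAG_LEN = 32  # SHA-256 digest length in bytes


@dataclass(frozen=True)
class Ticket:
    """The ticket: first user identifier and first application identifier."""
    user_id: str
    app_id: str

    def to_bytes(self) -> bytes:
        # Canonical JSON so the same ticket always serialises identically (assumed layout).
        return json.dumps({"user": self.user_id, "app": self.app_id}, sort_keys=True).encode()

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Ticket":
        data = json.loads(raw)  # JSONDecodeError / UnicodeDecodeError are ValueErrors
        if not isinstance(data, dict) or not isinstance(data.get("user"), str) \
                or not isinstance(data.get("app"), str):
            raise ValueError("malformed ticket body")
        return cls(data["user"], data["app"])


def hmac_sha256_seal(body: bytes, key: bytes) -> bytes:
    """'Encrypt' step of the HMAC-SHA option: append a keyed tag to the ticket bytes."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def hmac_sha256_open(sealed: bytes, key: bytes) -> bytes:
    """'Decrypt' step: verify the tag in constant time and return the ticket bytes."""
    if len(sealed) <= TAG_LEN:
        raise ValueError("sealed ticket too short")
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("ticket tag mismatch")
    return body


# Encryption-algorithm registry: name -> (seal, open). Other algorithms plug in here.
Algo = Callable[[bytes, bytes], bytes]
ALGORITHMS: Dict[str, Tuple[Algo, Algo]] = {"HMAC-SHA256": (hmac_sha256_seal, hmac_sha256_open)}


def ticket_identifier(encrypted_ticket: bytes, preset: str = "md5") -> str:
    """The preset algorithm (MD5 or SHA256 per the patent) applied to the encrypted ticket."""
    return hashlib.new(preset, encrypted_ticket).hexdigest()


class AuthenticationManager:
    """AMS: issues tickets (authorization flow) and checks them (authentication flow).

    The storage module is modelled as an in-memory dict keyed by ticket identifier whose
    value is (encryption algorithm, decryption key), the triple the patent stores.
    """

    def __init__(self, algorithm: str = "HMAC-SHA256", preset: str = "md5") -> None:
        self.algorithm = algorithm
        self.preset = preset
        self.store: Dict[str, Tuple[str, bytes]] = {}
        self.issued: Dict[str, bytes] = {}  # encrypted tickets kept so a lost one can be re-sent

    def authorize(self, user_id: str, app_id: str, admin_approved: bool) -> Optional[bytes]:
        """Steps 601-610: returns the encrypted ticket, or None if the administrator refused."""
        if not admin_approved:
            return None
        key = secrets.token_bytes(32)  # assumption: a fresh key per ticket, kept on the platform
        seal, _ = ALGORITHMS[self.algorithm]
        encrypted = seal(Ticket(user_id, app_id).to_bytes(), key)
        ident = ticket_identifier(encrypted, self.preset)
        self.store[ident] = (self.algorithm, key)
        self.issued[ident] = encrypted
        return encrypted

    def authenticate(self, encrypted_ticket: bytes, user_id: str, app_id: str) -> bool:
        """Steps 701-712: True only if the ticket opens and its identifiers match the presented ones."""
        entry = self.store.get(ticket_identifier(encrypted_ticket, self.preset))
        if entry is None:
            return False  # never issued, or altered in transit: its identifier has no entry
        algorithm, key = entry
        _, open_ = ALGORITHMS[algorithm]
        try:
            ticket = Ticket.from_bytes(open_(encrypted_ticket, key))
        except ValueError:
            return False  # tag mismatch or unreadable ticket body
        # The lookup alone would accept any issued ticket from anyone who holds it; comparing
        # the presented identity with the ticket's own identifiers is what makes this authentication.
        return (hmac.compare_digest(ticket.user_id.encode(), user_id.encode())
                and hmac.compare_digest(ticket.app_id.encode(), app_id.encode()))
```

A replayed ticket presented with a different user or application identifier fails at the final comparison, and any byte change to the ticket fails already at the identifier lookup.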
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention.
Claims (12)
1. A processing method for security authentication, characterized in that the method includes:
receiving a first user identifier and a first application identifier;
after obtaining permission to access a first application with a first identity, generating a ticket that includes the first user identifier and the first application identifier, and encrypting the ticket based on an encryption algorithm and an encryption key to obtain an encrypted ticket;
calculating an identifier of the encrypted ticket based on a preset algorithm, locally storing the identifier, the encryption algorithm and a decryption key of the encrypted ticket, and sending the encrypted ticket.
2. The processing method for security authentication according to claim 1, characterized in that calculating the identifier of the encrypted ticket based on the preset algorithm and locally storing the identifier, the encryption algorithm and the decryption key of the encrypted ticket includes:
calculating an MD5 value of the encrypted ticket based on the Message Digest Algorithm 5 (MD5), and locally storing the MD5 value, the encryption algorithm and the decryption key of the encrypted ticket.
3. The processing method for security authentication according to claim 1, characterized in that locally storing the identifier, the encryption algorithm and the decryption key of the encrypted ticket includes:
locally storing the encrypted ticket, and the identifier, the encryption algorithm and the decryption key of the encrypted ticket.
4. The processing method for security authentication according to claim 1, characterized in that encrypting the ticket based on the encryption algorithm and the encryption key to obtain the encrypted ticket, and locally storing the identifier, the encryption algorithm and the decryption key of the encrypted ticket, includes:
encrypting the ticket based on an asymmetric encryption algorithm and a public key to obtain the encrypted ticket, and locally storing the identifier of the encrypted ticket, the asymmetric encryption algorithm and a private key.
5. The processing method for security authentication according to claim 1, characterized in that encrypting the ticket based on the encryption algorithm and the encryption key to obtain the encrypted ticket, and locally storing the identifier, the encryption algorithm and the decryption key of the encrypted ticket, includes:
encrypting the ticket based on an asymmetric encryption algorithm and a private key to obtain the encrypted ticket, and locally storing the identifier of the encrypted ticket, the asymmetric encryption algorithm and a public key.
6. A security authentication method based on any one of claims 1-5, characterized in that the method includes:
receiving an encrypted ticket, a second user identifier and a second application identifier;
calculating the identifier of the encrypted ticket based on the preset algorithm, obtaining the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypting the encrypted ticket based on the encryption algorithm and the decryption key to obtain the ticket;
when it is determined that the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket, allowing access to the first application with the first identity.
7. A processing device for security authentication, characterized in that the device includes an authentication information receiving module, an authorization processing module and an authorization reply module, wherein:
the authorization information receiving module is used for receiving a first user identifier and a first application identifier;
the authorization processing module is used for, after obtaining permission to access a first application with a first identity, generating a ticket that includes the first user identifier and the first application identifier, and encrypting the ticket based on an encryption algorithm and an encryption key to obtain an encrypted ticket;
the authorization reply module is used for calculating an identifier of the encrypted ticket based on a preset algorithm, locally storing the identifier, the encryption algorithm and a decryption key of the encrypted ticket, and sending the encrypted ticket.
8. The processing device for security authentication according to claim 7, characterized in that the authorization reply module is specifically used for:
calculating an MD5 value of the encrypted ticket based on the Message Digest Algorithm 5 (MD5), and locally storing the MD5 value, the encryption algorithm and the decryption key of the encrypted ticket.
9. The processing device for security authentication according to claim 7, characterized in that the authorization reply module is specifically used for:
locally storing the encrypted ticket, and the identifier, the encryption algorithm and the decryption key of the encrypted ticket.
10. The processing device for security authentication according to claim 7, characterized in that:
the authorization processing module is specifically used for encrypting the ticket based on an asymmetric encryption algorithm and a public key to obtain the encrypted ticket;
the authorization reply module is specifically used for locally storing the identifier of the encrypted ticket, the asymmetric encryption algorithm and a private key.
11. The processing device for security authentication according to claim 12, characterized in that:
the authorization processing module is specifically used for encrypting the ticket based on an asymmetric encryption algorithm and a private key to obtain the encrypted ticket;
the authorization reply module is specifically used for locally storing the identifier of the encrypted ticket, the asymmetric encryption algorithm and a public key.
12. A security authentication device based on any one of claims 7-11, characterized in that the device includes an authentication information receiving module, an information extraction module and an authentication processing module, wherein:
the authentication information receiving module is used for receiving an encrypted ticket, a second user identifier and a second application identifier;
the information extraction module is used for calculating the identifier of the encrypted ticket based on the preset algorithm, obtaining the encryption algorithm and the decryption key according to the identifier of the encrypted ticket, and decrypting the encrypted ticket based on the encryption algorithm and the decryption key to obtain the ticket;
the authentication processing module is used for allowing access to the first application with the first identity when it is determined that the second user identifier is consistent with the first user identifier in the ticket and the second application identifier is consistent with the first application identifier in the ticket.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611219818.8A CN108243158A (en) | 2016-12-26 | 2016-12-26 | A kind of method and apparatus of safety certification |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108243158A true CN108243158A (en) | 2018-07-03 |
Family
ID=62702076
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20180703 |