CN108449358A - Cloud-based low-latency secure computing method - Google Patents

Info

Publication number: CN108449358A
Application number: CN201810317985.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN108449358B (en)
Inventor: 肖恒念
Current assignee: Shenzhen Unionpay Easy Financial Services Co ltd
Original assignee: Individual
Prior art keywords: terminal, virtual machine, digital certificate, info, business
Legal status: Granted; Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint


Abstract

The present invention provides a cloud-based low-latency secure computing method. The method includes: generating a first digital certificate from terminal identity information; retrieving the terminal fingerprint information and the certificate server's authorization private key from a local storage pool; encrypting the first digital certificate with the terminal fingerprint information to obtain a first ciphertext; encrypting the first digital certificate and the terminal identity information with the certificate server's authorization private key to obtain a second ciphertext; retrieving the terminal's permission list information from the local storage pool, and generating and encrypting a second digital certificate; encrypting the second digital certificate and the terminal identity information with the target virtual machine cluster identity information; and sending the encrypted second digital certificate and terminal identity information to the terminal. By encrypting the terminal's service requests, the method provides security verification of service access in a hybrid cloud and improves the data security of the hybrid cloud.

Description

Cloud-based low-latency secure computing method
Technical field
The present invention relates to cloud computing, and more particularly to a cloud-based low-latency secure computing method.
Background technology
A hybrid cloud connects public and private terminal nodes over a computer network. The management node and the stored data are distributed over different nodes, which provide storage, read/write and deletion services for files to multiple terminals. Current hybrid cloud architectures manage the name resources of the entire hybrid cloud cluster with a single name node; this keeps the system control logic simple and eases management, but it also introduces weaknesses in reliability and security. Conventional hybrid clouds assume that the cloud platform always operates in a trusted environment and is used by trusted terminals. However, an illegal terminal can impersonate a trusted terminal to access that terminal's data in the hybrid cloud.
Invention content
To solve the above problems of the prior art, the present invention proposes a cloud-based low-latency secure computing method, including:
receiving terminal identity information and determining whether the terminal is a registered terminal;
if so, generating a first digital certificate from the terminal identity information;
retrieving the terminal fingerprint information and the certificate server's authorization private key from a local storage pool;
encrypting the first digital certificate with the terminal fingerprint information to obtain a first ciphertext;
encrypting the first digital certificate and the terminal identity information with the certificate server's authorization private key to obtain a second ciphertext;
retrieving the terminal's permission list information from the local storage pool and generating a second digital certificate;
encrypting the second digital certificate with the terminal fingerprint information;
encrypting the second digital certificate and the terminal identity information with the target virtual machine cluster identity information;
and sending the encrypted second digital certificate and terminal identity information to the terminal.
Preferably, receiving the terminal identity information and determining whether the terminal is a registered terminal further includes:
the terminal sends its ID, i.e. its UID, to the certificate server;
the certificate server queries the local storage pool to check whether the terminal UID has been stored.
Preferably, generating the first digital certificate from the terminal identity information further includes:
if the terminal is registered, the certificate server generates a digital certificate CTE1, which serves as the digital certificate between the terminal and the certificate server;
if the terminal is not registered, the certificate server discards the request message.
Preferably, after the first and second ciphertexts are obtained, the method further includes:
sending the first ciphertext and the second ciphertext to the terminal, and receiving from the terminal the second ciphertext together with a third ciphertext encrypted with the first digital certificate, the third ciphertext containing the terminal identity information to be verified and the requested service ID.
Compared with the prior art, the present invention has the following advantages:
the proposed cloud-based low-latency secure computing method encrypts the terminal's service requests, thereby providing security verification of service access in the hybrid cloud and improving the data security of the hybrid cloud.
Description of the drawings
Fig. 1 is a flow chart of the cloud-based low-latency secure computing method according to an embodiment of the present invention.
Specific implementation mode
A detailed description of one or more embodiments of the invention is provided below together with the accompanying drawing that illustrates the principles of the invention. The invention is described in conjunction with such embodiments, but it is not limited to any embodiment. The scope of the invention is limited only by the claims, and the invention covers many alternatives, modifications and equivalents. Many specific details are set forth in the following description to provide a thorough understanding of the invention. These details are provided for illustrative purposes, and the invention may be practiced according to the claims without some or all of them.
One aspect of the present invention provides a cloud-based low-latency secure computing method. Fig. 1 is a flow chart of the cloud-based low-latency secure computing method according to an embodiment of the present invention. The method of the present invention includes the following steps:
1. Receive the terminal identity information and determine whether the terminal is a registered terminal; if so, generate a first digital certificate from the terminal identity information, retrieve the terminal fingerprint information and the certificate server's authorization private key from the local storage pool, encrypt the first digital certificate with the terminal fingerprint information to obtain a first ciphertext, and encrypt the first digital certificate and the terminal identity information with the certificate server's authorization private key to obtain a second ciphertext.
Specifically, the terminal sends its ID, i.e. its UID, to the certificate server, and the certificate server queries the local storage pool to check whether the terminal UID has been stored. If the terminal is registered, the certificate server generates a digital certificate CTE1, which serves as the digital certificate between the terminal and the certificate server. If the terminal is not registered, the certificate server discards the request message.
The certificate server duplicates the generated CTE1, retrieves the terminal's fingerprint information from the local storage pool together with its own authorization private key, encrypts one copy of CTE1 with the terminal's fingerprint information, and encrypts a packet containing the other copy of CTE1 and the terminal UID with its own authorization private key. The certificate server then returns both results, the one encrypted with the terminal fingerprint information and the one encrypted with its own authorization private key, to the terminal; they can be written as E_user_fp(CTE1) and E_AS_fp(CTE1+UID).
2. Send the first ciphertext and the second ciphertext to the terminal, and receive from the terminal the second ciphertext together with a third ciphertext encrypted with the first digital certificate; the third ciphertext contains the terminal identity information to be verified and the requested service ID.
Specifically, after the terminal receives the information returned by the certificate server, it decrypts CTE1 with its own fingerprint information, then encrypts the UID and the requested service ID with CTE1 to produce E_CTE1(UID + requested service ID), and sends this to the certificate server together with E_AS_fp(CTE1+UID).
3. Decrypt the third ciphertext with the first digital certificate to obtain the terminal identity information to be verified; based on the consistency of the terminal identity information with the terminal identity information to be verified, determine that the terminal has access rights to the service execution virtual machine.
Specifically, the certificate server decrypts E_AS_fp(CTE1+UID) with its own authorization private key to obtain CTE1 and the UID, then uses CTE1 to decrypt E_CTE1(UID + requested service ID) to obtain the UID and the requested service ID, and compares whether the two UIDs obtained are identical. If they are, the certificate server's authentication of the terminal is complete, and the terminal is granted access rights to the virtual machine to which the service execution belongs.
4. Retrieve the terminal's permission list information from the local storage pool and generate a second digital certificate; encrypt the second digital certificate with the terminal fingerprint information to obtain a fourth ciphertext; encrypt the second digital certificate and the terminal identity information with the target virtual machine cluster identity information to obtain a fifth ciphertext; and send the fourth ciphertext and the fifth ciphertext to the terminal.
Specifically, the certificate server searches the terminal database, extracts the terminal's permission list, and determines whether the terminal has access rights to that virtual machine cluster; if not, the virtual machine cluster system suspends service to the terminal. If so, the certificate server generates a CTE2 and duplicates it, encrypts one copy of CTE2 together with the service execution virtual machine address with the terminal's fingerprint information, encrypts the other copy of CTE2 together with the UID with the identifier of the service execution virtual machine to be accessed, and then sends E_user_fp(CTE2 + virtual machine cluster address) and E_VM_fp(CTE2+UID) to the terminal together.
Here E_user_fp, E_AS_fp, E_CTE1 and E_VM_fp denote encryption functions keyed respectively by the terminal fingerprint information, the certificate server's authorization private key, the first digital certificate, and the identifier of the service execution virtual machine.
By this method, terminal identity authentication at the certificate server in the hybrid cloud and encrypted distribution of terminal access rights are achieved, improving the data security of the hybrid cloud.
On the basis of the above embodiment, the method further includes: converting each character of the requested service ID into a corresponding number, and computing the virtual machine cluster identifier from those numbers.
Specifically, after the certificate server receives the service ID requested by the terminal, it parses the requested service ID to determine the virtual machine cluster to which the service belongs. The determination method is: the certificate server converts the characters of the service ID one by one into corresponding numbers, sums all the numbers, and divides the sum by the total number of virtual machine clusters; the remainder is the identifier of the virtual machine cluster to which the file belongs, and that cluster identifier is the ID of the service execution virtual machine.
In the virtual machine cluster system of the present invention, the path information and the data location information of a service are stored separately, and the metadata is managed hierarchically.
The path information includes the service ID, the full path of the service, and the access rights of the service. The service data includes the service data location information, which records the mapping between the service data and virtual machines. The metadata path and the service data are managed under different strategies.
This system stores the path of a service separately from its service data: the path where the service resides is hashed, and the result is substituted into a load balancing function to obtain the ID of the service execution virtual machine that stores the service path. Then, according to the current load of the virtual machine cluster, a suitable execution virtual machine ID is assigned for the service data location information.
To distribute paths evenly across the service execution virtual machines, the path where the service resides is first hashed to obtain a hash result, as in the following formula:
result = Hash(path)
The result is then substituted into the load balancing function f to obtain the ID of the service execution virtual machine that stores the service path, as in the following formula:
ID = f(result)
Through the mapping of the load balancing function, the path data of the virtual machine cluster system can be evenly dispersed across the control nodes of the virtual machine clusters.
On the basis of the above embodiment, the method further includes a terminal registration step: the terminal connects to the certificate server and registers the terminal identity information, the terminal fingerprint information and the permission list information; the terminal fingerprint information is obtained by hashing the terminal password on the terminal.
Specifically, the terminal connects to the certificate server and registers its UID, password and service role domain, and the certificate server stores the terminal's registration information in the local storage pool. The password is hashed locally to obtain a hash value, and this hash value is the fingerprint information with which the certificate server verifies the terminal password. The service role domain is the domain the terminal applies to join at registration; after joining succeeds, the certificate server assigns it a role, and the terminal's access rights are jointly constrained by the domain, the role and the terminal access control information.
After receiving the information, the terminal decrypts E_user_fp(CTE2 + virtual machine cluster address) with its fingerprint information to obtain CTE2 and the virtual machine address, creates an authentication packet consisting of the UID, the current time and the requested service ID, encrypts it with CTE2 to form E_CTE2(UID + current time + requested service ID), and sends it together with E_VM_fp(CTE2+UID) to the service execution virtual machine at that address.
Assigning a suitable execution virtual machine ID to the service data location information according to the current load of the virtual machine cluster includes distributing the service data to the service execution virtual machines according to the current load of the cluster. Each service execution virtual machine in the cluster system periodically reports its load, including its CPU utilization and memory utilization, to the certificate server; after the certificate server has collected the load of all virtual machine clusters, it sends this information to every service execution virtual machine. Each virtual machine maintains a cluster load queue and, according to this queue, selects the most lightly loaded service execution virtual machine, distributes the service data to that node, and records the node's ID in the node that stores the service path.
Then the fifth ciphertext is decrypted with the target virtual machine cluster identity information, the sixth ciphertext is decrypted with the second digital certificate, and the consistency of the terminal identity information in the fifth ciphertext with the terminal identity information in the sixth ciphertext is checked to authenticate the terminal's access rights.
That is, after the service execution virtual machine receives E_CTE2(UID + current time + requested service ID) and E_VM_fp(CTE2+UID), it decrypts E_VM_fp(CTE2+UID) with its fingerprint information to obtain CTE2 and the UID, then decrypts E_CTE2(UID + current time + requested service ID) with CTE2 to obtain the UID, the current time and the requested service ID, and compares whether the two UIDs are consistent. If they are, the service execution virtual machine's authentication of the terminal is complete.
The service execution virtual machine combines the terminal's permission list information to generate an access license, whose format is as follows:
LicenseID={ time, keyID, UID, taskID, mode };
where keyID is an increment value generated by the service execution virtual machine's counter, and the mode, time and taskID fields respectively indicate the mode in which the terminal accesses the service, the validity period, and the task number.
The service execution virtual machine sends the generated license and the address of the service to which the requested service belongs to the terminal, and sends the key to the corresponding virtual machine via a heartbeat signal. After receiving this information, the terminal forwards the taskID of the service to be accessed together with the corresponding access license to the virtual machine.
By this method, virtual machine access rights are granted to the terminal according to two-level metadata, improving the data security of the hybrid cloud.
After the service execution virtual machine has authenticated the terminal, it requests the terminal's permission list information from the certificate server. Specifically, once authentication of the terminal is complete, the service execution virtual machine requests the permission list information of that terminal from the certificate server, and the certificate server, on receiving the request from the service execution virtual machine, sends the permission list information for that terminal ID to the service execution virtual machine.
After the terminal receives the access license from the service execution virtual machine, it forwards the taskID of the service to be accessed together with the corresponding access license to the virtual machine; the virtual machine verifies the legitimacy of the license on receipt, and only after verification is complete does it allow the terminal to operate on the service.
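The two-phase exchange of steps 1 to 4 above, the sum-of-characters derivation of the cluster identifier from the service ID, and the service execution virtual machine's second authentication and license issuance, driven end to end as an added Python example (not code from the patent). It assumes a constructed cipher E_key (an HMAC-SHA256 keystream plus an HMAC tag, since the patent names no cipher), four sample clusters, and sample UIDs, passwords and addresses.

```python
import hashlib, hmac, json, os, secrets, time
# E_key(...) stand-in (constructed; the patent names no cipher): HMAC-SHA256 keystream
# XORed over JSON-encoded fields, followed by an HMAC tag over nonce and ciphertext.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key, fields):
    """E_key(fields) -> nonce || ciphertext || tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    """Inverse of E; raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def cluster_for_service_id(service_id, n_clusters):
    """Cluster identifier = (sum of the per-character codes) mod (number of clusters)."""
    return sum(ord(c) for c in service_id) % n_clusters
def fingerprint(password):
    """Registration step: the terminal fingerprint is the hash of the terminal password."""
    return hashlib.sha256(password.encode()).digest()

class CertificateServer:
    def __init__(self, registry, clusters):
        self.registry = registry      # UID -> {"fp": bytes, "perms": set of cluster ids}
        self.clusters = clusters      # cluster id -> (VM address, VM identifier used as key)
        self.as_key = os.urandom(32)  # authorization private key (sample value)
    def step1(self, uid):
        """Step 1: registered? Then CTE1 under the terminal fingerprint and under the AS key."""
        rec = self.registry.get(uid)
        if rec is None:
            return None                              # unregistered: drop the request
        cte1 = secrets.token_hex(32)
        return E(rec["fp"], {"cte1": cte1}), E(self.as_key, {"cte1": cte1, "uid": uid})
    def step3_4(self, c2, c3):
        """Steps 3-4: recover CTE1, compare the two UIDs, then issue CTE2 for the cluster."""
        inner = D(self.as_key, c2)
        req = D(bytes.fromhex(inner["cte1"]), c3)
        if req["uid"] != inner["uid"]:
            return None                              # UIDs differ: not authenticated
        uid = inner["uid"]
        cluster = cluster_for_service_id(req["service_id"], len(self.clusters))
        if cluster not in self.registry[uid]["perms"]:
            return None                              # not in the permission list: suspend
        addr, vm_fp = self.clusters[cluster]
        cte2 = secrets.token_hex(32)
        return (E(self.registry[uid]["fp"], {"cte2": cte2, "addr": addr}),
                E(vm_fp, {"cte2": cte2, "uid": uid}))

class Terminal:
    def __init__(self, uid, password):
        self.uid, self.fp = uid, fingerprint(password)
    def step2(self, c1, c2, service_id):
        """Step 2: recover CTE1, return E_AS_fp(CTE1+UID) and E_CTE1(UID + service ID)."""
        cte1 = D(self.fp, c1)["cte1"]
        return c2, E(bytes.fromhex(cte1), {"uid": self.uid, "service_id": service_id})
    def step5(self, c4, c5, service_id):
        """Recover CTE2 and the VM address; build E_CTE2(UID + current time + service ID)."""
        inner = D(self.fp, c4)
        pkt = {"uid": self.uid, "time": int(time.time()), "service_id": service_id}
        return inner["addr"], c5, E(bytes.fromhex(inner["cte2"]), pkt)

class ServiceVM:
    def __init__(self, vm_fp):
        self.fp, self.counter = vm_fp, 0
    def authenticate(self, c5, c6, validity=300):
        """Second authentication: both UIDs must agree; then issue the access license."""
        inner = D(self.fp, c5)
        req = D(bytes.fromhex(inner["cte2"]), c6)
        if req["uid"] != inner["uid"]:
            return None
        self.counter += 1                            # keyID: increment of the VM's counter
        return {"time": req["time"] + validity, "keyID": self.counter,
                "UID": inner["uid"], "taskID": req["service_id"], "mode": "read"}

def run_protocol(uid, password, service_id, perms, registered=True):
    """Drive the whole exchange; returns the license, or None where the patent drops/suspends."""
    clusters = {i: (f"10.0.0.{i}", os.urandom(32)) for i in range(4)}   # 4 sample clusters
    registry = {uid: {"fp": fingerprint(password), "perms": perms}} if registered else {}
    cs, term = CertificateServer(registry, clusters), Terminal(uid, password)
    r = cs.step1(uid)
    if r is None:
        return None
    r = cs.step3_4(*term.step2(*r, service_id))
    if r is None:
        return None
    addr, c5, c6 = term.step5(*r, service_id)
    vm = ServiceVM(next(fp for a, fp in clusters.values() if a == addr))
    return vm.authenticate(c5, c6)
```

A wrong fingerprint or a modified ciphertext surfaces as a ValueError from D rather than as a silent UID mismatch, so the tag check is what stops an impersonating terminal before the UID comparison is even reached.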
During a service query, the terminal sends the access license and requests data from the corresponding virtual machine node. The service is divided into task blocks of equal size, and the terminal concurrently retrieves all task blocks of the service. When it reaches the end of a block, it disconnects the link to that virtual machine and proceeds to select the next virtual machine to fetch the next piece of service data. When the terminal connects directly to a virtual machine and locates the corresponding block to query the service, it first verifies the check code to detect whether the data read is valid; if valid, the data is read directly. If invalid, the terminal sends a request to the service execution virtual machine to read the data from the backup virtual machine node, after which the valid data is synchronized from the backup virtual machine to the execution virtual machine.
During service submission, the virtual machine completes a series of verification steps. After confirming that the terminal is allowed to write the service, it issues a service data creation instruction to the virtual machine and returns the block address of the virtual machine to the terminal. The terminal then establishes a connection with the virtual machine and requests to submit the service into the service data allocated by the service execution virtual machine; the virtual machine allocates the block address at which the submission actually takes place and sets an offset ID, and the service is divided into task blocks of equal size and uploaded concurrently into the virtual machine's upload buffer. Once the submission is complete, the terminal can disconnect from the virtual machine.
After the virtual machine receives the service to be committed from the terminal, it writes the service asynchronously and in order into the service data of the backup virtual machine: the execution virtual machine connects to the backup virtual machine and submits there in the same way. After both the primary and backup virtual machines have completed the submission, the metadata is updated and the virtual machine deletes the submission cache occupied by the service.
The service execution virtual machine contacts the certificate server and writes the service index into the directory system. If writing from the upload cache resource to disk fails on either the execution virtual machine or the backup virtual machine, the execution virtual machine requests the service execution virtual machine to allocate another service data block and writes there. By this method, after two verifications of the terminal identity, query and submission operations on hybrid cloud service data are realized.
In the above embodiment of the present invention, service data is further transferred to a cache node or a storage pool according to the service access frequency, so that service data of different access frequencies running in the hybrid cloud can be read quickly. This specifically includes:
Step 1: if the terminal fails to apply for resources from a virtual machine node of the hybrid cloud, send a command to transfer the cache data of the virtual machine node.
Step 2: calculate the transferable resource size in the virtual machine node; if, after transfer, the resource size meets the service's requirement for virtual machine node resources, set a hybrid cloud jump address based on the cache node and the storage pool according to the access frequency of the transferable cache data of the virtual machine node.
Step 3: release the transferable cache data in the virtual machine node, shift the transferable cache data of the virtual machine node to the jump address, change the persistence rank of the transferable cache data in the virtual machine node, and feed back a transfer completion signal and the transfer information.
Step 1 preferably further includes:
calculating the size of the virtual machine node resources occupied by executing the service on the service data, applying for resources from the virtual machine node of the hybrid cloud, and comparing the size of the virtual machine node resources occupied by the service with the vacant resources of the virtual machine node. Specifically, the task scheduler of the hybrid cloud schedules the service; during service operation, the service is executed on the service data in the terminal's identified cache, and an application for resources from the virtual machine node of the hybrid cloud is then reattempted. If the application succeeds, the storage of the service data proceeds directly.
If the size of the virtual machine node resources occupied by the service exceeds the vacant resources of the virtual machine node, the application for resources from the hybrid cloud virtual machine node fails; at the same time, a command to transfer the transferable cache data of the virtual machine node is sent together with the size of the virtual machine node resources that the service needs to occupy.
The hybrid cloud is built with cache nodes and a storage pool, and service data is transferred to the cache nodes or the storage pool according to the service access frequency, which relieves the heavy demand that caching of hybrid cloud service data places on storage area resources.
Step 2 preferably further includes:
an application for virtual machine node resources is sent to the virtual machine node because the storage resources required for executing the service on the service data are insufficient and the virtual machine node's data needs to be transferred; after the virtual machine node receives the application sent by the transfer logic unit, it determines whether it has transferable resources. If the application succeeds, the transferable resource size in the virtual machine node is calculated by the replacement policy.
If the transferable resource size is greater than or equal to the resource size that executing the service on the service data needs to occupy in the virtual machine node, the transfer address of the hybrid cloud based on the cache node and the storage pool is set according to the access frequency of the transferable cache data of the virtual machine node.
If the transferable resource size is less than the resource size that executing the service on the service data needs to occupy in the virtual machine node, the transfer task for the transferable cache data of the virtual machine node is terminated, and a failure signal for the transfer of the transferable cache data of the virtual machine node is fed back.
After the access frequency of the transferable cache data of the virtual machine node has been determined: if the access frequency lies within a first preset service access frequency range, the cache node address is read and set as the jump address; the first preset range corresponds to a higher access frequency of the transferable cache data, and the specific range can be freely set by the terminal. If the access frequency lies within a second preset service access frequency range, the storage pool address is read and set as the jump address.
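The three cache-transfer steps above as a decision routine, added here as an example rather than taken from the patent. It assumes constructed units (MB, accesses per hour), constructed frequency thresholds for the two preset ranges, placeholder cache node and storage pool addresses, and a coldest-first replacement policy standing in for the one the patent leaves unspecified.

```python
from dataclasses import dataclass

# Constructed thresholds: the patent leaves the two preset frequency ranges to the terminal.
HIGH_FREQ = 10.0            # first preset range: access_freq >= HIGH_FREQ  -> cache node
LOW_FREQ = 1.0              # second preset range: access_freq < LOW_FREQ   -> storage pool
CACHE_NODE_ADDR = "cache-node-01"        # placeholder address read from the cache node
STORAGE_POOL_ADDR = "storage-pool-01"    # placeholder address read from the storage pool

@dataclass
class CachedData:
    name: str
    size: int             # MB (constructed unit)
    access_freq: float    # accesses per hour (constructed unit)
    pinned: bool = False  # stands in for the "persistence rank" the patent changes in step 3

@dataclass
class VMNode:
    free: int             # MB of vacant resource on the virtual machine node
    cache: list           # CachedData currently held by the node

def jump_address(access_freq):
    """Pick the hybrid-cloud jump address from the data's access frequency."""
    if access_freq >= HIGH_FREQ:
        return CACHE_NODE_ADDR
    if access_freq < LOW_FREQ:
        return STORAGE_POOL_ADDR
    return None           # in neither preset range: the data is not transferable

def transferable(node):
    """Step 2 replacement policy (constructed): unpinned data with a jump address, coldest first."""
    cands = [d for d in node.cache if not d.pinned and jump_address(d.access_freq) is not None]
    return sorted(cands, key=lambda d: d.access_freq)

def allocate(node, need):
    """Steps 1-3. Returns (ok, transfers); transfers lists (data name, jump address) pairs."""
    if need <= node.free:                                   # step 1: application succeeds
        node.free -= need
        return True, []
    cands = transferable(node)                              # step 2: transferable size
    if node.free + sum(d.size for d in cands) < need:
        return False, []                                    # feed back transfer failure
    moved = []                                              # step 3: release and shift
    for d in cands:
        if node.free >= need:
            break
        node.cache.remove(d)
        node.free += d.size
        d.pinned = True                                     # persistence rank changed
        moved.append((d.name, jump_address(d.access_freq)))
    node.free -= need
    return True, moved
```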
The terminal is mapped using memory and security isolation, is applied for mobile service and creates trusted process in terminal, passed through The running log of the mixed cloud service application of startup is sent to mixed cloud certificate server, so that the mixed cloud remote authentication With the terminal operating data for monitoring the service application, the confidentiality of terminal key and data is protected.Wherein:
The terminal creates trusted process corresponding with the service application, while simultaneously for the trusted process storage allocation The service application is transferred to the trusted process memory source;
Memory function reading and the analytic function in the trusted process are called, obtains the service application local the One verification vectors;
First verification vectors are encapsulated as high in the clouds checking request, and the high in the clouds checking request is sent to and described is recognized Demonstrate,prove server so that the certificate server will first verification vectors and the service application on the certificate server The second verification vectors matched, and shielded authenticating result is sent to the terminal according to matching result;
Judge whether to trust the authenticating result;When judging to trust the authenticating result, allow the business It applies and starts in terminal;
The operation data of the service application of startup is sent to the certificate server in a manner of daily record, so that institute It states certificate server remote authentication and monitors the operation data of the service application.
The trusted process corresponding to the service application is created as follows:
First, the virtual machine image to be run is loaded onto disk;
second, the code and data of the service application to be loaded are encrypted;
third, the code and data of the service application to be loaded are first loaded into a loader, which prepares them for loading into the trusted process;
fourth, a privileged process, i.e. the trusted process, is dynamically requested and constructed;
fifth, the code and data of the service application to be loaded are decrypted in the form of a page cache;
sixth, the decrypted service application and data are proved trustworthy, the code and data of the service application are loaded into the trusted process, and each page-cache content loaded into the trusted process is then copied;
seventh, the trusted process initialization program is started, which forbids any further loading and verification of page caches, generates a trusted-process identity token and encrypts that token, so that the process identity can later be restored and verified;
eighth, by starting the initialization program, the trusted process initializes an independent, encrypted memory region, and external access to the service application is restricted to the entry points identified in the code. The trusted process is isolated from the other service applications running in the terminal.
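The eight-step loader above, as an added example that is not code from the patent or its applicant: a small Python simulation with the checks a practitioner would expect from such a loader: pages are decrypted one at a time, the decrypted image is measured and compared with the expected measurement before anything runs, the process is sealed so that nothing can be loaded after initialization, an identity token bound to the measurement is minted, and external calls are refused unless they target an identified entry point. The page sizes, keys, entry-point names and the SHA-256 keystream standing in for the real cipher are all constructed for the demo.

```python
"""Added example (not from the patent): simulation of the trusted-process loader.
All keys, pages and names are constructed; keystream_xor() is a demo stand-in,
not a production cipher."""
import hashlib
import hmac

PAGE_SIZE = 64  # constructed: tiny pages keep the demo readable


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo stand-in for the cipher that protects code/data at rest (SHA-256 counter
    keystream, XORed). A real loader would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def measure(pages) -> str:
    """Measurement of the application image: hash chain over per-page hashes
    (the role the code measurement IPRO plays in the assertion described later)."""
    h = hashlib.sha256()
    for page in pages:
        h.update(hashlib.sha256(page).digest())
    return h.hexdigest()


class TrustedProcess:
    def __init__(self, expected_measurement: str, entry_points: set):
        self.expected = expected_measurement
        self.entry_points = entry_points
        self.page_cache = []       # steps 5/6: decrypted pages copied into the process
        self.sealed = False        # step 7: no loading after initialization
        self.identity_token = None

    def load_page(self, key: bytes, nonce: bytes, encrypted_page: bytes):
        if self.sealed:  # step 7 forbids continuing to load once initialized
            raise PermissionError("trusted process sealed; loading forbidden")
        plain = keystream_xor(key, nonce, encrypted_page)   # step 5: decrypt into page cache
        self.page_cache.append(plain)                        # step 6: copy into the process

    def initialize(self, token_key: bytes) -> str:
        # Step 6: prove the decrypted code is the expected image before it may run.
        actual = measure(self.page_cache)
        if actual != self.expected:
            self.page_cache.clear()
            raise ValueError("measurement mismatch: image tampered or wrong key")
        # Step 7: seal, then mint an identity token bound to the measurement.
        self.sealed = True
        self.identity_token = hmac.new(token_key, actual.encode(), hashlib.sha256).hexdigest()
        return self.identity_token

    def call(self, symbol: str) -> str:
        # Step 8: external access only through the entry points identified in the code.
        if not self.sealed:
            raise RuntimeError("process not initialized")
        if symbol not in self.entry_points:
            raise PermissionError(f"{symbol!r} is not an exported entry point")
        return f"entered {symbol}"


def rejects(fn, exc) -> bool:
    """True if fn() is refused with exception type exc (used to check the failure paths)."""
    try:
        fn()
    except exc:
        return True
    return False


def build_demo(tamper: bool = False) -> TrustedProcess:
    """Constructed scenario: encrypt a 3-page image, load it page by page, initialize.
    With tamper=True one encrypted byte is flipped, which must be caught by the measurement."""
    key, nonce, token_key = b"k" * 32, b"n" * 11, b"t" * 32
    pages = [bytes([i]) * PAGE_SIZE for i in range(3)]
    expected = measure(pages)
    encrypted = [keystream_xor(key, nonce + bytes([i]), p) for i, p in enumerate(pages)]
    if tamper:
        encrypted[1] = bytes([encrypted[1][0] ^ 0x01]) + encrypted[1][1:]
    tp = TrustedProcess(expected, {"svc_main", "svc_status"})
    for i, page in enumerate(encrypted):
        tp.load_page(key, nonce + bytes([i]), page)
    tp.initialize(token_key)
    return tp
```

The measurement check is what gives the later integrity assertion its meaning: a token minted over a measurement that was never compared with an expected value would attest to whatever happened to be loaded.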
The sending of the operating data of the started service application to the authentication server in the form of a log is specifically as follows:
The operating data is written as a log file inside the trusted process; the log file is hashed to obtain the server log hash value, i.e. message MSG; the message MSG is digitally signed, that is, asymmetrically encrypted with the signing private key; TPM hardware packages the digital signature, the log file and the public key of the digital authentication result together to generate an assertion, which is sent to the authentication server, so that the authentication server performs a watermark signature on the assertion and returns the watermark signature result to the terminal; when the watermark signature fails, the operation of the service application is terminated.
The watermark signature is specifically: the terminal decrypts the digital signature with the public key to export message MSG, and hashes the log file to obtain the terminal log hash value, i.e. message MD2. The authentication server compares the server log hash value with the terminal log hash value. When the two hash values are identical, the data is proven not to have been tampered with, the signature is accepted (the watermark signature succeeds) and the authentication server permits the terminal's data access; when they differ, the data has been tampered with, the signature is rejected (the watermark signature fails) and the authentication server refuses the terminal's data access.
The assertion generated by packaging the digital signature, the log file and the public key of the digital authentication result may be the integrity-protection assertion RL of the generated trusted process:
RL = HASH(IPRO || I_fp || Random)
where IPRO is the measurement of the code that generates the asserted trusted process;
I_fp is the public key used to sign the trusted process before loading;
Random is an arbitrary random number that the trusted process may specify when it requests verification of the assertion.
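The log-attestation exchange and the assertion RL described above, as an added example that is not code from the patent or its applicant. It is pure Python so that it runs offline: MSG is the SHA-256 hash of the log file, the signature is that hash raised to the private exponent (textbook RSA, matching the description's "asymmetric encryption of MSG with the signing private key"), the public exponent recovers MSG, and the verifier compares it with its own hash MD2. The key (two Mersenne primes), the log lines and the IPRO / I_fp values are constructed for the demo; a deployment must use a padded signature scheme such as RSA-PSS from a vetted library, and the page does not say how the TPM binds the packaged fields, so the assertion here is a plain dict.

```python
"""Added example (not from the patent): log attestation with a textbook RSA
signature and the RL integrity assertion. Demo key and log data are constructed."""
import hashlib
import secrets

# Constructed demo key: 2^521-1 and 2^607-1 are primes, chosen so the demo runs
# instantly. This is NOT how real keys are selected.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))   # E is coprime to (P-1)(Q-1) for these primes


def log_hash(log_file: bytes) -> int:
    """MSG on the terminal / MD2 on the verifier: SHA-256 of the log file as an integer."""
    return int.from_bytes(hashlib.sha256(log_file).digest(), "big")


def sign_msg(msg: int, d: int = D, n: int = N) -> int:
    """Digital signature = MSG 'encrypted' with the signing private key."""
    return pow(msg, d, n)


def recover_msg(signature: int, e: int = E, n: int = N) -> int:
    """'Decrypt' the signature with the public key to export MSG."""
    return pow(signature, e, n)


def integrity_assertion(ipro: bytes, i_fp: bytes, random: bytes) -> bytes:
    """RL = HASH(IPRO || I_fp || Random) as given in the description."""
    return hashlib.sha256(ipro + i_fp + random).digest()


def build_assertion(log_file: bytes, ipro: bytes, i_fp: bytes) -> dict:
    """Terminal side: the fields the TPM packages together and sends to the server.
    Assumption: a dict, since the page does not define the packaging format."""
    msg = log_hash(log_file)
    return {
        "log_file": log_file,
        "signature": sign_msg(msg),
        "public_key": (E, N),
        "rl": integrity_assertion(ipro, i_fp, secrets.token_bytes(16)),  # Random chosen here
    }


def watermark_check(assertion: dict) -> bool:
    """Server side: recompute MD2, recover MSG from the signature, compare.
    True means the watermark signature succeeds and data access is permitted."""
    e, n = assertion["public_key"]
    msg = recover_msg(assertion["signature"], e, n)
    md2 = log_hash(assertion["log_file"])
    return msg == md2


def demo() -> tuple:
    """Constructed log; returns (check on intact log, check on a tampered copy)."""
    log_file = (b"2018-04-10T10:00:01 svc_start pid=4242\n"
                b"2018-04-10T10:00:02 open /data/orders.db mode=r\n")
    assertion = build_assertion(log_file,
                                ipro=b"measurement-of-trusted-process (constructed)",
                                i_fp=b"loader-signing-public-key (constructed)")
    intact = watermark_check(assertion)
    tampered = dict(assertion, log_file=log_file.replace(b"mode=r", b"mode=w"))
    return intact, watermark_check(tampered)
```

The tampered case is the one the description cares about: the signature still recovers the original MSG, the recomputed MD2 no longer matches, the watermark signature fails and the service application is stopped. Note that the check only binds the log to the key that signed it; whether that key belongs to the trusted process is what the RL assertion and the loader's measurement are for.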
In the authentication phase between multiple heterogeneous terminals and the hybrid cloud, the authentication server of the hybrid cloud preferably uses a traceable authentication mode: when a terminal misbehaves, the true identity of the client can be traced, and an illegitimate user cannot obtain legitimate virtual machine computing services. The traceable authentication method proceeds as follows:
The hybrid cloud HC initializes its own public/private key pair and the system parameters, and publishes the system parameters, including the security parameter λ and a large prime p. At the same time it generates public/private key pairs for all virtual machine nodes; for any virtual machine node S_j the public key and private key are denoted PK_j and sk_j. HC defines a cyclic additive group G of order q and defines the hash functions h, h_1, h_2, h_3.
HC chooses a random number s and sets the private key of virtual machine node S_j to sk_s and its public key to PK_s. The public system parameters are distributed by default to all terminals and virtual machine nodes.
Any terminal U_i selects a random number, generates the pseudonym VX'_i from it, and sends its true identity UID_i together with the pseudonym VX'_i to HC.
From the received true identity UID_i and pseudonym VX'_i of terminal U_i, HC uses its own private key to compute another pseudonym VX''_i for terminal U_i; the pseudonym VX'_i and the other pseudonym VX''_i together form the complete virtual identity of terminal U_i, VX_i = {VX'_i, VX''_i}.
HC checks the legitimacy of the terminal identity C_i. If it is legitimate, HC computes VX''_i = UID_i ⊕ h(s, VX_i).
HC generates a private key s_i and a public key parameter W_i for terminal U_i, and sends the complete virtual identity VX_i, the private key s_i and the public key parameter W_i to terminal U_i over a secure channel.
HC randomly chooses w_i and computes W_i = h_1(VX_i, w_i), then sends {VX_i, W_i, s_i} to terminal U_i over the secure channel.
Terminal U_i verifies the legitimacy of the received private key s_i using the system parameters and the public key parameter W_i. If the verification passes, it accepts s_i, selects a random number as its own trapdoor x_i, and uses the trapdoor x_i to generate its public key PK_i. The trapdoor x_i and the private key s_i together form the complete private key (x_i, s_i) of terminal U_i; the public key PK_i and the public key parameter W_i together form the complete public key (PK_i, W_i) of terminal U_i.
Before terminal U_i sends a message to any virtual machine node, it computes:
b_i = h_1(VX_i, X_i)
y_i = s_i + b_i x_i
where b_i denotes the hash value of terminal U_i, h_1(·) denotes a hash function, and y_i denotes the static signature of terminal U_i.
When terminal U_i decides to send a message m to virtual machine node S_j, it generates the online signature from the message m and the parameters b_i and y_i, and encrypts it:
h_i = h_2(m, VX_i, X_i, t)
σ_i = h_i y_i
Q_i = E(VX_i || σ_i || W_i || PK_i)
where t is the current time, || denotes string concatenation, and Q_i denotes the ciphertext of terminal U_i.
Terminal U_i sends the message-signature parameters {Q_i, t} to virtual machine node S_j.
If virtual machine node S_j receives the parameters of n message signatures within a period of time, with n > 1, S_j uses its own private key sk_j and the n received message-signature parameters to batch-verify the n message signatures. If they are valid, (Q_i || sk_j) is used as the session token between virtual machine node S_j and terminal U_i; otherwise virtual machine node S_j refuses to exchange messages with the n terminals.
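The registration and tracing steps of the traceable authentication above, as an added example that is not code from the patent or its applicant. It demonstrates the property the description relies on: virtual machine nodes only ever see the virtual identity VX_i, yet HC can recover UID_i from VX''_i with its secret s and can tell an issued pseudonym from a forged one. It also computes b_i, y_i, h_i and σ_i as written. Everything is constructed: p and the generator, the SHA-256 stand-ins for h, h_1, h_2, and the HC registry. Where the page is silent, the code states its assumptions: the keyed hash inside VX''_i takes VX'_i as input (VX''_i cannot be an input to its own definition), scalar arithmetic is reduced modulo p, and PK_i = g^x_i mod p. The encryption E(·) and the batch-verification equation used by S_j are not defined on the page and are deliberately not reproduced.

```python
"""Added example (not from the patent): traceable pseudonyms and the per-message
signature parameters. Parameters, hash stand-ins and the registry are constructed."""
import hashlib
import secrets

P = (1 << 521) - 1  # the "large prime p" of the system parameters (constructed choice)
G = 2               # constructed generator used to derive PK_i from the trapdoor x_i
UID_LEN = 32        # constructed: UIDs are padded to 32 bytes so they XOR with a 256-bit hash


def H(label: bytes, *parts: bytes) -> int:
    """Domain-separated SHA-256 standing in for h, h_1, h_2; returns a 256-bit integer."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def i2b(x: int, n: int = 66) -> bytes:
    """Fixed-width big-endian encoding (66 bytes holds any value below 2^521)."""
    return x.to_bytes(n, "big")


class HybridCloud:
    """HC: holds the secret s, issues pseudonyms and keys, traces misbehaving terminals."""

    def __init__(self):
        self.s = secrets.randbelow(P)
        self.issued = {}  # VX'_i -> UID_i (assumption: HC records what it issued)

    def _mask(self, vx1: bytes) -> int:
        return H(b"h", i2b(self.s), vx1)   # h(s, .) keyed with HC's secret; assumption: input is VX'_i

    def register(self, uid: bytes, vx1: bytes):
        """Terminal sends (UID_i, VX'_i); HC returns (VX_i, W_i, s_i) over a secure channel."""
        assert len(uid) <= UID_LEN
        uid_int = int.from_bytes(uid.rjust(UID_LEN, b"\0"), "big")
        vx2 = i2b(uid_int ^ self._mask(vx1), UID_LEN)   # VX''_i = UID_i XOR h(s, .)
        vx = vx1 + vx2                                  # complete virtual identity VX_i
        w_i = secrets.randbelow(P)
        W_i = H(b"h1", vx, i2b(w_i))                    # W_i = h_1(VX_i, w_i)
        s_i = secrets.randbelow(P)                      # terminal private key issued by HC
        self.issued[vx1] = uid
        return vx, W_i, s_i

    def trace(self, vx: bytes):
        """Given only the pseudonym a VM node saw, recover UID_i; None if HC never issued it."""
        vx1, vx2 = vx[:-UID_LEN], vx[-UID_LEN:]
        uid = i2b(int.from_bytes(vx2, "big") ^ self._mask(vx1), UID_LEN).lstrip(b"\0")
        return uid if self.issued.get(vx1) == uid else None


class Terminal:
    def __init__(self, uid: bytes, hc: HybridCloud):
        self.vx1 = secrets.token_bytes(16)              # VX'_i generated from a random number
        self.vx, self.W_i, self.s_i = hc.register(uid, self.vx1)
        self.x_i = secrets.randbelow(P - 2) + 2         # trapdoor x_i
        self.PK_i = pow(G, self.x_i, P)                 # public key derived from the trapdoor
        # static signature, computed once before talking to any VM node
        self.b_i = H(b"h1", self.vx, i2b(self.PK_i))     # b_i = h_1(VX_i, X_i)
        self.y_i = (self.s_i + self.b_i * self.x_i) % P # y_i = s_i + b_i * x_i (mod p assumed)

    def sign(self, m: bytes, t: int) -> dict:
        """Online signature for message m at time t: the fields that would enter Q_i."""
        h_i = H(b"h2", m, self.vx, i2b(self.PK_i), i2b(t, 8))  # h_i = h_2(m, VX_i, X_i, t)
        sigma_i = (h_i * self.y_i) % P                        # sigma_i = h_i * y_i
        return {"VX": self.vx, "sigma": sigma_i, "W": self.W_i, "PK": self.PK_i, "t": t}


def demo():
    """Constructed run: one registered terminal and one forged pseudonym.
    Returns (UID traced from the real pseudonym, result of tracing the forged one)."""
    hc = HybridCloud()
    alice = Terminal(b"alice@example.com", hc)
    packet = alice.sign(b"GET /vm/compute", t=1523358000)
    traced = hc.trace(packet["VX"])              # a VM node reports the pseudonym it saw
    forged = secrets.token_bytes(16 + UID_LEN)   # a pseudonym HC never issued
    return traced, hc.trace(forged)
```

Tracing depends entirely on s staying inside HC: anyone holding s can unmask every VX''_i, so the secret deserves the same handling as a CA key. The forged-pseudonym case shows the detection side: without s nobody can produce a VX''_i that unmasks to a registered UID.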
In conclusion the present invention proposes a kind of safe computational methods of low delay based on cloud, pass through the business to terminal Request is encrypted, and realizes the safety verification to Operational Visit in mixed cloud, improves the Information Security of mixed cloud.
Obviously, it should be appreciated by those skilled in the art, each module of the above invention or each steps can be with general Computing system realize that they can be concentrated in single computing system, or be distributed in multiple computing systems and formed Network on, optionally, they can be realized with the program code that computing system can perform, it is thus possible to they are stored It is executed within the storage system by computing system.In this way, the present invention is not limited to any specific hardware and softwares to combine.
It should be understood that the above-mentioned specific implementation mode of the present invention is used only for exemplary illustration or explains the present invention's Principle, but not to limit the present invention.Therefore, that is done without departing from the spirit and scope of the present invention is any Modification, equivalent replacement, improvement etc., should all be included in the protection scope of the present invention.In addition, appended claims purport of the present invention Covering the whole variations fallen into attached claim scope and boundary or this range and the equivalent form on boundary and is repairing Change example.

Claims (4)

1. A cloud-based low-delay secure computing method, characterized in that it comprises:
receiving terminal ID information and judging whether the terminal is a registered terminal;
if so, generating a first digital certificate according to the terminal ID information;
looking up the terminal fingerprint information and the authentication server authorization private key in the local storage pool;
encrypting the first digital certificate with the terminal fingerprint information to obtain a first ciphertext;
encrypting the first digital certificate and the terminal ID information with the authentication server authorization private key to obtain a second ciphertext;
looking up the terminal's permission list information in the local storage pool and generating a second digital certificate;
encrypting the second digital certificate with the terminal fingerprint information;
encrypting the second digital certificate and the terminal ID information with the target virtual machine cluster identity information;
and sending the encrypted second digital certificate and terminal ID information to the terminal.
2. The method according to claim 1, characterized in that receiving the terminal ID information and judging whether the terminal is a registered terminal further comprises:
the terminal sending its own ID, i.e. the UID, to the authentication server;
the authentication server querying the local storage pool to check whether the terminal UID has been stored.
3. The method according to claim 1, characterized in that generating the first digital certificate according to the terminal ID information further comprises:
if the terminal has been registered, the authentication server generating digital certificate CTE1, which serves as the digital certificate between the terminal and the authentication server;
if the terminal is unregistered, the authentication server discarding the request message.
4. The method according to claim 1, characterized in that, after the first and second ciphertexts are obtained, the method further comprises:
sending the first ciphertext and the second ciphertext to the terminal, so as to receive from the terminal the second ciphertext and a third ciphertext encrypted with the first digital certificate, the third ciphertext containing the terminal ID information to be verified and the requested business ID.
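The certificate-issuance steps of claim 1, with the registration check of claims 2 and 3, as an added example that is not code from the patent or its applicant. It is written as one authentication-server routine so that the nesting of the three encryptions is visible, i.e. which party can open which ciphertext: the fingerprint-wrapped certificate for the device, the authorization-key-wrapped copy that only the server can reopen, and the cluster-identity-wrapped bundle that passes through the terminal opaquely. Everything is constructed: the local storage pool is a dict, the certificates are JSON, and enc()/dec() are a SHA-256 keystream standing in for the cipher, which the claims do not name (a deployment would use an authenticated cipher and real key material rather than raw fingerprint or identity bytes).

```python
"""Added example (not from the patent): claim 1 on the authentication server.
Storage pool, keys and certificates are constructed; enc()/dec() are a demo cipher."""
import hashlib
import json
import secrets

NONCE_LEN = 12
SEP = b"|"   # separator between a certificate blob and the terminal ID (ID contains no '|')


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]


def enc(key: bytes, data: bytes) -> bytes:
    """Demo stand-in for 'encrypt with <key material>': nonce || data XOR keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def dec(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed local storage pool: fingerprint and permission list per registered terminal.
LOCAL_POOL = {
    "UID-0001": {"fingerprint": b"fp:constructed-device-hash-0001",
                 "permissions": ["vm.read", "vm.exec"]},
}
SERVER_AUTH_PRIVATE_KEY = b"auth-server-authorization-private-key (constructed)"


def issue_certificates(terminal_uid: str, target_cluster_identity: bytes):
    """Claim 1 on the authentication server. Returns None for an unregistered terminal
    (claim 3: the request message is discarded)."""
    record = LOCAL_POOL.get(terminal_uid)          # claim 2: is the UID in the storage pool?
    if record is None:
        return None
    uid = terminal_uid.encode()
    # first digital certificate CTE1: the certificate between terminal and server
    cte1 = json.dumps({"subject": terminal_uid, "issuer": "auth-server",
                       "serial": secrets.token_hex(8)}).encode()
    first_ciphertext = enc(record["fingerprint"], cte1)                 # openable by this device only
    second_ciphertext = enc(SERVER_AUTH_PRIVATE_KEY, cte1 + SEP + uid)  # openable by the server only
    # second digital certificate: carries the permission list for the VM cluster
    cte2 = json.dumps({"subject": terminal_uid, "permissions": record["permissions"]}).encode()
    inner = enc(record["fingerprint"], cte2)
    for_cluster = enc(target_cluster_identity, inner + SEP + uid)       # opaque to the terminal
    return {"first": first_ciphertext, "second": second_ciphertext, "to_terminal": for_cluster}


def open_first(bundle: dict, fingerprint: bytes) -> dict:
    """What the terminal recovers from the first ciphertext with its own fingerprint."""
    return json.loads(dec(fingerprint, bundle["first"]))


def open_for_cluster(bundle: dict, target_cluster_identity: bytes, fingerprint: bytes) -> dict:
    """What the target cluster recovers, given its identity and the terminal's fingerprint on file.
    rsplit on the last separator is safe because the UID itself contains no '|'."""
    inner, uid = dec(target_cluster_identity, bundle["to_terminal"]).rsplit(SEP, 1)
    cte2 = json.loads(dec(fingerprint, inner))
    return {"uid": uid.decode(), "permissions": cte2["permissions"]}
```

The point to take from the layering is key separation: compromising the terminal's fingerprint exposes the certificates for that one device, but not the server-wrapped copy used for the later verification in claim 4, and the cluster bundle cannot be read or altered in transit by the terminal that carries it.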
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810317985.9A CN108449358B (en) 2018-04-10 2018-04-10 Cloud-based low-delay secure computing method

Publications (2)

Publication Number Publication Date
CN108449358A (en) 2018-08-24
CN108449358B CN108449358B (en) 2021-04-09

Family

ID=63199148


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210322

Address after: 518000 No. 7018 CaiTian Road, Lianhua village community, Huafu street, Futian District, Shenzhen City, Guangdong Province a2701, a2702, a2703, a2705, a2706, Xinhao Yidu

Applicant after: Shenzhen UnionPay easy financial services Co.,Ltd.

Address before: No. 28-2, Zhongtian village group, Qinggang village committee, Tianxing Town, Daguan County, Zhaotong City, Yunnan Province

Applicant before: Xiao Hengnian

GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210409