CN108449358B - Cloud-based low-delay secure computing method - Google Patents
- Publication number: CN108449358B (application CN201810317985.9A)
- Authority: CN (China)
- Prior art keywords: terminal, virtual machine, service, information, authentication server
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classifications (CPC): H04L63/0823 (authentication of entities using certificates); H04L63/0428 (confidential data exchange where the payload is protected, e.g. by encrypting or encapsulating it); H04L63/08 (authentication of entities); H04L63/083 (authentication of entities using passwords); H04L63/0876 (authentication based on the identity or configuration of the terminal, e.g. MAC address, hardware or software configuration, or device fingerprint)
Abstract
The invention provides a cloud-based low-delay secure computing method, which comprises the following steps: generating a first digital certificate according to the ID information of the terminal; retrieving terminal fingerprint information and an authentication server authorization private key from a local storage pool; encrypting the first digital certificate according to the terminal fingerprint information to obtain a first ciphertext; encrypting the first digital certificate and the terminal ID information according to the authentication server authorization private key to obtain a second ciphertext; retrieving authority list information of the terminal from a local storage pool, and generating and encrypting a second digital certificate; encrypting a second digital certificate and terminal ID information according to the target virtual machine cluster identification information; and sending the encrypted second digital certificate and the terminal ID information to the terminal. The invention provides a cloud-based low-delay security computing method, which realizes security verification on service access in a hybrid cloud by encrypting a service request of a terminal, and improves the data security of the hybrid cloud.
Description
Technical Field
The invention relates to cloud computing, and in particular to a cloud-based low-latency secure computing method.
Background
A hybrid cloud connects public and private terminal nodes through a computer network. The management node and the stored data are distributed across different nodes, and services such as file storage, reading, writing and deletion are provided to many terminals. The existing hybrid cloud architecture uses a single name node to manage the named resources of the whole hybrid cloud cluster; this keeps the system control logic simpler and easier to manage, but it also introduces weaknesses in reliability and security. Traditional hybrid clouds assume that the cloud platform is always in a trusted environment and is used only by trusted terminals. However, an illegitimate terminal can impersonate a trusted terminal and access that terminal's data in the hybrid cloud.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a cloud-based low-latency secure computing method, which comprises the following steps:
receiving terminal ID information, and judging whether the terminal is a registered terminal;
if yes, generating a first digital certificate according to the terminal ID information;
retrieving terminal fingerprint information and an authentication server authorization private key from a local storage pool;
encrypting the first digital certificate according to the terminal fingerprint information to obtain a first ciphertext;
encrypting the first digital certificate and the terminal ID information according to the authentication server authorization private key to obtain a second ciphertext;
retrieving authority list information of the terminal from a local storage pool, and generating a second digital certificate;
encrypting a second digital certificate according to the terminal fingerprint information;
encrypting a second digital certificate and terminal ID information according to the target virtual machine cluster identification information;
and sending the encrypted second digital certificate and the terminal ID information to the terminal.
Preferably, the receiving the terminal ID information, determining whether the terminal is a registered terminal, further includes:
the terminal sends the ID of the terminal, namely the UID, to the authentication server;
the authentication server retrieves whether the terminal UID has been stored by querying the local storage pool.
Preferably, the generating a first digital certificate according to the terminal ID information further includes:
if the terminal is registered, the authentication server generates a digital certificate CTE1 as a digital certificate between the terminal and the authentication server;
if the terminal is not registered, the authentication server discards the request message.
Preferably, after obtaining the first and second ciphertexts, the method further comprises:
and sending the first ciphertext and the second ciphertext to a terminal to receive the second ciphertext returned by the terminal and a third ciphertext encrypted by the first digital certificate, wherein the third ciphertext comprises the terminal ID information to be verified and the requested service ID.
Compared with the prior art, the invention has the following advantages:
the invention provides a cloud-based low-delay security computing method, which realizes security verification on service access in a hybrid cloud by encrypting a service request of a terminal, and improves the data security of the hybrid cloud.
Drawings
Fig. 1 is a flow diagram of a cloud-based low-latency secure computing method according to an embodiment of the present invention.
Detailed Description
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the invention provides a cloud-based low-latency secure computing method. Fig. 1 is a flow diagram of a cloud-based low-latency secure computing method according to an embodiment of the invention. The method of the invention comprises the following steps:
1. receiving terminal ID information, judging whether a terminal is a registered terminal, if so, generating a first digital certificate according to the terminal ID information, retrieving terminal fingerprint information and an authentication server authorization private key from a local storage pool, encrypting the first digital certificate according to the terminal fingerprint information to obtain a first ciphertext, and encrypting the first digital certificate and the terminal ID information according to the authentication server authorization private key to obtain a second ciphertext.
Specifically, the terminal transmits its ID, i.e., UID, to the authentication server, and the authentication server searches whether or not the terminal UID is stored by inquiring the local storage pool. If the terminal is registered, the authentication server generates a digital certificate CTE1 as a digital certificate between the terminal and the authentication server. If the terminal is not registered, the authentication server discards the request message.
The authentication server copies the generated CTE1, retrieves the terminal's fingerprint information and its own authorization private key from the local storage pool, encrypts one copy of CTE1 with the terminal's fingerprint information, and encrypts the package containing CTE1 and the terminal UID with its own authorization private key. The authentication server then sends back to the terminal two messages, encrypted respectively under the terminal fingerprint information and under its own authorization private key, denoted E_user_fp(CTE1) and E_AS_fp(CTE1+UID).
2. And sending the first ciphertext and the second ciphertext to a terminal to receive the second ciphertext returned by the terminal and a third ciphertext encrypted by the first digital certificate, wherein the third ciphertext comprises the terminal ID information to be verified and the requested service ID.
Specifically, after receiving the information returned by the authentication server, the terminal decrypts CTE1 using its own fingerprint information, then encrypts the UID and the requested service ID with CTE1 to produce E_CTE1(UID + requested service ID), and sends this together with E_AS_fp(CTE1+UID) to the authentication server.
3. Decrypting the third ciphertext according to the first digital certificate to obtain the ID information of the terminal to be verified, and determining from the consistency of the terminal ID information and the terminal ID information to be verified that the terminal has the access right to the service execution virtual machine.
Specifically, the authentication server decrypts E_AS_fp(CTE1+UID) using its own authorization private key to obtain CTE1 and the UID, then uses CTE1 to decrypt E_CTE1(UID + requested service ID) to obtain the UID and the requested service ID. It compares whether the two UIDs obtained are the same; if so, the authentication server's authentication of the terminal is complete, and the terminal is granted access to the execution virtual machine to which the service belongs.
4. Retrieving authority list information of the terminal from a local storage pool, generating a second digital certificate, encrypting the second digital certificate according to the terminal fingerprint information to obtain a fourth ciphertext, encrypting the second digital certificate and the terminal ID information according to the target virtual machine cluster identification information, and generating a fifth ciphertext; and sending the fourth ciphertext and the fifth ciphertext to the terminal.
Specifically, the authentication server searches the terminal database, extracts the terminal's authority list and judges whether the terminal has access authority to the virtual machine cluster. If not, the virtual machine cluster system suspends service to the terminal. If so, the authentication server generates a CTE2 and copies it, encrypts one copy of CTE2 together with the address of the service execution virtual machine using the terminal's fingerprint information, encrypts the other copy of CTE2 together with the UID using the identification of the service execution virtual machine to be accessed, and sends E_user_fp(CTE2 + virtual machine cluster address) and E_VM_fp(CTE2+UID) to the terminal.
Here E_user_fp, E_AS_fp, E_CTE1 and E_VM_fp denote the encryption functions keyed respectively by the terminal fingerprint information, the authentication server authorization private key, the first digital certificate, and the service execution virtual machine identification.
By the method, the terminal identity authentication in the authentication server in the hybrid cloud and the encrypted distribution of the terminal access authority are realized, and the data security of the hybrid cloud is improved.
On the basis of the above embodiment, the method further includes: converting each character in the requested service ID into a corresponding number, and computing the virtual machine cluster identification from those numbers.
Specifically, after receiving the service ID requested by a terminal, the authentication server analyzes the requested service ID to determine the virtual machine cluster to which the service belongs, as follows: the authentication server converts the characters of the service ID one by one into corresponding numbers, sums all of them, divides the sum by the total number of virtual machine clusters, and takes the remainder as the identification of the virtual machine cluster to which the service belongs; this virtual machine cluster identification is the ID of the service execution virtual machine.
In the virtual machine cluster system, the path information of a service and the service data location information are stored separately, and the metadata is managed hierarchically.
The path information includes the service ID, the complete path of the service and the access rights of the service. The service data comprises the service data location information and records the mapping between service data and virtual machines. Different management policies are applied to the metadata path and to the service data.
The system stores the service path and the service data separately: it hashes the path of the service and substitutes the result into a load balancing function to obtain the ID of the service execution virtual machine that stores the service path. It then assigns the ID of a suitable execution virtual machine to the service data location information according to the current load of the virtual machine cluster.
The path is effectively distributed to each service execution virtual machine, and the path where the service is located is hashed to obtain a hash result, which is as follows:
result=Hash(path)
substituting the obtained result into a load balancing function f to obtain the ID of the service execution virtual machine stored in the service path, which is as follows:
ID=f(result)
the path data of the virtual machine cluster system can be uniformly distributed to the control nodes of each virtual machine cluster through the mapping of the load balancing function.
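The character-sum mapping for the requested service ID and the Hash(path) → f(result) mapping for the service path, as an added Go example that is not part of the patent. The patent names neither the hash function nor the load balancing function f, so 64-bit FNV-1a and reduction modulo the cluster or virtual machine count are assumptions, and the service IDs and paths are constructed. Distribution is added to compare the two schemes on the same keys: the character sum depends only on which characters occur, not on their order, so IDs that are permutations of each other always land on the same cluster.

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// ClusterIDFromServiceID implements the mapping described for the requested service ID:
// each character becomes its numeric code (the rune value is assumed), the codes are
// summed, and the remainder modulo the number of virtual machine clusters is the cluster
// identification, which the text equates with the service execution VM ID. clusterCount > 0.
func ClusterIDFromServiceID(serviceID string, clusterCount int) int {
	sum := 0
	for _, r := range serviceID {
		sum += int(r)
	}
	return sum % clusterCount
}

// HashPath is the Hash(path) step; 64-bit FNV-1a is a stand-in for the unnamed hash (assumption).
func HashPath(path string) uint64 {
	h := fnv.New64a()
	h.Write([]byte(path))
	return h.Sum64()
}

// LoadBalance is the load balancing function f, mapping the hash result onto the
// range of execution VM IDs; plain modulo is assumed.
func LoadBalance(result uint64, vmCount int) int {
	return int(result % uint64(vmCount))
}

// ExecVMIDForPath chains the two steps: ID = f(Hash(path)).
func ExecVMIDForPath(path string, vmCount int) int {
	return LoadBalance(HashPath(path), vmCount)
}

// Distribution counts how many keys land on each of n targets under the given mapping,
// so the spread of the two schemes can be compared on the same input.
func Distribution(keys []string, n int, mapping func(string, int) int) []int {
	counts := make([]int, n)
	for _, k := range keys {
		counts[mapping(k, n)]++
	}
	return counts
}

func main() {
	// Constructed sample IDs; the last two are anagrams of each other.
	ids := []string{"svc-001", "svc-010", "svc-100", "backup", "kcabup"}
	for _, id := range ids {
		fmt.Printf("service %-8s -> cluster %d (sum mod 4), exec VM %d (hash mod 4)\n",
			id, ClusterIDFromServiceID(id, 4), ExecVMIDForPath(id, 4))
	}
	fmt.Println("character-sum spread over 4 clusters:", Distribution(ids, 4, ClusterIDFromServiceID))
	fmt.Println("hash spread over 4 VMs:             ", Distribution(ids, 4, ExecVMIDForPath))
}
```

With the five constructed IDs the character sum places every one of them on cluster 2, whereas the hash spreads them; an operator relying on the sum for placement should expect hot spots whenever service IDs share a character set.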
On the basis of the above embodiment, the method further comprises a terminal registration step, in which the terminal connects to the authentication server and registers its terminal ID information, terminal fingerprint information and authority list information; the terminal fingerprint information is obtained by hashing the terminal password.
Specifically, the terminal connects to the authentication server to register its UID, password and service role domain, and the authentication server stores the terminal's registration information in the local storage pool. The password is hashed locally to obtain a hash value; this hash value is the fingerprint information by which the authentication server verifies the terminal's password. The service role domain is the domain the terminal applies to join at registration; after the terminal has successfully joined, the authentication server assigns it a role, and the terminal's access authority is bounded by its domain, its role and its access control information.
After receiving the information, the terminal decrypts E_user_fp(CTE2 + virtual machine cluster address) using its fingerprint information to obtain CTE2 and the virtual machine address, builds an authentication package consisting of the UID, the current time and the requested service ID, encrypts it with CTE2 to form E_CTE2(UID + current time + requested service ID), and sends it together with E_VM_fp(CTE2+UID) to the service execution virtual machine at that address.
The ID of a suitable execution virtual machine is assigned to the service data location information according to the current load of the virtual machine cluster; that is, the service data is distributed among the service execution virtual machines according to the current cluster load. Each service execution virtual machine in the cluster system periodically reports its load, comprising its CPU utilization and memory utilization, to the authentication server; once the authentication server has collected the load of the whole virtual machine cluster, the collected load information is sent to each service execution virtual machine. Each virtual machine maintains a cluster load queue, selects the most lightly loaded service execution virtual machine according to that queue, distributes the service data to that node, and records the node's ID in the node that stores the service path.
The service execution virtual machine then decrypts the fifth ciphertext using the target virtual machine cluster identification information, decrypts the sixth ciphertext using the second digital certificate, checks that the terminal ID information in the fifth ciphertext is consistent with the terminal ID information in the sixth ciphertext, and thereby authenticates the terminal's access right.
That is, the service execution virtual machine receives E_CTE2(UID + current time + requested service ID) and E_VM_fp(CTE2+UID), decrypts E_VM_fp(CTE2+UID) using its fingerprint information to obtain CTE2 and the UID, and then uses CTE2 to decrypt E_CTE2(UID + current time + requested service ID) to obtain the UID, the current time and the requested service ID. It compares whether the two UIDs are consistent; if so, the service execution virtual machine's authentication of the terminal is complete.
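The two authentication rounds, steps 1 to 3 with the authentication server and the repetition with the service execution virtual machine using CTE2 and the current time, as an added Go example; this is not code from the patent. The patent names neither the cipher nor the form of CTE1/CTE2, so AES-256-GCM and fresh random 32-byte certificates are assumptions; the authentication server's authorization private key and the virtual machine identification are used as symmetric keys exactly as the text uses them, and every password, UID, key seed and address below is constructed. Issue, Prove and Verify are the same code in both rounds, only the keys change: the ticket E_X(CTE+UID) is opaque to the terminal and can only be opened by the party that issued it, and what binds the two ciphertexts together is the UID comparison in Verify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const certLen = 32 // CTE1/CTE2 are modelled as fresh 32-byte symmetric keys (assumption)

// aead returns AES-256-GCM for a 32-byte key. The patent names no cipher; AES-GCM is an assumption.
func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is a 32-byte hash or random value
	}
	g, _ := cipher.NewGCM(blk)
	return g
}

// seal encrypts with a fresh random nonce prefixed to the ciphertext; open reverses it.
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := aead(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Fingerprint is the terminal fingerprint information: the hash of the terminal password (registration step).
func Fingerprint(password string) []byte { s := sha256.Sum256([]byte(password)); return s[:] }

// Issue builds one ticket pair. forUser = E_userKey(cert + userPayload) is for the terminal;
// ticket = E_issuerKey(cert + UID) is opaque to the terminal, which returns it unchanged.
// Round 1 (AS): issuerKey = AS authorization private key, userPayload empty.
// Round 2 (VM): issuerKey = service execution VM identification, userPayload = VM address.
func Issue(userKey, issuerKey []byte, uid string, userPayload []byte) (forUser, ticket []byte) {
	cert := make([]byte, certLen)
	if _, err := rand.Read(cert); err != nil {
		panic(err)
	}
	forUser = seal(userKey, append(append([]byte{}, cert...), userPayload...))
	ticket = seal(issuerKey, append(append([]byte{}, cert...), uid...))
	return
}

// Prove is the terminal side: recover the cert with its own key, then encrypt "claimedUID + body"
// under the cert. payload is whatever the issuer attached for the terminal (the VM address in round 2).
func Prove(userKey, forUser []byte, claimedUID string, body []byte) (req, payload []byte, err error) {
	pt, err := open(userKey, forUser)
	if err != nil || len(pt) < certLen {
		return nil, nil, errors.New("cannot recover certificate")
	}
	msg := make([]byte, 2+len(claimedUID)+len(body))
	binary.BigEndian.PutUint16(msg, uint16(len(claimedUID)))
	copy(msg[2:], claimedUID)
	copy(msg[2+len(claimedUID):], body)
	return seal(pt[:certLen], msg), pt[certLen:], nil
}

// Verify is the AS (round 1) or VM (round 2) side: open the ticket with its own key to get cert and UID,
// open the request with that cert, and accept only if the UID in the request equals the UID in the ticket.
func Verify(issuerKey, ticket, req []byte) (uid string, body []byte, err error) {
	tp, err := open(issuerKey, ticket)
	if err != nil || len(tp) < certLen {
		return "", nil, errors.New("bad ticket")
	}
	rp, err := open(tp[:certLen], req)
	if err != nil || len(rp) < 2 || len(rp) < 2+int(binary.BigEndian.Uint16(rp)) {
		return "", nil, errors.New("bad request")
	}
	n := int(binary.BigEndian.Uint16(rp))
	if uid = string(tp[certLen:]); string(rp[2:2+n]) != uid {
		return "", nil, errors.New("UID in request does not match UID in ticket")
	}
	return uid, rp[2+n:], nil
}

func main() {
	fp, asKey, vmKey := Fingerprint("pw-of-uid-42"), Fingerprint("as-key"), Fingerprint("vm-id-3") // constructed
	forUser, ticket := Issue(fp, asKey, "uid-42", nil)             // round 1: E_user_fp(CTE1), E_AS_fp(CTE1+UID)
	req, _, _ := Prove(fp, forUser, "uid-42", []byte("svc-007")) // E_CTE1(UID + requested service ID)
	uid, svc, err := Verify(asKey, ticket, req)
	fmt.Println("AS round:", uid, string(svc), err)
	forUser2, ticket2 := Issue(fp, vmKey, "uid-42", []byte("10.0.0.3"))     // round 2: CTE2 + VM address
	body := []byte(time.Now().UTC().Format(time.RFC3339) + "|svc-007") // current time + service ID
	req2, addr, _ := Prove(fp, forUser2, "uid-42", body)
	uid, svc, err = Verify(vmKey, ticket2, req2)
	fmt.Println("VM round to", string(addr)+":", uid, string(svc), err)
}
```

Verify enforces only the UID consistency the text describes; the current time carried in the round 2 body is returned to the caller unchecked, and a service execution virtual machine should additionally bound its age so that a captured request pair cannot be replayed after the window closes.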
And the service execution virtual machine generates access permission by combining the authority list information of the terminal, wherein the permission format is as follows:
licenseID={time,keyID,UID,taskID,mode};
where keyID is an incrementing value generated by the service execution virtual machine's counter. The mode, time and taskID fields respectively indicate the access mode, the validity period and the task number of the terminal's access to the service.
The service execution virtual machine transmits the generated license to the terminal, returns the service address to which the requested service belongs, and transmits the key to the corresponding virtual machine through a heartbeat signal. After receiving this information, the terminal transmits the taskID of the service to be accessed and the corresponding access license to the virtual machine.
By the method, the virtual machine access authority is provided for the terminal according to the secondary metadata, and the data security of the hybrid cloud is improved.
After the service execution virtual machine has authenticated the terminal, it requests the terminal's authority list information from the authentication server. Specifically, the service execution virtual machine requests the terminal's authority list information from the authentication server once authentication of the terminal is complete, and the authentication server, on receiving the request, sends the authority list information for that terminal ID to the service execution virtual machine.
After receiving the access license from the service execution virtual machine, the terminal transmits the taskID of the service to be accessed and the corresponding access license to the virtual machine; the virtual machine verifies the validity of the license on receipt, and the terminal is allowed to operate on the service once verification is complete.
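The license issued in the format licenseID={time,keyID,UID,taskID,mode} and the validity check the virtual machine performs when the terminal presents a taskID with it, as an added Go example that is not part of the patent. The text says the key reaches the holding virtual machine over a heartbeat; here a map keyed by keyID stands in for whatever the heartbeat delivered, the time field is modelled as an expiry instant, the mode values "read" and "write" are constructed, and the authority list is a constructed map from task to permitted modes. Validate rejects a license the VM never issued, one whose fields differ from the issued record, an expired one, and one presented for a different task or mode.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// License mirrors licenseID={time,keyID,UID,taskID,mode}. Time is the validity period
// (modelled as an expiry instant), KeyID the VM counter value, Mode the access mode.
type License struct {
	Time   time.Time
	KeyID  uint64
	UID    string
	TaskID string
	Mode   string
}

// Issuer is the service execution virtual machine's license counter plus the licenses it has
// handed out, keyed by KeyID (standing in for the key delivered over the heartbeat; assumption).
type Issuer struct {
	mu      sync.Mutex
	counter uint64
	issued  map[uint64]License
}

func NewIssuer() *Issuer { return &Issuer{issued: map[uint64]License{}} }

// Grant combines the terminal's authority list (modes it may use per task) with the request;
// a request outside the authority list yields no license.
func (is *Issuer) Grant(uid, taskID, mode string, allowed map[string][]string, ttl time.Duration, now time.Time) (License, error) {
	permitted := false
	for _, m := range allowed[taskID] {
		if m == mode {
			permitted = true
		}
	}
	if !permitted {
		return License{}, errors.New("authority list does not permit " + mode + " on " + taskID)
	}
	is.mu.Lock()
	defer is.mu.Unlock()
	is.counter++ // keyID is the counter's incrementing value
	lic := License{Time: now.Add(ttl), KeyID: is.counter, UID: uid, TaskID: taskID, Mode: mode}
	is.issued[lic.KeyID] = lic
	return lic, nil
}

// Validate is the virtual machine's check when a terminal presents taskID plus license: the license
// must be one this VM issued (by keyID), identical to the issued record, unexpired, and for this task and mode.
func (is *Issuer) Validate(presented License, taskID, mode string, now time.Time) error {
	is.mu.Lock()
	known, ok := is.issued[presented.KeyID]
	is.mu.Unlock()
	switch {
	case !ok:
		return errors.New("unknown keyID")
	case known != presented:
		return errors.New("license does not match the issued record")
	case now.After(known.Time):
		return errors.New("license expired")
	case known.TaskID != taskID:
		return errors.New("license is for a different task")
	case known.Mode != mode:
		return errors.New("mode not covered by license")
	}
	return nil
}

func main() {
	is := NewIssuer()
	now := time.Now()
	allowed := map[string][]string{"task-1": {"read"}} // authority list from the AS (constructed)
	lic, err := is.Grant("uid-42", "task-1", "read", allowed, 10*time.Minute, now)
	fmt.Printf("granted %+v (err=%v)\n", lic, err)
	fmt.Println("validate now:  ", is.Validate(lic, "task-1", "read", now))
	fmt.Println("validate later:", is.Validate(lic, "task-1", "read", now.Add(time.Hour)))
}
```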
During a service query, the terminal sends the access license and a data request to the corresponding virtual machine nodes; the service is divided into task blocks of equal size, and the process returns all task blocks of the service to the terminal concurrently. When the end of a block has been read, the link to that virtual machine is closed and the next virtual machine is selected to obtain the next service data. When the terminal connects directly to a virtual machine to find the corresponding block for a service query, the check code is verified first to detect whether the data read is valid; if it is valid it is read directly, and if it is invalid a request is sent to the service execution virtual machine, the data is read from the backup virtual machine node, and the backup virtual machine then synchronizes the valid data to the execution virtual machine.
In the service submission process, the virtual machine completes a series of verification steps; once the terminal's write to the service is confirmed to be permitted, a service data creation instruction is sent to the virtual machine and the block address on the virtual machine is returned to the terminal. The terminal then establishes a connection with the virtual machine and requests to submit the service to the service data allocated by the service execution virtual machine; the virtual machine allocates an actual submittable address within a block, sets an offset ID, divides the service into task blocks of equal size, and uploads them to the virtual machine's upload buffer. After the submission is complete, the terminal can disconnect from the virtual machine.
When the virtual machine receives the service submitted by the terminal, the service is written sequentially and asynchronously into the service data of the backup virtual machine: the execution virtual machine connects to the backup virtual machine and submits the service into the backup virtual machine in the same way. After both the primary and the backup virtual machine have completed the submission, the metadata is updated and the virtual machine releases the submission cache occupied by the service.
The service execution virtual machine contacts the authentication server and writes the service index into the index system. If either the execution virtual machine or the backup virtual machine fails to write from the upload cache to disk, the execution virtual machine asks the service execution virtual machine to allocate another service data area for writing. In this way, after the terminal identity has been authenticated twice, query and submission of hybrid cloud service data are carried out.
In the above embodiment of the present invention, the service data is further transferred to a cache node or to the storage pool according to the service access frequency, so that service data with different access frequencies running in the hybrid cloud can be read quickly. The method specifically comprises the following steps:
Step 1: if the terminal fails to apply for resources from the virtual machine nodes of the hybrid cloud, send a command to transfer the cache data of the virtual machine node.
Step 2: calculate the size of the transferable resources in the virtual machine node, and if the size of the transferable resources meets the service's requirement for virtual machine node resources, set a transfer address in the hybrid cloud built on the cache node and the storage pool according to the access frequency of the virtual machine node's transferable cache data.
Step 3: release the transferable cache data in the virtual machine node, transfer it to the transfer address, modify the persistence level of the transferable cache data in the virtual machine node, and feed back a transfer success signal together with the transfer information.
Wherein, step 1 preferably further comprises:
calculating the size of the virtual machine node resources that executing the service on the service data will occupy, applying for resources from the virtual machine nodes of the hybrid cloud, and comparing the size of the resources occupied by the service with the unoccupied resources of the virtual machine node. Specifically, the task scheduler of the hybrid cloud schedules the service; when the service runs, the resources execute the service on the service data identified and cached by the terminal, then try to apply for resources from the virtual machine node of the hybrid cloud, and if the application succeeds the service data is stored directly.
If the size of the virtual machine node resources occupied by the service is larger than the unoccupied resources of the virtual machine node, the application for resources from the hybrid cloud virtual machine node fails, and at the same time a command to transfer the virtual machine node's transferable cache data is sent together with the size of the virtual machine node resources occupied by the service.
By introducing the cache nodes and the storage pool to construct the hybrid cloud and transferring the service data to the cache nodes or the storage pool according to the service access frequency, the huge requirement of the cache of the hybrid cloud service data on the storage area resources is relieved.
The step 2 preferably further comprises:
an application to transfer virtual machine node resources is sent to the virtual machine node because the storage resources required to execute the service on the service data are insufficient; after the virtual machine node receives the application sent by the transfer logic unit, it judges whether it has transferable resources. If the application succeeds, the size of the transferable resources in the virtual machine node is calculated according to the replacement strategy.
If the size of the transferable resources in the virtual machine node is larger than or equal to the size of the resources occupied by executing the service on the service data, a transfer address in the hybrid cloud built on the cache node and the storage pool is set according to the access frequency of the virtual machine node's transferable cache data.
If the size of the transferable resources in the virtual machine node is smaller than the size of the resources occupied by executing the service on the service data, the transfer task for the virtual machine node's transferable cache data is terminated and a failure signal for the transfer of the virtual machine node's transferable cache data is fed back.
After the access frequency of the virtual machine node's transferable cache data has been determined: if it lies within the first preset service access frequency range, the cache node address is read and set as the transfer address; the first preset service access frequency range is higher than the access frequency of the virtual machine node's transferable cache data, and the specific access frequency ranges can be set freely by the terminal. If the access frequency of the virtual machine node's transferable cache data lies within the second preset service access frequency range, the storage pool address is read and set as the transfer address.
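Steps 1 to 3 of the cache transfer procedure, from the failed resource application through the transferable-size comparison to the choice of transfer address by access frequency, as an added Go example that is not part of the patent. The resource units, access frequencies, node addresses and the cache entries are constructed; the two preset frequency ranges are reduced to a single boundary HotMin on the assumption that the first (cache node) range is the higher-frequency one, and the persistence level is modelled as a flag. Relieve returns the transfer information on success and an error standing in for the transfer failure signal when even moving every transferable entry would not cover the service's requirement.

```go
package main

import (
	"errors"
	"fmt"
)

// CacheEntry is one piece of transferable cache data on a virtual machine node. Sizes are in
// abstract units and AccessFreq is accesses per hour; all values below are constructed.
type CacheEntry struct {
	Name       string
	Size       int
	AccessFreq float64
	Persistent bool // the "persistence level" modified once the data lives at the transfer address
}

// Node is the virtual machine node's resource view: unoccupied resources plus the cache data
// that the replacement strategy marks as transferable.
type Node struct {
	Free         int
	Transferable []CacheEntry
}

// Ranges holds the preset access frequency ranges and the addresses read for each of them.
// A single boundary HotMin separates the first (cache node) range from the second (storage pool).
type Ranges struct {
	HotMin    float64
	CacheAddr string
	PoolAddr  string
}

// Transfer is one item of the transfer information fed back with the success signal.
type Transfer struct {
	Entry CacheEntry
	To    string
}

// Apply is step 1: the resource application succeeds when the service fits in the unoccupied resources.
func Apply(n Node, needed int) bool { return needed <= n.Free }

// TransferableSize is the first half of step 2: the size computed under the replacement strategy.
func TransferableSize(n Node) int {
	total := 0
	for _, e := range n.Transferable {
		total += e.Size
	}
	return total
}

// TransferAddress is the second half of step 2: the address chosen by the entry's access frequency.
func TransferAddress(e CacheEntry, r Ranges) string {
	if e.AccessFreq >= r.HotMin {
		return r.CacheAddr
	}
	return r.PoolAddr
}

// Relieve runs steps 1 to 3 together and returns the node after the transfer plus the transfer
// information, or an error standing in for the transfer failure signal.
func Relieve(n Node, needed int, r Ranges) (Node, []Transfer, error) {
	if Apply(n, needed) {
		return n, nil, nil // step 1 succeeded: the service data is stored directly
	}
	if TransferableSize(n) < needed {
		return n, nil, errors.New("transferable cache data is smaller than the service requirement")
	}
	var done []Transfer
	for _, e := range n.Transferable {
		n.Free += e.Size    // step 3: release the data on the node
		e.Persistent = true // and modify its persistence level
		done = append(done, Transfer{Entry: e, To: TransferAddress(e, r)})
	}
	n.Transferable = nil
	return n, done, nil
}

func main() {
	r := Ranges{HotMin: 100, CacheAddr: "cache-node-1", PoolAddr: "storage-pool-a"}
	n := Node{Free: 10, Transferable: []CacheEntry{{Name: "hot", Size: 30, AccessFreq: 500}, {Name: "cold", Size: 20, AccessFreq: 2}}}
	out, done, err := Relieve(n, 40, r)
	fmt.Printf("free after transfer: %d, err: %v\n", out.Free, err)
	for _, t := range done {
		fmt.Printf("moved %s (%d units, %.0f/h) to %s\n", t.Entry.Name, t.Entry.Size, t.Entry.AccessFreq, t.To)
	}
	_, _, err = Relieve(n, 60, r)
	fmt.Println("requirement of 60:", err)
}
```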
The terminal establishes a trusted process for the mobile service application using memory mapping and security isolation, and sends the running log of the started hybrid cloud service application to the hybrid cloud authentication server, so that the hybrid cloud can remotely authenticate and monitor the terminal's running data for the service application and the confidentiality of the terminal key and data is protected. Specifically:
the terminal creates a trusted process corresponding to the service application, allocates a memory for the trusted process and transfers the service application to the trusted process memory resource;
calling a memory reading function and an analysis function in the trusted process to obtain a first verification vector of the service application in the local;
packaging the first verification vector into a cloud verification request, sending the cloud verification request to the authentication server, so that the authentication server matches the first verification vector with a second verification vector of the service application on the authentication server, and sending a protected authentication result to the terminal according to a matching result;
judging whether to trust the authentication result; when the authentication result is judged to be trusted, the service application is allowed to be started at the terminal;
and sending the started running data of the service application to the authentication server in a log mode so as to enable the authentication server to remotely authenticate and monitor the running data of the service application.
The specific steps for creating the trusted process corresponding to the service application are as follows:
first, load the virtual machine image to be run onto disk;
second, encrypt the code and data of the service application to be loaded;
third, load the encrypted code and data of the service application into a loader first, in preparation for loading them into the trusted process;
fourth, dynamically request the construction of a privileged process, namely the trusted process;
fifth, decrypt the code and data of the service application to be loaded, page by page through the page cache;
sixth, after verifying that the decrypted service application and data are trustworthy, load the code and data of the service application into the trusted process and copy the cache contents of each loaded page into it;
seventh, start the trusted process initialization routine, forbid any further loading or verification of page cache, generate a trusted process identity token, and encrypt the token so that the identity of the trusted process can later be recovered and verified;
eighth, on starting the initialization routine the trusted process initializes a separate, encrypted memory region; external access to the service application is restricted to the entry points identified in its code, and the trusted process is isolated from the other service applications running on the terminal.
Sending the running data of the started service application to the authentication server in the form of a log specifically comprises:
generating a log file from the running data inside the trusted process, and hashing the log file to obtain the server log hash value, namely the message MSG; digitally signing the message MSG, that is, applying the signing private key to MSG as an asymmetric operation; having the TPM hardware package the digital signature, the log file and the public key used to check the signature together into an assertion, and sending the assertion to the authentication server so that the authentication server performs the watermark signature check on the assertion and returns the result to the terminal; when the watermark signature check fails, the operation of the service application is terminated.
The watermark signature check specifically comprises: the authentication server verifies the digital signature with the public key, recovering the message MSG (the server log hash value), and hashes the received log file itself to obtain the terminal log hash value, namely the message MD2. The authentication server then compares the server log hash value with the terminal log hash value. When the two are equal, the data is shown not to have been tampered with, the signature is accepted (the watermark signature succeeds) and the authentication server permits the terminal's data access; when they differ, the data has been tampered with, the signature is rejected (the watermark signature fails) and the authentication server refuses the terminal's data access.
Packaging the digital signature, the log file and the public key together into an assertion may take the form of an integrity protection assertion RL for the trusted process:
RL = HASH(I_PRO || I_fp || Random)
where I_PRO is a measurement of the code of the trusted process that generated the assertion, I_fp is the public key used to sign the trusted process before loading, Random is any random value, which the trusted process may specify when requesting verification of the assertion, and || denotes concatenation.
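The log attestation exchange described in the preceding paragraphs, as an added Go example that is not part of the patent: the terminal hashes its running log (MSG), signs the hash and bundles log, signature and public key into an assertion; the server recomputes the hash of the received log (MD2) and checks the signature over it; and RL is computed over length-prefixed fields. SHA-256, ECDSA P-256, the struct standing in for the TPM packaging, the pinned-key comparison and the sample log lines are assumptions and constructed inputs, not taken from the patent. The pinned-key comparison is the check a verifier needs: an assertion that carries its own public key proves nothing unless that key is already bound to the terminal, otherwise an altered log simply arrives re-signed with a different key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Assertion is what the TPM packages on the terminal: log file, signature
// over the log hash (MSG) and the public key to check it with. The TPM
// packaging itself is assumed and reduced to a struct here.
type Assertion struct {
	LogFile   []byte
	Signature []byte
	PubKey    *ecdsa.PublicKey
}

// logHash is MSG, the hash of the log file (SHA-256 is an assumption).
func logHash(log []byte) []byte {
	h := sha256.Sum256(log)
	return h[:]
}

// BuildAssertion is the terminal side: hash the running log, sign the hash
// with the trusted process's key (ECDSA P-256 is an assumption) and bundle.
func BuildAssertion(priv *ecdsa.PrivateKey, log []byte) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, logHash(log))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{LogFile: log, Signature: sig, PubKey: &priv.PublicKey}, nil
}

// VerifyAssertion is the server side of the "watermark signature": rehash
// the received log (MD2) and check the signature over it. The key inside
// the assertion counts only if it equals the key pinned at registration;
// otherwise an altered log re-signed with an attacker's key would pass.
func VerifyAssertion(a Assertion, pinned *ecdsa.PublicKey) bool {
	if a.PubKey == nil || !pinned.Equal(a.PubKey) {
		return false
	}
	return ecdsa.VerifyASN1(a.PubKey, logHash(a.LogFile), a.Signature)
}

// IntegrityAssertion is RL = HASH(I_PRO || I_fp || Random). Fields are
// length-prefixed so moving bytes between them cannot yield the same RL.
func IntegrityAssertion(iPro, iFp, random []byte) string {
	var buf bytes.Buffer
	for _, part := range [][]byte{iPro, iFp, random} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		buf.Write(n[:])
		buf.Write(part)
	}
	sum := sha256.Sum256(buf.Bytes())
	return hex.EncodeToString(sum[:])
}

// RunScenario checks a genuine assertion over a constructed log, the same
// assertion with its log altered, and the altered log re-signed by a key
// the server never registered.
func RunScenario() (genuine, tampered, wrongKey bool, err error) {
	terminalKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	log := []byte("2018-04-10T09:00:01Z svc=order-query action=start pid=4211\n" + // constructed sample log
		"2018-04-10T09:00:02Z svc=order-query action=open file=/data/orders.db\n")
	a, err := BuildAssertion(terminalKey, log)
	if err != nil {
		return
	}
	genuine = VerifyAssertion(a, &terminalKey.PublicKey)
	bad := a // same signature, altered log: MD2 no longer matches MSG
	bad.LogFile = bytes.ReplaceAll(log, []byte("open"), []byte("delete"))
	tampered = VerifyAssertion(bad, &terminalKey.PublicKey)
	resigned, err := BuildAssertion(attackerKey, bad.LogFile)
	if err != nil {
		return
	}
	wrongKey = VerifyAssertion(resigned, &terminalKey.PublicKey)
	return
}

func main() {
	g, t, w, err := RunScenario()
	fmt.Printf("genuine=%v tampered=%v unregistered-key=%v err=%v\n", g, t, w, err)
	fmt.Println("RL =", IntegrityAssertion([]byte("code-measurement"), []byte("loader-pubkey"), []byte("nonce")))
}
```

The second and third cases are the two failure modes the text's hash comparison is meant to catch: a log changed after signing (MD2 differs from the signed MSG) and a log re-signed by someone other than the registered terminal (the hashes agree, so only the key pinning rejects it).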
In the authentication stage between the heterogeneous terminals and the hybrid cloud, the authentication server of the hybrid cloud preferably adopts a traceable authentication mode: a terminal that misbehaves can have its real identity traced, and an illegitimate user cannot obtain a service that the virtual machine would compute for a legitimate one. The traceable authentication method comprises the following steps:
The hybrid cloud HC initializes its public and private keys and the system parameters and publishes the system parameters, which include a security parameter λ and a large prime p. It also generates a public/private key pair for every virtual machine node; the public and private keys of an arbitrary virtual machine node S_j are denoted PK_j and sk_j. HC defines a cyclic additive group G of order q and hash functions h, h1, h2, h3.
HC selects a random number s, which it keeps secret; it is the value used below to compute and trace pseudonyms. Each virtual machine node S_j holds its private key sk_j and public key PK_j, and the public system parameters are preset on all terminals and virtual machine nodes.
Any terminal U_i selects a random number, generates a pseudonym VX'_i from it, and sends its real identity UID_i together with VX'_i to the hybrid cloud HC.
On receiving UID_i and VX'_i from terminal U_i, HC checks the validity of the terminal identity. If it is valid, HC uses its secret s to compute a second pseudonym
VX''_i = UID_i ⊕ h(s, VX_i)
and the two pseudonyms form the complete virtual identity of terminal U_i, VX_i = {VX'_i, VX''_i}. Because VX''_i is masked with a hash that only the holder of s can compute, HC can later recover UID_i from the virtual identity, which is what makes the authentication traceable.
HC then generates a private key s_i and a public key parameter W_i for terminal U_i: it selects a random number w_i and computes W_i = h1(VX_i, w_i). HC sends {VX_i, W_i, s_i} to terminal U_i over a secure channel.
Terminal U_i verifies the received private key s_i against the system parameters and the public key parameter W_i. If it is valid, U_i accepts s_i, selects a random number as its trapdoor x_i, and derives its public key PK_i from x_i. The trapdoor x_i and the private key s_i together form the complete private key of U_i, (x_i, s_i); the public key PK_i and the public key parameter W_i together form its complete public key, (PK_i, W_i).
Before sending a message to any virtual machine node, terminal U_i computes
b_i = h1(VX_i, X_i)
y_i = s_i + b_i x_i
where b_i is the hash value of terminal U_i, h1(·) is a hash function and y_i is the offline signature of U_i.
When terminal U_i decides to send a message m to virtual machine node S_j, it generates the online signature from m and the parameters b_i and y_i, and encrypts:
h_i = h2(m, VX_i, X_i, t)
σ_i = h_i y_i
Q_i = E(VX_i || σ_i || W_i || PK_i)
where t is the current time, || denotes string concatenation and Q_i is the ciphertext of terminal U_i.
Terminal U_i sends the message signature parameters {Q_i, t} to virtual machine node S_j.
If virtual machine node S_j receives the parameters of n message signatures (n > 1) within a period of time, it uses its own private key sk_j and the received parameters to batch-verify the n message signatures. If all of them are valid, (Q_i || sk_j) serves as the session token between S_j and terminal U_i; otherwise S_j refuses to communicate with those n terminals.
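An added Go example, not from the patent, for the pseudonym and offline/online signature computations above. It enrols a terminal by computing VX''_i from UID_i and HC's secret s, shows that only a holder of s can trace the pseudonym back to UID_i (a wrong secret yields garbage), and computes y_i and σ_i as scalars modulo q. The instantiation choices are assumptions: HMAC-SHA256 for h, SHA-256 reduced modulo the P-256 group order for h1 and h2, the hash taken over VX'_i rather than the full VX_i (VX''_i cannot be an input to its own derivation), X_i read as the encoded public key PK_i, and the sample identities and secrets. The patent does not specify E or the batch verification equation used by S_j, so those are not modelled.

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strconv"
)

// q is the order of the cyclic additive group G; the text does not fix the
// group, so the P-256 group order stands in (assumption).
var q = elliptic.P256().Params().N

// Identity is the complete virtual identity VX_i = {VX'_i, VX''_i}.
type Identity struct {
	VX1 []byte // VX'_i, derived by the terminal from a random number
	VX2 []byte // VX''_i, computed by HC from UID_i and its secret s
}

// keyedHash is h(s, .), instantiated as HMAC-SHA256 under s (assumption).
func keyedHash(s, data []byte) []byte {
	m := hmac.New(sha256.New, s)
	m.Write(data)
	return m.Sum(nil)
}

// Register is HC's side of enrolment: VX''_i = UID_i XOR h(s, VX'_i), with
// UID_i zero-padded to the hash length (hashing over VX'_i is an assumption).
func Register(s []byte, uid string, vx1 []byte) Identity {
	vx2 := keyedHash(s, vx1)
	if len(uid) > len(vx2) {
		panic("UID_i longer than the hash output cannot be masked")
	}
	for i := 0; i < len(uid); i++ {
		vx2[i] ^= uid[i]
	}
	return Identity{VX1: vx1, VX2: vx2}
}

// Trace is the misbehaviour path: only a holder of s can strip the mask
// and recover UID_i from the pseudonym pair a virtual machine node saw.
func Trace(s []byte, id Identity) string {
	uid := keyedHash(s, id.VX1)
	for i := range uid {
		uid[i] ^= id.VX2[i]
	}
	return string(bytes.TrimRight(uid, "\x00"))
}

// toScalar is h1/h2: SHA-256 over zero-separated fields, reduced into Z_q.
func toScalar(parts ...[]byte) *big.Int {
	sum := sha256.Sum256(bytes.Join(parts, []byte{0}))
	return new(big.Int).Mod(new(big.Int).SetBytes(sum[:]), q)
}

// OfflineSign is y_i = s_i + b_i x_i with b_i = h1(VX_i, X_i), X_i taken as
// the encoded public key PK_i (assumption). It does not depend on the
// message, so a terminal can precompute it before any request.
func OfflineSign(id Identity, si, xi *big.Int, pk []byte) *big.Int {
	bi := toScalar(id.VX1, id.VX2, pk)
	return new(big.Int).Mod(new(big.Int).Add(si, new(big.Int).Mul(bi, xi)), q)
}

// OnlineSign is h_i = h2(m, VX_i, X_i, t) and sigma_i = h_i y_i: one hash and
// one multiplication per message, with t binding the signature to a time.
func OnlineSign(id Identity, pk []byte, yi *big.Int, m []byte, t int64) *big.Int {
	hi := toScalar(m, id.VX1, id.VX2, pk, []byte(strconv.FormatInt(t, 10)))
	return new(big.Int).Mod(new(big.Int).Mul(hi, yi), q)
}

// RunScenario enrols a constructed terminal, traces it with the right secret
// and with a wrong one, and checks that sigma_i changes with the message.
func RunScenario() (traced, tracedWrong string, sigDiffers bool) {
	s := keyedHash([]byte("constructed HC master secret"), nil)   // s (demo value)
	vx1 := keyedHash([]byte("constructed terminal random"), nil) // VX'_i (demo value)
	id := Register(s, "UID-terminal-0007", vx1)
	traced = Trace(s, id)
	tracedWrong = Trace([]byte("not-the-HC-secret"), id)

	si, _ := rand.Int(rand.Reader, q) // HC-issued private key s_i
	xi, _ := rand.Int(rand.Reader, q) // terminal trapdoor x_i
	pk := []byte("PK_i")              // stands in for the public key derived from x_i
	yi := OfflineSign(id, si, xi, pk)
	s1 := OnlineSign(id, pk, yi, []byte("read order 42"), 1523347200)
	s2 := OnlineSign(id, pk, yi, []byte("delete order 42"), 1523347200)
	return traced, tracedWrong, s1.Cmp(s2) != 0
}

func main() {
	traced, wrong, differs := RunScenario()
	fmt.Printf("traced with s: %q; with wrong secret: %q; sigma_i depends on m: %v\n", traced, wrong, differs)
}
```

The virtual machine nodes only ever see VX_i, W_i, PK_i and σ_i; the mapping back to UID_i lives in HC's secret s, which is why misbehaviour can be attributed by HC but not by a node or another terminal.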
In summary, the invention provides a cloud-based low-latency secure computing method that achieves secure verification of service access in a hybrid cloud by encrypting the terminal's service requests, improving the data security of the hybrid cloud.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.
Claims (3)
1. A cloud-based low-latency secure computing method is characterized by comprising the following steps:
receiving terminal ID information, and judging whether the terminal is a registered terminal;
if yes, generating a first digital certificate according to the terminal ID information;
retrieving terminal fingerprint information and an authentication server authorization private key from a local storage pool;
encrypting the first digital certificate according to the terminal fingerprint information to obtain a first ciphertext;
encrypting the first digital certificate and the terminal ID information according to the authentication server authorization private key to obtain a second ciphertext;
sending the first ciphertext and the second ciphertext to the terminal, and receiving from the terminal the returned second ciphertext together with a third ciphertext encrypted with the first digital certificate, wherein the third ciphertext comprises terminal ID information to be verified and the requested service ID;
decrypting the third ciphertext with the first digital certificate to obtain the terminal ID information to be verified, and determining, from the consistency of the terminal ID information and the terminal ID information to be verified, that the terminal has access rights to a service execution virtual machine;
retrieving authority list information of the terminal from a local storage pool, and generating a second digital certificate;
encrypting a second digital certificate according to the terminal fingerprint information;
encrypting a second digital certificate and terminal ID information according to the target virtual machine cluster identification information;
sending the encrypted second digital certificate and the terminal ID information to the terminal;
the authentication server searches the terminal database and extracts the authority list of the terminal, and judges whether the terminal has access authority to the virtual machine cluster; if not, the virtual machine cluster system suspends service to the terminal;
after receiving the service ID requested by the terminal, the authentication server parses the requested service ID to determine the virtual machine cluster to which the service belongs: it converts the characters of the service ID one by one into their corresponding numbers, sums them, and divides the sum by the total number of virtual machine clusters; the remainder is the identifier of the virtual machine cluster to which the service belongs, and that identifier is the ID of the service execution virtual machine;
after the service execution virtual machine has authenticated the terminal, it requests the authority list information of the terminal from the authentication server, and the authentication server, on receiving the request, sends the authority list information for that terminal ID to the service execution virtual machine;
after receiving access permission for the service execution virtual machine, the terminal transmits the task ID of the service to be accessed and the corresponding access permission to the virtual machine; the virtual machine verifies the validity of the permission on receiving the task ID and, once verification is complete, allows the terminal to operate the service;
the method further comprises the following steps:
transferring the service data to a cache node or a storage pool according to the service access frequency, and reading service data with different access frequencies running in the hybrid cloud; reading the service data with different access frequencies further comprises:
step 1, if the terminal fails to apply for resources from the virtual machine nodes of the hybrid cloud, sending a command to transfer the cache data of the virtual machine node;
step 2, calculating the size of the transferable resources in the virtual machine node and, if the transferable size meets the service's requirement for virtual machine node resources, setting a transfer address in the hybrid cloud, on either the cache node or the storage pool, according to the access frequency of the virtual machine node's transferable cache data;
step 3, releasing the transferable cache data in the virtual machine node, transferring it to the transfer address, modifying its persistence level, and feeding back a transfer success signal and the transfer information;
wherein step 1 further comprises:
calculating the size of the virtual machine node resources that executing the service on the service data will occupy, applying for those resources from the virtual machine nodes of the hybrid cloud, and comparing the size of the resources the service occupies with the unoccupied resources of the virtual machine node; the task scheduler of the hybrid cloud schedules the service; at run time the service is executed, using those resources, on the service data identified and cached by the terminal, and then resources are requested from the virtual machine node of the hybrid cloud; if the request succeeds, the service data is stored directly; if the size of the virtual machine node resources occupied by the service is larger than the node's unoccupied resources, the resource request to the hybrid cloud's virtual machine node fails, and at the same time a command to transfer the virtual machine node's transferable cache data is sent together with the size of the virtual machine node resources the service occupies.
2. The method of claim 1, wherein receiving the terminal ID information and determining whether the terminal is a registered terminal further comprises:
the terminal sends its ID, namely the terminal ID, to the authentication server;
the authentication server queries the local storage pool to check whether the terminal ID is already stored.
3. The method of claim 1, wherein generating the first digital certificate according to the terminal ID information further comprises:
if the terminal is registered, the authentication server generates a digital certificate CTE1 as a digital certificate between the terminal and the authentication server;
if the terminal is not registered, the authentication server discards the request message.
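The three-ciphertext exchange of claim 1 above, as an added Go example that is not the patent's own code. The authentication server seals CTE1 under a key derived from the terminal fingerprint (first ciphertext) and seals CTE1 together with the terminal ID under its own authorization key (second ciphertext); the terminal opens the first with its fingerprint and answers with its ID and the requested service ID under CTE1 (third ciphertext); the server recovers CTE1 and the bound ID from the returned second ciphertext, opens the third and admits the terminal only if the two IDs agree. AES-256-GCM, a symmetric authorization key in place of the server's private key, CTE1 as a random 32-byte credential rather than an X.509 certificate, and the terminal, fingerprint and service values are assumptions and constructed data. The last call in the scenario shows what the fingerprint binding buys: a party holding both ciphertexts but not the fingerprint cannot produce a third ciphertext the server accepts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// gcm, seal, open: AES-256-GCM with the nonce prefixed to the ciphertext.
// Every key here is 32 bytes, so the constructor errors cannot occur.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Server is the authentication server: registered terminal fingerprints and
// a 32-byte authorization key standing in for its private key (assumption).
type Server struct {
	registry map[string][]byte // terminal ID -> fingerprint
	authKey  []byte
}

// IssueChallenge discards unregistered IDs, mints CTE1 (32 random bytes),
// seals it under the fingerprint (c1) and seals CTE1||ID under the
// authorization key (c2) so the server can recover both later statelessly.
func (s *Server) IssueChallenge(terminalID string) (c1, c2 []byte, err error) {
	fp, ok := s.registry[terminalID]
	if !ok {
		return nil, nil, errors.New("unregistered terminal: request discarded")
	}
	cert1 := make([]byte, 32)
	if _, err = rand.Read(cert1); err != nil {
		return nil, nil, err
	}
	fpKey := sha256.Sum256(fp)
	return seal(fpKey[:], cert1), seal(s.authKey, append(cert1, terminalID...)), nil
}

// Respond is the terminal: open c1 with its fingerprint to get CTE1, then
// seal "ID|serviceID" under CTE1 as c3; c2 is returned to the server as is.
func Respond(fingerprint, c1 []byte, terminalID, serviceID string) ([]byte, error) {
	fpKey := sha256.Sum256(fingerprint)
	cert1, err := open(fpKey[:], c1)
	if err != nil {
		return nil, errors.New("fingerprint does not open c1")
	}
	return seal(cert1, []byte(terminalID+"|"+serviceID)), nil
}

// Verify recovers CTE1 and the bound ID from c2, opens c3 with CTE1 and
// admits the terminal only if the ID inside c3 equals the bound one. It
// returns the requested service ID for the cluster lookup that follows.
func (s *Server) Verify(c2, c3 []byte) (string, error) {
	tok, err := open(s.authKey, c2)
	if err != nil || len(tok) <= 32 {
		return "", errors.New("second ciphertext rejected")
	}
	pt, err := open(tok[:32], c3)
	id, svc, ok := strings.Cut(string(pt), "|")
	if err != nil || !ok || id != string(tok[32:]) {
		return "", errors.New("third ciphertext rejected or terminal ID mismatch")
	}
	return svc, nil
}

// RunScenario plays the exchange for a constructed terminal, then shows that
// holding c1 and c2 without the fingerprint does not yield an acceptable c3.
func RunScenario() (service string, wrongFingerprintRejected bool, err error) {
	key := sha256.Sum256([]byte("constructed server secret"))
	srv := &Server{registry: map[string][]byte{"T-1001": []byte("fp:aa:bb:cc")}, authKey: key[:]}
	c1, c2, err := srv.IssueChallenge("T-1001")
	if err != nil {
		return
	}
	c3, err := Respond([]byte("fp:aa:bb:cc"), c1, "T-1001", "SVC-ORDER-07")
	if err != nil {
		return
	}
	service, err = srv.Verify(c2, c3)
	_, bad := Respond([]byte("fp:00:00:00"), c1, "T-1001", "SVC-ORDER-07")
	return service, bad != nil, err
}

func main() {
	service, rejected, err := RunScenario()
	fmt.Println("service:", service, "wrong fingerprint rejected:", rejected, "err:", err)
}
```

Because the second ciphertext carries CTE1 and the bound terminal ID under the server's own key, the server needs no per-terminal session table between the challenge and the response; the GCM tag on that ciphertext is what stops a terminal from altering the ID bound into it.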
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810317985.9A CN108449358B (en) | 2018-04-10 | 2018-04-10 | Cloud-based low-delay secure computing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108449358A CN108449358A (en) | 2018-08-24 |
CN108449358B true CN108449358B (en) | 2021-04-09 |
Family
ID=63199148
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810317985.9A Expired - Fee Related CN108449358B (en) | 2018-04-10 | 2018-04-10 | Cloud-based low-delay secure computing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108449358B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110061983B (en) * | 2019-04-09 | 2020-11-06 | 苏宁云计算有限公司 | Data processing method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102281314A (en) * | 2011-01-30 | 2011-12-14 | 程旭 | Realization method and apparatus for high-efficient and safe data cloud storage system |
CN103780583A (en) * | 2012-10-22 | 2014-05-07 | 上海俊悦智能科技有限公司 | Protection method for secure cloud computing terminal |
US10110621B2 (en) * | 2016-11-15 | 2018-10-23 | Visa International Service Association | Systems and methods for securing access to resources |
US10264468B1 (en) * | 2010-08-16 | 2019-04-16 | Open Invention Network Llc | Method and apparatus of supporting wireless femtocell clusters |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140013108A1 (en) * | 2012-07-06 | 2014-01-09 | Jani Pellikka | On-Demand Identity Attribute Verification and Certification For Services |
CN103152366B (en) * | 2013-04-10 | 2015-12-23 | 魅族科技(中国)有限公司 | Obtain the method for terminal authorization, terminal and server |
CN104184743B (en) * | 2014-09-10 | 2017-06-16 | 西安电子科技大学 | Towards three layers of Verification System and authentication method of cloud computing platform |
CN106656481B (en) * | 2016-10-28 | 2019-08-30 | 美的智慧家居科技有限公司 | Identity identifying method, device and system |
CN107579991B (en) * | 2017-09-28 | 2021-03-02 | 奇安信科技集团股份有限公司 | Method for performing cloud protection authentication on client, server and client |
US10812276B2 (en) * | 2018-02-23 | 2020-10-20 | International Business Machines Corporation | Secure trust based distribution of digital certificates |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20210322. Address after: 518000 No. 7018 CaiTian Road, Lianhua village community, Huafu street, Futian District, Shenzhen City, Guangdong Province a2701, a2702, a2703, a2705, a2706, Xinhao Yidu. Applicant after: Shenzhen UnionPay easy financial services Co.,Ltd. Address before: No. 28-2, Zhongtian village group, Qinggang village committee, Tianxing Town, Daguan County, Zhaotong City, Yunnan Province. Applicant before: Xiao Hengnian |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20210409 |