CN108616517A - highly reliable cloud platform service providing method - Google Patents
- Publication number: CN108616517A (application number CN201810317120.2A)
- Authority: CN (China)
- Prior art keywords
- terminal
- cte1
- uid
- certificate server
- virtual machine
- Prior art date
- Legal status: Granted
Classifications
- H04L63/0823 — Network architectures or network communication protocols for network security, for authentication of entities using certificates (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00; H04L63/08)
- H04L67/10 — Protocols in which an application is distributed across nodes in the network (H04L67/00: Network arrangements or protocols for supporting network services or applications; H04L67/01: Protocols)
Abstract
The present invention provides a highly reliable cloud platform service providing method. The method includes: the terminal sends its UID to the certificate server, and the certificate server generates a digital certificate CTE1; the certificate server retrieves the terminal's fingerprint information and its own authorization private key from the local storage pool, encrypts CTE1 with the terminal's fingerprint information, and encrypts a packet containing CTE1 and the terminal UID with its own authorization private key; the certificate server sends both pieces of information, the one encrypted with the terminal fingerprint information and the one encrypted with its own authorization private key, back to the terminal; the terminal decrypts CTE1 with its own fingerprint information, then encrypts its UID and the requested service ID with CTE1 and sends the result to the certificate server; the certificate server compares the two UIDs it has obtained, and if they are identical the authentication of the terminal is complete and the terminal is granted access to the service execution virtual machine to which the service belongs. By encrypting the terminal's service requests, the method achieves security verification of service access in the hybrid cloud and improves the data security of the hybrid cloud.
Description
Technical field
The present invention relates to cloud computing, and more particularly to a highly reliable cloud platform service providing method.
Background technology
A hybrid cloud connects public terminal nodes and private terminal nodes over a computer network. The management nodes and the stored data are distributed over different nodes, and provide file storage, read, write and delete services to many terminals. Current hybrid cloud architectures manage the name resources of the whole hybrid cloud cluster with a single name node. This keeps the system control logic simple and makes management convenient, but it also introduces defects in reliability and security. A conventional hybrid cloud assumes that the cloud platform always runs in a trusted environment and is used by trusted terminals. In practice, an illegal terminal can impersonate a trusted terminal and access that terminal's data in the hybrid cloud.
Invention content
To solve the above problems of the prior art, the present invention proposes a highly reliable cloud platform service providing method, including:
The terminal sends its own ID, that is, its UID, to the certificate server, and the certificate server queries the local storage pool to retrieve whether the terminal UID has been stored;
If the terminal is registered, the certificate server generates a digital certificate CTE1, which serves as the digital certificate between the terminal and the certificate server;
The certificate server copies the generated CTE1, retrieves the terminal's fingerprint information and its own authorization private key from the local storage pool, encrypts one copy of CTE1 with the terminal's fingerprint information, and encrypts a packet containing CTE1 and the terminal UID with its own authorization private key;
The certificate server then sends both pieces of information, one encrypted with the terminal fingerprint information and the other with its own authorization private key, back to the terminal; they are written E_user_fp(CTE1) and E_AS_fp(CTE1+UID);
After the terminal receives the information returned by the certificate server, it decrypts CTE1 with its own fingerprint information, then encrypts its UID and the requested service ID with CTE1 to produce E_CTE1(UID + requested service ID), and sends this together with E_AS_fp(CTE1+UID) to the certificate server;
The certificate server decrypts E_AS_fp(CTE1+UID) with its own authorization private key to obtain CTE1 and the UID, then decrypts E_CTE1(UID + requested service ID) with CTE1 to obtain the UID and the requested service ID, and compares whether the two UIDs obtained are identical. If they are identical, the certificate server's authentication of the terminal is complete, and the terminal is granted access rights to the service execution virtual machine to which the service belongs.
Compared with the prior art, the present invention has the following advantages:
The present invention proposes a highly reliable cloud platform service providing method which, by encrypting the terminal's service requests, achieves security verification of service access in the hybrid cloud and improves the data security of the hybrid cloud.
Description of the drawings
Fig. 1 is a flow chart of the highly reliable cloud platform service providing method according to an embodiment of the present invention.
Specific implementation mode
A detailed description of one or more embodiments of the invention is provided below together with the drawing illustrating the principles of the invention. The invention is described in conjunction with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims, and the invention covers many alternatives, modifications and equivalents. Many specific details are set out in the following description to provide a thorough understanding of the invention. These details are provided for exemplary purposes, and the invention may be practised according to the claims without some or all of them.
One aspect of the present invention provides a highly reliable cloud platform service providing method. Fig. 1 is a flow chart of the highly reliable cloud platform service providing method according to an embodiment of the present invention. The method of the present invention includes the following steps:
1. Receive the terminal ID information and judge whether the terminal is a registered terminal. If so, generate a first digital certificate according to the terminal ID information, look up the terminal fingerprint information and the certificate server authorization private key in the local storage pool, encrypt the first digital certificate with the terminal fingerprint information to obtain a first ciphertext, and encrypt the first digital certificate and the terminal ID information with the certificate server authorization private key to obtain a second ciphertext.
Specifically, the terminal sends its own ID, that is, its UID, to the certificate server, and the certificate server queries the local storage pool to retrieve whether the terminal UID has been stored. If the terminal is registered, the certificate server generates a digital certificate CTE1, which serves as the digital certificate between the terminal and the certificate server. If the terminal is not registered, the certificate server discards the request message.
The certificate server copies the generated CTE1, retrieves the terminal's fingerprint information and its own authorization private key from the local storage pool, encrypts one copy of CTE1 with the terminal's fingerprint information, and encrypts a packet containing CTE1 and the terminal UID with its own authorization private key. The certificate server then sends both pieces of information, one encrypted with the terminal fingerprint information and the other with its own authorization private key, back to the terminal; they are written E_user_fp(CTE1) and E_AS_fp(CTE1+UID).
2. Send the first ciphertext and the second ciphertext to the terminal, and receive from the terminal the second ciphertext together with a third ciphertext encrypted with the first digital certificate; the third ciphertext contains the terminal ID information to be verified and the requested service ID.
Specifically, after the terminal receives the information returned by the certificate server, it decrypts CTE1 with its own fingerprint information, then encrypts its UID and the requested service ID with CTE1 to produce E_CTE1(UID + requested service ID), and sends this together with E_AS_fp(CTE1+UID) to the certificate server.
3. Decrypt the third ciphertext with the first digital certificate to obtain the terminal ID information to be verified, and judge from the consistency of the terminal ID information and the terminal ID information to be verified whether the terminal has access rights to the service execution virtual machine.
Specifically, the certificate server decrypts E_AS_fp(CTE1+UID) with its own authorization private key to obtain CTE1 and the UID, then decrypts E_CTE1(UID + requested service ID) with CTE1 to obtain the UID and the requested service ID, and compares whether the two UIDs obtained are identical. If they are identical, the certificate server's authentication of the terminal is complete, and the terminal is granted access rights to the service execution virtual machine to which the service belongs.
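The following is an added simulation of steps 1 to 3, written for this page; it is not code from the patent. It assumes that the patent's encryption function E_key(.) is an authenticated symmetric cipher (modelled here by a constructed HMAC-SHA256 keystream-plus-tag construction, used only so the script runs with the standard library; a real deployment would use a standard AEAD), that the terminal fingerprint is SHA-256 of the password as the registration step states, and that the certificate server's "authorization private key" is a key the server alone uses for both encryption and decryption, since the page has the server perform both operations. The demo drives the exchange for a correct terminal, a terminal with the wrong password (it cannot recover CTE1), an unregistered UID (the request is discarded), and a registered terminal that places another terminal's UID inside E_CTE1 (the two-UID comparison rejects it).

```python
import hashlib
import hmac
import json
import secrets

# --- Toy authenticated encryption standing in for the page's E_key(.) ---
# (constructed for this example: HMAC-SHA256 keystream + HMAC tag)
def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key: bytes, blob: bytes) -> bytes:
    """Plaintext, or ValueError when the key (or the data) is wrong."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def fingerprint(password: str) -> bytes:
    """Terminal fingerprint: hash of the password, as at registration."""
    return hashlib.sha256(password.encode()).digest()

class CertificateServer:
    def __init__(self):
        self.as_key = secrets.token_bytes(32)   # authorization private key
        self.pool = {}                          # local storage pool: UID -> fingerprint

    def register(self, uid: str, password: str):
        self.pool[uid] = fingerprint(password)

    def step1(self, uid: str):
        """Step 1: (E_user_fp(CTE1), E_AS_fp(CTE1+UID)), or None for an unknown UID."""
        fp = self.pool.get(uid)
        if fp is None:
            return None                         # unregistered: discard the request
        cte1 = secrets.token_bytes(32)          # digital certificate CTE1
        packet = json.dumps({"cte1": cte1.hex(), "uid": uid}).encode()
        return seal(fp, cte1), seal(self.as_key, packet)

    def step3(self, e_as: bytes, e_cte1: bytes):
        """Step 3: the authenticated service ID, or None if verification fails."""
        try:
            packet = json.loads(unseal(self.as_key, e_as))
            cte1 = bytes.fromhex(packet["cte1"])
            request = json.loads(unseal(cte1, e_cte1))
        except ValueError:
            return None
        if packet["uid"] != request["uid"]:     # the two UIDs must be identical
            return None
        return request["service_id"]

class Terminal:
    def __init__(self, uid: str, password: str):
        self.uid, self.fp = uid, fingerprint(password)

    def step2(self, e_user: bytes, e_as: bytes, service_id: str, claim_uid=None):
        """Step 2: recover CTE1, return (E_AS_fp(CTE1+UID), E_CTE1(UID+service ID)).
        claim_uid only lets the demo build a request whose UID does not match."""
        cte1 = unseal(self.fp, e_user)          # raises if the fingerprint is wrong
        request = json.dumps({"uid": claim_uid or self.uid, "service_id": service_id})
        return e_as, seal(cte1, request.encode())

def run_exchange(server, terminal, service_id, claim_uid=None):
    msg1 = server.step1(terminal.uid)
    if msg1 is None:
        return None
    try:
        e_as, e_cte1 = terminal.step2(msg1[0], msg1[1], service_id, claim_uid)
    except ValueError:
        return None
    return server.step3(e_as, e_cte1)

def demo():
    server = CertificateServer()
    server.register("T001", "correct-password")        # constructed sample data
    server.register("T002", "another-password")
    good = run_exchange(server, Terminal("T001", "correct-password"), "svc-42")
    wrong_pw = run_exchange(server, Terminal("T001", "guess"), "svc-42")
    unknown = run_exchange(server, Terminal("T999", "x"), "svc-42")
    # T002 holds a valid CTE1 but claims T001's UID inside E_CTE1: rejected
    mismatch = run_exchange(server, Terminal("T002", "another-password"), "svc-42", "T001")
    return good, wrong_pw, unknown, mismatch
```

Note that E_AS_fp(CTE1+UID) is never decrypted by the terminal: it travels back unchanged and lets the server recover CTE1 and the registered UID without keeping per-session state, which is why the comparison of that UID with the one inside E_CTE1 is the step that actually binds the request to the registered terminal.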
4. Look up the terminal's permission list information in the local storage pool, generate a second digital certificate, encrypt the second digital certificate with the terminal fingerprint information to obtain a fourth ciphertext, encrypt the second digital certificate and the terminal ID information with the identity information of the target virtual machine cluster to obtain a fifth ciphertext, and send the fourth ciphertext and the fifth ciphertext to the terminal.
Specifically, the certificate server searches the terminal database, extracts the terminal's permission list, and judges whether the terminal has access rights to the virtual machine cluster. If not, the virtual machine cluster system suspends service to the terminal. If so, the certificate server generates a CTE2 and copies it, encrypts one copy of CTE2 together with the address of the service execution virtual machine with the terminal's fingerprint information, encrypts the other copy of CTE2 together with the UID with the identifier of the service execution virtual machine to be accessed, and sends E_user_fp(CTE2 + virtual machine cluster address) and E_VM_fp(CTE2+UID) to the terminal together.
E_user_fp, E_AS_fp, E_CTE1 and E_VM_fp denote encryption functions keyed respectively with the terminal fingerprint information, the certificate server authorization private key, the first digital certificate, and the identifier of the service execution virtual machine.
By this method, terminal identity authentication at the certificate server of the hybrid cloud and encrypted distribution of the terminal's access permissions are achieved, and the data security of the hybrid cloud is improved.
On the basis of the above embodiment, the method further includes: converting each single character of the requested service ID into a corresponding number, and calculating the virtual machine cluster identifier from those numbers.
Specifically, after the certificate server obtains the service ID requested by the terminal, it parses the requested service ID to judge which virtual machine cluster the service belongs to. The judgment method is: the certificate server converts each character of the service ID into its corresponding number one by one, sums all the corresponding numbers, and divides the sum by the total number of virtual machine clusters; the remainder is the identifier of the virtual machine cluster to which the file belongs, and that identifier is the ID of the service execution virtual machine.
In the virtual machine cluster system of the present invention, the path information of a service and the location information of its service data are stored separately, and the metadata is managed hierarchically.
The path information includes the service ID, the full path of the service and the access rights of the service. The service data includes the location information of the service data, which records the mapping between service data and virtual machines. The metadata path and the service data are managed with different strategies.
The system stores the path of a service and its service data separately. The path where the service resides is hashed, and the result is substituted into a load balancing function to obtain the ID of the service execution virtual machine that stores the service path. Then, according to the current load of the virtual machine cluster, a suitable execution virtual machine ID is allocated for the service data location information.
To distribute paths effectively among the service execution virtual machines, the path where the service resides is first hashed to obtain a hash result, as in the following formula:
Result = Hash(path)
The result is then substituted into the load balancing function f to obtain the ID of the service execution virtual machine that stores the service path, as in the following formula:
ID = f(Result)
Through the mapping of the load balancing function, the path data of the virtual machine cluster system can be evenly dispersed over the control nodes of the virtual machine clusters.
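An added example, not part of the patent, of the two mapping rules the page gives: the service ID to cluster identifier rule (character numbers summed, remainder modulo the number of clusters) and the path to service-execution-VM rule (Result = Hash(path), ID = f(Result)). It assumes that the "corresponding number" of a character is its Unicode code point, that Hash is SHA-256, and that the load balancing function f, which the page does not define, is reduction of the hash modulo the number of virtual machines; the sample paths are constructed.

```python
import hashlib

def cluster_for_service(service_id: str, n_clusters: int) -> int:
    """Sum the number of every character in the service ID and divide by the
    total number of clusters; the remainder is the cluster identifier."""
    if n_clusters <= 0:
        raise ValueError("need at least one cluster")
    return sum(ord(ch) for ch in service_id) % n_clusters

def hash_path(path: str) -> int:
    """Result = Hash(path), with Hash assumed to be SHA-256."""
    return int.from_bytes(hashlib.sha256(path.encode("utf-8")).digest(), "big")

def vm_for_path(path: str, n_vms: int) -> int:
    """ID = f(Result); f assumed to be 'modulo the number of VMs'."""
    if n_vms <= 0:
        raise ValueError("need at least one virtual machine")
    return hash_path(path) % n_vms

def distribution(paths, n_vms: int):
    """How many path records each control node would receive."""
    counts = [0] * n_vms
    for p in paths:
        counts[vm_for_path(p, n_vms)] += 1
    return counts

def demo():
    paths = [f"/tenant-{t}/service-{s}" for t in range(4) for s in range(25)]  # constructed
    return distribution(paths, 5)
```

Because the character sum ignores character order, service IDs that are permutations of each other always land on the same cluster, which is worth knowing when judging how evenly this rule spreads load.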
On the basis of the above embodiment, the method further includes a terminal registration step: the terminal connects to the certificate server and registers its terminal ID information, terminal fingerprint information and permission list information, where the terminal fingerprint information is obtained by hashing the terminal password on the terminal.
Specifically, the terminal connects to the certificate server and registers its UID, password and service role domain, and the certificate server stores the terminal's registration information in the local storage pool. The password is hashed locally to obtain a hash value, and this hash value is the fingerprint information with which the certificate server verifies the terminal password. The service role domain is the domain the terminal applies to join at registration; after it has been added successfully, the certificate server assigns it a role, and the terminal's access rights are jointly limited by three kinds of information: the domain, the role and the terminal access control information.
After receiving the information, the terminal decrypts E_user_fp(CTE2 + virtual machine cluster address) with its fingerprint information to obtain CTE2 and the virtual machine address, creates an authentication packet consisting of the UID, the current time and the requested service ID, encrypts it with CTE2 to form E_CTE2(UID + current time + requested service ID), and sends it together with E_VM_fp(CTE2+UID) to the service execution virtual machine at that address.
Allocating a suitable execution virtual machine ID for the service data location information according to the current load of the virtual machine cluster includes distributing the service data to the service execution virtual machines according to the current load of the virtual machine cluster. Each service execution virtual machine in the virtual machine cluster system periodically reports its load, including its CPU utilization and memory usage, to the certificate server; after the certificate server has collected the load of all virtual machine clusters, it sends this information to every service execution virtual machine. Each virtual machine maintains a cluster load queue, selects the most lightly loaded service execution virtual machine according to this queue, distributes the service data to that node, and records the ID of that node in the node that stores the service path.
Then, the fifth ciphertext is decrypted with the identity information of the target virtual machine cluster, the sixth ciphertext is decrypted with the second digital certificate, and the consistency of the terminal ID information in the fifth ciphertext with the terminal ID information in the sixth ciphertext is judged to authenticate the terminal's access rights.
That is, after the service execution virtual machine receives E_CTE2(UID + current time + requested service ID) and E_VM_fp(CTE2+UID), it decrypts E_VM_fp(CTE2+UID) with its fingerprint information to obtain CTE2 and the UID, then decrypts E_CTE2(UID + current time + requested service ID) with CTE2 to obtain the UID, the current time and the requested service ID, and compares whether the two UIDs are consistent. If they are consistent, the service execution virtual machine's authentication of the terminal is complete.
The service execution virtual machine combines the terminal's permission list information to generate an access license, whose format is as follows:
LicenseID = {time, keyID, UID, taskID, mode};
Here keyID is the increment value produced by the service execution virtual machine's counter, and the mode, time and taskID fields respectively indicate the mode in which the terminal accesses the service, the validity period, and the task number.
The service execution virtual machine sends the generated license and the address of the service to which the requested service belongs to the terminal, and sends the key to the corresponding virtual machine by heartbeat signal. After receiving this information, the terminal transmits the taskID of the service it needs to access together with the corresponding access license to the virtual machine.
By this method, virtual machine access rights are provided to the terminal according to two levels of metadata, and the data security of the hybrid cloud is improved.
After the service execution virtual machine has authenticated the terminal, it requests the terminal's permission list information from the certificate server. Specifically, after the service execution virtual machine completes the authentication of the terminal, it requests the terminal's permission list information from the certificate server; after receiving the request, the certificate server sends the permission list information for that terminal ID to the service execution virtual machine.
After the terminal receives the access license from the service execution virtual machine, it transmits the taskID of the service it needs to access together with the corresponding access license to the virtual machine. The virtual machine verifies the legitimacy of the license after receiving it, and only after verification is complete does it allow the terminal to operate on its service.
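An added example, not code from the patent, of how a service execution virtual machine could issue the license LicenseID = {time, keyID, UID, taskID, mode} from the permission list and later check its legitimacy when the terminal presents it with a taskID. The page does not say how the check is performed, so this assumes the VM keeps a table of the licenses it issued indexed by keyID (the counter increment), that "time" is the expiry as seconds since the epoch, and that "mode" is either read or write; the clock is injectable so the expiry case can be exercised.

```python
import time
from dataclasses import dataclass

MODE_READ, MODE_WRITE = "read", "write"

@dataclass(frozen=True)
class License:
    time: int        # validity period: expiry as seconds since the epoch (assumed)
    keyID: int       # increment value from the VM's counter
    UID: str
    taskID: str
    mode: str        # how the terminal may access the service (assumed read/write)

class ServiceExecutionVM:
    def __init__(self, clock=time.time):
        self._counter = 0
        self._issued = {}            # keyID -> License exactly as issued
        self._clock = clock

    def issue(self, uid: str, task_id: str, permissions: set, validity: int = 300):
        """Combine the terminal's permission list into a license; None if the
        list grants no access mode at all."""
        if MODE_WRITE in permissions:
            mode = MODE_WRITE
        elif MODE_READ in permissions:
            mode = MODE_READ
        else:
            return None
        self._counter += 1
        lic = License(int(self._clock()) + validity, self._counter, uid, task_id, mode)
        self._issued[lic.keyID] = lic
        return lic

    def verify(self, lic: License, uid: str, task_id: str, wanted_mode: str) -> bool:
        """Legitimacy check before the terminal may operate on the service:
        the license must be one this VM issued (field for field), unexpired,
        bound to this terminal and task, and cover the requested mode."""
        known = self._issued.get(lic.keyID)
        if known is None or known != lic:
            return False                     # unknown keyID or altered fields
        if self._clock() > lic.time:
            return False                     # validity period has passed
        if lic.UID != uid or lic.taskID != task_id:
            return False
        return wanted_mode == MODE_READ or lic.mode == MODE_WRITE
```

Comparing the presented license field by field against the stored copy means a terminal cannot upgrade its own mode or extend its own validity period by editing the license it was given.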
During a service query, the terminal sends the access license and requests data from the corresponding virtual machine node. The service is divided into task blocks of equal size, and the process is that the terminal concurrently retrieves all task blocks of the service. When the end of a block has been read, the link to the virtual machine is disconnected, and the next virtual machine is selected to obtain the next piece of service data. When the terminal connects directly to a virtual machine and locates the corresponding block to query the service, it first verifies the check code to detect whether the data read is valid. If valid, the data is read directly; if invalid, a request is sent to the service execution virtual machine, the data is read from the backup virtual machine node, and the valid data is then synchronized from the backup virtual machine to the execution virtual machine.
During service submission, the virtual machine completes a series of verification work; after confirming that the terminal is allowed to write the service, it issues a service data creation instruction to the virtual machine and returns the block address of the virtual machine to the terminal. The terminal then establishes a connection with the virtual machine and requests to submit the service into the service data allocated by the service execution virtual machine. Within the address the virtual machine actually allocated for the block, the terminal sets an offset ID, divides the service into task blocks of equal size, and uploads them concurrently into the upload buffer of the virtual machine. After the submission is complete, the terminal can disconnect from the virtual machine.
After the virtual machine receives the service to be committed from the terminal, it writes the service asynchronously and in order into the service data of the backup virtual machine; the execution virtual machine connects to the backup virtual machine and submits in the same way on the backup virtual machine. After both the primary and the backup virtual machine have completed the submission, the metadata is updated and the virtual machine deletes the submission cache occupied by the service.
The service execution virtual machine contacts the certificate server and writes the index of the service into the directory system. If writing from the upload cache resource to disk fails on either the execution virtual machine or the backup virtual machine, the execution virtual machine requests the service execution virtual machine to allocate another piece of service data and writes it there. By this method, after two verifications of the terminal identity, query and submission operations on hybrid cloud service data are achieved.
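An added example, not the patent's code, of the block read path described for service queries: the service is split into equal-size task blocks at submission, each block's check code is verified on read, an invalid or missing block is re-read from the backup virtual machine node, and the valid copy is synchronized back to the execution virtual machine. It assumes that the check code is the SHA-256 of the block stored in metadata at submission time and models the two VM nodes as dictionaries from block index to bytes; all sample data and the corruption in the demo are constructed.

```python
import hashlib

BLOCK_SIZE = 4   # constructed: tiny blocks so the demo is readable

def checksum(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()

def split_blocks(data: bytes, size: int = BLOCK_SIZE):
    """Submission side: equal-size task blocks plus their check codes."""
    blocks = [data[i:i + size] for i in range(0, len(data), size)]
    return blocks, [checksum(b) for b in blocks]

def read_block(index, execution_vm, backup_vm, check_codes, repaired):
    """Query side: verify the block read from the execution VM; on failure
    read it from the backup VM and sync the valid copy back.  Returns the
    block, or None if neither copy passes its check code."""
    block = execution_vm.get(index)
    if block is not None and checksum(block) == check_codes[index]:
        return block
    block = backup_vm.get(index)
    if block is None or checksum(block) != check_codes[index]:
        return None
    execution_vm[index] = block        # synchronize backup -> execution VM
    repaired.append(index)
    return block

def read_service(execution_vm, backup_vm, check_codes):
    """Reassemble the service; returns (data or None, list of repaired blocks)."""
    repaired, parts = [], []
    for i in range(len(check_codes)):
        b = read_block(i, execution_vm, backup_vm, check_codes, repaired)
        if b is None:
            return None, repaired
        parts.append(b)
    return b"".join(parts), repaired

def demo():
    data = b"hybrid-cloud-service-data"                # constructed payload
    blocks, codes = split_blocks(data)
    primary = dict(enumerate(blocks))
    backup = dict(enumerate(blocks))
    primary[2] = b"XXXX"             # constructed corruption on the execution VM
    del primary[5]                   # and a block missing there
    restored, repaired = read_service(primary, backup, codes)
    return restored == data, repaired, primary[2] == blocks[2]
```

The check code is compared before any block is accepted from either node, so a corrupted backup copy is refused in the same way as a corrupted primary one rather than being synchronized over good data.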
In the above embodiment of the present invention, service data is further transferred to a cache node or a storage pool according to the service access frequency, so that service data of different access frequencies running in the hybrid cloud can be read quickly. This specifically includes:
Step 1: if the terminal fails to apply for resources from a virtual machine node of the hybrid cloud, it sends an order to transfer the cache data of the virtual machine node.
Step 2: calculate the transferable resource size in the virtual machine node; if the resource size after the transfer meets the service's requirement for virtual machine node resources, set a hybrid cloud jump address based on the cache node and the storage pool according to the access frequency of the transferable cache data in the virtual machine node.
Step 3: release the transferable cache data in the virtual machine node, transfer the transferable cache data of the virtual machine node to the jump address, change the persistence rank of the transferable cache data in the virtual machine node, and feed back a transfer completion signal and the transfer information.
Step 1 preferably further includes:
Calculate the size of the virtual machine node resources occupied by executing the service on the service data, apply for resources from the virtual machine node of the hybrid cloud, and compare the size of the virtual machine node resources occupied by the service with the vacant resources of the virtual machine node. Specifically, the task scheduler of the hybrid cloud schedules the service; during service operation the terminal's resources execute the service on the identified cached service data, and the application for resources from the virtual machine node of the hybrid cloud is then retried; if the application succeeds, the storage of the service data is carried out directly.
If the size of the virtual machine node resources occupied by the service exceeds the vacant resources of the virtual machine node, the application for resources from the virtual machine node of the hybrid cloud fails; at the same time, an order to transfer the transferable cache data of the virtual machine node is sent together with the size of the virtual machine node resources the service needs to occupy.
By introducing cache nodes built with a storage pool into the hybrid cloud, and transferring service data to the cache nodes or the storage pool according to the service access frequency, the heavy demand that caching of hybrid cloud service data places on storage area resources is alleviated.
Step 2 preferably further includes:
Because the storage resources needed to execute the service on the service data are insufficient, an application to transfer virtual machine node resources is sent to the virtual machine node; after the virtual machine node receives the application sent by the transfer logic unit, it judges whether the virtual machine node has transferable resources. If the application succeeds, the transferable resource size in the virtual machine node is calculated by a replacement policy.
If the transferable resource size is greater than or equal to the resource size that executing the service on the service data needs to occupy in the virtual machine node, the transfer address of the hybrid cloud, based on the cache node and the storage pool, is set according to the access frequency of the transferable cache data of the virtual machine node.
If the transferable resource size is less than the resource size that executing the service on the service data needs to occupy in the virtual machine node, the transfer task for the transferable cache data of the virtual machine node is terminated, and a failure signal for the transfer of the transferable cache data of the virtual machine node is fed back.
After the access frequency of the transferable cache data of the virtual machine node has been judged: if the access frequency of the transferable cache data of the virtual machine node lies in a first preset service access frequency value range, the cache node address is read and the cache node address read is set as the jump address; the first preset service access frequency value range corresponds to a higher access frequency of the transferable cache data of the virtual machine node, and the specific access frequency range can be set freely by the terminal. If the access frequency of the transferable cache data of the virtual machine node lies in a second preset service access frequency value range, the storage pool address is read and the storage pool address read is set as the jump address.
The terminal uses memory mapping and security isolation: it creates a trusted process in the terminal for the mobile service application and sends the running log of the started hybrid cloud service application to the hybrid cloud certificate server, so that the hybrid cloud can remotely authenticate and monitor the terminal running data of the service application and protect the confidentiality of terminal keys and data. Specifically:
The terminal creates a trusted process corresponding to the service application, allocates memory for the trusted process, and transfers the service application into the memory resources of the trusted process;
The memory reading function and the parsing function in the trusted process are called to obtain a first local verification vector of the service application;
The first verification vector is packaged as a cloud verification request, and the cloud verification request is sent to the certificate server, so that the certificate server matches the first verification vector against a second verification vector of the service application held on the certificate server, and sends a protected authentication result to the terminal according to the matching result;
The terminal judges whether to trust the authentication result; when it trusts the authentication result, the service application is allowed to start on the terminal;
The running data of the started service application is sent to the certificate server in the form of logs, so that the certificate server remotely authenticates and monitors the running data of the service application.
The steps for creating the trusted process corresponding to the service application are as follows:
First, load the virtual machine image to be run into disk;
Second, encrypt the code and data of the service application to be loaded;
Third, load the code and data of the service application to be loaded into a loader first, to prepare for loading the code and data of the service application into the trusted process;
Fourth, dynamically apply for and build a privileged process, that is, the trusted process;
Fifth, decrypt the code and data of the service application to be loaded in the form of page caches;
Sixth, prove that the decrypted service application and data are trustworthy, load the code and data of the service application into the trusted process, and then copy the contents of each page cache loaded into the trusted process;
Seventh, start the trusted process initialization program, forbid further loading and verification of page caches, generate a trusted process identity token and encrypt it, so that its identity can later be restored and verified;
Eighth, by starting the initialization program, the trusted process initializes an independent encrypted memory, and external access to the service application is also constrained to the entry points identified in the code. The trusted process is isolated from the other service applications in the terminal.
Wherein, the operation data of the service application by startup is sent to the authentication service in a manner of daily record
Device, specially:
The operation data is generated into journal file with log mode in the trusted process, and to the journal file
It carries out hash operations and obtains server log hashed value i.e. message MSG;The message MSG is digitally signed, i.e., with signature
Private key does asymmetric encryption to the message MSG;It enables TPM hardware the digital signature, the journal file and number are reflected
The public key generation that is packaged together of power result is asserted, and is sent to the certificate server, so that the certificate server is to institute
It states and asserts carry out watermark signature, and watermark signature result is sent to the terminal;When watermark signature fails, the industry is terminated
The operation of business application.
The watermark signature is specially:The terminal utilizes the public key decryptions digital signature, exports the message MSG,
And hash is done to the journal file and obtains terminal daily record hashed value i.e. message MD2.The certificate server is by the server
Daily record hashed value and the terminal daily record hashed value are compared.When the server log hashed value and the terminal daily record dissipate
It when train value is identical, then proves that data are not tampered with, receives the signature, i.e. watermark signature success, the certificate server is permitted
Perhaps the data access of the described terminal;When the server log hashed value and the terminal daily record hashed value differ, then demonstrate,prove
Bright data have been tampered, and refuse the signature, i.e. watermark signature fails, and the certificate server will refuse the data of the terminal
It accesses.
The assertion generated by packaging the digital signature, the log file and the digital authentication result together with the public key may be the integrity-protection assertion RL of the trusted process that generates it:
RL = HASH(IPRO || I_fp || Random)
where IPRO is the measurement of the code of the trusted process that generates the assertion, I_fp is the public key used to sign the trusted process before it is loaded, and Random is an arbitrary random number that the trusted process may specify when it requests verification of the assertion.
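An added illustration of the log attestation and watermark check described above (example code written for this page, not the patent's own): Ed25519 stands in for the TPM-held signing key and signature verification replaces "decrypting the signature with the public key", SHA-256 is HASH, Random is a 16-byte nonce, and checking RL against an expected IPRO and I_fp on the server is an assumption, since the patent does not say how RL is verified.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Assertion is what the trusted process hands to the certificate server: the log
// file, its hash MSG, the signature over MSG, RL and the Random used inside RL.
type Assertion struct {
	LogFile, MSG, Signature, RL, Random []byte
}
// computeRL = HASH(IPRO || I_fp || Random): ipro is the measurement of the trusted
// process code, ifp the public key that signed it before load, random a nonce.
func computeRL(ipro, ifp, random []byte) []byte {
	h := sha256.Sum256(bytes.Join([][]byte{ipro, ifp, random}, nil))
	return h[:]
}

// buildAssertion (terminal side): hash the log file to MSG, sign MSG with the
// TPM-held key (Ed25519 stands in for it) and attach RL over a fresh Random.
func buildAssertion(signKey ed25519.PrivateKey, logFile, ipro, ifp []byte) Assertion {
	msg := sha256.Sum256(logFile)
	random := make([]byte, 16)
	rand.Read(random) // crypto/rand: never fails on supported platforms
	return Assertion{
		LogFile:   logFile,
		MSG:       msg[:],
		Signature: ed25519.Sign(signKey, msg[:]),
		RL:        computeRL(ipro, ifp, random),
		Random:    random,
	}
}

// watermarkCheck (certificate-server side): RL must match the expected measurement and
// signing key, the signature must open to MSG under the public key, and MD2, the hash
// recomputed over the received log file, must equal MSG (a log edited after signing fails).
func watermarkCheck(pub ed25519.PublicKey, expIPRO, expIFP []byte, a Assertion) bool {
	if !bytes.Equal(a.RL, computeRL(expIPRO, expIFP, a.Random)) {
		return false
	}
	if !ed25519.Verify(pub, a.MSG, a.Signature) {
		return false
	}
	md2 := sha256.Sum256(a.LogFile)
	return bytes.Equal(md2[:], a.MSG)
}
```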
In the authentication phase between the multiple heterogeneous terminals and the hybrid cloud, the certificate server of the hybrid cloud preferably uses a traceable authentication mode: when a terminal misbehaves, the real identity of the client can be traced, and an illegitimate user cannot obtain legitimate computing services from the virtual machines. The traceable authentication method proceeds as follows:
The hybrid cloud HC initialises its own public and private keys and the system parameters, and publishes the system parameters, including the security parameter λ and the large prime p. At the same time it generates public and private keys for all virtual machine nodes; the public key and private key of any virtual machine node S_j are denoted PK_j and sk_j. HC defines a cyclic additive group G of order q and defines the hash functions h, h1, h2 and h3.
The hybrid cloud HC chooses a random number s, and sets the private key of virtual machine node S_j to sk_s and its public key to PK_s. The public system parameters are distributed to all terminals and virtual machine nodes.
Any terminal U_i selects a random number and generates a pseudonym VX'_i, then sends its real identity UID_i together with the pseudonym VX'_i to the hybrid cloud HC.
From the received real identity UID_i and pseudonym VX'_i of terminal U_i, the hybrid cloud HC uses its own private key to compute a second pseudonym VX''_i for U_i; the pseudonym VX'_i and the second pseudonym VX''_i together constitute the complete virtual identity of terminal U_i, VX_i = {VX'_i, VX''_i}.
The hybrid cloud HC checks the legitimacy of the terminal identity C_i. If it is legitimate, HC computes VX''_i = UID_i ⊕ h(s, VX_i).
The hybrid cloud HC generates a private key s_i and a public key parameter W_i for terminal U_i, and sends the complete virtual identity VX_i, the private key s_i and the public key parameter W_i of terminal U_i to the terminal over a secure channel.
Specifically, HC randomly chooses w_i and computes W_i = h1(VX_i, w_i), then sends {VX_i, W_i, s_i} to terminal U_i over the secure channel.
Terminal U_i verifies the legitimacy of the received private key s_i using the system parameters and the public key parameter W_i. If the verification passes, it accepts the private key s_i, selects a random number as its own trapdoor x_i, and uses the trapdoor x_i to generate its public key PK_i. The trapdoor x_i and the private key s_i together constitute the complete private key of terminal U_i, (x_i, s_i); the public key PK_i and the public key parameter W_i together constitute its complete public key, (PK_i, W_i).
Before terminal U_i sends a message to any virtual machine node, it computes:
b_i = h1(VX_i, X_i)
y_i = s_i + b_i x_i
where b_i is the hash value of terminal U_i, h1() is a hash function, and y_i is the static signature of terminal U_i.
When terminal U_i decides to send a message m to virtual machine node S_j, it encrypts the online signature generated from the message m and the parameters b_i and y_i:
h_i = h2(m, VX_i, X_i, t)
σ_i = h_i y_i
Q_i = E(VX_i || σ_i || W_i || PK_i)
where t is the current time, || denotes string concatenation, and Q_i is the ciphertext of terminal U_i.
Terminal U_i sends the message-signature parameters {Q_i, t} to virtual machine node S_j.
If virtual machine node S_j receives the parameters of n message signatures within a period of time (n > 1), S_j uses its own private key sk_j and the n received message-signature parameters to batch-verify the n message signatures. If they are valid, (Q_i || sk_j) is used as the session token between virtual machine node S_j and terminal U_i; otherwise virtual machine node S_j refuses to exchange messages with the n terminals.
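An added example (not the patent's code) of the pseudonym issuance and tracing step above: the masking hash is read as h(s, VX'_i), since VX_i itself contains VX''_i, and is realised with HMAC-SHA256 keyed by the master secret s; the set of registered real identities standing in for HC's legitimacy check, and the 32-byte UID limit, are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// HybridCloud holds the master secret s and the set of real identities UID_i that
// passed the legitimacy check; neither ever leaves HC.
type HybridCloud struct {
	s          []byte
	registered map[string]bool
}

// h(s, VX') from the scheme, realised here as HMAC-SHA256 keyed with s; its output
// is the one-time mask, so UIDs are limited to one hash output (32 bytes).
func (hc *HybridCloud) h(vx1 []byte) []byte {
	m := hmac.New(sha256.New, hc.s)
	m.Write(vx1)
	return m.Sum(nil)
}
func xor(a, mask []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ mask[i]
	}
	return out
}

// Register: the terminal sends UID_i and the pseudonym VX'_i it chose itself; HC
// checks that UID_i is legitimate and returns VX''_i = UID_i XOR h(s, VX'_i).
func (hc *HybridCloud) Register(uid, vx1 []byte) ([]byte, error) {
	if !hc.registered[string(uid)] || len(uid) > sha256.Size {
		return nil, errors.New("identity not legitimate")
	}
	return xor(uid, hc.h(vx1)), nil
}

// Trace: from a full virtual identity {VX', VX''} seen on a misbehaving message, HC
// (the only holder of s) strips the mask to recover UID_i; ok is false when the
// recovered value is not a registered identity, i.e. the pair was never issued by HC.
func (hc *HybridCloud) Trace(vx1, vx2 []byte) (uid []byte, ok bool) {
	if len(vx2) > sha256.Size {
		return nil, false
	}
	uid = xor(vx2, hc.h(vx1))
	return uid, hc.registered[string(uid)]
}
```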
In conclusion the present invention proposes a kind of highly reliable cloud platform service providing method, asked by the business to terminal
It asks and is encrypted, realize the safety verification to Operational Visit in mixed cloud, improve the Information Security of mixed cloud.
Obviously, those skilled in the art will appreciate that the modules or steps of the invention described above may be implemented with a general-purpose computing system; they may be concentrated in a single computing system or distributed over a network formed by multiple computing systems, and optionally they may be implemented as program code executable by a computing system, so that they may be stored in a storage system and executed by the computing system. Thus the present invention is not limited to any specific combination of hardware and software.
It should be understood that the specific embodiments of the present invention described above serve only to illustrate or explain the principles of the present invention and do not limit it. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention shall fall within the scope of protection of the present invention. Furthermore, the appended claims of the present invention are intended to cover all variations and modifications falling within the scope and boundaries of the appended claims, or equivalents of that scope and those boundaries.
Claims (1)
1. A highly reliable cloud platform service providing method, used for terminal identity authentication at a server in a hybrid cloud and for the encrypted distribution of terminal access permissions, characterised in that it comprises:
the terminal sends its own ID, i.e. the UID, to the certificate server, and the certificate server queries the local storage pool to retrieve whether the terminal UID has been stored;
if the terminal is registered, the certificate server generates a digital certificate CTE1, which serves as the digital certificate between the terminal and the certificate server;
the certificate server copies the generated CTE1, retrieves the fingerprint information of the terminal and its own authorisation private key from the local storage pool, encrypts CTE1 with the fingerprint information of the terminal, and encrypts the packet containing CTE1 and the terminal UID with its own authorisation private key;
the certificate server then sends the two pieces of information, encrypted respectively with the terminal fingerprint information and with its own authorisation private key, back to the terminal, denoted E_user_fp(CTE1) and E_AS_fp(CTE1+UID);
after receiving the information returned by the certificate server, the terminal decrypts CTE1 with its own fingerprint information, then encrypts the UID and the ID of the requested service (the traffic ID) with CTE1 to produce E_CTE1(UID + requested service ID), and sends it together with E_AS_fp(CTE1+UID) to the certificate server;
the certificate server decrypts E_AS_fp(CTE1+UID) with its own authorisation private key to obtain CTE1 and the UID, then decrypts E_CTE1(UID + requested service ID) with CTE1 to obtain the UID and the requested service ID, and compares whether the two UIDs obtained are identical; if they are identical, the authentication of the terminal by the certificate server is complete and it grants the terminal access rights to the virtual machine that executes the service.
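An added example (not the patent's code) of the certificate server's final check in the claim, the step that binds the two UIDs: AES-256-GCM under SHA-256-derived keys stands in for the fingerprint, CTE1 and authorisation-private-key encryptions (the authorisation key is modelled as a symmetric secret because only the certificate server ever encrypts and decrypts under it), E_AS_fp(CTE1+UID) is the sealed concatenation of a fixed 16-byte CTE1 and the UID, and E_CTE1(UID + service ID) the sealed concatenation of UID and service ID; issuing CTE1 and the terminal's fingerprint decryption are performed by the caller with the same seal and open helpers.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
)

// AES-256-GCM keyed by SHA-256(secret), 12-byte nonce prepended: a symmetric
// stand-in for the fingerprint, CTE1 and authorisation-key encryptions of the claim.
func aead(secret []byte) cipher.AEAD {
	k := sha256.Sum256(secret)
	b, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(b)
	return g
}

func seal(secret, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand: never fails on supported platforms
	return aead(secret).Seal(nonce, nonce, pt, nil)
}

func open(secret, ct []byte) ([]byte, bool) {
	if len(ct) < 12 {
		return nil, false // too short to hold a nonce
	}
	pt, err := aead(secret).Open(nil, ct[:12], ct[12:], nil)
	return pt, err == nil // err != nil also covers a forged or tampered blob
}

// Verify (certificate server): open E_AS_fp(CTE1+UID) with the authorisation key,
// then E_CTE1(UID+serviceID) under the recovered 16-byte CTE1, and grant the service
// only when the UID inside the second blob equals the UID inside the first.
func Verify(asKey, eAS, eCTE1 []byte) (service []byte, granted bool) {
	inner, ok := open(asKey, eAS)
	if !ok || len(inner) < 16 {
		return nil, false
	}
	cte1, uid := inner[:16], inner[16:]
	pt, ok := open(cte1, eCTE1)
	if !ok || !bytes.HasPrefix(pt, uid) {
		return nil, false // wrong CTE1, tampered blob, or a UID that does not match
	}
	return pt[len(uid):], true
}
```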
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810317120.2A CN108616517B (en) | 2018-04-10 | 2018-04-10 | High-reliability cloud platform service providing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108616517A true CN108616517A (en) | 2018-10-02 |
CN108616517B CN108616517B (en) | 2021-07-09 |
Family
ID=63659764
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810317120.2A Active CN108616517B (en) | 2018-04-10 | 2018-04-10 | High-reliability cloud platform service providing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108616517B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005093581A1 (en) * | 2004-03-26 | 2005-10-06 | Shanghai Sanlen Info Security Co., Ltd. | Title: secret file access authorization system with fingerprint limiation |
CN101741561A (en) * | 2008-11-17 | 2010-06-16 | 联想(北京)有限公司 | Method and system for authenticating two-way hardware |
CN101794363A (en) * | 2010-01-29 | 2010-08-04 | 华中科技大学 | Network multimedia copyright active following and monitoring system |
CN104184743A (en) * | 2014-09-10 | 2014-12-03 | 西安电子科技大学 | Three-layer authentication system and method oriented to cloud computing platform |
WO2015013474A2 (en) * | 2013-07-25 | 2015-01-29 | Siemens Healthcare Diagnostics Inc. | Anti-piracy protection for software |
US20160241558A1 (en) * | 2015-02-13 | 2016-08-18 | International Business Machines Corporation | Automatic Key Management Using Enterprise User Identity Management |
CN107135219A (en) * | 2017-05-05 | 2017-09-05 | 四川长虹电器股份有限公司 | A kind of Internet of Things information secure transmission method |
Non-Patent Citations (2)
Title |
---|
MENG SHEN等: "《Certificate-Aware Encrypted Traffic Classification》", 《2016 IEEE/ACM 24TH INTERNATIONAL SYMPOSIUM ON QUALITY OF SERVICE (IWQOS)》 * |
蔡龙飞: "《一种公钥密码体制下指纹识别与数字水印的身份认证协议》", 《中山大学学报 ( 自然科学版)》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112491545A (en) * | 2020-11-30 | 2021-03-12 | 山东可信云信息技术研究院 | Credible hybrid cloud management platform, access method and system |
CN112491545B (en) * | 2020-11-30 | 2023-02-10 | 山东可信云信息技术研究院 | Credible hybrid cloud management platform, access method and system |
CN115150419A (en) * | 2022-09-05 | 2022-10-04 | 杭州华卓信息科技有限公司 | Configuration and access method and system for hybrid cloud object storage |
Also Published As
Publication number | Publication date |
---|---|
CN108616517B (en) | 2021-07-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20210604. Address after: 730000 room 2-1, 4th floor, building 13, No.5 south of Gaoxin s625 Road, Chengguan District, Lanzhou City, Gansu Province. Applicant after: Gansu Bailong E-Commerce Technology Co.,Ltd. Address before: No. 28-2, Zhongtian village group, Qinggang village committee, Tianxing Town, Daguan County, Zhaotong City, Yunnan Province. Applicant before: Xiao hengnian |
| GR01 | Patent grant | |