CN108616517A - highly reliable cloud platform service providing method - Google Patents


Info

Publication number: CN108616517A
Authority: CN (China)
Prior art keywords: terminal, cte1, uid, certificate server, virtual machine
Legal status: Granted (currently active)
Application number: CN201810317120.2A
Other languages: Chinese (zh)
Other versions: CN108616517B (en)
Inventor: 肖恒念
Current assignee: Gansu Bailong E-Commerce Technology Co.,Ltd.
Original assignee: 肖恒念

Application filed by 肖恒念
Priority to CN201810317120.2A
Publication of CN108616517A
Application granted
Publication of CN108616517B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The present invention provides a highly reliable cloud platform service providing method. The method comprises: a terminal sends its UID to a certificate server, and the certificate server generates a digital certificate CTE1; the certificate server retrieves the terminal's fingerprint information from its local storage pool together with its own authorization private key, encrypts CTE1 with the terminal's fingerprint information, and encrypts a packet containing CTE1 and the terminal UID with its own authorization private key; the certificate server returns both pieces of information to the terminal, one encrypted with the terminal fingerprint information and one with its own authorization private key; the terminal decrypts CTE1 with its own fingerprint information, then encrypts the UID and the requested service ID with CTE1 and sends the result to the certificate server; the certificate server compares whether the two UIDs it obtained are identical, and if they are identical the certificate server's authentication of the terminal is complete and the terminal is authorized to access the service execution virtual machine to which the service belongs. The present invention proposes a highly reliable cloud platform service providing method that encrypts the terminal's service request, thereby achieving security verification of service access in a hybrid cloud and improving the data security of the hybrid cloud.

Description

Highly reliable cloud platform service providing method
Technical field
The present invention relates to cloud computing, and more particularly to a highly reliable cloud platform service providing method.
Background technology
A hybrid cloud connects public terminals and private terminal nodes over a computer network. The management node and the stored data are distributed across different nodes, providing storage, read/write, deletion and other file services to multiple terminals. Current hybrid cloud architectures manage the name resources of the entire hybrid cloud cluster with a single name node. This keeps the system control logic simple and easy to manage, but it also introduces defects in reliability and security. Conventional hybrid clouds assume that the cloud platform always operates in a trusted environment and is used by trusted terminals. However, an illegal terminal can impersonate a trusted terminal to access that terminal's data in the hybrid cloud.
Summary of the invention
To solve the above problems of the prior art, the present invention proposes a highly reliable cloud platform service providing method, comprising:
The terminal sends its ID, i.e. its UID, to the certificate server, and the certificate server queries its local storage pool to check whether the terminal UID has been stored;
If the terminal has been registered, the certificate server generates a digital certificate CTE1, which serves as the digital certificate between the terminal and the certificate server;
The certificate server duplicates the generated CTE1 and retrieves the terminal's fingerprint information and its own authorization private key from the local storage pool; it encrypts CTE1 with the terminal's fingerprint information, and encrypts a packet containing CTE1 and the terminal UID with its own authorization private key;
The certificate server then returns both pieces of information to the terminal, one encrypted with the terminal fingerprint information and one with its own authorization private key, denoted E_user_fp(CTE1) and E_AS_fp(CTE1+UID);
After the terminal receives the information returned by the certificate server, it decrypts CTE1 with its own fingerprint information, then encrypts the UID and the requested service ID with CTE1 to produce E_CTE1(UID+requested service ID), and sends this together with E_AS_fp(CTE1+UID) to the certificate server;
The certificate server decrypts E_AS_fp(CTE1+UID) with its own authorization private key to obtain CTE1 and the UID, then decrypts E_CTE1(UID+requested service ID) with CTE1 to obtain the UID and the requested service ID, and compares whether the two UIDs obtained are identical; if they are identical, the certificate server's authentication of the terminal is complete and the terminal is authorized to access the service execution virtual machine to which the service belongs.
Compared with the prior art, the present invention has the following advantages:
The present invention proposes a highly reliable cloud platform service providing method that encrypts the terminal's service request, thereby achieving security verification of service access in the hybrid cloud and improving the data security of the hybrid cloud.
Description of the drawings
Fig. 1 is a flow chart of the highly reliable cloud platform service providing method according to an embodiment of the present invention.
Detailed description of the embodiments
A detailed description of one or more embodiments of the invention is provided below together with the accompanying drawings illustrating the principles of the invention. The invention is described in conjunction with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims, and the invention covers many alternatives, modifications and equivalents. Many specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for exemplary purposes, and the invention may be practiced according to the claims without some or all of these details.
One aspect of the present invention provides a highly reliable cloud platform service providing method. Fig. 1 is a flow chart of the highly reliable cloud platform service providing method according to an embodiment of the present invention. The method of the present invention comprises the following steps:
1. Receive the terminal ID information and judge whether the terminal is a registered terminal; if so, generate a first digital certificate according to the terminal ID information, look up the terminal fingerprint information and the certificate server authorization private key in the local storage pool, encrypt the first digital certificate according to the terminal fingerprint information to obtain a first ciphertext, and encrypt the first digital certificate and the terminal ID information according to the certificate server authorization private key to obtain a second ciphertext.
Specifically, the terminal sends its ID, i.e. its UID, to the certificate server, and the certificate server queries its local storage pool to check whether the terminal UID has been stored. If the terminal has been registered, the certificate server generates a digital certificate CTE1, which serves as the digital certificate between the terminal and the certificate server. If the terminal is unregistered, the certificate server discards the request message.
The certificate server duplicates the generated CTE1 and retrieves the terminal's fingerprint information and its own authorization private key from the local storage pool; it encrypts CTE1 with the terminal's fingerprint information, and encrypts a packet containing CTE1 and the terminal UID with its own authorization private key. The certificate server then returns both pieces of information to the terminal, one encrypted with the terminal fingerprint information and one with its own authorization private key, which may be denoted E_user_fp(CTE1) and E_AS_fp(CTE1+UID).
2. Send the first ciphertext and the second ciphertext to the terminal, and receive from the terminal the second ciphertext together with a third ciphertext encrypted with the first digital certificate; the third ciphertext contains the terminal ID information to be verified and the requested service ID.
Specifically, after the terminal receives the information returned by the certificate server, it decrypts CTE1 with its own fingerprint information, then encrypts the UID and the requested service ID with CTE1 to produce E_CTE1(UID+requested service ID), and sends this together with E_AS_fp(CTE1+UID) to the certificate server.
3. Decrypt the third ciphertext according to the first digital certificate to obtain the terminal ID information to be verified, and judge from the consistency of the terminal ID information and the terminal ID information to be verified whether the terminal has the right to access the service execution virtual machine.
Specifically, the certificate server decrypts E_AS_fp(CTE1+UID) with its own authorization private key to obtain CTE1 and the UID, then decrypts E_CTE1(UID+requested service ID) with CTE1 to obtain the UID and the requested service ID, and compares whether the two UIDs obtained are identical; if they are identical, the certificate server's authentication of the terminal is complete and the terminal is authorized to access the service execution virtual machine to which the service belongs.
4. Look up the permissions list information of the terminal in the local storage pool and generate a second digital certificate; encrypt the second digital certificate according to the terminal fingerprint information to obtain a fourth ciphertext; encrypt the second digital certificate and the terminal ID information according to the target virtual machine cluster identity information to generate a fifth ciphertext; and send the fourth ciphertext and the fifth ciphertext to the terminal.
Specifically, the certificate server searches the terminal database, extracts the permissions list of the terminal, and judges whether the terminal has access rights to the virtual machine cluster; if not, the virtual machine cluster system suspends service to the terminal. If it does, the certificate server generates a CTE2 and duplicates it, encrypts one copy of CTE2 together with the service execution virtual machine address using the terminal's fingerprint information, encrypts the other copy of CTE2 together with the UID using the identity of the service execution virtual machine to be accessed, and then sends E_user_fp(CTE2+virtual machine cluster address) and E_VM_fp(CTE2+UID) together to the terminal.
Here E_user_fp, E_AS_fp, E_CTE1 and E_VM_fp are encryption functions keyed by the terminal fingerprint information, the certificate server authorization private key, the first digital certificate, and the identity of the service execution virtual machine, respectively.
By this method, authentication of the terminal identity at the certificate server in the hybrid cloud is achieved, terminal access permissions are distributed in encrypted form, and the data security of the hybrid cloud is improved.
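As an added illustration (not code from the patent), the following Python script simulates steps 1 to 3 above with the certificate server and the terminal in one process, including the failure cases the text implies: an unregistered UID is dropped, and a terminal whose password (and therefore fingerprint) is wrong cannot recover CTE1. The patent names no cipher, so E_user_fp, E_AS_fp and E_CTE1 are modelled here with an HMAC-SHA256 counter-mode construction plus a separate authentication tag; the authorization private key is treated as a symmetric key (only the certificate server encrypts and decrypts with it), and the UID/service-ID separator and all sample identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, CTE_LEN = 16, 32, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream derived from HMAC-SHA256 (constructed for this example)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E_key(plaintext) -> nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); raises ValueError if the key is wrong or the blob was altered."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def fingerprint(password: str) -> bytes:
    """Registration step: the terminal fingerprint is a hash of the terminal password."""
    return hashlib.sha256(password.encode()).digest()


class CertificateServer:
    def __init__(self) -> None:
        self.as_key = secrets.token_bytes(32)   # authorization private key (symmetric here)
        self.pool = {}                          # local storage pool: UID -> fingerprint

    def register(self, uid: str, password: str) -> None:
        self.pool[uid] = fingerprint(password)

    def step1(self, uid: str):
        """Return (E_user_fp(CTE1), E_AS_fp(CTE1+UID)), or None for an unregistered UID."""
        fp = self.pool.get(uid)
        if fp is None:
            return None                          # unregistered terminal: drop the request
        cte1 = secrets.token_bytes(CTE_LEN)
        return encrypt(fp, cte1), encrypt(self.as_key, cte1 + uid.encode())

    def step3(self, c_as: bytes, c_cte1: bytes):
        """Recover CTE1 and UID, decrypt the terminal's packet, compare the two UIDs."""
        inner = decrypt(self.as_key, c_as)
        cte1, uid_from_as = inner[:CTE_LEN], inner[CTE_LEN:].decode()
        uid_from_term, service_id = decrypt(cte1, c_cte1).split(b"|", 1)
        if uid_from_term.decode() != uid_from_as:
            return None                          # UID mismatch: authentication fails
        return uid_from_as, service_id.decode()  # authenticated: grant VM access for service


class Terminal:
    def __init__(self, uid: str, password: str) -> None:
        self.uid, self.fp = uid, fingerprint(password)

    def step2(self, c_user: bytes, service_id: str) -> bytes:
        """Decrypt CTE1 with own fingerprint, return E_CTE1(UID + '|' + service ID)."""
        cte1 = decrypt(self.fp, c_user)          # fails if the password/fingerprint is wrong
        return encrypt(cte1, self.uid.encode() + b"|" + service_id.encode())


def run_protocol(server: CertificateServer, terminal: Terminal, service_id: str):
    """Drive steps 1-3; returns (UID, service ID) on success, None on any failure."""
    msg = server.step1(terminal.uid)
    if msg is None:
        return None
    c_user, c_as = msg
    try:
        c_cte1 = terminal.step2(c_user, service_id)
        return server.step3(c_as, c_cte1)        # terminal echoes c_as back unchanged
    except ValueError:
        return None


if __name__ == "__main__":
    srv = CertificateServer()
    srv.register("T001", "correct-horse")       # constructed sample registration
    print(run_protocol(srv, Terminal("T001", "correct-horse"), "svc-42"))    # ('T001', 'svc-42')
    print(run_protocol(srv, Terminal("T001", "wrong-password"), "svc-42"))   # None
```

Because the server binds the UID inside E_AS_fp(CTE1+UID) and compares it with the UID inside E_CTE1(...), a terminal that knows a registered UID but not the matching password fails at the fingerprint decryption and never reaches the comparison.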
On the basis of the above embodiments, the method further comprises: converting each character of the requested service ID into a corresponding number, and computing the virtual machine cluster identity from the corresponding numbers.
Specifically, after the certificate server receives the service ID requested by the terminal, it parses the requested service ID to determine the virtual machine cluster to which the service belongs. The judgement method is: the certificate server converts each character of the service ID, one by one, into a corresponding number, sums all the corresponding numbers, and divides the sum by the total number of virtual machine clusters; the remainder is the identity of the virtual machine cluster to which the file belongs, and the identity of that virtual machine cluster is the ID of the service execution virtual machine.
In the virtual machine cluster system of the present invention, the path information and the service data location information of a service are stored separately, and the metadata is managed hierarchically.
The path information includes the service ID, the full path of the service and the access rights of the service. The service data includes the service data location information, which records the mapping between the service data and the virtual machines. The metadata path is managed under a different strategy from the service data.
This system stores the path of a service and the service data separately. A hash of the path where the service resides is computed, and the result is substituted into a load balancing function to obtain the ID of the service execution virtual machine that stores the service path. Then, according to the current load of the virtual machine cluster, a suitable execution virtual machine ID is allocated for the service data location information.
To distribute paths effectively across the service execution virtual machines, a hash of the path where the service resides is computed first, yielding a hash result, as in the following formula:
result = Hash(path)
The result obtained is then substituted into the load balancing function f to obtain the ID of the service execution virtual machine that stores the service path, as in the following formula:
ID = f(result)
Through the mapping of the load balancing function, the path data of the virtual machine cluster system can be distributed evenly across the control nodes of the virtual machine clusters.
On the basis of the above embodiments, the method further comprises a terminal registration step, in which the terminal connects to the certificate server and registers the terminal ID information, the terminal fingerprint information and the permissions list information; the terminal fingerprint information is obtained by performing a hash operation on the terminal password at the terminal.
Specifically, the terminal connects to the certificate server and registers its UID, password and service role domain, and the certificate server stores the terminal's registration information in the local storage pool. The password is hashed locally to obtain a hash value, and this hash value is the fingerprint information by which the certificate server verifies the terminal password. The service role domain is the domain the terminal applies to join at registration; after it has been joined successfully, the certificate server assigns the terminal a role, and the access rights of the terminal are jointly constrained by three items: the domain, the role and the terminal access control information.
After receiving the information, the terminal decrypts E_user_fp(CTE2+virtual machine cluster address) with its fingerprint information to obtain CTE2 and the virtual machine address, creates an authentication packet consisting of the UID, the current time and the requested service ID, encrypts it with CTE2 to produce E_CTE2(UID+current time+requested service ID), and then sends this together with E_VM_fp(CTE2+UID) to the service execution virtual machine at that address.
Allocating a suitable execution virtual machine ID for the service data location information according to the current load of the virtual machine cluster comprises distributing the service data across the service execution virtual machines according to the current load of the virtual machine cluster. Each service execution virtual machine in the virtual machine cluster system periodically reports its load, including its CPU utilization and memory utilization, to the certificate server; after the certificate server has collected the load of all virtual machine clusters, it sends this information to each service execution virtual machine. Each virtual machine maintains a cluster load queue, selects the most lightly loaded service execution virtual machine from this queue, distributes the service data to that node, and records the ID of that node in the node where the service path is stored.
Then, the fifth ciphertext is decrypted using the target virtual machine cluster identity information, a sixth ciphertext is decrypted using the second digital certificate, the terminal ID information in the fifth ciphertext is compared with the terminal ID information in the sixth ciphertext for consistency, and the access rights of the terminal are authenticated.
That is, after the service execution virtual machine receives E_CTE2(UID+current time+requested service ID) and E_VM_fp(CTE2+UID), it decrypts E_VM_fp(CTE2+UID) with its fingerprint information to obtain CTE2 and the UID, then decrypts E_CTE2(UID+current time+requested service ID) with CTE2 to obtain the UID, the current time and the requested service ID, and compares whether the two UIDs are consistent; if they are consistent, the service execution virtual machine's authentication of the terminal is complete.
The service execution virtual machine combines the permissions list information of the terminal to generate an access license, whose format is as follows:
LicenseID = {time, keyID, UID, taskID, mode};
where keyID is an increment value produced by a counter of the service execution virtual machine, and the mode, time and taskID fields respectively indicate the mode in which the terminal accesses the service, the validity period, and the task number.
The service execution virtual machine sends the generated license and the address of the service to which the requested service belongs back to the terminal, and sends the key to the corresponding virtual machine via a heartbeat signal. After receiving this information, the terminal transmits the taskID of the service it needs to access together with the corresponding access license to the virtual machine.
By this method, virtual machine access rights are provided to the terminal according to two-level metadata, improving the data security of the hybrid cloud.
After the service execution virtual machine has authenticated the terminal, it requests the permissions list information of the terminal from the certificate server. Specifically, after the service execution virtual machine completes authentication of the terminal, it requests the permissions list information of the terminal from the certificate server; upon receiving the request from the service execution virtual machine, the certificate server sends the permissions list information for that terminal ID to the service execution virtual machine.
After the terminal receives the access license from the service execution virtual machine, it transmits the taskID of the service it needs to access together with the corresponding access license to the virtual machine; the virtual machine verifies the legitimacy of the license upon receipt, and only after verification is complete does it allow the terminal to operate on its service.
In a service query, the terminal sends the access license and requests data from the corresponding virtual machine node. The service is divided into task blocks of equal size, and the terminal concurrently retrieves all task blocks of the service. When the end of a block has been read, the link to the virtual machine is disconnected, and the next virtual machine is then selected to obtain the next piece of service data. When the terminal connects directly to a virtual machine and locates the corresponding block to query the service, the check code is verified first to detect whether the data read is valid; if valid, it is read directly; if invalid, a request is sent to the service execution virtual machine so that the data is read from the backup virtual machine node, after which the valid data is synchronized from the backup virtual machine to the execution virtual machine.
During service submission, the virtual machine completes a series of verification work; after confirming that the terminal is allowed to write the service, a service data creation instruction is issued to the virtual machine, which returns the block address to the terminal. The terminal then establishes a connection with the virtual machine and requests that the service be submitted into the service data allocated by the service execution virtual machine. At the address actually submitted within the block allocated by the virtual machine, an offset ID is set, the service is divided into task blocks of equal size, and these are uploaded concurrently into the virtual machine's upload buffer. When submission is complete, the terminal may disconnect from the virtual machine.
After the virtual machine receives the service to be committed from the terminal, it writes the service asynchronously and in order into the service data of the backup virtual machine; the execution virtual machine connects to the backup virtual machine and submits to it in the same manner. After the primary and backup virtual machines have both completed submission, the metadata is updated and the virtual machine deletes the submission cache occupied by the service.
The service execution virtual machine contacts the certificate server and writes the service index into the directory system. If writing from the upload cache resource to disk fails on either the execution virtual machine or the backup virtual machine, the execution virtual machine requests the service execution virtual machine to allocate another piece of service data for writing. By this method, query and submission operations on hybrid cloud service data are realized after two verifications of the terminal identity.
In the above embodiments of the present invention, service data is further transferred to a cache node or a storage pool according to the service access frequency, so that service data of different access frequencies operating in the hybrid cloud can be read quickly. This specifically comprises:
Step 1: if the terminal fails to apply for resources from a virtual machine node of the hybrid cloud, send a command to transfer the cache data of the virtual machine node.
Step 2: calculate the size of the transferable resources in the virtual machine node; if, after transfer, the resource size meets the service's requirement for virtual machine node resources, set the jump address in the hybrid cloud, based on the cache node and the storage pool, according to the access frequency of the transferable cache data of the virtual machine node.
Step 3: release the transferable cache data in the virtual machine node, transfer the transferable cache data in the virtual machine node to the jump address, change the persistence level of the transferable cache data in the virtual machine node, and feed back a transfer completion signal and the transfer information.
Step 1 preferably further comprises:
Calculating the size of the virtual machine node resources occupied by executing the service on the service data, applying for resources from a virtual machine node of the hybrid cloud, and comparing the size of the virtual machine node resources occupied by the service with the free resources of the virtual machine node. Specifically, the task scheduler of the hybrid cloud schedules the service; during service operation, the service is executed on the service data in the cache identified for the terminal, and then an attempt is made to apply for resources from a virtual machine node of the hybrid cloud; if the application succeeds, the service data is stored directly.
If the size of the virtual machine node resources occupied by the service exceeds the free resources of the virtual machine node, the application for resources from the virtual machine node of the hybrid cloud fails; at the same time a command to transfer the transferable cache data of the virtual machine node is sent, together with the size of the virtual machine node resources the service needs to occupy.
By introducing cache nodes and a storage pool into the hybrid cloud and transferring service data to the cache node or the storage pool according to the service access frequency, the heavy demand placed on storage area resources by the caching of hybrid cloud service data is alleviated.
Step 2 preferably further comprises:
Because the storage resources needed to execute the service on the service data are insufficient, an application to transfer virtual machine node resources is issued to the virtual machine node; after the virtual machine node receives the application issued by the transfer logic unit, it judges whether it has transferable resources. If the application succeeds, the size of the transferable resources in the virtual machine node is calculated by the replacement policy.
If the size of the transferable resources in the virtual machine node is greater than or equal to the resource size that executing the service on the service data needs to occupy, the transfer address in the hybrid cloud, based on the cache node and the storage pool, is set according to the access frequency of the transferable cache data of the virtual machine node.
If the size of the transferable resources in the virtual machine node is less than the resource size that executing the service on the service data needs to occupy, the transfer task for the transferable cache data of the virtual machine node is terminated, and a failure signal for the transfer of the transferable cache data of the virtual machine node is fed back.
After the access frequency of the transferable cache data of the virtual machine node has been judged: if the access frequency lies within a first preset service access frequency range, the cache node address is read and set as the jump address; the first preset service access frequency range corresponds to a higher access frequency of the transferable cache data, and the specific frequency range may be set freely by the terminal. If the access frequency of the transferable cache data of the virtual machine node lies within a second preset service access frequency range, the storage pool address is read and set as the jump address.
The terminal uses memory mapping and security isolation to create a trusted process in the terminal for the mobile service application, and sends the running log of the started hybrid cloud service application to the hybrid cloud certificate server, so that the hybrid cloud can remotely authenticate and monitor the terminal operating data of the service application and protect the confidentiality of terminal keys and data. In particular:
The terminal creates a trusted process corresponding to the service application, allocates memory for the trusted process, and at the same time transfers the service application into the trusted process memory resource;
The memory read function and the analysis function in the trusted process are invoked to obtain a local first verification vector of the service application;
The first verification vector is encapsulated as a cloud verification request, and the cloud verification request is sent to the certificate server, so that the certificate server matches the first verification vector against a second verification vector of the service application held on the certificate server and sends a protected authentication result to the terminal according to the matching result;
Whether to trust the authentication result is judged; when the authentication result is judged trustworthy, the service application is allowed to start in the terminal;
The operation data of the started service application is sent to the certificate server in the form of a log, so that the certificate server can remotely authenticate and monitor the operation data of the service application.
The trusted process corresponding to the service application is created by the following steps:
First, the virtual machine image to be run is loaded onto disk;
Second, the code and data of the service application to be loaded are encrypted;
Third, the code and data of the service application to be loaded are first loaded into a loader, in preparation for loading the code and data of the service application into the trusted process;
Fourth, a privileged process, i.e. the trusted process, is dynamically applied for and constructed;
Fifth, the code and data of the service application to be loaded are decrypted in the form of page caches;
Sixth, the decrypted service application and data are proven trustworthy, the code and data of the service application are loaded into the trusted process, and each page cache loaded into the trusted process is then duplicated;
Seventh, the trusted process initialization program is started, further loading and verification of page caches is forbidden, and a trusted process identity token is generated and encrypted so that its identity can later be restored and verified;
Eighth, by starting the initialization program the trusted process initializes an independent, encrypted memory, and external access to the service application is restricted to the entry points identified in the code. The service application running in the trusted process is isolated from the other service applications in the terminal.
Sending the operation data of the started service application to the certificate server in the form of a log specifically comprises:
In the trusted process, the operation data is written into a log file in log form, and a hash operation is performed on the log file to obtain a server log hash value, i.e. a message MSG; the message MSG is digitally signed, i.e. asymmetrically encrypted with a signing private key; the TPM hardware is enabled to package the digital signature, the log file and the public key of the digital authentication result together into an assertion, which is sent to the certificate server, so that the certificate server performs watermark signing on the assertion and sends the watermark signature result to the terminal; when the watermark signature fails, the operation of the service application is terminated.
The watermark signature is specifically: the terminal decrypts the digital signature with the public key to export the message MSG, and hashes the log file to obtain a terminal log hash value, i.e. a message MD2. The certificate server compares the server log hash value with the terminal log hash value. When the server log hash value and the terminal log hash value are identical, the data is proven not to have been tampered with, the signature is accepted, i.e. the watermark signature succeeds, and the certificate server permits the terminal's data access; when the server log hash value and the terminal log hash value differ, the data is proven to have been tampered with, the signature is rejected, i.e. the watermark signature fails, and the certificate server refuses the terminal's data access.
The packaging of the digital signature, the log file and the public key of the digital authentication result into an assertion may be the generation of the integrity-protection assertion RL of the trusted process:

RL = HASH(I_PRO || I_fp || Random)

where I_PRO is the measurement of the code of the trusted process that generates the assertion, I_fp is the public key used to sign the trusted process before it is loaded, and Random is an arbitrary random number that the trusted process may specify when it requests verification of the assertion.
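The log-attestation exchange of the paragraphs above, including the assertion RL, as one runnable round. This is an added example, not code from the patent or the applicant. The RSA key built from two Mersenne primes, the SHA-256 hash, the sample log line and the measurement value are all constructed stand-ins: in the method the signing key lives in the TPM, and the wording "sign = encrypt with the private key, verify = decrypt with the public key" maps onto textbook RSA, which is what the toy key does. The function names trusted_process_report and watermark_signature are the example's own.

```python
import hashlib
import hmac
import os

# Demo RSA key from two Mersenne primes. ASSUMPTION / toy: it stands in for the TPM-held
# signing key; it is NOT a secure key, only enough to show "sign = encrypt with the private
# key, verify = decrypt with the public key" as the text phrases it.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
PUBKEY_BYTES = E.to_bytes(4, "big") + N.to_bytes((N.bit_length() + 7) // 8, "big")

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign_digest(msg: bytes) -> int:
    """Digital signature as described: asymmetric encryption of MSG with the private key."""
    return pow(int.from_bytes(msg, "big"), D, N)

def recover_digest(sig: int):
    """Decrypt the signature with the public key to export MSG; None unless a 256-bit value comes out."""
    value = pow(sig, E, N)
    return value.to_bytes(32, "big") if value.bit_length() <= 256 else None

def assertion_rl(i_pro: bytes, i_fp: bytes, random: bytes) -> bytes:
    """RL = HASH(I_PRO || I_fp || Random), the integrity-protection assertion of the trusted process."""
    return sha256(i_pro + i_fp + random)

def trusted_process_report(log_file: bytes, code_measurement: bytes) -> dict:
    """Terminal side: hash the log file to MSG, sign it, and package the assertion."""
    msg = sha256(log_file)                          # server log hash value, MSG
    random = os.urandom(16)                         # Random, chosen by the trusted process
    return {
        "log": log_file,
        "signature": sign_digest(msg),
        "pubkey": PUBKEY_BYTES,                     # I_fp, the signing public key
        "random": random,
        "rl": assertion_rl(code_measurement, PUBKEY_BYTES, random),
    }

def watermark_signature(report: dict, expected_measurement: bytes) -> bool:
    """Certificate server side: True means the watermark signature succeeds and data access is allowed."""
    # The assertion must match the code measurement the server expects for this trusted process.
    expected_rl = assertion_rl(expected_measurement, report["pubkey"], report["random"])
    if not hmac.compare_digest(expected_rl, report["rl"]):
        return False
    msg = recover_digest(report["signature"])       # MSG exported from the signature
    if msg is None:
        return False
    md2 = sha256(report["log"])                     # terminal log hash value, MD2
    return hmac.compare_digest(msg, md2)            # identical: log not tampered with

# Constructed sample input (not from the page).
SAMPLE_LOG = b"2018-04-10T09:00:01 svc=order-api uid=1001 action=read status=ok\n"
SAMPLE_MEASUREMENT = sha256(b"trusted-process-code-v1")

def demo() -> dict:
    report = trusted_process_report(SAMPLE_LOG, SAMPLE_MEASUREMENT)
    results = {"untouched": watermark_signature(report, SAMPLE_MEASUREMENT)}
    tampered = dict(report, log=report["log"].replace(b"status=ok", b"status=root"))
    results["tampered_log"] = watermark_signature(tampered, SAMPLE_MEASUREMENT)
    results["wrong_measurement"] = watermark_signature(report, sha256(b"other-code"))
    return results
```

Two things the toy makes visible: the server rejects before it touches the log when the assertion RL does not match the measurement it expects, so a trusted process running modified code cannot launder a log through an otherwise valid key; and the comparison of MSG with MD2 is the whole of what the page calls the watermark signature. In a real deployment the key never leaves the TPM and a padded signature scheme replaces the raw modular exponentiation used here.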
In the authentication phase between multiple heterogeneous terminals and the hybrid cloud, the certificate server of the hybrid cloud preferably uses a traceable authentication mode: if a terminal misbehaves, the true identity of the client can be traced, and an illegitimate user cannot obtain legitimate computing services from the virtual machines. The traceable authentication method proceeds as follows:
The hybrid cloud HC initializes its own public and private keys and the system parameters, and publishes the system parameters, including the security parameter λ and a large prime p. At the same time it generates public and private keys for all virtual machine nodes; the public key and private key of any virtual machine node S_j are denoted PK_j and sk_j. HC defines a cyclic additive group G of order q and defines the hash functions h, h1, h2, h3.
The hybrid cloud HC chooses a random number s, and sets the private key of virtual machine node S_j to sk_s and its public key to PK_s. The system common parameters are distributed by default to all terminals and virtual machine nodes.
Any terminal U_i selects a random number, generates a pseudonym VX'_i, and sends its true identity UID_i together with the pseudonym VX'_i to the hybrid cloud HC.
According to the received true identity UID_i and pseudonym VX'_i of terminal U_i, HC uses its own private key to compute another pseudonym VX''_i for terminal U_i; the pseudonym VX'_i and the other pseudonym VX''_i together form the complete virtual identity of terminal U_i, VX_i = {VX'_i, VX''_i}.
HC checks the legitimacy of the terminal identity C_i. If it is legitimate, HC computes VX''_i = UID_i ⊕ h(s, VX_i).
HC generates a private key s_i and a public key parameter W_i for terminal U_i, and sends the complete virtual identity VX_i, the private key s_i and the public key parameter W_i of terminal U_i to terminal U_i over a secure channel.
HC randomly chooses w_i and computes W_i = h1(VX_i, w_i). It sends {VX_i, W_i, s_i} to terminal U_i over a secure channel.
Terminal U_i verifies the legitimacy of the received private key s_i against the system parameters and the public key parameter W_i. If the verification passes, it accepts the private key s_i, selects a random number as its own trapdoor x_i, and uses the trapdoor x_i to generate the public key PK_i of terminal U_i. The trapdoor x_i and the private key s_i together form the complete private key (x_i, s_i) of terminal U_i; the public key PK_i and the public key parameter W_i together form the complete public key (PK_i, W_i) of terminal U_i.
Before terminal U_i prepares to send a message to any virtual machine node, U_i computes:

b_i = h1(VX_i, X_i)
y_i = s_i + b_i x_i

where b_i is the hash value of terminal U_i, h1() is a hash function, and y_i is the static signature of terminal U_i.

When terminal U_i decides to send message m to virtual machine node S_j, U_i encrypts the online signature generated from message m and the parameters b_i and y_i:

h_i = h2(m, VX_i, X_i, t)
σ_i = h_i y_i
Q_i = E(VX_i || σ_i || W_i || PK_i)

where t is the current time, || denotes string concatenation, and Q_i is the ciphertext of terminal U_i.

Terminal U_i sends the message signature parameters {Q_i, t} to virtual machine node S_j.

If virtual machine node S_j receives the parameters of n message signatures within a period of time, with n > 1, S_j uses its own private key sk_j and the n received message signature parameters to batch-verify the n message signatures. If they are valid, (Q_i || sk_j) is used as the session token between virtual machine node S_j and terminal U_i; otherwise, virtual machine node S_j refuses message communication with the n terminals.
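The registration, signing and batch-verification steps above as one runnable round, added here as an example that is not the patent's or the applicant's code. It fixes the group G to secp256k1 and the hash functions h, h1, h2 to tagged SHA-256, which the page does not do, and it has to assume three things the page leaves open: that h in VX''_i is keyed with VX'_i (the page writes VX_i, which is not yet defined at that step), that the partial private key s_i is a random scalar with a published counterpart S_i = s_i·G, and that the node's check is the Schnorr-style equation σ_i·G = h_i·(S_i + b_i·PK_i) that follows from y_i = s_i + b_i x_i. The encryption E of Q_i is not fixed on the page and is left out. The names HybridCloud, Terminal, verify_batch and the UIDs 1001 and 1002 are the example's own.

```python
import hashlib
import secrets

# secp256k1 as the cyclic additive group G of prime order q (ASSUMPTION: the page fixes no group).
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    r = None                                         # double-and-add; not constant-time, demo only
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def H(tag: bytes, *parts) -> int:
    m = hashlib.sha256(tag)                          # the tag separates the page's h, h1 and h2
    for part in parts:
        b = part if isinstance(part, bytes) else repr(part).encode()
        m.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(m.digest(), "big") % Q

def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1

class HybridCloud:
    def __init__(self):
        self.s = rand_scalar()                           # master secret s

    def register(self, uid: int, vx1: int):
        """Issue VX''_i = UID_i xor h(s, VX'_i) and the terminal's partial key (s_i, W_i)."""
        vx = (vx1, uid ^ H(b"h", self.s, vx1))           # ASSUMPTION: h keyed with VX'_i, not VX_i
        W_i = H(b"h1", vx, rand_scalar())                # W_i = h1(VX_i, w_i) as on the page
        s_i = rand_scalar()                              # ASSUMPTION: page gives no derivation of s_i
        return vx, W_i, s_i, ec_mul(s_i, G)              # ASSUMPTION: S_i = s_i*G is published

    def trace(self, vx) -> int:
        return vx[1] ^ H(b"h", self.s, vx[0])            # only the holder of s recovers UID_i

class Terminal:
    def __init__(self, uid: int):
        self.uid = uid
        self.vx1 = H(b"pseudonym", uid, rand_scalar())   # VX'_i from a random number

    def accept_keys(self, vx, W_i, s_i, S_i):
        if ec_mul(s_i, G) != S_i:                        # legitimacy check of s_i (ASSUMPTION)
            raise ValueError("partial private key rejected")
        self.vx, self.W_i, self.S_i = vx, W_i, S_i
        self.x_i = rand_scalar()                         # trapdoor x_i
        self.X_i = ec_mul(self.x_i, G)                   # PK_i
        b_i = H(b"h1", vx, self.X_i)
        self.y_i = (s_i + b_i * self.x_i) % Q            # static signature, computed offline

    def sign(self, m: bytes, t: int) -> dict:
        h_i = H(b"h2", m, self.vx, self.X_i, t)
        # Q_i = E(VX_i || sigma_i || W_i || PK_i): E is not fixed on the page, so the fields
        # are returned in the clear here; in practice they must be encrypted to S_j (see note).
        return {"vx": self.vx, "sigma": h_i * self.y_i % Q, "W": self.W_i,
                "PK": self.X_i, "S": self.S_i, "m": m, "t": t}

def verify_batch(sigs: list) -> bool:
    """ASSUMPTION: Schnorr-style check sigma_i*G == h_i*(S_i + b_i*PK_i); random weights per signature."""
    lhs = rhs = None
    for sig in sigs:
        r = secrets.randbits(64) | 1
        b_i = H(b"h1", sig["vx"], sig["PK"])
        h_i = H(b"h2", sig["m"], sig["vx"], sig["PK"], sig["t"])
        lhs = ec_add(lhs, ec_mul(r * sig["sigma"] % Q, G))
        rhs = ec_add(rhs, ec_mul(r * h_i % Q, ec_add(sig["S"], ec_mul(b_i, sig["PK"]))))
    return lhs == rhs

def demo() -> dict:
    hc, terms = HybridCloud(), [Terminal(1001), Terminal(1002)]   # constructed UIDs
    sigs = []
    for term in terms:
        term.accept_keys(*hc.register(term.uid, term.vx1))
        sigs.append(term.sign(b"start vm", t=1523347200))
    forged = dict(sigs[0], m=b"delete vm")              # sigma reused for a different message
    return {"batch": verify_batch(sigs), "forged": verify_batch([forged]),
            "batch_with_forged": verify_batch(sigs + [forged]),
            "traced": hc.trace(sigs[0]["vx"]) == 1001}
```

Two caveats the run makes concrete. Because σ_i is h_i times the static scalar y_i and h_i is computable from public data, anyone who sees σ_i in the clear recovers y_i = σ_i · h_i^(-1) mod q and can then sign arbitrary messages for that terminal, and S_j itself learns y_i after decrypting Q_i; in this scheme the confidentiality of Q_i under E is therefore load-bearing. The random 64-bit weights in verify_batch are the standard small-exponent test: without them, two bad signatures whose errors cancel would pass an aggregated check that each would fail on its own.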
In summary, the present invention proposes a highly reliable cloud platform service providing method that encrypts the service requests of terminals, achieves security verification of service access in the hybrid cloud, and improves the data security of the hybrid cloud.
Obviously, those skilled in the art will understand that the modules or steps of the invention described above may be implemented with a general-purpose computing system; they may be concentrated in a single computing system or distributed over a network formed by multiple computing systems, and optionally they may be implemented as program code executable by a computing system, so that they can be stored in a storage system and executed by a computing system. The present invention is therefore not limited to any specific combination of hardware and software.
It should be understood that the specific embodiments of the present invention described above serve only to illustrate or explain the principles of the invention and not to limit it. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the invention shall fall within its scope of protection. In addition, the appended claims are intended to cover all variations and modifications that fall within the scope and boundaries of the claims or their equivalents.

Claims (1)

1. A highly reliable cloud platform service providing method, for terminal identity authentication by a server in a hybrid cloud and for the encrypted distribution of terminal access permissions, characterized in that it comprises:
the terminal sends its own ID, i.e. its UID, to the certificate server, and the certificate server queries its local storage pool to check whether the terminal UID has been stored;
if the terminal has been registered, the certificate server generates a digital certificate CTE1, which serves as the digital certificate between the terminal and the certificate server;
the certificate server makes a copy of the generated CTE1, retrieves the terminal's fingerprint information and its own authorization private key from the local storage pool, encrypts CTE1 with the terminal's fingerprint information, and encrypts a packet containing CTE1 and the terminal UID with its own authorization private key;
the certificate server then sends both pieces of information, the one encrypted with the terminal fingerprint information and the one encrypted with its own authorization private key, back to the terminal, denoted E_user_fp(CTE1) and E_AS_fp(CTE1+UID);
after the terminal receives the information returned by the certificate server, it decrypts CTE1 with its own fingerprint information, then uses CTE1 to encrypt its UID and the requested service ID to produce E_CTE1(UID + requested service ID), and sends it together with E_AS_fp(CTE1+UID) to the certificate server;
the certificate server decrypts E_AS_fp(CTE1+UID) with its own authorization private key to obtain CTE1 and UID, then uses CTE1 to decrypt E_CTE1(UID + requested service ID) to obtain the UID and the requested service ID, and compares whether the two UIDs obtained are identical; if they are identical, the certificate server's authentication of the terminal is complete, and it grants the terminal access rights to the virtual machine that executes the requested service.
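The six steps of the claim as one end-to-end run, added here as an example and not the patent's or the assignee's code. The claim does not say which cipher "encrypt with the fingerprint information" or "encrypt with the authorization private key" uses, so the example assumes a symmetric key derived from a stable fingerprint template and a symmetric authorization key, and uses a toy SHA-256 keystream with an HMAC tag as the cipher. The UIDs, the service ID "order-api" and the templates are constructed; seal, open_, fingerprint_key, CertificateServer and Terminal are the example's own names.

```python
import hashlib
import hmac
import os

def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter keystream (toy cipher; ASSUMPTION: stands in for a real AEAD)."""
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        return None
    return bytes(b ^ s for b, s in zip(body, _stream(key, nonce, len(body))))

def fingerprint_key(template: bytes) -> bytes:
    # ASSUMPTION: a stable template; real biometrics need a fuzzy extractor for a repeatable key.
    return hashlib.sha256(b"fp-key|" + template).digest()

class CertificateServer:
    def __init__(self):
        self.as_key = os.urandom(32)          # the "authorization private key", used symmetrically here
        self.pool = {}                        # local storage pool: UID -> fingerprint template

    def enroll(self, uid: bytes, template: bytes):
        self.pool[uid] = template

    def issue(self, uid: bytes):
        """Steps 1-4: look up the UID, mint CTE1, return E_user_fp(CTE1) and E_AS_fp(CTE1+UID)."""
        if uid not in self.pool:
            return None                       # UID never registered
        cte1 = os.urandom(32)
        return seal(fingerprint_key(self.pool[uid]), cte1), seal(self.as_key, cte1 + b"|" + uid)

    def authorize(self, e_cte1_req: bytes, e_as: bytes):
        """Step 6: recover CTE1 and UID from E_AS_fp, decrypt the request, compare the two UIDs."""
        inner = open_(self.as_key, e_as)
        if inner is None:
            return None
        cte1, uid_from_as = inner[:32], inner[33:]
        req = open_(cte1, e_cte1_req)
        if req is None:
            return None                       # request was not encrypted under this CTE1
        uid_from_req, _, service_id = req.partition(b"|")
        if not hmac.compare_digest(uid_from_as, uid_from_req):
            return None                       # UIDs differ: authentication fails
        return uid_from_as, service_id        # grant access to the VM running service_id

class Terminal:
    def __init__(self, uid: bytes, template: bytes):
        self.uid, self.template = uid, template

    def respond(self, e_user_fp: bytes, e_as: bytes, service_id: bytes):
        """Step 5: unwrap CTE1 with the fingerprint, wrap UID+service ID under CTE1, echo E_AS_fp."""
        cte1 = open_(fingerprint_key(self.template), e_user_fp)
        if cte1 is None:
            return None                       # wrong finger: CTE1 never leaves its envelope
        return seal(cte1, self.uid + b"|" + service_id), e_as

# Constructed sample data (not from the page).
ALICE_TEMPLATE = b"minutiae:alice:v1"

def demo() -> dict:
    server = CertificateServer()
    server.enroll(b"1001", ALICE_TEMPLATE)
    alice = Terminal(b"1001", ALICE_TEMPLATE)
    mallory = Terminal(b"1001", b"minutiae:mallory:v1")  # claims Alice's UID, has his own finger
    results = {}
    e_user_fp, e_as = server.issue(b"1001")
    results["granted"] = server.authorize(*alice.respond(e_user_fp, e_as, b"order-api"))
    results["wrong_fingerprint"] = mallory.respond(e_user_fp, e_as, b"order-api")
    # A holder of CTE1 who encrypts a different UID still fails the UID comparison.
    cte1 = open_(fingerprint_key(ALICE_TEMPLATE), e_user_fp)
    results["uid_mismatch"] = server.authorize(seal(cte1, b"1002|order-api"), e_as)
    results["unregistered"] = server.issue(b"9999")
    return results
```

The check that carries the claim is the last one in authorize: the UID inside E_AS_fp(CTE1+UID) was written by the server and never passed through the terminal in the clear, so it can only match the UID inside E_CTE1(...) if the sender unwrapped CTE1 with the enrolled fingerprint. Note that nothing in the six steps is fresh per run beyond CTE1 itself; the pair (E_CTE1(...), E_AS_fp(CTE1+UID)) is stable until the server forgets CTE1, so a deployment would add a nonce or an expiry bound to CTE1, which the claim does not specify.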
Application CN201810317120.2A, priority date 2018-04-10, filing date 2018-04-10, title "High-reliability cloud platform service providing method", status Active, granted as CN108616517B.

Publications (2)

Publication Number Publication Date
CN108616517A 2018-10-02
CN108616517B 2021-07-09

Family ID 63659764

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491545A (en) * 2020-11-30 2021-03-12 山东可信云信息技术研究院 Credible hybrid cloud management platform, access method and system
CN115150419A (en) * 2022-09-05 2022-10-04 杭州华卓信息科技有限公司 Configuration and access method and system for hybrid cloud object storage

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005093581A1 (en) * 2004-03-26 2005-10-06 Shanghai Sanlen Info Security Co., Ltd. Title: secret file access authorization system with fingerprint limiation
CN101741561A (en) * 2008-11-17 2010-06-16 联想(北京)有限公司 Method and system for authenticating two-way hardware
CN101794363A (en) * 2010-01-29 2010-08-04 华中科技大学 Network multimedia copyright active following and monitoring system
CN104184743A (en) * 2014-09-10 2014-12-03 西安电子科技大学 Three-layer authentication system and method oriented to cloud computing platform
WO2015013474A2 (en) * 2013-07-25 2015-01-29 Siemens Healthcare Diagnostics Inc. Anti-piracy protection for software
US20160241558A1 (en) * 2015-02-13 2016-08-18 International Business Machines Corporation Automatic Key Management Using Enterprise User Identity Management
CN107135219A (en) * 2017-05-05 2017-09-05 四川长虹电器股份有限公司 A kind of Internet of Things information secure transmission method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MENG SHEN等: "《Certificate-Aware Encrypted Traffic Classification》", 《2016 IEEE/ACM 24TH INTERNATIONAL SYMPOSIUM ON QUALITY OF SERVICE (IWQOS)》 *
蔡龙飞: "《一种公钥密码体制下指纹识别与数字水印的身份认证协议》", 《中山大学学报 ( 自然科学版)》 *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210604
Address after: 730000 room 2-1, 4th floor, building 13, No.5 south of Gaoxin s625 Road, Chengguan District, Lanzhou City, Gansu Province
Applicant after: Gansu Bailong E-Commerce Technology Co.,Ltd.
Address before: No. 28-2, Zhongtian village group, Qinggang village committee, Tianxing Town, Daguan County, Zhaotong City, Yunnan Province
Applicant before: Xiao hengnian

GR01 Patent grant