CN111241492A - Product multi-tenant secure credit granting method, system and electronic equipment - Google Patents
- Publication number
- CN111241492A (application CN201911379305.7A)
- Authority
- CN
- China
- Prior art keywords
- tenant
- information
- authorized
- verified
- signature certificate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/105—Arrangements for software license management or administration, e.g. for managing licenses at corporate level
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The invention discloses a method, a system and electronic equipment for multi-tenant secure credit authorization of products, the method comprising an authorization step and a verification step. The authorization step comprises: generating a unique pair of private key and public key for an authorized tenant by adopting an asymmetric encryption algorithm, and storing the association relationship between the public key and the authorized tenant; reading personal information and authorization information of the authorized tenant, and generating an information digest of the authorized tenant; generating a signature certificate of the authorized tenant by using the private key and the information digest corresponding to the authorized tenant. The verification step comprises: receiving a verification request of a verified tenant, and reading verification information and an associated public key of the verified tenant; acquiring the signature certificate of the verified tenant, and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key. The invention generates the signature certificate used for verification from the private key and the information digest of the authorized tenant, and has better security.
Description
Technical Field
The invention belongs to the technical field of software services, and particularly relates to a method, a system and electronic equipment for multi-tenant secure credit granting of a product.
Background
Multi-tenant means that the software architecture supports multiple users (customers) with one service instance. Each user is called a tenant, and the software gives tenants the ability to partially customize the system, such as user interface colors or business rules, but they cannot modify the software's code. In the field of cloud computing, the meaning of multi-tenancy has been extended as new service models take advantage of virtualization and remote access. For example, a software as a service (SaaS) provider provides Web access services to a plurality of users using an application system running on one database instance. In this scenario, data between tenants is isolated and each tenant's data is guaranteed to be invisible to other tenants.
In both the traditional application scenario and the cloud computing application scenario, software providers need a secure credit granting method to ensure that their software and hardware products are not abused. In the existing multi-tenant secure credit granting methods for products, when a tenant uses different services on a cloud platform, such as ECS elastic computing resources, middleware, third-party services, and the like, the authorization and authentication solutions adopted by different service providers may be inconsistent, the requirements on the software and hardware of the platform are high, and efficiency is low. In addition, the existing multi-tenant secure credit granting methods for products mostly adopt the RSA encryption algorithm, which cannot meet requirements for speed and security.
Disclosure of Invention
Aiming at least one defect or improvement requirement in the prior art, the invention provides a method, a system and electronic equipment for multi-tenant secure credit authorization of products.
In order to achieve the above object, according to a first aspect of the present invention, there is provided a method for multi-tenant security trust of a product, comprising an authorization step and a verification step;
the step of authorizing comprises:
generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm, and storing the association relationship between the public key and the authorized tenant;
reading personal information and authorization information of an authorized tenant, and generating an information digest of the authorized tenant;
generating a signature certificate of the authorized tenant by using a private key and an information digest corresponding to the authorized tenant;
the verifying step includes:
receiving a verification request of a verified tenant, and reading verification information and an associated public key of the verified tenant;
and acquiring the signature certificate of the verified tenant, and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
Preferably, a salt is added in the process of generating a unique pair of private key and public key for the authorized tenant by adopting the asymmetric encryption algorithm.
Preferably, the verifying the signature certificate of the verified tenant comprises:
decrypting the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key, and extracting the information digest in the signature certificate;
and checking the verification information of the verified tenant against the extracted information digest.
Preferably, when the authorization information of the authorized tenant changes, a new information digest is generated for the authorized tenant according to the personal information of the authorized tenant and the changed authorization information;
and regenerating the signature certificate of the authorized tenant by using the private key corresponding to the authorized tenant and the new information digest.
Preferably, the authorizing step comprises: after the signature certificate of the authorized tenant is generated, encrypting the signature certificate by adopting an AES256 encryption algorithm;
the verifying step includes: before verifying the signature certificate of the verified tenant, decrypting the signature certificate of the tenant through a decryption algorithm.
Preferably, the asymmetric encryption algorithm is an elliptic curve digital signature algorithm.
According to a second aspect of the invention, a product multi-tenant security credit granting system is provided, comprising an authorization device and a verification device;
the authorization device includes:
the key generation module is used for generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm and storing the association relationship between the public key and the authorized tenant;
the information digest generating module is used for reading the personal information and the authorization information of the authorized tenant and generating an information digest of the authorized tenant;
the signature certificate generation module is used for generating a signature certificate of each tenant by using a private key and an information digest corresponding to each tenant;
the verification device includes:
the reading module is used for receiving a verification request of a verified tenant and reading verification information and an associated public key of the verified tenant;
and the verification module is used for acquiring the signature certificate of the verified tenant and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
According to a third aspect of the present invention, there is provided an electronic device comprising a processor and a memory, wherein the processor runs a program corresponding to an executable program code stored in the memory by reading the executable program code for implementing any one of the above methods.
Generally, compared with the prior art, the technical scheme of the invention has the following beneficial effects:
(1) Different service providers can adopt the same authorization and authentication scheme, which addresses the high platform software and hardware requirements and the low efficiency of inconsistent schemes. The multi-tenant sharing scenario is supported: only one set of encryption and verification algorithms needs to be maintained for different tenants, a different signature certificate is generated for each tenant from that tenant's private key and information digest, and security and efficiency are greatly improved compared with the prior art.
(2) A salt value is added in the asymmetric encryption process, which further improves the security of the certificate. In addition, compared with the mainstream RSA digital signature algorithm, the invention further greatly improves the security and efficiency of the certificate by adopting the ECDSA asymmetric encryption algorithm.
(3) The process of generating the certificate by encrypting with the private key is separated from the process of decrypting with the public key, which further enhances the security of the system.
(4) The certificate is stored with secondary encryption, which ensures that different tenants in cloud mode have different certificate decryption methods and avoids "abusive sharing" of certificates.
(5) When the authorization information changes, the information digest changes dynamically, so the same algorithm generates a different certificate; the product end uses the same algorithm to decrypt the certificate and extract the certificate's digest information, which realizes dynamic renewal of certificates.
(6) The security guarantee and the information abstract in the whole set of scheme can be dynamically expanded according to the actual product form and the service form.
Drawings
Fig. 1 is a schematic diagram illustrating a principle of a multi-tenant secure trust method for a product according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating authorization steps of a method for multi-tenant secure trust of a product according to an embodiment of the present invention;
Fig. 3 is a flowchart of verification steps of a method for multi-tenant secure trust of a product according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The principle of the method, system and electronic equipment for multi-tenant secure credit authorization of a product provided by the embodiment of the invention is shown in Fig. 1. Generally, a software service system comprises a product server side and a product client side, and in order to perform secure credit authorization on a software service, the product multi-tenant secure credit authorization system is deployed on the software service system. The product multi-tenant security credit granting system comprises an authorization device and a verification device. The authorization device is deployed at the product server side and provides authorization management of products for the product operation team. The verification device is deployed at the product client and is used for verifying the tenant, judging whether the tenant has the right to use the product, and the like. The tenant obtains the right to use the product through purchase and the like. In one specific implementation, the authorization and verification devices may be small software tools that are isolated from the source code of the product for ease of maintenance.
The product multi-tenant security trust method provided by the embodiment of the invention comprises an authorization step and a verification step. The authorization step may be performed by the authorization device at the server side. The verification step may be performed by the verification device embedded in the product client.
The authorization step, as shown in fig. 2, includes:
S1. Generate a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm, and store the association relationship between the public key and the authorized tenant.
For example, when a tenant registers in the platform for the first time, the product multi-tenant security trust device generates a unique pair of private key and public key for each tenant based on a registration request of the tenant.
The public key information is sent to the verifying device, and the verifying device stores the public key of each tenant in association with the unique identifier of the tenant, that is, the public key and the tenant have a one-to-one correspondence relationship, so that the public key corresponding to the tenant can be read according to the verification request in step S4 to perform validity verification and information digest extraction on the signature certificate.
The private key is used in step S3, together with the information digest, to generate the signature certificate.
Preferably, an Elliptic Curve Digital Signature Algorithm (ECDSA) is used to generate a unique pair of private key and public key for each tenant.
Preferably, a salt is added in the process of generating a unique pair of private key and public key for an authorized tenant with the asymmetric encryption algorithm, that is, the random key pair is generated after hashing the salt. The salt value is equivalent to an encryption key, so it increases the difficulty of cracking and strengthens the security of the one-way hash calculation. Common one-way hashing algorithms are MD5, SHA, etc. One feature of a one-way hashing algorithm is that any slight change in the input results in a completely different output. The salt value can be changed dynamically according to the actual product form and service form: in a conventional case such as a stand-alone product, the salt value can be a CPU, motherboard or BIOS serial number, a MAC address, and the like; in the cloud image mode, the salt value used for key pair generation can be a tenant code or a UUID. Adding a salt value further enhances the security of the credit authorization.
S2. Read the personal information and the authorization information of the authorized tenant and generate an information digest of the authorized tenant.
The personal information can be unique identification such as a tenant login name, a mobile phone number, a mailbox and the like.
The authorization information may be authorization information generated by the product operation team according to specific purchased contents after the tenant obtains authorization of the product through a purchase service or the like, for example, the number of supported users, storage space, validity time, an authorization network IP address field, and the like.
The authorization device reads the personal information and the authorization information of the authorized tenant and generates a corresponding information digest from them.
Preferably, when the authorization information of the authorized tenant changes, a new information digest is generated for the tenant according to the personal information of the authorized tenant and the changed authorization information, and the signature certificate of the tenant is regenerated by using the private key corresponding to the tenant and the new information digest. For example, when a tenant needs to renew its product authorization time, expand the number of authorized users, expand the storage space, etc., new authorization information may be generated, so as to update the information digest, generate a new signature certificate, and implement hot update of the trust validity without restarting the product.
S3. Generate a signature certificate of the authorized tenant by using the private key and the information digest corresponding to each tenant.
The signed certificate is provided to the verification device for verification. Many specific implementations are possible. One way is to embed the generated signature certificate into the product client; another way is to send the generated signed certificate to a third-party signed certificate management center for management. The generated signature certificate can also be selectively issued to the tenant for reservation.
Preferably, the generated signature certificate is encrypted and protected with the AES256 encryption algorithm, so that different tenants of the product have different decryption keys, which prevents certificate sharing among tenants.
The verification step, as shown in fig. 3, includes:
S4. Receive the verification request of the verified tenant, and read the verification information and the associated public key of the verified tenant.
The verification request can be a login request when the tenant logs in to the product system, or a preset timed verification request in the product.
The verification information of the tenant may be the user name, the time, and the like at login.
The associated public key is searched according to the public key sent by the authorization device to the verification device and the association relationship between the public key and the authorized tenant in step S1.
S5. Acquire the signature certificate of the verified tenant, and verify the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
If the signature certificate generated in step S3 is embedded in the product client, the verification device obtains the signature certificate of the tenant from the product client after receiving the tenant verification request. If the signed certificate generated in step S3 is sent to the third-party signed certificate management center for management, when the verification apparatus receives the tenant verification request, the signed certificate of the tenant is obtained from the third-party signed certificate management center.
The verification process includes two steps. The first step is to decrypt the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key, and to verify whether the public key matches the private key with which the signature certificate was generated; if this verification succeeds, the information digest in the signature certificate is extracted. The second step is to compare the verification information of the verified tenant with the information recorded in the extracted information digest, to judge whether the tenant has the corresponding operation permission on the product client.
Preferably, after the tenant logs in the product client, the product client may further determine whether the tenant is the tenant to which the product belongs, and if it is determined that the tenant is the tenant to which the product belongs, the product client reads the public key associated with the tenant.
Preferably, if the AES256 encryption algorithm is used to perform encryption protection on the generated signature certificate after step S3, the signature certificate of the tenant is decrypted by the decryption algorithm before the signature certificate of the tenant is verified.
Preferably, if the extracted information digest shows that the tenant's authorization validity period has been exceeded, the tenant is prompted to renew; after the tenant completes the renewal operation, the certificate digest information is updated and the system is triggered to regenerate a new certificate, or the product operation team uses an operation management platform tool to generate a new valid certificate, issues it to the tenant, and then updates the certificate on the platform.
It should be understood that the above steps, although numbered, are not necessarily performed in the order recited, unless explicitly stated herein or order can be inferred directly from the description herein.
The advantages of using the ECDSA asymmetric encryption algorithm are described in more detail below. The signature in the ECDSA algorithm uses ECC, which can greatly improve the security and efficiency of the certificate; compared with the RSA digital signature algorithm generally adopted in the prior art, the ECDSA algorithm has absolute advantages in many aspects, mainly the following. Strong attack resistance: at the same key length, its attack resistance is many times stronger. Small computation and fast processing: the overall speed of ECC is much higher than that of RSA and DSA. Small storage footprint: the key size and system parameters of ECC are much smaller than those of RSA and DSA, so it occupies much less storage space, which is particularly important for applying the encryption algorithm on IC cards. Low bandwidth requirement: when long messages are encrypted and decrypted, the three types of cryptosystems have the same bandwidth requirement, but ECC's bandwidth requirement is much lower for short messages, which gives ECC wide application prospects in the field of wireless networks.
Tables 1 and 2 show the speed and security comparisons for RSA and ECC, respectively.
Table 1: RSA and ECC speed comparison
Table 2: RSA and ECC Security comparison
The product multi-tenant security credit granting system comprises an authorization device and a verification device;
the authorization device includes:
the key generation module is used for generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm, and the public key and the association relationship between the public key and the authorized tenant are sent to the verification device;
the information digest generating module is used for reading the personal information and the authorization information of the authorized tenant and generating an information digest of the authorized tenant;
the signature certificate generation module is used for generating a signature certificate of an authorized tenant by using a private key and an information digest corresponding to each tenant;
the verification device includes:
the reading module is used for receiving a verification request of a verified tenant and reading verification information and an associated public key of the verified tenant;
and the verification module is used for acquiring the signature certificate of the verified tenant and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
In one embodiment, the authorization apparatus further includes an encryption module, configured to encrypt the signing certificate with an AES256 encryption algorithm after the generating of the signing certificate of each tenant;
the verifying device further comprises a decrypting module, which is used for decrypting the signature certificate of the tenant through a decrypting algorithm before the public key associated with the tenant is used for verifying the signature certificate of the tenant.
The implementation principle and technical effect of the product multi-tenant security trust system provided by the embodiment are similar to those of the method, and are not described herein again.
The following specifically describes a software implementation of the product multi-tenant security trust method and system of the present invention. The software implementation of the present invention is not limited to a particular development and design language; the following provides an implementation based on Golang (Go for short).
Software implementation on the product server side:
1. Define an information digest structure with the following main properties: unique Code, authorized user mailbox, total number of authorized users, and authorization validity time (as above, these can be dynamically expanded).
2. Define and implement a key pair generation method by calling the API of a mature base library chosen according to the development language; in Go, "crypto/ecdsa" and "crypto/encapsulating" can be used (as above, a random salt value can be added dynamically for strengthening).
3. Define and implement a method for generating a random unique Code. One implementation: generate random numbers with a specified number of digits, using the nanosecond count of the current timestamp as the random seed, and dynamically splice them into a specified format, such as XXXXXX-XXXX-XXXX-XXXXXX.
4. Define and implement a data encryption method under the AES256 algorithm. Main parameters: original data, encryption key. One implementation: dynamically assemble a 32-byte block key according to the length of the secret key (the rule is self-defined, such as repeating it several times or padding what is missing), then call the API of a mature base library to perform the encryption; in Go, "crypto/aes" can be used.
5. Define and implement a license generation method. Main parameters: information digest data, tenant encryption key. One implementation: serialize the information digest to binary and keep it, call the defined key pair generation method to generate a key, then generate a certificate from the key and the digest information with the hash signature algorithm in ECDSA; after the certificate is Base32 or Base64 encoded, call the defined AES256 encryption method with the tenant encryption key to perform secondary encryption, and finally return the encrypted data.
The software implementation of the product client can be placed in the product source code, and includes:
1. defining and realizing an AES256 decryption method, wherein the main parameters are as follows: encrypt data, decrypt key, one implementation: and generating a final 32-bit block Key corresponding to the dynamic processing mode of the secret Key in the AES256 encryption algorithm, calling the basic library API to decrypt the encrypted data, and returning the decrypted plaintext data.
2. Defining and realizing a license correctness verification method, wherein the main parameters are as follows: license data, an implementation manner, corresponding to the above license encoding method, firstly decrypts the Base32 or Base64 bit, then obtains the public key in the key pair generated in the earlier stage, and verifies the validity of the certificate by using the public key (as above, the basic library has corresponding API)
3. Defining and realizing a license abstract information acquisition method, wherein the main parameters are as follows: the encrypted license data is decrypted by calling the AES256 decryption algorithm to obtain plaintext data, then calling the correctness verification method of the license to verify the correctness, reading summary information by deserializing the verified license, and returning the summary information to the verified license
4. Defining and realizing a license validity verification method, wherein the main parameters are as follows: the encrypted license data is implemented by calling a digest information acquisition method to acquire digest information, and comparing the digest information according to the limiting conditions in the digest information, for example: and judging the validity of the certificate before and after the current time and the authorization valid time, the current number of registered users, the total number of authorized users and the like.
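The server-side license generation (step 5) and the client-side correctness and validity checks (steps 2 to 4) described above, as an added Go example that is not code from the patent. It covers signing and verification and leaves out the AES256 wrapping and Base32/Base64 encoding; the names `Digest`, `License`, `NewKey`, `Issue` and `Check`, the P-256 curve, SHA-256 hashing and JSON serialization are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Digest mirrors the information digest; field names are assumptions.
type Digest struct {
	Code, Email string
	MaxUsers    int
	Expires     time.Time
}
type License struct{ Body, Sig []byte } // serialized digest + ECDSA signature
// NewKey generates one tenant's key pair (P-256 is an assumption).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Issue (server side) serializes the digest and signs its SHA-256 hash.
func Issue(priv *ecdsa.PrivateKey, d Digest) (License, error) {
	body, err := json.Marshal(d)
	if err != nil {
		return License{}, err
	}
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return License{body, sig}, err
}

// Check (client side) verifies the signature before trusting any field.
func Check(pub *ecdsa.PublicKey, l License, users int, now time.Time) error {
	h := sha256.Sum256(l.Body)
	if !ecdsa.VerifyASN1(pub, h[:], l.Sig) {
		return fmt.Errorf("signature does not match tenant public key")
	}
	var d Digest
	if json.Unmarshal(l.Body, &d) != nil || now.After(d.Expires) || users > d.MaxUsers {
		return fmt.Errorf("license malformed, expired or over user limit")
	}
	return nil
}

func main() {
	priv, _ := NewKey() // constructed sample tenant and digest values below
	lic, _ := Issue(priv, Digest{"A1B2C3-0001", "admin@tenant.example", 50, time.Now().Add(time.Hour)})
	fmt.Println("check:", Check(&priv.PublicKey, lic, 10, time.Now()))
}
```

Because the limits are read only after the signature verifies, editing the user count or expiry in the serialized digest invalidates the license, and a license issued for one tenant fails against another tenant's public key.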
In order to implement the foregoing embodiment, an embodiment of the present invention further provides an electronic device comprising a processor and a memory. The memory and the processor are electrically connected, directly or indirectly, to enable transmission or interaction of data. The memory stores a computer program which, when executed by the processor, implements the technical solution of any one of the above embodiments of the multi-tenant security trust method. The processor performs various functional applications and data processing by executing the software programs and modules stored in the memory. The processor may be an integrated circuit chip having signal processing capabilities, and it executes the program after receiving the execution instruction. Optionally, the software programs and modules in the memory may also include an operating system, which may include various software components and/or drivers for managing system tasks and may communicate with various hardware or software components to provide an operating environment for other software components. The implementation principle and technical effect of the electronic device provided by this embodiment are similar to those of the above method and are not described again here.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A product multi-tenant security credit granting method is characterized by comprising an authorization step and a verification step;
the step of authorizing comprises:
generating a unique pair of private key and public key for an authorized tenant by adopting an asymmetric encryption algorithm, and storing the association between the public key and the authorized tenant;
reading personal information and authorization information of an authorized tenant, and generating an information abstract of the authorized tenant;
generating a signature certificate of the authorized tenant by using a private key and an information abstract corresponding to the authorized tenant;
the verifying step includes:
receiving a verification request of a verified tenant, and reading verification information and an associated public key of the verified tenant;
and acquiring the signature certificate of the verified tenant, and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
2. The method for multi-tenant secure trust of a product of claim 1, wherein a salt is added in the process of generating a unique pair of private key and public key for an authorized tenant by using an asymmetric encryption algorithm.
3. The product multi-tenant secure trust method as claimed in claim 1 or 2, wherein the verifying the signed certificate of the verified tenant comprises:
decrypting the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key, and extracting the information abstract in the signature certificate;
and verifying the verification information of the verified tenant and the extracted information abstract.
4. The product multi-tenant security trust method as claimed in any one of claims 1 or 2, characterized in that when the authorization information of the authorized tenant changes, a new information summary is generated for the authorized tenant according to the personal information of the authorized tenant and the changed authorization information;
and regenerating the signature certificate of the authorized tenant by using the private key corresponding to the authorized tenant and the new information digest.
5. The multi-tenant secure credit granting method of any one of claims 1 or 2,
the step of authorizing comprises: after the signature certificate of the authorized tenant is generated, encrypting the signature certificate by adopting an AES256 encryption algorithm;
the verifying step includes: before verifying the signature certificate of the verified tenant, decrypting the signature certificate of the tenant through a decryption algorithm.
6. The product multi-tenant secure credit granting method of claim 1 or 2, wherein the asymmetric encryption algorithm is an elliptic curve digital signature algorithm.
7. A product multi-tenant secure credit granting system, characterized by comprising an authorization device and a verification device;
the authorization device includes:
the key generation module is used for generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm, and for sending the public key, together with its association with the authorized tenant, to the verification device;
the information abstract generating module is used for reading the personal information and the authorization information of the authorized tenant and generating an information abstract of the authorized tenant;
the signature certificate generation module is used for generating a signature certificate of an authorized tenant by using a private key and an information abstract corresponding to each tenant;
the verification device includes:
the reading module is used for receiving a verification request of a verified tenant and reading verification information and a related public key of the verified tenant;
and the verification module is used for acquiring the signature certificate of the verified tenant and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
8. The product multi-tenant security trust system of claim 7,
the authorization device further comprises an encryption module, which is used for encrypting the signature certificate by adopting an AES256 encryption algorithm after the signature certificate of each tenant is generated;
the verifying device further comprises a decrypting module, which is used for decrypting the signature certificate of the tenant through a decrypting algorithm before the public key associated with the tenant is used for verifying the signature certificate of the tenant.
9. The product multi-tenant security trust system of claim 7 or 8, wherein the authorization device is deployed on a product server;
the verification device is deployed on a product client.
10. An electronic device comprising a processor and a memory,
wherein the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to implement the method of any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911379305.7A CN111241492A (en) | 2019-12-27 | 2019-12-27 | Product multi-tenant secure credit granting method, system and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111241492A true CN111241492A (en) | 2020-06-05 |
Family
ID=70864667
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911379305.7A Pending CN111241492A (en) | 2019-12-27 | 2019-12-27 | Product multi-tenant secure credit granting method, system and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111241492A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140047533A1 (en) * | 2010-11-24 | 2014-02-13 | Shanjing Tang | Method and System for Authentication-based Multi-user Online Video Game |
CN103944881A (en) * | 2014-03-19 | 2014-07-23 | 华存数据信息技术有限公司 | Cloud resource authorizing method under cloud computing environment |
CN105184144A (en) * | 2015-07-31 | 2015-12-23 | 上海玖道信息科技股份有限公司 | Multi-system privilege management method |
CN109522698A (en) * | 2018-10-11 | 2019-03-26 | 平安科技(深圳)有限公司 | User authen method and terminal device based on block chain |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111783069A (en) * | 2020-06-24 | 2020-10-16 | 杭州海康机器人技术有限公司 | Operation method and device of rental equipment and equipment |
CN111917725A (en) * | 2020-06-30 | 2020-11-10 | 北谷电子有限公司上海分公司 | Encryption system and encryption method for multi-tenant SaaS platform |
CN114785845A (en) * | 2022-04-13 | 2022-07-22 | 浙江大华技术股份有限公司 | Session establishing method and device, storage medium and electronic device |
CN114785845B (en) * | 2022-04-13 | 2023-08-29 | 浙江大华技术股份有限公司 | Session establishment method and device, storage medium and electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20200605 |