CN111241492A - Product multi-tenant secure credit granting method, system and electronic equipment - Google Patents

Product multi-tenant secure credit granting method, system and electronic equipment Download PDF

Info

Publication number
CN111241492A
CN111241492A CN201911379305.7A CN201911379305A CN111241492A CN 111241492 A CN111241492 A CN 111241492A CN 201911379305 A CN201911379305 A CN 201911379305A CN 111241492 A CN111241492 A CN 111241492A
Authority
CN
China
Prior art keywords
tenant
information
authorized
verified
signature certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911379305.7A
Other languages
Chinese (zh)
Inventor
陈烈军
董喆
秦威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Fiberhome Integration Technologies Co ltd
Original Assignee
Wuhan Fiberhome Integration Technologies Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Fiberhome Integration Technologies Co ltd filed Critical Wuhan Fiberhome Integration Technologies Co ltd
Priority to CN201911379305.7A priority Critical patent/CN111241492A/en
Publication of CN111241492A publication Critical patent/CN111241492A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material
    • G06F21/105Tools for software license management or administration, e.g. managing licenses at corporate level
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a method, a system and electronic equipment for multi-tenant secure credit authorization of products, which comprises an authorization step and a verification step; the step of authorizing comprises: generating a unique pair of private key and public key for an authorized tenant by adopting an asymmetric encryption algorithm, and storing the incidence relation between the public key and the authorized tenant; reading personal information and authorization information of an authorized tenant, and generating an information abstract of the authorized tenant; generating a signature certificate of the authorized tenant by using a private key and an information abstract corresponding to the authorized tenant; the verifying step includes: receiving a verification request of a verified tenant, and reading verification information and an associated public key of the verified tenant; and acquiring the signature certificate of the verified tenant, and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key. The invention can generate the signature certificate for verification according to the private key and the information digest of the authorized tenant, and has better security.

Description

Product multi-tenant secure credit granting method, system and electronic equipment
Technical Field
The invention belongs to the technical field of software services, and particularly relates to a method, a system and electronic equipment for multi-tenant secure credit granting of a product.
Background
Multi-tenant means that the software architecture supports multiple users (customers) of one instance service, each user is called a tenant (tenant), and the software gives the tenant the ability to make partial customization on the system, such as user interface color or business rule, but they cannot customize the code for modifying the software. In the field of cloud computing, the meaning of multi-tenancy has been extended as new service models take advantage of virtualization and remote access. For example, a software as a service (SaaS) provider provides Web access services to a plurality of users using an application system running on one database instance. In this scenario, data between tenants is isolated and each tenant's data is guaranteed to be invisible to other tenants.
In both the traditional application scenario and the cloud computing application scenario, software providers need a set of secure trust method to ensure that their software and hardware products are not abused. In the existing multi-tenant secure credit granting method for products, when a tenant uses different services on a cloud platform, such as ECS (electronic communications systems) elastic computing resources, middleware, third-party services, and the like, authorization and authentication solutions possibly adopted by different service providers are inconsistent, requirements on software and hardware of the platform are high, and efficiency is low. In addition, the existing secure credit granting method for multiple tenants of products mostly adopts an RSA encryption algorithm, and the requirements cannot be met in speed and security.
Disclosure of Invention
Aiming at least one defect or improvement requirement in the prior art, the invention provides a method, a system and electronic equipment for multi-tenant secure credit authorization of products.
In order to achieve the above object, according to a first aspect of the present invention, there is provided a method for multi-tenant security trust of a product, comprising an authorization step and a verification step;
the step of authorizing comprises:
generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm, and storing the incidence relation between the public key and the authorized tenant;
reading personal information and authorization information of an authorized tenant, and generating an information abstract of the authorized tenant;
generating a signature certificate of the authorized tenant by using a private key and an information abstract corresponding to the authorized tenant;
the verifying step includes:
receiving a verification request of a verified tenant, and reading verification information and an associated public key of the verified tenant;
and acquiring the signature certificate of the verified tenant, and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
Preferably, the salt is added in the process of generating a unique pair of private key and public key for the authorized tenant by adopting the asymmetric encryption algorithm.
Preferably, the verifying the signature certificate of the verified tenant comprises:
decrypting the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key, and extracting the information abstract in the signature certificate;
and verifying the verification information of the verified tenant and the extracted information abstract.
Preferably, when the authorization information of the authorized tenant changes, a new information summary is generated for the authorized tenant according to the personal information of the authorized tenant and the changed authorization information;
and regenerating the signature certificate of the authorized tenant by using the private key corresponding to the authorized tenant and the new information digest.
Preferably, the authorizing step comprises: after the signature certificate of the authorized tenant is generated, encrypting the signature certificate by adopting an AES256 encryption algorithm;
the verifying step includes: before verifying the signature certificate of the verified tenant, decrypting the signature certificate of the tenant through a decryption algorithm.
Preferably, the asymmetric encryption algorithm is an elliptic curve digital signature algorithm.
According to a second aspect of the invention, a product multi-tenant security credit granting system is provided, which is characterized by comprising a credit granting device and a verification device;
the authorization apparatus includes:
the key generation module is used for generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm and storing the incidence relation between the public key and the authorized tenant;
the information abstract generating module is used for reading the personal information and the authorization information of the authorized tenant and generating an information abstract of the authorized tenant;
the signature certificate generation module is used for generating a signature certificate of each tenant by using a private key and an information abstract corresponding to each tenant;
the authentication apparatus includes:
the reading module is used for receiving a verification request of a verified tenant and reading verification information and a related public key of the verified tenant;
and the verification module is used for acquiring the signature certificate of the verified tenant and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
According to a third aspect of the present invention, there is provided an electronic device comprising a processor and a memory, wherein the processor runs a program corresponding to an executable program code stored in the memory by reading the executable program code for implementing any one of the above methods.
Generally, compared with the prior art, the technical scheme of the invention has the following beneficial effects:
(1) different service providers can adopt the same authorization and authentication scheme, the requirements on software and hardware of the platform are high, the efficiency is low, the shared scene of multiple tenants is met, only one set of encryption algorithm and verification algorithm needs to be maintained for different tenants, different signature certificates are generated for each tenant according to private keys and information digests of different tenants, and the safety and the efficiency are greatly improved compared with the prior art.
(2) And a salt value is added in the asymmetric encryption process, so that the security of the certificate is further improved. In addition, compared with the mainstream RSA digital signature algorithm, the invention further greatly improves the security and the high efficiency of the certificate by adopting the ECDSA asymmetric encryption algorithm.
(3) The process of generating the certificate by encrypting the private key and the process of decrypting the public key are separated, and the safety of the system is further enhanced.
(4) The storage of the certificate adopts secondary encryption, so that the different certificate decryption modes of different tenants in the cloud mode are ensured to be different, and the condition of 'abuse sharing' of the certificate is avoided.
(5) When the authorization information changes, the dynamic change of the information abstract can adopt the same algorithm to generate different certificates, and the same algorithm is adopted at the product end to decrypt the certificates and extract the information of the certificate abstract, so as to realize the dynamic renewal of the certificates.
(6) The security guarantee and the information abstract in the whole set of scheme can be dynamically expanded according to the actual product form and the service form.
Drawings
Fig. 1 is a schematic diagram illustrating a principle of a multi-tenant secure trust method for a product according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating authorization steps of a method for multi-tenant secure trust of a product according to an embodiment of the present invention;
fig. 3 is a flowchart of verification steps of a method for multi-tenant secure trust of a product according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The embodiment of the invention provides a method, a system and a principle of electronic equipment for multi-tenant secure credit authorization of a product, which are shown in figure 1. Generally, a software service system comprises a product server side and a product client side, and in order to perform secure credit authorization on a software service, the product multi-tenant secure credit authorization system is deployed on the software service system. The product multi-tenant security credit granting system comprises an authorization device and a verification device. The authorization device is deployed at a product server side and is used for providing authorization management of products for a product operation team. The verification device is deployed at a product client and used for verifying the tenant, judging whether the tenant has the use authority of the product and the like. The tenant obtains the use right of the product through purchasing and the like. In one specific implementation, the authorization and verification devices may be software gadgets that are isolated from the source code of the product for ease of maintenance.
The product multi-tenant security trust method provided by the embodiment of the invention comprises an authorization step and a verification step. The authorization step may be performed by an authorization means at the server side. The authenticating step may be performed by an authentication device embedded in the product client.
The authorization step, as shown in fig. 2, includes:
and S1, generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm, and storing the association relationship between the public key and the authorized tenant.
For example, when a tenant registers in the platform for the first time, the product multi-tenant security trust device generates a unique pair of private key and public key for each tenant based on a registration request of the tenant.
The public key information is sent to the verifying device, and the verifying device stores the public key of each tenant in association with the unique identifier of the tenant, that is, the public key and the tenant have a one-to-one correspondence relationship, so that the public key corresponding to the tenant can be read according to the verification request in step S4 to perform validity verification and information digest extraction on the signature certificate.
The private key is used to provide step S3 with the message digest to generate a signed certificate.
Preferably, an Elliptic Curve Digital Signature Algorithm (ECDSA) is used to generate a unique pair of private key and public key for each tenant.
Preferably, a salt (salt) is added in the process of generating a unique pair of private key and public key for an authorized tenant by using an asymmetric encryption algorithm, that is, a random key pair after hash of the salt is generated. The salt value is equivalent to an encrypted key, so that the difficulty of cracking is increased, and the safety of one-way hash calculation is enhanced. Common one-way hashing algorithms are MD5, SHA, etc. One feature of the one-way hashing algorithm is that any slight change in the input will result in a complete difference in the output. The salt value can be dynamically changed according to the actual product form and the service form, for example, in the conventional case such as a stand-alone product, the salt value can be a CPU, a main board or BIOS serial number, a MAC address, and the like, and in the cloud mirror image mode, the salt value generated by the key pair can be a tenant code, a UUID. The security of the credit can be further enhanced by adding salt value.
And S2, reading the personal information and the authorization information of the authorized tenant and generating an information abstract of the authorized tenant.
The personal information can be unique identification such as a tenant login name, a mobile phone number, a mailbox and the like.
The authorization information may be authorization information generated by the product operation team according to specific purchased contents after the tenant obtains authorization of the product through a purchase service or the like, for example, the number of supported users, storage space, validity time, an authorization network IP address field, and the like.
The authorization device reads the personal information and the authorization information of the authorized tenant and generates a corresponding information abstract according to the personal information and the authorization information of the tenant.
Preferably, when the authorization information of the authorized tenant changes, a new information summary is generated for the tenant according to the personal information of the authorized tenant and the changed authorization information; and regenerating the signature certificate of the tenant by using the private key corresponding to the tenant and the new information digest. For example, when a tenant needs to renew its product authorization time, expand the number of authorized users, expand the storage space, etc., new authorization information may be generated, so as to update the information digest, generate a new signature certificate, and implement hot update of the trust validity without restarting the product.
And S3, generating a signature certificate of the authorized tenant by using the private key and the information digest corresponding to each tenant.
The signed certificate is provided to the verification device for verification. Many specific implementations are possible. One way is to embed the generated signature certificate into the product client; another way is to send the generated signed certificate to a third-party signed certificate management center for management. The generated signature certificate can also be selectively issued to the tenant for reservation.
Preferably, the generated signature certificate is encrypted and protected by adopting an AES256 encryption algorithm, so that different tenant decryption keys of products are different, and certificate sharing among tenants is prevented.
The verification step, as shown in fig. 3, includes:
and S4, receiving the verification request of the verified tenant, and reading the verification information and the associated public key of the verified tenant.
The verification request can be a login request when the tenant logs in the product system, and can also be a preset timing verification request in the product.
The authentication information of the tenant may be user name, time, and the like when the user logs in.
The associated public key is searched according to the public key sent by the authorization device to the verification device and the association relationship between the public key and the authorized tenant in step S1.
And S5, acquiring the signature certificate of the verified tenant, and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
If the signature certificate generated in step S3 is embedded in the product client, the verification device obtains the signature certificate of the tenant from the product client after receiving the tenant verification request. If the signed certificate generated in step S3 is sent to the third-party signed certificate management center for management, when the verification apparatus receives the tenant verification request, the signed certificate of the tenant is obtained from the third-party signed certificate management center.
The process of performing the verification includes two steps: the first step is to decrypt the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key, verify whether the public key is matched with the private key in the signature certificate, and if the verification is successful, extract the information digest in the signature certificate. And the second step is to compare and check the verification information of the verified tenant with the recorded information in the extracted information abstract to judge whether the tenant has the corresponding operation permission of the product client.
Preferably, after the tenant logs in the product client, the product client may further determine whether the tenant is the tenant to which the product belongs, and if it is determined that the tenant is the tenant to which the product belongs, the product client reads the public key associated with the tenant.
Preferably, if the AES256 encryption algorithm is used to perform encryption protection on the generated signature certificate after step S3, the signature certificate of the tenant is decrypted by the decryption algorithm before the signature certificate of the tenant is verified.
Preferably, if the extracted information abstract is known to exceed the authorization validity period of the tenant, the tenant is prompted to renew the signature, the certificate abstract information is updated after the tenant completes the renewal operation, the system is triggered to regenerate a new certificate, or a product operation team uses an operation management platform tool to generate a new valid certificate, issues the new valid certificate to the tenant, and then updates the certificate on the platform.
It should be understood that the above steps, although numbered, are not necessarily performed in the order recited, unless explicitly stated herein or order can be inferred directly from the description herein.
The advantages of using the ECDSA asymmetric encryption algorithm are described in more detail below. The signature in the ECDSA algorithm adopts ECC, so that the security and the efficiency of the certificate can be greatly improved, and compared with the RSA digital signature algorithm generally adopted in the prior art, the ECDSA algorithm has absolute advantages in many aspects. Mainly embodied in the following aspects: the anti-attack performance is strong, the anti-attack performance is many times as strong as that of the same secret key length; the calculated amount is small, the processing speed is high, and the total speed of ECC is much higher than that of RSA and DSA; the memory space is small, the key size and system parameters of ECC are much smaller than those of RSA and DSA, which means that the memory space occupied by the ECC is much smaller, and the method has a particularly important meaning for the application of the encryption algorithm on the IC card; the bandwidth requirement is low, when long messages are encrypted and decrypted, the three types of cryptosystems have the same bandwidth requirement, but the ECC bandwidth requirement is much lower when the cryptosystems are applied to short messages, and the low bandwidth requirement enables the ECC to have wide application prospects in the field of wireless networks.
Tables 1 and 2 show the speed and security comparisons for RSA and ECC, respectively.
Table 1: RSA and ECC speed comparison
Table 2: RSA and ECC Security comparison
The product multi-tenant safety credit granting system comprises a credit granting device and a verification device;
the authorization apparatus includes:
the key generation module is used for generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm, and the public key, the public key and the incidence relation of the public key and the authorized tenant are sent to the verification device;
the information abstract generating module is used for reading the personal information and the authorization information of the authorized tenant and generating an information abstract of the authorized tenant;
the signature certificate generation module is used for generating a signature certificate of an authorized tenant by using a private key and an information abstract corresponding to each tenant;
the authentication device includes:
the reading module is used for receiving a verification request of a verified tenant and reading verification information and a related public key of the verified tenant;
and the verification module is used for acquiring the signature certificate of the verified tenant and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
In one embodiment, the authorization apparatus further includes an encryption module, configured to encrypt the signing certificate with an AES256 encryption algorithm after the generating of the signing certificate of each tenant;
the verifying device further comprises a decrypting module, which is used for decrypting the signature certificate of the tenant through a decrypting algorithm before the public key associated with the tenant is used for verifying the signature certificate of the tenant.
The implementation principle and technical effect of the product multi-tenant security trust system provided by the embodiment are similar to those of the method, and are not described herein again.
The following specifically describes a software implementation method of the product multi-tenant security trust method and system of the present invention. The software implementation of the present invention is not limited to development and design languages, and the following provides an implementation manner based on gold (Go language for short).
Software implementation on the product server side:
1. defining an information abstract structure body, and mainly having the following properties: unique Code, authorized user mailbox, total number of authorized users, authorization effective time (as above: can be dynamically expanded)
2. Defining key pair generation method and implementing, according to the development language, selecting mature basic library to call API to implement, according to the Go language can adopt "crypto/ecdsa" and "crypto/encapsulating" (as above: salt value random number can be dynamically added to intensify)
3. Defining and realizing a method for generating a random unique Code, wherein the realization mode comprises the following steps: generating random numbers with specified digits by taking the nanosecond number of the current timestamp as a random seed, and dynamically splicing the random numbers into a specified format, such as: XXXXXX-XXXX-XXXX-XXXXXX
4. A data encryption method under an AES256 algorithm is defined and realized, and main parameters are as follows: original data, encryption key, one implementation: dynamically assembling 32-bit grouping Key (rule self-defining, such as multiple repetition and missing filling) according to the length of the secret Key, then calling API (application programming interface) by means of mature basic library to realize encryption, and the Go language can adopt 'crypt/aes'
5. Defining and realizing a license generation method, wherein the main parameters are as follows: information summary data, tenant encryption key, one implementation: and the binary serialized information digest is reserved, then the defined secret key is called to generate a secret key by the generation method, then a certificate is generated by a hash signature algorithm in ECDSA according to the secret key and the digest information, after the certificate is subjected to Base32 or Base64 encoding, the tenant encryption key is used to call the defined AES256 encryption method to perform secondary encryption, and finally encrypted data are returned.
The software implementation of the product client can be placed in the product source code, and includes:
1. defining and realizing an AES256 decryption method, wherein the main parameters are as follows: encrypt data, decrypt key, one implementation: and generating a final 32-bit block Key corresponding to the dynamic processing mode of the secret Key in the AES256 encryption algorithm, calling the basic library API to decrypt the encrypted data, and returning the decrypted plaintext data.
2. Defining and realizing a license correctness verification method, wherein the main parameters are as follows: license data, an implementation manner, corresponding to the above license encoding method, firstly decrypts the Base32 or Base64 bit, then obtains the public key in the key pair generated in the earlier stage, and verifies the validity of the certificate by using the public key (as above, the basic library has corresponding API)
3. Defining and realizing a license abstract information acquisition method, wherein the main parameters are as follows: the encrypted license data is decrypted by calling the AES256 decryption algorithm to obtain plaintext data, then calling the correctness verification method of the license to verify the correctness, reading summary information by deserializing the verified license, and returning the summary information to the verified license
4. Defining and realizing a license validity verification method, wherein the main parameters are as follows: the encrypted license data is implemented by calling a digest information acquisition method to acquire digest information, and comparing the digest information according to the limiting conditions in the digest information, for example: and judging the validity of the certificate before and after the current time and the authorization valid time, the current number of registered users, the total number of authorized users and the like.
In order to implement the foregoing embodiment, an embodiment of the present invention further provides an electronic device, including: a processor and a memory. Wherein the memory and the processor are electrically connected, directly or indirectly, to enable transmission or interaction of data. The memory stores a computer program, and the computer program can implement the technical solution of any one of the above embodiments of the multi-tenant security trust method when executed by the processor. The processor executes various functional applications and data processing by executing software programs and modules stored in the memory. The processor may be an integrated circuit chip having signal processing capabilities. And the processor executes the program after receiving the execution instruction. Optionally, the software programs and modules within the above-described memory may also include an operating system, which may include various software components and/or drivers for managing system tasks and may communicate with various hardware or software components to provide an operating environment for other software components. The implementation principle and technical effect of the electronic device provided by this embodiment are similar to those of the above method, and are not described herein again.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A product multi-tenant security credit granting method is characterized by comprising an authorization step and a verification step;
the step of authorizing comprises:
generating a unique pair of private key and public key for an authorized tenant by adopting an asymmetric encryption algorithm, and storing the incidence relation between the public key and the authorized tenant;
reading personal information and authorization information of an authorized tenant, and generating an information abstract of the authorized tenant;
generating a signature certificate of the authorized tenant by using a private key and an information abstract corresponding to the authorized tenant;
the verifying step includes:
receiving a verification request of a verified tenant, and reading verification information and an associated public key of the verified tenant;
and acquiring the signature certificate of the verified tenant, and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
2. The method for multi-tenant secure trust of a product of claim 1, wherein a salt is added in the process of generating a unique pair of private key and public key for an authorized tenant by using an asymmetric encryption algorithm.
3. The product multi-tenant secure trust method as claimed in claim 1 or 2, wherein the verifying the signed certificate of the verified tenant comprises:
decrypting the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key, and extracting the information abstract in the signature certificate;
and verifying the verification information of the verified tenant and the extracted information abstract.
4. The product multi-tenant security trust method as claimed in any one of claims 1 or 2, characterized in that when the authorization information of the authorized tenant changes, a new information summary is generated for the authorized tenant according to the personal information of the authorized tenant and the changed authorization information;
and regenerating the signature certificate of the authorized tenant by using the private key corresponding to the authorized tenant and the new information digest.
5. The multi-tenant secure credit granting method of any one of claims 1 or 2,
the step of authorizing comprises: after the signature certificate of the authorized tenant is generated, encrypting the signature certificate by adopting an AES256 encryption algorithm;
the verifying step includes: before verifying the signature certificate of the verified tenant, decrypting the signature certificate of the tenant through a decryption algorithm.
6. The product multi-tenant secure credit granting method of claim 1 or 2, wherein the asymmetric encryption algorithm is an elliptic curve digital signature algorithm.
7. A product multi-tenant safety credit granting system is characterized by comprising a credit granting device and a verification device;
the authorization apparatus includes:
the key generation module is used for generating a unique pair of private key and public key for the authorized tenant by adopting an asymmetric encryption algorithm, and the public key are sent to the verification device according to the incidence relation with the authorized tenant;
the information abstract generating module is used for reading the personal information and the authorization information of the authorized tenant and generating an information abstract of the authorized tenant;
the signature certificate generation module is used for generating a signature certificate of an authorized tenant by using a private key and an information abstract corresponding to each tenant;
the authentication apparatus includes:
the reading module is used for receiving a verification request of a verified tenant and reading verification information and a related public key of the verified tenant;
and the verification module is used for acquiring the signature certificate of the verified tenant and verifying the signature certificate of the verified tenant by using the verification information of the verified tenant and the associated public key.
8. The product multi-tenant security trust system of claim 7,
the authorization device further comprises an encryption module, which is used for encrypting the signature certificate by adopting an AES256 encryption algorithm after the signature certificate of each tenant is generated;
the verifying device further comprises a decrypting module, which is used for decrypting the signature certificate of the tenant through a decrypting algorithm before the public key associated with the tenant is used for verifying the signature certificate of the tenant.
9. The product multi-tenant security trust system of claim 7 or 8, wherein the authorization device is deployed on a product server;
the verification device is deployed on a product client.
10. An electronic device comprising a processor and a memory, wherein,
wherein the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for implementing the method of any one of claims 1 to 6.
CN201911379305.7A 2019-12-27 2019-12-27 Product multi-tenant secure credit granting method, system and electronic equipment Pending CN111241492A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911379305.7A CN111241492A (en) 2019-12-27 2019-12-27 Product multi-tenant secure credit granting method, system and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911379305.7A CN111241492A (en) 2019-12-27 2019-12-27 Product multi-tenant secure credit granting method, system and electronic equipment

Publications (1)

Publication Number Publication Date
CN111241492A true CN111241492A (en) 2020-06-05

Family

ID=70864667

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911379305.7A Pending CN111241492A (en) 2019-12-27 2019-12-27 Product multi-tenant secure credit granting method, system and electronic equipment

Country Status (1)

Country Link
CN (1) CN111241492A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111917725A (en) * 2020-06-30 2020-11-10 北谷电子有限公司上海分公司 Encryption system and encryption method for multi-tenant SaaS platform

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111917725A (en) * 2020-06-30 2020-11-10 北谷电子有限公司上海分公司 Encryption system and encryption method for multi-tenant SaaS platform

Similar Documents

Publication Publication Date Title
CN108092776B (en) System based on identity authentication server and identity authentication token
CN108810029B (en) Authentication system and optimization method between micro-service architecture services
US8539241B2 (en) Method and system for securing communication
US8495383B2 (en) Method for the secure storing of program state data in an electronic device
WO2017020452A1 (en) Authentication method and authentication system
WO2018145127A1 (en) Electronic identification verification methods and systems with storage of certification records to a side chain
US20140006781A1 (en) Encapsulating the complexity of cryptographic authentication in black-boxes
US20200412554A1 (en) Id as service based on blockchain
CN103546289A (en) USB (universal serial bus) Key based secure data transmission method and system
CN109361668A (en) A kind of data trusted transmission method
CN103516524A (en) Security authentication method and system
WO2015054086A1 (en) Proof of device genuineness
CN109040079A (en) The establishment of live streaming chained address and verification method and related device
EP3133791B1 (en) Double authentication system for electronically signed documents
CN107634946A (en) A kind of micro services node legitimacy verification method and device
US10880100B2 (en) Apparatus and method for certificate enrollment
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
WO2008053279A1 (en) Logging on a user device to a server
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
WO2013067792A1 (en) Method, device and system for querying smart card
KR20170019308A (en) Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential
CN109714176B (en) Password authentication method, device and storage medium
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN111130770A (en) Block chain based information evidence storage method and system, user terminal, electronic equipment and storage medium
CN109495268B (en) Two-dimensional code authentication method and device and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination