CN111416807B - Data acquisition method, device and storage medium - Google Patents

Data acquisition method, device and storage medium

Info

Publication number
CN111416807B
Authority
CN
China
Prior art keywords
cloud platform
password
server
random number
management server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010174984.0A
Other languages
Chinese (zh)
Other versions
CN111416807A (en)
Inventor
雷心田
胡传文
顾志松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Keda Technology Co Ltd
Original Assignee
Suzhou Keda Technology Co Ltd
Events
Application filed by Suzhou Keda Technology Co Ltd
Priority to CN202010174984.0A
Publication of CN111416807A
Application granted
Publication of CN111416807B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L 63/06 for supporting key management in a packet data network
                    • H04L 63/08 for authentication of entities
                        • H04L 63/0807 using tickets, e.g. Kerberos
                        • H04L 63/0823 using certificates
                        • H04L 63/083 using passwords
                        • H04L 63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
                    • G06F 7/58 Random or pseudo-random number generators
                        • G06F 7/588 Random number generators, i.e. based on natural stochastic processes
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/60 Protecting data
                        • G06F 21/602 Providing cryptographic facilities or services
                        • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
                    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
                        • G06F 21/71 to assure secure computing or processing of information
                            • G06F 21/73 by creating or determining hardware identification, e.g. serial numbers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a data acquisition method, a data acquisition device and a storage medium in the technical field of communication. The method comprises: acquiring a username and password; logging in to a pre-registered key management server using the username and password; after logging in successfully, establishing a communication connection with the key management server based on a security protocol; and obtaining sensitive data and/or security data from the key management server over that connection. This addresses the problem that, when data transmission between a cloud platform and a client is protected by a software-implemented encryption algorithm, the sensitive data (such as keys) are stored locally on the cloud platform and are poorly protected. With a separately added key management server managing the sensitive data and providing security services, the cloud platform connects to the key management server only when it needs the sensitive data or the security service, which improves the security of the sensitive data and therefore the security of the communication between the cloud platform and the client.

Description

Data acquisition method, device and storage medium
Technical Field
The application relates to a data acquisition method, a data acquisition device and a storage medium, and belongs to the technical field of communication.
Background
To ensure data security, a platform server is usually deployed in a local area network to serve clients. A platform server deployed in a local area network, however, cannot be reached by clients on external networks, which limits its applicability, so platform servers are gradually being migrated from local area networks to cloud platforms, where external clients can connect to them.
To secure data transmission for a server on a cloud platform, communication between terminals is generally encrypted with algorithms implemented in software, for example RSA and AES.
However, unlike a platform server deployed in a local area network (which can connect to other devices over a private network, or contain dedicated cryptographic hardware such as a signature verification server, a hardware security module (encryption machine), an electronic signature server, a PCI encryption card or a USB key), a server on a cloud platform cannot attach such hardware; every algorithm and function it uses has to be implemented in software. The keys that such software-implemented algorithms use to encrypt data or a communication channel are stored on the cloud platform itself, so if the cloud platform is compromised the data are seriously exposed.
Disclosure of Invention
The application provides a data acquisition method, a data acquisition device and a storage medium, which address the problem that sensitive data are stored locally on the cloud platform, and are therefore poorly protected, when data transmission between the cloud platform and a client is realized with a software-implemented encryption algorithm. The application provides the following technical solutions:
in a first aspect, a data acquisition method is provided, and the method includes:
acquiring a user name and a password;
logging in a pre-registered key management server by using the username and password, wherein the key management server is used for managing sensitive data corresponding to the username and password and providing security service;
after logging in the key management server successfully, establishing communication connection with the key management server based on a security protocol;
obtaining the sensitive data and/or the security data generated by the security service from the key management server using the communication connection.
Optionally, before logging in a pre-registered key management server using the username and password, the method further includes:
sending a registration request to the key management server, wherein the registration request carries the username and password and the device information corresponding to the username and password, and the registration request is used for triggering the key management server to register the username and password and the device information and returning configuration information after the registration is successful;
receiving configuration information sent by the key management server;
and storing the configuration information after the configuration information is verified.
Optionally, the acquiring a username and password includes:
calculating a protection key;
obtaining an encrypted username and password, which were produced by symmetric encryption under the protection key;
and decrypting the encrypted username and password with the protection key to obtain the username and password.
Optionally, the calculating a protection key includes:
acquiring the MAC address and authorization information of the cloud platform, wherein the authorization information is information sent by the key management server after it has authorized the cloud platform;
and computing the protection key from the MAC address and the authorization information with a first digest algorithm and a first encryption algorithm.
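The protection-key step above, as an added Go example; this is not code from the patent or its assignee. The patent names neither its first digest algorithm nor its first encryption algorithm, so the example assumes SHA-256 for the derivation and AES-256-GCM for the symmetric encryption of the username and password; the MAC address, the authorization information and the credentials are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveProtectionKey stands in for the patent's "first digest algorithm and first encryption
// algorithm", neither of which it names (assumption): SHA-256 over a fixed label, the cloud
// host's MAC address and the authorization information issued by the key management server,
// with separators so the two inputs cannot run into each other. The 32-byte output is used
// directly as an AES-256 key.
func deriveProtectionKey(mac string, authorization []byte) []byte {
	h := sha256.New()
	h.Write([]byte("cloud-platform-protection-key"))
	h.Write([]byte{0})
	h.Write([]byte(mac))
	h.Write([]byte{0})
	h.Write(authorization)
	return h.Sum(nil)
}

const credentialAAD = "kms-login-credentials" // authenticated but unencrypted purpose tag

// sealCredentials symmetrically encrypts the username and password under the protection key
// with AES-256-GCM. Output layout: nonce || ciphertext || tag.
func sealCredentials(key []byte, username, password string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	plain := []byte(username + "\x00" + password) // NUL separates the two fields
	return gcm.Seal(nonce, nonce, plain, []byte(credentialAAD)), nil
}

// openCredentials decrypts a blob produced by sealCredentials. A key derived on another host,
// or a blob that was tampered with, fails the GCM tag check and yields no plaintext at all.
func openCredentials(key, sealed []byte) (string, string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", "", errors.New("credential blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(credentialAAD))
	if err != nil {
		return "", "", err
	}
	parts := bytes.SplitN(plain, []byte{0}, 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed credential blob")
	}
	return string(parts[0]), string(parts[1]), nil
}

func main() {
	// Constructed sample values; the patent gives no concrete MAC, authorization information or credentials.
	mac := "02:42:ac:11:00:02"
	authorization := []byte("authorization-info-returned-by-kms")
	key := deriveProtectionKey(mac, authorization)
	sealed, err := sealCredentials(key, "cloud-host-01", "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	u, p, err := openCredentials(key, sealed)
	fmt.Printf("same host:  user=%q pass=%q err=%v\n", u, p, err)
	// Another host derives a different protection key and cannot open the blob.
	_, _, err = openCredentials(deriveProtectionKey("02:42:ac:11:00:03", authorization), sealed)
	fmt.Println("other host:", err)
}
```

Note what this derivation does and does not give. The MAC address and the authorization information are both readable on the cloud host, so anyone who can read the encrypted credentials and those two inputs can recompute the protection key; it binds the credentials to one host and keeps them out of plaintext storage, but it is not a secret in its own right. That is consistent with the patent's design, which keeps the sensitive material itself on the key management server rather than relying on this key.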
Optionally, the logging in to a pre-registered key management server using the username and password includes:
sending an authentication request to the key management server, wherein the authentication request carries the serial number of the cloud platform encryption certificate so as to trigger the key management server to generate and return a challenge message; the challenge message comprises a server random number ciphertext generated by the key management server and server domain information;
receiving the challenge message;
asymmetrically decrypting the server random number ciphertext in the challenge message with the cloud platform encryption private key to obtain the server random number;
generating a cloud platform random number;
performing a digest operation on the username and password and the server domain information in the challenge message with a second digest algorithm to obtain a temporary digest value;
performing a digest operation on the temporary digest value, the cloud platform random number and the server random number to obtain a final digest value;
encrypting the cloud platform random number with the server encryption certificate based on a second encryption algorithm to obtain a cloud platform random number ciphertext;
concatenating the final digest value, the cloud platform random number ciphertext and the server random number ciphertext to obtain the authentication information;
sending the authentication information to the key management server to trigger the key management server to verify it and to return authentication-passed feedback when verification succeeds;
receiving the authentication-passed feedback.
Optionally, the certificates used in the security protocol are a dual certificate (an encryption certificate and a signing certificate) issued by a CA.
In a second aspect, a data acquisition method is provided, the method comprising:
after the cloud platform has successfully logged in using a username and password, establishing a communication connection with the cloud platform based on a security protocol;
sending sensitive data and/or security data generated by the security service to the cloud platform using the communication connection.
Optionally, before establishing a communication connection with the cloud platform based on a security protocol after the cloud platform has successfully logged in using the username and password, the method includes:
receiving a registration request sent by the cloud platform, wherein the registration request carries the username and password and the device information corresponding to the username and password;
registering the username and password and the device information;
and returning configuration information after the registration succeeds, wherein the configuration information is used by the cloud platform to verify the key management server.
Optionally, the method further comprises:
receiving an authentication request sent by the cloud platform, wherein the authentication request carries the serial number of the cloud platform encryption certificate;
determining the cloud platform encryption public key corresponding to that serial number;
generating a server random number and server domain information;
encrypting the server random number with the cloud platform encryption public key based on a second encryption algorithm to obtain a server random number ciphertext;
generating a challenge message comprising the server random number ciphertext and the server domain information;
sending the challenge message to the cloud platform so that the cloud platform can generate authentication information comprising a final digest value, a cloud platform random number ciphertext and the server random number ciphertext;
receiving the authentication information sent by the cloud platform;
decrypting the cloud platform random number ciphertext in the authentication information with the server encryption private key to obtain the cloud platform random number;
performing a digest operation on the registered username and password and the corresponding server domain information with the second digest algorithm to obtain a template temporary digest value;
performing a digest operation on the template temporary digest value, the cloud platform random number and the server random number corresponding to the registered username and password to obtain a template final digest value;
concatenating the template final digest value, the cloud platform random number ciphertext from the authentication information and the server random number ciphertext corresponding to the registered username and password to obtain template information;
and sending authentication-passed feedback to the cloud platform when the authentication information matches the template information, so as to inform the cloud platform that the login succeeded.
Optionally, the cloud platform includes a plurality of cloud hosts, and different cloud hosts correspond to different usernames and passwords; the registering of the username and password and the device information includes:
acquiring the working mode of the cloud platform, the working modes comprising a synchronous mode and an asynchronous mode;
when the working mode is the synchronous mode, generating a first session handle corresponding to the username and password, wherein the first session handle is shared by all usernames and passwords of the cloud platform;
when the working mode is the asynchronous mode, generating a second session handle corresponding to the username and password, wherein the second session handle is dedicated to that username and password;
wherein the session handle is used to map the sensitive data and the security data corresponding to the username and password.
In a third aspect, a data acquisition apparatus is provided, the apparatus comprising:
a password acquisition module, used to acquire a username and password;
a user login module, used to log in to a pre-registered key management server using the username and password, wherein the key management server manages the sensitive data corresponding to the username and password and provides a security service;
a connection establishing module, used to establish a communication connection with the key management server based on a security protocol after logging in to the key management server successfully;
and a data acquisition module, used to acquire the sensitive data and/or the security data generated by the security service from the key management server using the communication connection.
In a fourth aspect, a data acquisition apparatus is provided, the apparatus comprising:
a connection establishing module, used to establish a communication connection with the cloud platform based on a security protocol after the cloud platform has successfully logged in using a username and password;
and a data sending module, used to send the sensitive data and/or the security data generated by the security service to the cloud platform using the communication connection.
In a fifth aspect, a data acquisition apparatus is provided, the apparatus comprising a processor and a memory; the memory stores a program, which is loaded and executed by the processor to implement the data acquisition method of the first aspect; or, the data acquisition method of the second aspect is implemented.
In a sixth aspect, a computer-readable storage medium is provided in which a program is stored, the program being loaded and executed by a processor to implement the data acquisition method of the first aspect, or to implement the data acquisition method of the second aspect.
The beneficial effects of this application are as follows. The cloud platform acquires a username and password; logs in to a pre-registered key management server with them, the key management server managing the sensitive data corresponding to the username and password and providing a security service; establishes a communication connection with the key management server based on a security protocol after logging in successfully; and obtains the sensitive data and/or the security data generated by the security service over that connection. This solves the problem that sensitive data are stored locally on the cloud platform, and are therefore poorly protected, when data transmission between the cloud platform and a client is realized with a software-implemented encryption algorithm: because a separately added key management server manages the sensitive data and provides the security service, and the cloud platform connects to it only when it needs the sensitive data, the sensitive data are no longer stored on the cloud platform and their security improves.
In addition, having the key management server provide the security service means the service is still available when the cloud platform has insufficient processing capacity or cannot provide the service itself; on one hand, the security service remains protected when the cloud platform is attacked, and on the other hand, the processing load of the cloud platform is reduced.
The foregoing is only an overview of the technical solutions of the present application. To make them clearer and implementable according to this description, the preferred embodiments of the present application are described in detail below with reference to the accompanying drawings.
Drawings
Fig. 1 is a flowchart of a one-way authentication process when establishing communication based on an SSL protocol according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a data acquisition system according to an embodiment of the present application;
FIG. 3 is a flow chart of a data acquisition method provided by an embodiment of the present application;
FIG. 4 is a flowchart of logging in to the key management server as provided by one embodiment of the present application;
fig. 5 is a flowchart for registering a cloud platform in a key management server according to an embodiment of the present application;
FIG. 6 is a block diagram of a data acquisition device provided in one embodiment of the present application;
FIG. 7 is a block diagram of a data acquisition device provided in one embodiment of the present application;
fig. 8 is a block diagram of a data acquisition device according to an embodiment of the present application.
Detailed Description
The following detailed description of embodiments of the present application will be described in conjunction with the accompanying drawings and examples. The following examples are intended to illustrate the present application but are not intended to limit the scope of the present application.
First, several terms referred to in the present application will be described.
A Key Management Service (KMS) provides secure escrow of keys, cryptographic operations and similar services. Its built-in key rotation and other security practices let cloud platforms integrate it to encrypt and protect the user data they manage. Optionally, the key management service is implemented by a key management server. In this application, the key management server provides not only secure escrow of keys and cryptographic operations but also escrow of other sensitive data, such as CA certificates, random numbers and other sensitive data related to communication and encryption; this embodiment does not limit what is escrowed.
Certificate Authority (CA): an authority responsible for issuing and managing digital certificates. It serves as a trusted third party in e-commerce transactions and is responsible for verifying the validity of public keys in a public key system.
The CA issues a digital certificate (CA certificate) to each user of a public key; the certificate proves that the user named in it legitimately holds the public key listed in it. Users on the network trust the CA by verifying its signature, and anyone can obtain the CA's own certificate (including its public key) to verify the certificates it has issued.
A user who wants a certificate applies to the CA. After the CA has verified the applicant's identity, a public key is assigned to the applicant; the CA binds the public key to the applicant's identity information and signs it, which forms the CA certificate that is sent to the applicant.
A user who wants to check whether another certificate is genuine verifies the signature on that certificate with the CA's public key; if the signature verifies, the certificate is valid.
Optionally, the content of a CA certificate includes: the issuing authority's information, the public key holder's information, the public key, the authority's signature and the expiration date.
Strong digest authentication: authentication that provides a higher security level than standard digest authentication.
The strong digest authentication process has at least the following characteristics:
1. The password is never transmitted in clear text; a digest generated with the SM3 algorithm takes its place, and the server compares the locally stored digest with the digest sent by the client.
2. The server sends the client the ciphertext of a random number nonce, the plaintext nonce having been encrypted with the public key of the client certificate. The client decrypts it with its private key and folds the nonce into the digest it generates; the server in turn decrypts the ciphertext of the client's random number cnonce with its encryption private key. Since the server knows both the user's original digest value and the nonce, it recomputes the digest on receiving the request and compares it with the stored original digest value.
3. The client uploads the serial number of its encryption certificate, and the server looks up the registered encryption certificate with that serial number; this is how the server authenticates the client. The random number cnonce is generated by the client and encrypted with the public key of the server certificate; this is how the client authenticates the server.
4. Adding a digest over the content optionally protects the message content against tampering.
Here nonce (Number used once) is an arbitrary or non-repeating random value that is used only once in cryptography; it is generated by the server during the digest authentication process.
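The login exchange of the first and second aspects above (authentication request, challenge, authentication information, template comparison) together with the strong digest authentication characteristics just listed, as one added Go example that runs both sides in one process; this is not the patent's or the assignee's code. Assumptions: SHA-256 stands in for SM3 as the second digest algorithm; RSA-OAEP stands in for the SM2 encryption performed with the two parties' encryption certificates, and the certificates themselves are reduced to in-memory key pairs looked up by a serial number; the serial number, server domain and credentials are constructed. It goes beyond the text in two ways a practitioner would expect: the server stores the temporary digest at registration rather than the password, and a challenge is invalidated after one answer, so a replayed authentication message is rejected.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Stand-ins (assumptions), not the patent's named primitives: SHA-256 for the "second digest
// algorithm" (SM3 in the strong digest authentication described above) and RSA-OAEP for the
// "second encryption algorithm" applied with the two parties' encryption certificates (SM2 under SM).
func digest(parts ...[]byte) []byte {
	s := sha256.Sum256(bytes.Join(parts, nil))
	return s[:]
}

// must panics on local failures (RNG, key generation, encrypting to a known key); ciphertext
// received from the peer is attacker-influenced and is decrypted with an explicit error check.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func seal(pub *rsa.PublicKey, m []byte) []byte { return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)) }
func open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil) }
func nonce32() []byte { b := make([]byte, 32); must(rand.Read(b)); return b }

// The server keeps only this temporary digest at registration, never the password itself.
func tempDigest(user, pass, domain string) []byte { return digest([]byte(user + ":" + pass + ":" + domain)) }

type Challenge struct {
	NonceCT []byte // server random number, encrypted to the cloud platform encryption public key
	Domain  string // server domain information
}
type AuthInfo struct {
	FinalDigest []byte // H(tempDigest || cloud platform random number || server random number)
	CnonceCT    []byte // cloud platform random number, encrypted to the server encryption public key
	NonceCT     []byte // server random number ciphertext, echoed from the challenge
}

// client is the server's record per registered certificate serial; nonce/nonceCT are nil when no challenge is outstanding.
type client struct{ pub *rsa.PublicKey; tmpDigest, nonce, nonceCT []byte }

// KMS is the key management server side; clients is keyed by encryption certificate serial number.
type KMS struct{ priv *rsa.PrivateKey; domain string; clients map[string]*client }

func NewKMS(domain string) *KMS {
	return &KMS{priv: must(rsa.GenerateKey(rand.Reader, 2048)), domain: domain, clients: map[string]*client{}}
}
func (k *KMS) Register(serial, user, pass string, pub *rsa.PublicKey) {
	k.clients[serial] = &client{pub: pub, tmpDigest: tempDigest(user, pass, k.domain)}
}

// Challenge answers an authentication request that carries the certificate serial number.
func (k *KMS) Challenge(serial string) (Challenge, bool) {
	c, ok := k.clients[serial]
	if !ok {
		return Challenge{}, false
	}
	c.nonce = nonce32()
	c.nonceCT = seal(c.pub, c.nonce)
	return Challenge{NonceCT: c.nonceCT, Domain: k.domain}, true
}

// Verify recomputes the template final digest and compares it, with the echoed server random
// number ciphertext, against the authentication information in constant time.
func (k *KMS) Verify(serial string, ai AuthInfo) bool {
	c, ok := k.clients[serial]
	if !ok || c.nonce == nil {
		return false
	}
	defer func() { c.nonce, c.nonceCT = nil, nil }() // whatever the outcome, no second answer
	cnonce, err := open(k.priv, ai.CnonceCT)
	if err != nil {
		return false
	}
	template := digest(c.tmpDigest, cnonce, c.nonce)
	return subtle.ConstantTimeCompare(template, ai.FinalDigest)&subtle.ConstantTimeCompare(c.nonceCT, ai.NonceCT) == 1
}

// CloudPlatform is the client side; priv is the cloud platform encryption private key.
type CloudPlatform struct{ priv *rsa.PrivateKey; serial, user, pass string }

func (c *CloudPlatform) Respond(ch Challenge, serverPub *rsa.PublicKey) (AuthInfo, error) {
	nonce, err := open(c.priv, ch.NonceCT)
	if err != nil {
		return AuthInfo{}, err
	}
	cnonce := nonce32()
	final := digest(tempDigest(c.user, c.pass, ch.Domain), cnonce, nonce)
	return AuthInfo{FinalDigest: final, CnonceCT: seal(serverPub, cnonce), NonceCT: ch.NonceCT}, nil
}

// runLogin registers cloud-host-01 with password `registered`, logs in presenting `presented`,
// then replays the same authentication information once; both verdicts are returned.
func runLogin(registered, presented string) (first, replay bool) {
	kms := NewKMS("kms.example.internal") // constructed domain
	cp := &CloudPlatform{priv: must(rsa.GenerateKey(rand.Reader, 2048)), serial: "4f3a2b1c", user: "cloud-host-01", pass: presented}
	kms.Register(cp.serial, cp.user, registered, &cp.priv.PublicKey)
	ch, _ := kms.Challenge(cp.serial)
	ai := must(cp.Respond(ch, &kms.priv.PublicKey))
	first = kms.Verify(cp.serial, ai)
	replay = kms.Verify(cp.serial, ai)
	return
}

func main() {
	fmt.Println(runLogin("correct horse", "correct horse")) // true false
	fmt.Println(runLogin("correct horse", "wrong horse"))   // false false
}
```

Two details of the comparison matter in practice. Comparing the recomputed digest and the echoed nonce ciphertext with constant-time comparison, combined with `&` rather than `&&`, keeps the verdict's timing independent of where a forgery first differs. And because a cloud platform random number is recovered only by the holder of the server encryption private key, an impostor server cannot produce a matching template, which is the property item 3 above relies on for authenticating the server.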
Secure Sockets Layer (SSL) is a security protocol that provides confidentiality and data integrity for network communications. It uses both symmetric and asymmetric (public key) encryption: when the link is set up, the key used for symmetric encryption is protected by asymmetric encryption under the peer's public key, and once the link is established the transmitted content is encrypted symmetrically.
Referring to the one-way authentication procedure for establishing communication based on the SSL protocol shown in FIG. 1, the procedure includes at least the following steps (this is the RSA key-transport handshake of SSL and TLS up to 1.2; TLS 1.3 always uses an ephemeral key exchange instead):
step 11, the client sends client information to the server, including the SSL versions the client supports;
step 12, the server receives the client information and returns server information based on it, including the SSL version the server has selected, a random number and the server certificate carrying the server public key;
step 13, the client receives the server information and verifies whether the server certificate is legitimate (the CA's signature on the certificate, its validity period, and that it was issued for this server); if so, step 14 follows; if not, an alarm is output and the procedure ends;
step 14, the client sends the symmetric encryption algorithms it supports to the server;
step 15, the server receives the symmetric encryption algorithms supported by the client, selects a target symmetric encryption algorithm among them and sends the selection to the client;
step 16, the client receives the target symmetric encryption algorithm, generates a symmetric encryption key, encrypts it with the server public key and sends the encrypted key to the server;
step 17, the server decrypts the encrypted symmetric encryption key with its private key to obtain the symmetric encryption key;
and step 18, the client and the server encrypt their data symmetrically with the symmetric encryption key.
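The steps above as an added Go example (not the patent's code) that runs a one-way authenticated TLS handshake in memory with the standard library and exercises the verification of step 13 three ways: a client that trusts the issuer, a client with an empty trust store, and a client expecting a different server name. Assumptions: a self-signed certificate stands in for the CA-issued server certificate, the server name kms.example.internal is constructed, and Go's crypto/tls negotiates the cipher suite and key exchange itself, so the key transport of steps 16 and 17 is done by the library as the negotiated TLS version requires rather than spelled out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome of one handshake as seen by the client: Err is nil on success, Version is the
// negotiated protocol version, PeerCN the CN of the server certificate the client accepted.
type Outcome struct {
	Err     error
	Version uint16
	PeerCN  string
}

// selfSignedCert issues a self-signed server certificate for host (assumption: in a real
// deployment this is the CA-issued server certificate; self-signing keeps the example offline).
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // name checking uses the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshake runs a one-way authenticated TLS handshake over an in-memory pipe: only the server
// presents a certificate, and the client accepts it only if it chains to roots and is valid for
// serverName (step 13 above). Cipher suite and key exchange are negotiated by crypto/tls.
func handshake(serverCert tls.Certificate, roots *x509.CertPool, serverName string) Outcome {
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	srv := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // nothing is written to the pipe after the handshake
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cli := tls.Client(clientConn, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return Outcome{Err: err}
	}
	if err := <-srvErr; err != nil {
		return Outcome{Err: err}
	}
	st := cli.ConnectionState()
	return Outcome{Version: st.Version, PeerCN: st.PeerCertificates[0].Subject.CommonName}
}

// runScenarios exercises the verification three ways: a client that trusts the issuer and expects
// the right name, a client with an empty trust store, and a client expecting a different name.
func runScenarios() (trusted, unknownCA, wrongName Outcome, err error) {
	const host = "kms.example.internal" // constructed name
	cert, leaf, err := selfSignedCert(host)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	trusted = handshake(cert, roots, host)
	unknownCA = handshake(cert, x509.NewCertPool(), host)
	wrongName = handshake(cert, roots, "other.example.internal")
	return
}

func main() {
	trusted, unknownCA, wrongName, err := runScenarios()
	fmt.Println("setup error:", err)
	fmt.Printf("trusted:    TLS %#x, server %q, err=%v\n", trusted.Version, trusted.PeerCN, trusted.Err)
	fmt.Println("unknown CA:", unknownCA.Err)
	fmt.Println("wrong name:", wrongName.Err)
}
```

The two failing scenarios are the ones step 13 exists for: without a trust anchor the client cannot tell a genuine key management server from an impostor presenting any certificate, and without the name check a valid certificate for some other host would be accepted. Both checks happen before any application data is sent, so the symmetric key of steps 16 to 18 is never established with an unverified peer.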
SSL Virtual Private Network (SSL VPN): a VPN technology that uses the SSL protocol to provide remote access. It covers server authentication, client authentication, data integrity on the SSL link and data confidentiality on the SSL link. Specifically, a user's browser uses its built-in Secure Sockets Layer packet processing to connect through an SSL VPN gateway to the remotely accessed SSL VPN server, after which the user can run applications on the remote computer and read remote server data by network packet forwarding. The packets in transit are encrypted with standard SSL, so the data are protected at the application layer. A high-quality SSL VPN solution can provide secure global access for an enterprise, and the SSL VPN gateway plays an irreplaceable role in connecting the client and the server.
Fig. 2 is a schematic structural diagram of a data acquisition system according to an embodiment of the present application, and as shown in fig. 2, the system at least includes: client 110, cloud platform 120, and key management server 130.
The client 110 establishes a communication connection with the cloud platform 120. The client 110 is used for service access to the cloud platform 120. Optionally, in the present application, when the client 110 performs service access to the cloud platform 120, the cloud platform 120 needs to encrypt data transmitted to the client 110.
Optionally, the manner of encrypting the data transmitted to the client 110 by the cloud platform 120 may be symmetric encryption or asymmetric encryption, and this embodiment does not limit this encryption manner.
The cloud platform 120 consists of a single independent cloud host 121 or of a service cluster formed by a plurality of cloud hosts 121. The cloud platform 120 and the key management server 130 establish a communication connection based on a security protocol (such as an SSL VPN protocol based on the national cryptographic algorithms, i.e. the SM algorithms, or an SSL VPN protocol not based on them). When providing services to the client 110, the cloud platform 120 acquires sensitive data from the key management server 130 if sensitive data needs to be used; if a security service (such as an encryption service or a decryption service) needs to be accessed, the cloud platform 120 may also send a request to the key management server 130, and accordingly the key management server 130 generates security data (such as encrypted data or decrypted data) using the security service and returns the security data to the cloud platform 120.
The security protocol is a protocol for ensuring the security and confidentiality of data in transmission. In the present application, the security protocol is an SSL VPN protocol based either on the national cryptographic algorithms or on non-national cryptographic algorithms; in other embodiments, any protocol capable of ensuring security and confidentiality in data transmission falls within the scope of the security protocol described in the present application. The SSL VPN protocol based on the national cryptographic algorithms encrypts and decrypts data with the national cryptographic encryption and decryption algorithms while transmitting data over the SSL VPN; the SSL VPN protocol based on non-national cryptographic algorithms encrypts and decrypts data with encryption and decryption algorithms other than the national cryptographic ones while transmitting data over the SSL VPN.
The sensitive data refers to data needing to be kept secret in the cloud platform. The sensitive data may also be referred to as private data, non-public data, and the like, and the name of the sensitive data is not limited in this embodiment. Sensitive data includes, but is not limited to: the type of the sensitive data may be defined by a user, and this embodiment does not limit the type of the sensitive data.
The key management server 130 may be located in the same intranet environment as the cloud platform; alternatively, it may be located on the public network. The key management server 130 is configured with an access white list for filtering illegal accesses when it is located in a public network.
Optionally, the key management server 130 may also be connected to other cryptographic devices, such as an encryption machine, a signature verification server, and the like, to provide more and faster cryptographic services for the cloud platform 120.
Illustratively, the key management server 130 is connected to an encryption device via an intranet; the encryption device may be a stand-alone encryption machine, a device with an encryption card, or a UKEY inserted in the key management server. The communication interface used by the key management service to connect external cryptographic devices is compatible with GM/T 0019-2012 (Universal Cryptographic Service Interface Specification), GM/T 0018-2012 (Cryptographic Device Application Interface Specification) and GM/T 0048-2016 (Smart Cryptographic Key Cryptographic Detection Specification), so that cryptographic devices can be added without restriction.
Before the cloud platform 120 establishes a communication connection with the key management server 130, the cloud platform 120 needs to register a user in the key management server 130 using a user name and password together with the device information corresponding to that user name and password, and to store the configuration information of the key management server 130. The device information includes a cloud platform encryption certificate, and the cloud platform encryption certificate corresponds to a serial number.
Alternatively, the configuration information of the key management server 130 includes a CA certificate and a server encryption certificate of the key management server 130.
Alternatively, the number of cloud platforms 120 communicatively connected to the key management server 130 may be one; there may be a plurality of cloud platforms 120, and the number of cloud platforms 120 is not limited in this embodiment.
When multiple cloud platforms 120 are simultaneously connected to the key management server 130, the key management server 130 distinguishes the different cloud platforms by the username and password and the serial number of the encryption certificate, and the stored sensitive data and security data are associated with the username and password.
Alternatively, the plurality of cloud hosts 121 of a single cloud platform 120 may be set to a synchronous mode or an asynchronous mode, depending on service requirements.
In the asynchronous mode, the cloud hosts 121 of the cloud platform 120 log in to the key management server 130 through the cloud platform 120 (which forwards their requests) using different user names and passwords, and the key management server 130 generates a plurality of session handles, which correspond one-to-one to the user names and passwords and do not affect each other.
In the synchronous mode, the cloud hosts 121 of the same cloud platform 120 likewise log in to the key management server 130 through the cloud platform 120 using different user names and passwords, but the key management server 130 generates a single session handle that is shared by all the user names and passwords of the same cloud platform 120, so that each cloud platform 120 corresponds to one session handle. For example, in the synchronous mode, cloud host A generates a private key and obtains a private key handle; other cloud hosts under the same cloud platform can then use this private key handle to sign data. The shared objects include the session handle, the key container, private key usage rights, and the like.
In the asynchronous mode, the cloud hosts 121 of the same cloud platform 120 perform key operations independently, which suits scenarios with many different operation requirements at the same time. In the synchronous mode, the cloud hosts 121 of the same cloud platform 120 operate cooperatively, which suits scenarios where a single operation has high performance requirements.
A session handle is a unique integer that identifies an object created or used by the application; in other words, it is an identifier representing an object or item. In the present application, the session handle is used to map the sensitive data and security data belonging to the corresponding user name and password.
Fig. 3 is a flowchart of a data acquisition method according to an embodiment of the present application; this embodiment is described by taking as an example the application of the method to the data acquisition system shown in fig. 2. The method at least comprises the following steps:
step 301, the cloud platform acquires a user name and a password.
Optionally, the username password comprises a username and a login password.
Optionally, the cloud platform acquires the user name and password in one of, but not limited to, the following manners:
In the first manner, the cloud platform reads the locally stored user name and password.
In the second manner, the cloud platform computes a protection key, acquires the encrypted user name and password, and decrypts the encrypted user name and password with the protection key to obtain the user name and password. The encrypted user name and password are obtained by symmetric encryption using the protection key.
Optionally, the symmetric encryption scheme includes but is not limited to: the SM1 algorithm and/or the SM4 algorithm, the AES algorithm, etc., and the present embodiment does not limit the type of symmetric encryption.
In the second mode, the username and password are stored in the cloud platform in an encrypted form and are decrypted only when in use; the problem that the user name and the password are leaked due to the fact that the cloud platform is attacked can be solved, and the safety of the user name and the password can be improved.
The symmetric encryption algorithm may be the SM4 algorithm, and of course, may also be other types of symmetric encryption algorithms, and the embodiment does not limit the type of the symmetric encryption algorithm.
Optionally, the cloud platform obtains the protection key in one of, but not limited to, the following manners:
In the first manner, the cloud platform reads the locally stored protection key.
In the second manner, the cloud platform acquires its local MAC address and authorization information, and computes the protection key from the MAC address and the authorization information using a first encryption algorithm and a first digest algorithm. The authorization information is information (such as an authorization number) sent by the key management server after the authorization of the cloud platform passes.
In the second manner, the protection key is computed with a first encryption algorithm and a first digest algorithm; this avoids the situation in which an attacker who obtains the protection key directly decrypts the encrypted user name and password, which would leave the user name and password poorly protected, and so further improves the security of the user name and password.
Optionally, in the present application, the first digest algorithm is an SM3 algorithm; the first encryption algorithm is an exclusive or algorithm, and of course, when the first encryption algorithm is actually implemented, the first digest algorithm and the first encryption algorithm may also be other types of algorithms, which is not limited in this embodiment.
Illustratively, computing the protection key from the MAC address and the authorization information using the first encryption algorithm and the first digest algorithm includes: the cloud platform concatenates the MAC address and the authorization information; computes the SM3 digest of the concatenated string to obtain a 32-byte digest value; XORs the first 16 bytes and the last 16 bytes of the 32-byte digest value to obtain a 16-byte temporary key; and XORs the 16-byte local key with the 16-byte temporary key to obtain the 16-byte protection key.
Step 302, the cloud platform logs in a pre-registered key management server using a username and password.
The key management server is used for managing sensitive data corresponding to the user name and the password and providing security service.
Optionally, the cloud platform logs in the key management server based on a digest authentication method by using a username and a password. As shown in fig. 4, the process of the cloud platform logging in the key management server based on the digest authentication method by using the username and password at least comprises steps 41 to 413:
step 41, the cloud platform sends an authentication request to the key management server, where the authentication request carries a serial number of the cloud platform encryption certificate.
The authentication request triggers the key management server to generate and return a challenge message, which includes a server random number ciphertext generated by the key management server and the server domain information realm.
The server random number ciphertext is obtained by encrypting a newly generated server random number with the cloud platform encryption public key using a second encryption algorithm; the cloud platform encryption public key is found by looking up the serial number of the registered cloud platform encryption certificate.
Wherein the second encryption algorithm may be the SM2 algorithm, and the second digest algorithm is the SM3 algorithm. Of course, other algorithms are possible, and this example is not intended to be limiting. In this embodiment, by using the SM2 algorithm as the encryption algorithm and the SM3 algorithm as the digest algorithm, the security of the authentication process can be improved compared with the SHA-256 and MD5 algorithms of the general authentication process.
And step 42, the key management server receives an authentication request sent by the cloud platform.
Step 43, the key management server determines the cloud platform encryption public key corresponding to the serial number of the cloud platform encryption certificate; generates a server random number and the server domain information; encrypts the server random number with the cloud platform encryption public key using the second encryption algorithm to obtain a server random number ciphertext; and generates a challenge message, which includes the server random number ciphertext and the server domain information.
The key management server stores the corresponding relation between the cloud platform encryption certificate and the serial number, the cloud platform encryption certificate corresponding to the serial number can be determined according to the corresponding relation, and then the cloud platform encryption public key is read from the cloud platform encryption certificate. The corresponding relation between the cloud platform encryption certificate and the serial number is established in the key management server when the cloud platform is registered in the key management server.
Illustratively, the challenge message includes the server random number ciphertext nonce and the server domain information realm.
And step 44, the key management server sends the challenge message to the cloud platform.
The challenge message is used by the cloud platform to generate authentication information.
And step 45, the cloud platform receives the challenge message.
Step 46, the cloud platform asymmetrically decrypts the server random number ciphertext in the challenge message with the cloud platform encryption private key to obtain the server random number; generates a cloud platform random number; performs a digest operation on the user name, password and the server domain information in the challenge message with the second digest algorithm to obtain a temporary digest value; performs a digest operation on the temporary digest value, the cloud platform random number and the server random number to obtain a final digest value; encrypts the cloud platform random number with the server encryption public key in the server encryption certificate using the second encryption algorithm to obtain a cloud platform random number ciphertext; and concatenates the final digest value, the cloud platform random number ciphertext and the server random number ciphertext to obtain the authentication information.
And the cloud platform encryption private key corresponding to the cloud platform encryption public key in the cloud platform encryption certificate is stored in the cloud platform.
The server encryption certificate comprises a server encryption public key, and a server encryption private key corresponding to the server encryption public key is stored in the key management server.
Illustratively, the cloud platform computes an SM3 digest over the user name, password and realm to obtain the temporary digest value; computes an SM3 digest over the temporary digest value, the server random number and the cloud platform random number it generated to obtain the final digest value; and combines the final digest value, the server random number ciphertext nonce and the cloud platform random number ciphertext cnonce to obtain the authentication information.
And step 47, the cloud platform sends the authentication information to the key management server.
The authentication information triggers the key management server to decrypt the cloud platform random number ciphertext in the authentication information with the server encryption private key to obtain the cloud platform random number; perform a digest operation on the registered user name, password and corresponding server domain information with the second digest algorithm to obtain a template temporary digest value; perform a digest operation on the template temporary digest value, the cloud platform random number and the server random number corresponding to the registered user name and password to obtain a template final digest value; concatenate the template final digest value, the cloud platform random number ciphertext from the authentication information and the server random number ciphertext corresponding to the registered user name and password to obtain template information; and return authentication-passed feedback when the authentication information matches the template information.
And step 48, the key management server receives authentication information sent by the cloud platform, wherein the authentication information comprises a final digest value, a cloud platform random number ciphertext and a server random number ciphertext.
Step 49, the key management server decrypts the cloud platform random number ciphertext in the authentication information with the server encryption private key to obtain the cloud platform random number; performs a digest operation on the registered user name, password and corresponding server domain information with the second digest algorithm to obtain a template temporary digest value; performs a digest operation on the template temporary digest value, the cloud platform random number and the server random number corresponding to the registered user name and password to obtain a template final digest value; and concatenates the template final digest value, the cloud platform random number ciphertext from the authentication information and the server random number ciphertext corresponding to the registered user name and password to obtain template information.
Illustratively, the key management server retrieves the registered user name and password and computes an SM3 digest over them and the corresponding server domain information realm to obtain the template temporary digest value; computes an SM3 digest over the template temporary digest value, the cloud platform random number obtained by decrypting the cloud platform random number ciphertext in the authentication information, and the server random number corresponding to the registered user name and password to obtain the template final digest value; and concatenates the template final digest value, the cloud platform random number ciphertext from the authentication information and the server random number ciphertext corresponding to the registered user name and password to obtain the template information. If the template information is identical to the authentication information, authentication passes; if they differ, authentication fails.
Step 410, when the authentication information matches the template information, the key management server sends authentication-passed feedback to the cloud platform to inform it that login succeeded, and step 411 is executed; when the authentication information does not match the template information, the key management server sends authentication-failure feedback to the cloud platform, and step 412 is executed.
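As an added example (not code from the patent or its assignee), the following Python implements SM3 and runs the two SM3-based computations described above: the protection-key derivation of step 301 (second manner) and the challenge/response digest that the cloud platform (step 46) and the key management server (step 49) compute. The SM2 encryption of the two random numbers is not modelled: plaintext nonces stand in for the "random number ciphertext" fields of the authentication information, and the user name, password, realm and nonce values are constructed for illustration.

```python
# SM3 (GM/T 0004-2012) in pure Python, plus the protection-key derivation and
# the login digest of this description.  Added example; the nonces are handled
# in plaintext where the patent would carry SM2 ciphertexts.
import hmac
import os
import struct

_IV = (0x7380166f, 0x4914b2b9, 0x172442d7, 0xda8a0600,
       0xa96f30bc, 0x163138aa, 0xe38dee4d, 0xb0fb0e4e)
_M = 0xffffffff

def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M

def _p0(x):
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)

def _p1(x):
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)

def _compress(v, block):
    # Message expansion W[0..67] and W'[0..63], then 64 rounds.
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                 ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        if j < 16:
            t, ff, gg = 0x79cc4519, a ^ b ^ c, e ^ f ^ g
        else:
            t = 0x7a879d8a
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | (~e & _M & g)
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _M, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        tt1 = (ff + d + ss2 + w1[j]) & _M
        tt2 = (gg + h + ss1 + w[j]) & _M
        d, c, b, a = c, _rotl(b, 9), a, tt1
        h, g, f, e = g, _rotl(f, 19), e, _p0(tt2)
    return tuple(x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h)))

def sm3(msg: bytes) -> bytes:
    """SM3 digest; returns 32 bytes."""
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bit_len)
    v = _IV
    for i in range(0, len(msg), 64):
        v = _compress(v, msg[i:i + 64])
    return struct.pack(">8I", *v)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_protection_key(mac: str, auth_info: str, local_key: bytes) -> bytes:
    """Step 301, second manner: SM3(MAC || authorization info), fold the
    32-byte digest to 16 bytes by XOR, then XOR with the 16-byte local key."""
    if len(local_key) != 16:
        raise ValueError("local key must be 16 bytes")
    digest = sm3((mac + auth_info).encode())
    temp_key = _xor(digest[:16], digest[16:])
    return _xor(local_key, temp_key)

def login_digest(username: str, password: str, realm: str,
                 cnonce: bytes, snonce: bytes) -> bytes:
    """Steps 46 and 49: temp = SM3(username || password || realm);
    final = SM3(temp || cloud platform random number || server random number)."""
    temp = sm3((username + password + realm).encode())
    return sm3(temp + cnonce + snonce)

def client_authenticate(username: str, password: str, realm: str,
                        snonce: bytes) -> bytes:
    """Cloud platform side (step 46): fresh 16-byte cnonce, then
    authentication information = final digest || cnonce || snonce."""
    cnonce = os.urandom(16)
    return login_digest(username, password, realm, cnonce, snonce) + cnonce + snonce

def server_verify(registered: dict, realm: str, snonce: bytes, auth_info: bytes) -> bool:
    """Key management server side (step 49): rebuild the template from the
    registered credentials and the nonce it issued, compare in constant time."""
    if len(auth_info) != 64:
        return False
    cnonce = auth_info[32:48]
    template = login_digest(registered["username"], registered["password"],
                            realm, cnonce, snonce)
    return hmac.compare_digest(template + cnonce + snonce, auth_info)

if __name__ == "__main__":
    # Constructed sample values for a local run.
    reg = {"username": "cloud-a", "password": "s3cret"}
    snonce = os.urandom(16)
    auth = client_authenticate("cloud-a", "s3cret", "kms.example", snonce)
    print("login", "ok" if server_verify(reg, "kms.example", snonce, auth) else "failed")
    print("protection key", derive_protection_key("00:11:22:33:44:55", "AUTH-0001", bytes(16)).hex())
```

The server accepts only an authentication information whose final digest was computed with the server random number it actually issued, so a message captured from an earlier login does not verify against a fresh challenge.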
In step 411, the cloud platform receives authentication pass feedback, and the process ends.
In step 412, the cloud platform receives the authentication failure feedback and outputs an authentication failure prompt.
Step 303, after the key management server is successfully logged in, the cloud platform and the key management server establish communication connection based on a security protocol.
The communication connection is established after the cloud platform acquires the user name and the password and logs in a pre-registered key management server by using the user name and the password.
After the cloud platform successfully logs in by using the user name and the password, the cloud platform establishes communication connection with a key management server based on a security protocol; and the key management server establishes communication connection with the cloud platform based on a security protocol.
In this embodiment, the cloud platform and the key management server establish a communication connection process based on a security protocol, and the encryption algorithm uses an encryption suite of SM2+ SM3+ SM4, that is, the handshake phase shown in fig. 1 uses an SM2 algorithm, the authentication phase (login phase) uses an SM3 algorithm, and the symmetric algorithm uses an SM4 algorithm. By using a common cryptographic algorithm, the security of the communication process can be improved.
Optionally, public key operations, SM4 symmetric operations and SM3 digest operations on the cloud platform are handled locally by the cloud platform. Private key operations, SM1 symmetric operations and random number seed generation can, according to the performance requirements of the service, be handled by higher-performance cryptographic equipment such as the key management server or an attached encryption machine.
At step 304, the cloud platform obtains the sensitive data and/or the security data generated by the security service from the key management server using the communication connection.
Step 305, the key management server sends the sensitive data and/or the security service generated security data to the cloud platform using the communication connection.
In one example, the communication connection is established based on an SSL VPN protocol using the national cryptographic algorithms; in this case the key management server encrypts the sensitive data and/or the security data with a national cryptographic algorithm and transmits the encrypted data to the cloud platform over the SSL VPN protocol, and the cloud platform decrypts with the corresponding national cryptographic algorithm to obtain the sensitive data and/or the security data.
In another example, the communication connection is established based on an SSL VPN protocol using non-national cryptographic algorithms; in this case the key management server encrypts the sensitive data and/or the security data with a non-national cryptographic algorithm and transmits the encrypted data to the cloud platform over the SSL VPN protocol, and the cloud platform decrypts with the corresponding non-national cryptographic algorithm to obtain the sensitive data and/or the security data.
In summary, the data acquisition method provided in this embodiment acquires the user name and password; logs in to a pre-registered key management server with the user name and password, the key management server managing the sensitive data corresponding to that user name and password; after a successful login, establishes a communication connection with the key management server based on a security protocol; and obtains the sensitive data from the key management server over that connection. This addresses the problem that, when data transmission between the cloud platform and a client is protected by an encryption algorithm implemented in software, the sensitive data is stored locally on the cloud platform and is therefore not well protected. By adding a key management server that manages the sensitive data and provides the security service, and having the cloud platform establish a communication connection to it whenever sensitive data must be acquired or the security service accessed, the sensitive data is no longer stored locally on the cloud platform, which improves the security of the sensitive data and hence the security of communication between the cloud platform and the client and of access to the security service.
In addition, the username and password are stored in the cloud platform in an encrypted form and are only decrypted when in use; the problem that the user name and the password are leaked due to the fact that the cloud platform is attacked can be solved, and the safety of the user name and the password can be improved.
In addition, the communication connection between the cloud platform and the key management server is established by using the security protocol, so that the secure transmission of sensitive data and secure data can be ensured, and the data security is improved.
In addition, the cloud platform and the key management server establish a communication connection process based on a security protocol, and an encryption algorithm uses an encryption suite of SM2+ SM3+ SM4, namely, an SM2 algorithm is used in a handshake phase, an SM3 algorithm is used in an authentication phase (login phase), and an SM4 algorithm is adopted in a symmetric algorithm; by using a common cryptographic algorithm, the security of the communication process can be improved.
Optionally, the steps executed by the cloud platform side may be implemented separately as an embodiment of the cloud platform side; the steps performed on the key management server side may be implemented separately as embodiments on the key management server side.
Optionally, the cloud platform needs to register in the key management server before step 302. Fig. 5 is a flowchart of a data acquisition method according to an embodiment of the present application, and this embodiment explains an example in which the method is applied to the data acquisition system shown in fig. 2. Before step 302, the method comprises at least the following steps:
step 501, the cloud platform sends a registration request to a key management server, where the registration request carries a username and a password and device information corresponding to the username and the password.
The registration request is used for triggering the key management server to register the user name password and the equipment information, and the configuration information is returned after the registration is successful.
The device information includes a cloud platform encryption certificate.
Step 502, the key management server receives a registration request sent by the cloud platform.
In step 503, the key management server registers the username and password and the device information corresponding to the username and password.
The device information includes a cloud platform encryption certificate. Optionally, the device information may also include, but is not limited to: a MAC address, a device name, and/or an IP address of the cloud platform.
Optionally, the key management server may verify the username and password when registering the username and password and the device information; registering the user name and the password and the corresponding equipment information when the authentication is passed; and when the authentication is not passed, the user name and the password and the corresponding equipment information are not registered.
Registering the username and password and the corresponding device information, comprising: and establishing a corresponding relation among the username and the password, the cloud platform encryption certificate and the serial number of the cloud platform encryption certificate. The cloud platform encryption certificate comprises a cloud platform encryption public key.
The verification of the username and password can be to verify whether the username and password are registered; and/or, verifying whether the username and password are valid, and the like, and the embodiment does not limit the verification manner of the username and password.
Optionally, registering the user name and password and the corresponding device information by the key management server includes: acquiring the working mode of the cloud platform, the working modes including a synchronous mode and an asynchronous mode; when the working mode is the synchronous mode, generating a first session handle corresponding to the user name and password, where the first session handle is shared by all user names and passwords in the cloud platform; and when the working mode is the asynchronous mode, generating a second session handle corresponding to the user name and password, where the second session handle is dedicated to that user name and password. In other words, the second session handle corresponding to the user name and password differs from the session handles corresponding to the other user names and passwords in the cloud platform.
Wherein, the working mode can be carried in the registration request; or, transmitted by the cloud platform; or, the operation mode is stored locally, and the embodiment does not limit the obtaining manner of the operation mode.
Step 504, the key management server returns configuration information after the registration is successful.
The configuration information is used for the cloud platform to verify the key management server.
Optionally, the configuration information includes a server encryption certificate of the key management server and a CA certificate.
The CA certificate (also called the signature certificate) is used during signing and serves to verify the identity of the key management server; the public key and the private key of the CA certificate are both generated by the key management server and kept by the key management server. The server encryption certificate is used when transferring encrypted data, and the server encryption private key and server encryption public key of the server encryption certificate are generated by the CA and kept by the CA. The server encryption certificate includes the server encryption public key.
Step 505, the cloud platform receives the configuration information sent by the key management server.
Step 506, the cloud platform stores the configuration information after the configuration information is verified.
The cloud platform verifying the configuration information comprises verifying the CA certificate of the key management server. For example: the cloud platform verifies the signature on the CA certificate by using the public key of the CA certificate; if the verification passes, the CA certificate is valid; if the verification fails, the CA certificate is invalid, the device that sent the CA certificate is treated as an insecure device, and no communication connection is established with it.
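The self-signature check of step 506 carried out in Go, as an added example that is not code from the patent or its applicant. It assumes an ECDSA P-256 CA certificate (the page names no algorithm) and adds two checks the page does not state: the certificate's validity period, and a SHA-256 fingerprint the cloud platform is assumed to have pinned at registration time, because a valid self-signature only proves that the certificate is internally consistent, not that it came from the expected key management server. The names MakeCA, Fingerprint and VerifyCA are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// MakeCA builds a self-signed CA certificate standing in for the key management server's CA
// certificate of step 504 (constructed fixture; ECDSA P-256 is an assumption, the page names no algorithm).
func MakeCA(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// template == parent makes the certificate self-signed, exactly what step 506 verifies
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Fingerprint is the SHA-256 of the DER certificate, the value the platform would pin.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// VerifyCA performs the step 506 check: the CA certificate's signature must verify under the
// certificate's own public key. Because that proves only self-consistency (anyone can mint a
// self-signed certificate), it also requires the certificate to be within its validity period and,
// when pinned is non-empty, to match the fingerprint learned at registration (an added assumption).
func VerifyCA(der []byte, pinned string, now time.Time) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err // not even a certificate: reject, and report why
	}
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return false, nil // step 506: invalid self-signature, the peer is treated as insecure
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false, nil
	}
	if pinned != "" && Fingerprint(der) != pinned {
		return false, nil
	}
	return true, nil
}
```

A rejected certificate returns false with a nil error, so a caller distinguishes "malformed input" (error) from "well-formed but untrusted" (false); both cases end with no connection being established, as the description requires.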
In summary, in this embodiment, by automatically switching the manner of registering the username and password according to the working mode of the cloud host, the various working scenarios of the cloud host can be supported at a fixed cost.
Fig. 6 is a block diagram of a data acquisition apparatus according to an embodiment of the present application, and this embodiment takes the cloud platform 120 of the data acquisition system shown in fig. 2 as an example for explanation. The device at least comprises the following modules: a password acquisition module 610, a user login module 620, a connection establishment module 630, and a data acquisition module 640.
A password obtaining module 610, configured to obtain a username and a password;
a user login module 620, configured to log in a pre-registered key management server using the username and password, where the key management server is configured to manage sensitive data corresponding to the username and password and provide security service;
a connection establishing module 630, configured to establish a communication connection with the key management server based on a security protocol after logging in the key management server successfully;
a data obtaining module 640, configured to obtain the sensitive data and/or the security data generated by the security service from the key management server using the communication connection.
Fig. 7 is a block diagram of a data acquisition apparatus according to an embodiment of the present application, and the present embodiment is described by taking the key management server 130 applied to the data acquisition system shown in fig. 2 as an example. The device at least comprises the following modules: a connection establishing module 710 and a data sending module 720.
The connection establishing module 710 is configured to establish a communication connection with the cloud platform based on a security protocol after the cloud platform successfully logs in using the username and password;
a data sending module 720, configured to send the sensitive data and/or the security data generated by the security service to the cloud platform using the communication connection.
For relevant details reference is made to the above-described method embodiments.
It should be noted that: in the data acquisition apparatus provided in the above embodiment, when data is acquired, only the division of the above functional modules is taken as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the data acquisition apparatus is divided into different functional modules to complete all or part of the above described functions. In addition, the data acquisition device and the data acquisition method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
Fig. 8 is a block diagram of a data acquisition apparatus provided in an embodiment of the present application, where the apparatus may be the cloud platform 120 or the key management server 130 in the data acquisition system shown in fig. 2. The apparatus comprises at least a processor 801 and a memory 802.
The processor 801 may include one or more processing cores, such as a 4-core processor or an 8-core processor. The processor 801 may be implemented in at least one hardware form of a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA) and a Programmable Logic Array (PLA). The processor 801 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, also called a Central Processing Unit (CPU), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 801 may further include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 802 may include one or more computer-readable storage media, which may be non-transitory. Memory 802 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 802 is used to store at least one instruction for execution by processor 801 to implement the data acquisition methods provided by method embodiments herein.
In some embodiments, the data acquisition device may further include: a peripheral interface and at least one peripheral. The processor 801, memory 802 and peripheral interface may be connected by bus or signal lines. Each peripheral may be connected to the peripheral interface via a bus, signal line, or circuit board. Illustratively, peripheral devices include, but are not limited to: radio frequency circuit, touch display screen, audio circuit, power supply, etc.
Of course, the data acquisition device may also include fewer or more components, which is not limited in this embodiment.
Optionally, the present application further provides a computer-readable storage medium, in which a program is stored, and the program is loaded and executed by a processor to implement the data acquisition method of the foregoing method embodiment.
Optionally, the present application further provides a computer product, which includes a computer-readable storage medium, in which a program is stored, and the program is loaded and executed by a processor to implement the data acquisition method of the above-mentioned method embodiment.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (11)

1. A data acquisition method is applied to a cloud platform, and the method comprises the following steps:
acquiring a user name and a password;
logging in a pre-registered key management server by using the username and password, wherein the key management server is used for managing sensitive data corresponding to the username and password and providing security service;
after logging in the key management server successfully, establishing communication connection with the key management server based on a security protocol;
obtaining the sensitive data and/or the security data generated by the security service from the key management server using the communication connection;
the logging in a pre-registered key management server using the username and password comprises:
sending an authentication request to the key management server, wherein the authentication request carries a serial number of a cloud platform encryption certificate so as to trigger the key management server to generate and return a challenge message; the challenge message comprises a server random number ciphertext and server domain information generated by the key management server;
receiving the challenge message;
asymmetrically decrypting the server random number ciphertext in the challenge message by using a cloud platform encryption private key to obtain the server random number;
generating a cloud platform random number;
performing a digest operation on the username and password and the server domain information in the challenge message by using a second digest algorithm to obtain a temporary digest value;
performing a digest operation on the temporary digest value, the cloud platform random number and the server random number to obtain a final digest value;
encrypting the cloud platform random number by using a server encryption certificate based on a second encryption algorithm to obtain a cloud platform random number ciphertext;
splicing the final digest value, the cloud platform random number ciphertext and the server random number ciphertext to obtain authentication information;
sending the authentication information to the key management server to trigger the key management server to authenticate the authentication information, and returning authentication passing feedback when the authentication passes;
receiving the authentication pass feedback.
2. The method of claim 1, wherein prior to logging in to a pre-registered key management server using the username and password, further comprising:
sending a registration request to the key management server, wherein the registration request carries the username and password and the device information corresponding to the username and password, and the registration request is used for triggering the key management server to register the username and password and the device information and returning configuration information after the registration is successful;
receiving configuration information sent by the key management server;
and storing the configuration information after the configuration information is verified.
3. The method of claim 1, wherein obtaining the username and password comprises:
calculating a protection key;
obtaining an encrypted user name and password, wherein the encrypted user name and password are obtained by symmetrically encrypting by using the protection key;
and decrypting the encrypted user name and password by using the protection key to obtain the user name and password.
4. The method of claim 3, wherein computing the protection key comprises:
acquiring an MAC address and authorization information of the cloud platform, wherein the authorization information is information sent after the key management server passes the authorization of the cloud platform;
and calculating the MAC address and the authorization information based on a first encryption algorithm and a first digest algorithm to obtain the protection key.
5. A data acquisition method applied to a key management server, the method comprising:
after the cloud platform successfully logs in by using a username and a password, establishing a communication connection with the cloud platform based on a security protocol;
sending sensitive data and/or security data generated by the security service to the cloud platform using the communication connection;
receiving an authentication request sent by the cloud platform, wherein the authentication request carries a serial number of a cloud platform encryption certificate;
determining a cloud platform encryption public key corresponding to the serial number of the cloud platform encryption certificate;
generating a server random number and server domain information;
encrypting the server random number by using the cloud platform encryption public key based on a second encryption algorithm to obtain a server random number ciphertext;
generating a challenge message, wherein the challenge message comprises the server random number ciphertext and the server domain information;
sending the challenge message to the cloud platform so that the cloud platform can generate authentication information; the authentication information comprises a final digest value, a cloud platform random number ciphertext and the server random number ciphertext;
receiving the authentication information sent by the cloud platform;
decrypting the cloud platform random number ciphertext in the authentication information by using a server encryption private key to obtain the cloud platform random number;
performing a digest operation on the registered username and password and the corresponding server domain information by using a second digest algorithm to obtain a template temporary digest value;
performing a digest operation on the template temporary digest value, the cloud platform random number and the server random number corresponding to the registered username and password to obtain a template final digest value;
splicing the template final digest value, the cloud platform random number ciphertext in the authentication information and the server random number ciphertext corresponding to the registered username and password to obtain template information; and sending authentication passing feedback to the cloud platform when the authentication information matches the template information so as to inform the cloud platform of successful login.
6. The method of claim 5, wherein before establishing a communication connection with the cloud platform based on a security protocol after the cloud platform successfully logs in using the username and password, the method comprises:
receiving a registration request sent by the cloud platform, wherein the registration request carries the username and password and the device information corresponding to the username and password;
registering the user name and the password and the equipment information;
and returning configuration information after the registration is successful, wherein the configuration information is used for the cloud platform to verify the key management server.
7. The method of claim 6, wherein the cloud platform comprises a plurality of cloud hosts, and wherein different cloud hosts correspond to different user names and passwords; the registering the username and password and the device information includes:
acquiring working modes of the cloud platform, wherein the working modes comprise a synchronous mode and an asynchronous mode;
when the working mode is the synchronous mode, generating a first session handle corresponding to the username and password, wherein the first session handle is a session handle shared by all usernames and passwords in the cloud platform;
when the working mode is the asynchronous mode, generating a second session handle corresponding to the username and password; the second session handle is a session handle dedicated to the username and password;
wherein the session handle is used for mapping the sensitive data and the security data corresponding to the username and password.
8. A data acquisition apparatus, characterized in that the apparatus comprises:
the password acquisition module is used for acquiring a user name and a password;
the user login module is used for logging in a pre-registered key management server by using the username and password, and the key management server is used for managing sensitive data corresponding to the username and password and providing security service;
the connection establishing module is used for establishing communication connection with the key management server based on a security protocol after logging in the key management server successfully;
a data acquisition module for acquiring the sensitive data and/or the security data generated by the security service from the key management server using the communication connection;
the logging in a pre-registered key management server using the username and password comprises:
sending an authentication request to the key management server, wherein the authentication request carries a serial number of a cloud platform encryption certificate so as to trigger the key management server to generate and return a challenge message; the challenge message comprises a server random number ciphertext and server domain information generated by the key management server;
receiving the challenge message;
asymmetrically decrypting the server random number ciphertext in the challenge message by using a cloud platform encryption private key to obtain the server random number;
generating a cloud platform random number;
performing a digest operation on the username and password and the server domain information in the challenge message by using a second digest algorithm to obtain a temporary digest value;
performing a digest operation on the temporary digest value, the cloud platform random number and the server random number to obtain a final digest value;
encrypting the cloud platform random number by using a server encryption certificate based on a second encryption algorithm to obtain a cloud platform random number ciphertext;
splicing the final digest value, the cloud platform random number ciphertext and the server random number ciphertext to obtain authentication information;
sending the authentication information to the key management server to trigger the key management server to authenticate the authentication information, and returning authentication passing feedback when the authentication passes;
receiving the authentication pass feedback.
9. A data acquisition apparatus, characterized in that the apparatus comprises:
the connection establishing module is used for establishing communication connection with the cloud platform based on a security protocol after the cloud platform successfully logs in by using a user name and a password;
the data sending module is used for sending the sensitive data and/or the security data generated by the security service to the cloud platform by using the communication connection;
receiving an authentication request sent by the cloud platform, wherein the authentication request carries a serial number of a cloud platform encryption certificate;
determining a cloud platform encryption public key corresponding to the serial number of the cloud platform encryption certificate;
generating a server random number and server domain information;
encrypting the server random number by using the cloud platform encryption public key based on a second encryption algorithm to obtain a server random number ciphertext;
generating a challenge message, wherein the challenge message comprises the server random number ciphertext and the server domain information;
sending the challenge message to the cloud platform so that the cloud platform can generate authentication information; the authentication information comprises a final digest value, a cloud platform random number ciphertext and the server random number ciphertext;
receiving the authentication information sent by the cloud platform;
decrypting the cloud platform random number ciphertext in the authentication information by using a server encryption private key to obtain the cloud platform random number;
performing a digest operation on the registered username and password and the corresponding server domain information by using a second digest algorithm to obtain a template temporary digest value;
performing a digest operation on the template temporary digest value, the cloud platform random number and the server random number corresponding to the registered username and password to obtain a template final digest value;
splicing the template final digest value, the cloud platform random number ciphertext in the authentication information and the server random number ciphertext corresponding to the registered user name and password to obtain template information; and sending authentication passing feedback to the cloud platform when the authentication information is matched with the template information so as to inform the cloud platform of successful login.
10. A data acquisition apparatus, characterized in that the apparatus comprises a processor and a memory; the memory stores therein a program that is loaded and executed by the processor to implement the data acquisition method according to any one of claims 1 to 4; or implementing a data acquisition method as claimed in any one of claims 5 to 7.
11. A computer-readable storage medium, characterized in that a program is stored in the storage medium, which program, when executed by a processor, is configured to implement the data acquisition method according to any one of claims 1 to 4; or implementing a data acquisition method as claimed in any one of claims 5 to 7.
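The challenge-response login of claims 1 and 5 carried through end to end in Go, with both sides' messages, as an added example that is not code from the patent or its applicant. Assumptions: RSA-OAEP stands in for the unnamed "second encryption algorithm" and SHA-256 for the "second digest algorithm"; each digested field is length-prefixed because the page names no delimiter; the registered username and password are looked up by the certificate serial number carried in the authentication request (the correspondence the description establishes at registration); and a challenge is consumed on first use. The types Server, Challenge, AuthInfo, session and the functions Respond, Verify, finalDigest are the example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// Challenge is the server's message of claim 5; AuthInfo is the platform's spliced reply of claim 1.
type Challenge struct {
	ServerNonceCT []byte // server random number, RSA-OAEP encrypted to the cloud platform encryption public key
	Domain        string // server domain information, sent in the clear
}
type AuthInfo struct{ FinalDigest, CloudNonceCT, ServerNonceCT []byte }

type session struct { // one registered cloud platform, keyed by its certificate serial number (claim 6)
	user, pass string         // registered username and password
	pub        *rsa.PublicKey // cloud platform encryption public key
	nonce, ct  []byte         // outstanding server random number and its ciphertext; nil when none
}

type Server struct {
	key      *rsa.PrivateKey // server encryption private key
	domain   string          // server domain information
	sessions map[string]*session
}

// hashParts length-prefixes each field before hashing. Assumptions: SHA-256 stands in for the
// page's unnamed "second digest algorithm"; the prefix is added because the page names no delimiter.
func hashParts(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		binary.Write(h, binary.BigEndian, uint32(len(p)))
		h.Write(p)
	}
	return h.Sum(nil)
}

// finalDigest is the two-step chain both sides compute: H(H(user, pass, domain), cloudNonce, serverNonce).
func finalDigest(user, pass, domain string, cloudNonce, serverNonce []byte) []byte {
	return hashParts(hashParts([]byte(user), []byte(pass), []byte(domain)), cloudNonce, serverNonce)
}

func nonce() []byte { // 32 random bytes; a failing crypto/rand means no usable entropy, so stop
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Challenge encrypts a fresh server random number to the platform's public key and keeps both
// plaintext and ciphertext so that Verify can rebuild the template information.
func (s *Server) Challenge(serial string) (Challenge, error) {
	ss, ok := s.sessions[serial]
	if !ok {
		return Challenge{}, errors.New("unregistered certificate serial")
	}
	ss.nonce = nonce()
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ss.pub, ss.nonce, nil)
	if err != nil {
		return Challenge{}, err
	}
	ss.ct = ct
	return Challenge{ct, s.domain}, nil
}

// Verify rebuilds the template of claim 5 and compares it in constant time; the cloud platform random
// number ciphertext is copied from the received AuthInfo into the template, so only the other two parts can differ.
func (s *Server) Verify(serial string, a AuthInfo) bool {
	ss, ok := s.sessions[serial]
	if !ok || ss.nonce == nil {
		return false
	}
	n, ct := ss.nonce, ss.ct
	ss.nonce, ss.ct = nil, nil // single-use challenge: a captured AuthInfo cannot be replayed
	cloudNonce, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, a.CloudNonceCT, nil)
	if err != nil {
		return false
	}
	want := finalDigest(ss.user, ss.pass, s.domain, cloudNonce, n)
	return subtle.ConstantTimeCompare(want, a.FinalDigest) == 1 && bytes.Equal(ct, a.ServerNonceCT)
}

// Respond is the cloud platform side of claim 1 for one received challenge.
func Respond(key *rsa.PrivateKey, user, pass string, ch Challenge, serverPub *rsa.PublicKey) (AuthInfo, error) {
	serverNonce, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ch.ServerNonceCT, nil)
	if err != nil {
		return AuthInfo{}, err
	}
	cn := nonce()
	cloudCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, cn, nil)
	if err != nil {
		return AuthInfo{}, err
	}
	return AuthInfo{finalDigest(user, pass, ch.Domain, cn, serverNonce), cloudCT, ch.ServerNonceCT}, nil
}
```

To run the exchange, register the platform's encryption public key and credentials under its certificate serial in sessions, call s.Challenge(serial) on the server, pass the returned challenge and the server's public key to Respond on the platform, and hand the resulting AuthInfo to s.Verify(serial, a). The page does not say whether the server random number is single-use; Verify clears it on first use, which is what stops the same AuthInfo from being accepted a second time or against a later challenge. The final digest binds both random numbers, so a wrong password fails even though the platform holds the correct encryption private key.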
CN202010174984.0A 2020-03-13 2020-03-13 Data acquisition method, device and storage medium Active CN111416807B (en)

Publications (2)

Publication Number Publication Date
CN111416807A CN111416807A (en) 2020-07-14
CN111416807B true CN111416807B (en) 2022-06-07

Family

ID=71492943


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant