CN111783051A - Identity authentication method and device and electronic equipment - Google Patents


Info

Publication number
CN111783051A
Application number
CN202010653267.6A
Authority
CN (China)
Prior art keywords
application; container; service; identity information; certificate
Legal status
Granted
Other languages
Chinese (zh)
Other versions
CN111783051B (en)
Inventor
崔帅华
Current assignee
Alipay Hangzhou Information Technology Co Ltd
Original assignee
Alipay Hangzhou Information Technology Co Ltd

Events
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202010653267.6A
Publication of CN111783051A
Application granted
Publication of CN111783051B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services

Abstract

The embodiments of the specification provide an identity authentication method and device and electronic equipment. The method is applied to a Kubernetes system used for deploying application containers, where the Kubernetes system deploys a security container into the same Pod as the application container in sidecar mode, and the security container provides identity authentication for the application container in the same Pod. The method comprises the following steps: a first application container, where a service calling party is located, acquires a service certificate from a first security container in the same Pod; the service certificate is generated by the first security container according to locally stored application identity information corresponding to the first application container; the first application container sends the service certificate to a second application container where a service provider is located; and the second application container sends the service certificate to a second security container in the same Pod, so that the second security container authenticates the application identity information contained in the service certificate.

Description

Identity authentication method and device and electronic equipment
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to an identity authentication method and device and electronic equipment.
Background
When a service is called between different applications, the application providing the service generally needs to authenticate the identity of the application calling the service, to ensure that the calling application is trustworthy and that the service call carries no security risk, so that the security of the service call is ensured.
Disclosure of Invention
The embodiment of the specification provides an identity authentication method and device and electronic equipment.
According to a first aspect of the embodiments of the present specification, an identity authentication method is provided, which is applied to a Kubernetes system for deploying application containers, where the Kubernetes system deploys a secure container into the Pod where the application container is located in a sidecar manner, and the secure container is used to provide an identity authentication function for the application container in the same Pod; the method comprises the following steps:
a first application container where a service calling party is located acquires a service certificate from a first security container in the same Pod; the service certificate is generated by the first security container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service certificate to a second application container where a service provider is located;
and the second application container sends the service certificate to a second security container in the same Pod, so that the second security container authenticates the application identity information contained in the service certificate.
Optionally, the sending, by the first application container, the service credential to a second application container in which a service provider is located includes:
the first application container sends the calling request carrying the service certificate to a second application container where a service provider is located;
the method further comprises the following steps:
and the second application container responds to the calling request and provides the service requested to be called to the first application container under the condition that the second security container returns the identity authentication to pass.
Optionally, the method further includes:
and the second secure container returns the calling authority of the first application container to the second application container based on a set authority control rule under the condition that the identity authentication is confirmed to pass.
Optionally, the authenticating, by the second secure container, the application identity information included in the service credential includes:
the second secure container verifying the validity of the service credential; and verifying the authenticity of the application identity information contained by the service credential.
Optionally, the service credential includes a token, and the service credential is generated by the first secure container based on application identity information corresponding to the first application container; and said generated token has a validity period;
the verifying the validity of the service credential includes:
verifying whether the token is located within the validity period;
the verifying the authenticity of the application identity information contained in the service credential comprises:
and analyzing the application identity information contained in the service certificate based on a certificate algorithm adopted for generating the service certificate, and matching the application identity information with locally stored application identity information.
According to a second aspect of the embodiments of the present specification, there is provided an identity authentication method, which is applied to a Kubernetes system deploying an application container, and which maps an interface of a secure container located in an external system into the application container through network-namespace (netnamespace) technology, so that the application container obtains the identity authentication function of the secure container through that interface; the method comprises the following steps:
the first application container where the service calling party is located obtains a service certificate from a security container of the external system; the service certificate is generated by the security container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service certificate to a second application container where a service provider is located;
and the second application container sends the service certificate to a security container of the external system, so that the security container authenticates the application identity information contained in the service certificate.
Optionally, the sending, by the first application container, the service credential to a second application container in which a service provider is located includes:
the first application container sends the calling request carrying the service certificate to a second application container where a service provider is located;
the method further comprises the following steps:
and the second application container responds to the calling request and provides the service requested to be called to the first application container under the condition that the received security container returns that the identity authentication is passed.
Optionally, the method further includes:
and the security container returns the calling authority of the first application container to the second application container based on a set authority control rule under the condition that the identity authentication is confirmed to pass.
Optionally, the authenticating, by the secure container, the application identity information included in the service credential includes:
the secure container verifying the validity of the service credential; and verifying the authenticity of the application identity information contained by the service credential.
Optionally, the service credential includes a token, and the service credential is generated by the secure container based on application identity information corresponding to the first application container; and said generated token has a validity period;
the verifying the validity of the service credential includes:
verifying whether the token is located within the validity period;
the verifying the authenticity of the application identity information contained in the service credential comprises:
and analyzing the application identity information contained in the service certificate based on a certificate algorithm adopted for generating the service certificate, and matching the application identity information with locally stored application identity information.
According to a third aspect of the embodiments of the present specification, there is provided an identity authentication apparatus, which is applied to a Kubernetes system that deploys application containers, where the Kubernetes system deploys security containers in a sidecar manner in the same Pod as the application containers, and the security containers are used to provide identity authentication functions for the application containers in the same Pod; the device comprises:
an acquiring unit, used by a first application container where the service calling party is located to acquire a service certificate from a first security container in the same Pod; the service certificate is generated by the first security container according to locally stored application identity information corresponding to the first application container;
a sending unit, used by the first application container to send the service certificate to a second application container where a service provider is located;
and an authentication unit, used by the second application container to send the service certificate to a second security container in the same Pod, so that the second security container authenticates the application identity information contained in the service certificate.
Optionally, the sending unit includes:
the first application container sends the calling request carrying the service certificate to a second application container where a service provider is located;
the device further comprises:
and the response unit is used for responding to the calling request and providing the service requested to be called to the first application container by the second application container under the condition that the second security container returns the identity authentication to pass.
Optionally, the apparatus further comprises:
and the control unit is used for returning the calling authority of the first application container to the second application container based on a set authority control rule under the condition that the second security container confirms that the identity authentication passes.
Optionally, the authentication unit, in causing the second secure container to authenticate the application identity information included in the service credential, is configured to:
cause the second secure container to verify the validity of the service credential; and to verify the authenticity of the application identity information contained in the service credential.
Optionally, the service credential includes a token, and the service credential is generated by the first secure container based on application identity information corresponding to the first application container; and said generated token has a validity period;
the verifying the validity of the service credential includes:
verifying whether the token is located within the validity period;
the verifying the authenticity of the application identity information contained in the service credential comprises:
and analyzing the application identity information contained in the service certificate based on a certificate algorithm adopted for generating the service certificate, and matching the application identity information with locally stored application identity information.
According to a fourth aspect of the embodiments of the present specification, there is provided an identity authentication apparatus, which is applied to a Kubernetes system deploying an application container, and which maps an interface of a secure container located in an external system into the application container through network-namespace (netnamespace) technology, so that the application container obtains the identity authentication function of the secure container through that interface; the device comprises:
an acquisition unit, used by a first application container where a service calling party is located to acquire a service certificate from a security container of the external system; the service certificate is generated by the security container according to locally stored application identity information corresponding to the first application container;
a sending unit, used by the first application container to send the service certificate to a second application container where a service provider is located;
and an authentication unit, used by the second application container to send the service certificate to a security container of the external system, so that the security container authenticates the application identity information contained in the service certificate.
Optionally, the sending unit includes:
the first application container sends the calling request carrying the service certificate to a second application container where a service provider is located;
the device further comprises:
and the response unit is used for responding to the calling request and providing the service requested to be called to the first application container by the second application container under the condition that the received security container returns that the identity authentication is passed.
Optionally, the apparatus further comprises:
and the control unit is used for returning the calling authority of the first application container to the second application container based on a set authority control rule under the condition that the identity authentication is confirmed to pass.
Optionally, the authentication unit, in causing the secure container to authenticate the application identity information included in the service credential, is configured to:
cause the secure container to verify the validity of the service credential; and to verify the authenticity of the application identity information contained in the service credential.
Optionally, the service credential includes a token, and the service credential is generated by the secure container based on application identity information corresponding to the first application container; and said generated token has a validity period;
the verifying the validity of the service credential includes:
verifying whether the token is located within the validity period;
the verifying the authenticity of the application identity information contained in the service credential comprises:
and analyzing the application identity information contained in the service certificate based on a certificate algorithm adopted for generating the service certificate, and matching the application identity information with locally stored application identity information.
According to a fifth aspect of embodiments herein, there is provided an electronic apparatus including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
a first application container where a service calling party is located acquires a service certificate from a first security container in the same Pod; the service certificate is generated by the first security container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service certificate to a second application container where a service provider is located;
and the second application container sends the service certificate to a second security container in the same Pod, so that the second security container authenticates the application identity information contained in the service certificate.
According to a sixth aspect of embodiments herein, there is provided an electronic apparatus comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
a first application container where a service calling party is located acquires a service certificate from a security container of an external system; the service certificate is generated by the security container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service certificate to a second application container where a service provider is located;
and the second application container sends the service certificate to a security container of the external system, so that the security container authenticates the application identity information contained in the service certificate.
The embodiments of the specification aim to provide an identity authentication scheme that is both secure and universal. Specifically, applications are containerized through the Kubernetes system, so that the application containers of service invokers and service providers are deployed on the Kubernetes system. In addition, a security container is configured for each application container, and the security container provides the application container with identity authentication capability. In this way, the authentication logic is stripped (decoupled) from the business logic of the application, and authentication is performed solely by the secure container. Specifically, the generation and issuance of service credentials in the identity authentication logic are implemented by the secure container, whose internal data cannot be accessed from the outside, so leakage of the service credential is avoided. In addition, the service certificate is encrypted, the encryption algorithm is stored only in the secure container, and the secure container cannot be accessed from the outside; without the same encryption algorithm the service certificate cannot be decoded, so the application identity information in the service certificate cannot be tampered with. This solves the problem of the security risks faced by the service provider.
On the other hand, because the identity authentication logic is decoupled from the service logic of the application, the identity authentication can be realized between different applications through the security container with the same identity authentication logic. No additional customization of the authentication logic is required. The problem of high access cost during service calling is solved.
Drawings
Fig. 1 is a flowchart of an identity authentication method provided in an embodiment of the present specification;
Fig. 2 is a schematic diagram of a Kubernetes system suitable for use with the embodiment of Fig. 1;
Fig. 3 is a flowchart of an identity authentication method provided in an embodiment of the present specification;
Fig. 4 is a schematic diagram of a Kubernetes system suitable for use with the embodiment of Fig. 3;
Fig. 5 is a hardware configuration diagram of an identity authentication apparatus provided in an embodiment of the present specification;
Fig. 6 is a block diagram of an identity authentication device according to an embodiment of the present specification;
Fig. 7 is a block diagram of an identity authentication apparatus according to an embodiment of the present specification.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below do not represent all implementations consistent with this specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. Plural in this context may refer to two or more.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In the related art, when a service is invoked between different applications, the application of the service provider performs identity authentication on the application of the service invoker. Generally, the identity authentication logic is written into the business logic of the application itself, that is, the identity authentication logic of the application is strongly coupled with its business logic. In addition, the service credentials required for identity authentication are maintained and managed by the application itself. This introduces a security risk: if the service credential maintained by the application is leaked, a malicious application can use that credential to call the service successfully.
In practical applications, the authentication methods adopted by different applications may be different. If the application of the service caller needs to interface with the applications of different service providers, the authentication logic conforming to the authentication mode adopted by each service provider needs to be customized, and the authentication logic is written into the business logic of the application. It is conceivable that for the service invoker, many different authentication logic configurations are required and the cost of invoking the service becomes very high.
In order to solve the above technical problem, the embodiments of the present specification aim to provide an identity authentication scheme that is both secure and versatile. Specifically, applications are containerized through the Kubernetes system, so that the application containers of service invokers and service providers are deployed on the Kubernetes system. In addition, a security container is configured for each application container, and the security container provides the application container with identity authentication capability. In this way, the authentication logic is stripped (decoupled) from the business logic of the application, and authentication is performed solely by the secure container. Specifically, the generation and issuance of service credentials in the identity authentication logic are implemented by the secure container, whose internal data cannot be accessed from the outside, so leakage of the service credential is avoided. In addition, the service certificate is encrypted, the encryption algorithm is stored only in the secure container, and the secure container cannot be accessed from the outside; without the same encryption algorithm the service certificate cannot be decoded, so the application identity information in the service certificate cannot be tampered with. This solves the problem of the security risks faced by the service provider.
On the other hand, because the identity authentication logic is decoupled from the service logic of the application, the identity authentication can be realized between different applications through the security container with the same identity authentication logic. No additional customization of the authentication logic is required. The problem of high access cost during service calling is solved.
The service call between application containers in this specification may be, for example, a cross-cloud service call. A cross-cloud service call refers to a service call between application containers deployed in different cloud environments, such as public clouds, private clouds and hybrid clouds. For example, a service call between an application container in a public cloud and an application container in a private cloud is a cross-cloud service call.
The present specification provides an identity authentication method, which may be applied to a Kubernetes system that deploys application containers. It is described below with reference to the example shown in Fig. 1 and may include the following steps:
step 110: a first application container where a service calling party is located acquires a service certificate from a first security container in the same Pod; the service certificate is generated by the first security container according to locally stored application identity information corresponding to the first application container;
step 120: the first application container sends the service certificate to a second application container where a service provider is located;
step 130: and the second application container sends the service certificate to a second security container in the same Pod, so that the second security container authenticates the application identity information contained in the service certificate.
Fig. 2 is a schematic diagram of a Kubernetes system to which this embodiment is applicable.
Kubernetes is an open source system for automatically deploying, scaling and managing "containerized" applications. A containerized application is referred to in this specification simply as an application container.
Traditional application deployment installs the application through plug-ins or scripts, so the operation, configuration, management and whole life cycle of a conventionally deployed application are bound to the operating system. This does not facilitate operations such as upgrading, updating and rolling back the application.
By using the containerized deployment mode provided by Kubernetes, isolation between application containers can be achieved: each application container has its own file system, processes in different application containers cannot affect each other, and computing resources can be kept separate. Deployment through Kubernetes containers is fast. In addition, because the container is decoupled from the underlying infrastructure, the machine file system and the business logic, the application container can be migrated between different cloud environments, different versions and different operating systems.
In Kubernetes, the smallest deployable computing unit that is created and managed is the Pod. The application container is deployed in a Pod.
In Fig. 2, for an application container that can be modified in sidecar fashion, the system deploys a security container into the same Pod as the application container in sidecar mode.
The sidecar system, also called sidecar mode, separates a function of an application from the application itself and runs it as a separate process. Additional functionality can be added to the application in sidecar mode without intruding on the application, avoiding the need to add extra configuration code to the application to meet third-party component requirements.
The application container and the secure container deployed in the same Pod share the same life cycle, and the secure container is used for providing various security functions for the application container, such as an identity issuing function, an identity authentication function, an authority control function and the like. Specifically, the secure container may provide interfaces corresponding to respective functions for application containers within the same Pod. For example, the application container may obtain an identity token from the secure container through an identity issuance interface. Similarly, there are identity authentication interfaces, rights control interfaces, and the like.
The application identity information corresponding to the application container is stored in the security container. The application identity information may include an application identification of the application container. Wherein the application identification is unique for locating a specific application.
In one embodiment, the secure container may refer to a containerized Trusted Execution Environment (TEE).
A secure operating system isolated from the application container can be built in the trusted execution environment, and a secure application runs in that secure operating system. A memory region is set aside in the TEE as secure memory space in which the trusted application performs identity-authentication-related operations.
The secure container is isolated from the outside, so the outside cannot access the data in the secure container. Thus, the service credential issued by the secure container, and the secure container's authentication of that credential, may be considered trusted.
The secure container stores the application identity information corresponding to the application container. The secure container may encrypt the application identity information into a service credential based on an internal credential algorithm (which may also be referred to as an encryption algorithm). The service credential is encrypted, the credential algorithm is stored only in the secure container, and the secure container cannot be accessed from the outside, so without the same credential algorithm the service credential cannot be deciphered. Only with the same credential algorithm can the application identity information be recovered from the credential.
In one embodiment, the sending, by the first application container, the service credential to a second application container in which a service provider is located includes:
the first application container sends a call request carrying the service credential to a second application container where a service provider is located;
the method further comprises the following step:
in response to the call request, the second application container provides the service requested to be called to the first application container in the case that the second secure container returns that the identity authentication has passed.
The following description takes an HTTP service invocation scenario as an example:
Step 1.1: a first application container where a service calling party is located initiates a request for obtaining a service credential to a first secure container through the identity issuing interface;
Step 1.2: the first secure container generates a service credential based on the locally stored application identity information corresponding to the first application container, and returns the generated service credential to the first application container.
As shown in fig. 2, the first secure container and the first application container are located within the same Pod. The first application container initiates the request to the first secure container through the identity issuing interface, and correspondingly, the first secure container may also return the generated service credential to the first application container through the identity issuing interface.
After the first secure container obtains the application identity information of the first application container locally, it generates the service credential through the credential algorithm.
In an embodiment, the service credential includes a token generated by the first secure container based on the application identity information corresponding to the first application container, and the generated token has a validity period. The token takes effect only within the validity period after generation and becomes invalid after the validity period.
Step 1.3: the first application container places the service credential in an HTTP request header to access a second application container where the service provider is located.
Step 1.4: the second application container of the service provider sends the service credential in the HTTP request header to a second secure container in the same Pod.
The second application container may initiate an authentication request to the second secure container through the identity authentication interface, thereby sending the service credential to the second secure container.
Step 1.5: the second secure container authenticates the application identity information contained in the service credential.
After the second secure container receives the service credential, it needs to verify the validity of the service credential and verify the authenticity of the application identity information contained in the service credential.
As described above, when the service credential is a token, its validity is determined by verifying whether the token is within its validity period. If the token is within the validity period, the authenticity of the application identity information contained in the token is further verified; if it is not within the validity period, the identity authentication is determined to have failed.
Verifying the authenticity of the application identity information contained in the service credential includes:
parsing the application identity information contained in the service credential based on the credential algorithm used to generate the service credential, matching it against the locally stored application identity information, and judging whether the application identity information contained in the service credential exists locally. If it does, the identity authentication is determined to have passed; otherwise, the identity authentication is determined to have failed.
Step 1.6: the second secure container returns the identity authentication result to the second application container, so that the second application container responds to the HTTP request according to the identity authentication result.
The second secure container may also return the identity authentication result to the second application container through the identity authentication interface. If the identity authentication result is failure, the second application container does not respond to the HTTP request of the first application container; if the identity authentication result is pass, the second application container responds to the HTTP request of the first application container.
It should be noted that the invocation of the HTTP service is an example provided in this specification, and may be applied to any other form of service invocation in practical applications, such as the invocation of an RPC service.
In an embodiment, the second secure container may further have an authority control function. Specifically:
in the case that the identity authentication is confirmed to have passed, the second secure container returns the calling authority of the first application container to the second application container based on a set authority control rule, so that the second application container determines the calling authority possessed by the first application container and provides the corresponding services to the first application container based on that calling authority.
The authority control rules include role-based access control rules and/or attribute-based access control rules.
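The HTTP flow of steps 1.1 to 1.6 together with the authority control step, modelled as an added example that is not code from the patent; the external-system variant of steps 2.1 to 2.6 differs only in where the secure container runs, so the same model serves both. The patent does not specify the credential algorithm, the request header name, or the identity store, so the example assumes an HMAC-SHA256 tag over a JSON payload (a stand-in that gives the "only a holder of the credential algorithm can mint or verify" property), a constructed header name, and constructed application identities and RBAC rules.

```python
import base64
import hashlib
import hmac
import json
import time

HEADER = "X-Service-Credential"  # assumed header name; the page only says "HTTP request header"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecureContainer:
    """Stand-in for the page's secure container (sidecar or external-system variant).
    identities: locally stored application identity information (app_id -> attributes).
    key: the credential secret, read only inside this class. rules: RBAC authority rules.
    The credential algorithm is unspecified in the patent; HMAC-SHA256 is the stand-in here."""

    def __init__(self, key, identities, rules, ttl=300):
        self._key = key
        self._identities = identities
        self._rules = rules
        self._ttl = ttl

    def issue(self, app_id, now=None):
        """Identity issuing interface (steps 1.1/1.2): a token with a validity period."""
        if app_id not in self._identities:
            raise KeyError("unknown application: " + app_id)
        now = time.time() if now is None else now
        claims = {"app_id": app_id, "exp": int(now) + self._ttl}
        payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64e(tag)

    def authenticate(self, token, now=None):
        """Identity authentication interface (step 1.5): validity, then authenticity."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return {"passed": False, "reason": "malformed credential"}
        payload, tag = parts
        # Parse with the same credential algorithm: anything not minted under this key
        # (a forged or altered payload) is rejected before its claims are trusted.
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return {"passed": False, "reason": "credential not produced by credential algorithm"}
        claims = json.loads(_b64d(payload))
        # Validity: the token only takes effect within its validity period.
        if now >= claims["exp"]:
            return {"passed": False, "reason": "credential expired"}
        # Authenticity: the identity must exist in the locally stored identity information.
        app_id = claims.get("app_id")
        if app_id not in self._identities:
            return {"passed": False, "reason": "application identity not found locally"}
        return {"passed": True, "app_id": app_id}

    def permitted_services(self, app_id):
        """Authority control interface: RBAC lookup for an already-authenticated caller."""
        roles = self._identities[app_id].get("roles", [])
        return set().union(*(self._rules.get(r, set()) for r in roles))


# Constructed fixtures: every secure container is provisioned with the same key,
# identity store and rules, which is what lets one container verify another's tokens.
SHARED_KEY = b"constructed-key-provisioned-to-every-secure-container"
IDENTITIES = {"order-svc": {"roles": ["order-caller"]},
              "report-svc": {"roles": ["reader"]}}
RULES = {"order-caller": {"inventory.reserve", "inventory.query"},
         "reader": {"inventory.query"}}


def make_secure_container(identities=IDENTITIES):
    return SecureContainer(SHARED_KEY, identities, RULES, ttl=300)


def caller_request(own_container, app_id, path, now=None):
    """Steps 1.1-1.3: obtain a credential from the caller's secure container, put it in the header."""
    return {"path": path, "headers": {HEADER: own_container.issue(app_id, now)}}


def provider_handle(own_container, request, service, now=None):
    """Steps 1.4-1.6: hand the header to the provider's secure container; respond per its result."""
    token = request["headers"].get(HEADER)
    if token is None:
        return 401, "no service credential"
    result = own_container.authenticate(token, now)
    if not result["passed"]:
        return 401, result["reason"]
    if service not in own_container.permitted_services(result["app_id"]):
        return 403, result["app_id"] + " has no calling authority for " + service
    return 200, service + " invoked by " + result["app_id"]
```

A provider that receives a failed result never reaches the authority lookup, matching the order in step 1.6 where the HTTP request is only served after authentication passes.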
The present specification also provides an embodiment, corresponding to the embodiment in fig. 1, in which the first application container is taken as the execution subject:
a first application container where a service calling party is located obtains a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located, so that the second application container sends the service credential to a second secure container in the same Pod and the second secure container authenticates the application identity information contained in the service credential.
For details of the steps in this embodiment, reference may be made to the embodiment shown in fig. 1, and in addition, other contents of the embodiment shown in fig. 1 may also be used in this embodiment, which is not described herein again.
The present specification also provides an embodiment, corresponding to the embodiment in fig. 1, in which the second application container is taken as the execution subject:
a second application container where a service provider is located receives a service credential sent by a first application container where a service caller is located, wherein the service credential is obtained by the first application container from a first secure container in the same Pod, and the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
the second application container where the service provider is located sends the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.
For details of the steps in this embodiment, reference may be made to the embodiment shown in fig. 1, and in addition, other contents of the embodiment shown in fig. 1 may also be used in this embodiment, which is not described herein again.
The present specification also provides another identity authentication method, which may be applied to a Kubernetes system for deploying application containers, and which may include the following steps, described below with reference to the example shown in fig. 3:
Step 210: a first application container where a service calling party is located obtains a service credential from a secure container of an external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
Step 220: the first application container sends the service credential to a second application container where a service provider is located;
Step 230: the second application container sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential.
Fig. 4 is a schematic diagram of a Kubernetes system to which this embodiment is applicable.
The smallest deployable computing unit created and managed in the Kubernetes system is the Pod. The application container is deployed in a Pod.
In fig. 4, for an application container that does not support sidecar modification, the system may deploy a secure container to an external system through DaemonSet technology, and map the interface of the secure container located in the external system into the application container through network namespace (netnamespace) technology, so that the application container obtains the identity authentication function from the secure container based on that interface. For example, the application container may obtain an identity token from the secure container through an identity issuing interface. Similarly, there are identity authentication interfaces, authority control interfaces, and the like.
The application identity information corresponding to the application container is stored in the secure container. The application identity information may include an application identification of the application container; the application identification is unique and is used to locate a specific application.
A DaemonSet is a controller that ensures that a copy of a Pod runs on all, or a selected subset, of the nodes.
A network namespace (netnamespace) provides a separate network environment, much like a separate system, and connections can be established between different such environments.
In one embodiment, the secure container may refer to a containerized Trusted Execution Environment (TEE).
A secure operating system isolated from the application container can be built in the trusted execution environment, and a secure application runs in that secure operating system. A memory space is opened up in the TEE as a secure memory space in which the trusted application performs identity-authentication-related operations.
The secure container is isolated from the outside, so that the outside cannot access the data in the secure container. Thus, the service credential issued by the secure container, and the authentication of the service credential, may be considered trusted.
The secure container stores the application identity information corresponding to the application container. The secure container may encrypt the application identity information into a service credential based on an internal credential algorithm (which may also be referred to as an encryption algorithm). Because the service credential is encrypted and the credential algorithm is stored only in the secure container, which is not externally accessible, the service credential cannot be deciphered without the same credential algorithm. Only with the same credential algorithm can the application identity information be recovered from the service credential.
In one embodiment, the sending, by the first application container, the service credential to a second application container in which a service provider is located includes:
the first application container sends a call request carrying the service credential to a second application container where a service provider is located;
the method further comprises the following step:
in response to the call request, the second application container provides the service requested to be called to the first application container in the case that the secure container returns that the identity authentication has passed.
The following description takes an HTTP service invocation scenario as an example:
Step 2.1: a first application container where a service calling party is located initiates an identity token acquisition request to the secure container of the external system through the identity issuing interface;
Step 2.2: the secure container of the external system generates a service credential based on the locally stored application identity information corresponding to the first application container, and returns the generated service credential to the first application container through the identity issuing interface.
After the secure container obtains the application identity information of the first application container locally, it generates the service credential through the credential algorithm.
In an embodiment, the service credential includes a token generated by the secure container based on the application identity information corresponding to the first application container, and the generated token has a validity period. The token takes effect only within the validity period after generation and becomes invalid after the validity period.
Step 2.3: the first application container places the service credential in an HTTP request header to access a second application container where the service provider is located.
Step 2.4: the second application container where the service provider is located sends the service credential in the HTTP request header to the secure container of the external system through the identity authentication interface.
Step 2.5: the secure container of the external system authenticates the application identity information contained in the service credential.
After the secure container receives the service credential, it needs to verify the validity of the service credential and verify the authenticity of the application identity information contained in the service credential.
As described above, when the service credential is a token, its validity is determined by verifying whether the token is within its validity period. If the token is within the validity period, the authenticity of the application identity information contained in the token is further verified; if it is not within the validity period, the identity authentication is determined to have failed.
Verifying the authenticity of the application identity information contained in the service credential includes:
parsing the application identity information contained in the service credential based on the credential algorithm used to generate the service credential, matching it against the locally stored application identity information, and judging whether the application identity information contained in the service credential exists locally. If it does, the identity authentication is determined to have passed; otherwise, the identity authentication is determined to have failed.
Step 2.6: the secure container of the external system returns the identity authentication result to the second application container through the identity authentication interface, so that the second application container responds to the HTTP request according to the identity authentication result.
The secure container returns the identity authentication result to the second application container through the identity authentication interface. If the identity authentication result is failure, the second application container does not respond to the HTTP request of the first application container; if the identity authentication result is pass, the second application container responds to the HTTP request of the first application container.
It should be noted that the invocation of the HTTP service is an example provided in this specification, and may be applied to any other form of service invocation in practical applications, such as the invocation of an RPC service.
In an embodiment, the secure container of the external system may further have an authority control function. Specifically:
in the case that the identity authentication is confirmed to have passed, the secure container returns the calling authority of the first application container to the second application container through an authority control interface based on a set authority control rule, so that the second application container determines the calling authority possessed by the first application container and provides the corresponding services to the first application container based on that calling authority.
The authority control rules include role-based access control rules and/or attribute-based access control rules.
The present specification also provides an embodiment, corresponding to the embodiment in fig. 3, in which the first application container is taken as the execution subject:
a first application container where a service calling party is located obtains a service credential from a secure container of an external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located, so that the second application container sends the service credential to the secure container of the external system and the secure container authenticates the application identity information contained in the service credential.
For details of the steps in this embodiment, reference may be made to the embodiment shown in fig. 3, and in addition, other contents of the embodiment shown in fig. 3 may also be used in this embodiment, which is not described herein again.
The present specification also provides an embodiment, corresponding to the embodiment in fig. 3, in which the second application container is taken as the execution subject:
a second application container where a service provider is located receives a service credential sent by a first application container where a service caller is located, wherein the service credential is obtained by the first application container from a secure container of an external system, and the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
the second application container where the service provider is located sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential.
For details of the steps in this embodiment, reference may be made to the embodiment shown in fig. 3, and in addition, other contents of the embodiment shown in fig. 3 may also be used in this embodiment, which is not described herein again.
Corresponding to the foregoing embodiments of the identity authentication method, the present specification further provides embodiments of an identity authentication apparatus. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking the software implementation as an example, the apparatus, as a logical device, is formed by the processor of the device in which it is located reading the corresponding computer program instructions from the nonvolatile memory into memory and running them. From a hardware aspect, fig. 5 shows a hardware structure diagram of the device in which the identity authentication apparatus of this specification is located; in addition to the processor, the network interface, the memory and the nonvolatile memory shown in fig. 5, the device in which the apparatus is located may also include other hardware according to the actual function of identity authentication, which is not described again.
Referring to fig. 6, a block diagram of an identity authentication apparatus provided in an embodiment of the present disclosure is shown. The apparatus corresponds to the embodiment shown in fig. 1 and is applied to a Kubernetes system for deploying application containers, where the Kubernetes system deploys, in a sidecar manner, a secure container to the Pod where the application container is located, and the secure container is used to provide an identity authentication function for the application container in the same Pod; the apparatus comprises:
an obtaining unit 610, in which a first application container where the service caller is located obtains a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
a sending unit 620, in which the first application container sends the service credential to a second application container where a service provider is located;
an authentication unit 630, in which the second application container sends the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information included in the service credential.
Optionally, the sending unit 620 includes:
the first application container sends a call request carrying the service credential to a second application container where a service provider is located;
the apparatus further comprises:
a response unit, in which the second application container, in response to the call request, provides the service requested to be called to the first application container in the case that the second secure container returns that the identity authentication has passed.
Optionally, the apparatus further comprises:
and the control unit is used for returning the calling authority of the first application container to the second application container based on a set authority control rule under the condition that the second security container confirms that the identity authentication passes.
Optionally, in the authentication unit 630, causing the second secure container to authenticate the application identity information included in the service credential includes:
to cause the second secure container to verify the validity of the service credential; and verifying the authenticity of the application identity information contained by the service credential.
Optionally, the service credential includes a token, and the service credential is generated by the first secure container based on application identity information corresponding to the first application container; and said generated token has a validity period;
the verifying the validity of the service credential includes:
verifying whether the token is located within the validity period;
the verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential based on the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
Referring to fig. 7, a block diagram of an identity authentication apparatus provided in an embodiment of the present disclosure is shown. The apparatus corresponds to the embodiment shown in fig. 7 and is applied to a Kubernetes system for deploying an application container, where the interface of a secure container located in an external system is mapped into the application container through network namespace (netnamespace) technology, so that the application container obtains an identity authentication function from the secure container based on that interface; the apparatus comprises:
an obtaining unit 710, in which the first application container where the service caller is located obtains a service credential from the secure container of the external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
a sending unit 720, in which the first application container sends the service credential to a second application container where a service provider is located;
an authentication unit 730, in which the second application container sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information included in the service credential.
Optionally, the sending unit 720 includes:
the first application container sends a call request carrying the service credential to a second application container where a service provider is located;
the apparatus further comprises:
a response unit, in which the second application container, in response to the call request, provides the service requested to be called to the first application container in the case that the secure container returns that the identity authentication has passed.
Optionally, the apparatus further comprises:
and the control unit is used for returning the calling authority of the first application container to the second application container based on a set authority control rule under the condition that the identity authentication is confirmed to pass.
Optionally, in the authentication unit 730, causing the secure container to authenticate the application identity information included in the service credential includes:
the secure container verifying the validity of the service credential; and verifying the authenticity of the application identity information contained by the service credential.
Optionally, the service credential includes a token, and the service credential is generated by the secure container based on application identity information corresponding to the first application container; and said generated token has a validity period;
the verifying the validity of the service credential includes:
verifying whether the token is located within the validity period;
the verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential based on the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
Fig. 6 above describes the internal functional modules and the structural schematic of the identity authentication apparatus, and the substantial execution subject of the identity authentication apparatus may be an electronic device, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
a first application container where a service calling party is located obtains a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
the second application container sends the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential;
the first application container and the second application container are deployed in a Kubernetes system; the Kubernetes system deploys, in a sidecar manner, the first secure container to the Pod where the first application container is located and the second secure container to the Pod where the second application container is located, and the first secure container and the second secure container are used to provide identity authentication functions for the application containers in their respective Pods.
Fig. 7 above describes the internal functional modules and the structural schematic of the identity authentication apparatus, and the substantial execution subject of the identity authentication apparatus may be an electronic device, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
a first application container where a service calling party is located obtains a service credential from a secure container of an external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
the second application container sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential;
the first application container and the second application container are deployed in a Kubernetes system, and the interface of the secure container of the external system is mapped into the first application container and the second application container through network namespace (netnamespace) technology, so that the application containers obtain the identity authentication function from the secure container based on that interface.
In the above electronic device embodiments, the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), and so on. The general-purpose processor may be a microprocessor or any conventional processor, and the memory may be a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk, or a solid-state disk. The steps of the method disclosed in connection with the embodiments of this specification may be performed directly by the hardware processor, or by a combination of hardware and software modules in the processor.
The embodiments in this specification are described progressively; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the electronic device embodiment is substantially similar to the method embodiment, so its description is brief and, for the relevant points, reference may be made to the corresponding parts of the description of the method embodiment.
Other embodiments of the present disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.

Claims (22)

1. An identity authentication method, applied to a Kubernetes system that deploys application containers, wherein the Kubernetes system deploys security containers in sidecar mode into the same Pod as the application containers, and the security containers provide an identity authentication function for the application containers in the same Pod; the method comprises the following steps:
a first application container, in which a service caller is located, acquires a service credential from a first security container in the same Pod; the service credential is generated by the first security container from locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container in which a service provider is located;
and the second application container sends the service credential to a second security container in the same Pod, so that the second security container authenticates the application identity information contained in the service credential.
2. The method of claim 1, wherein the first application container sending the service credential to the second application container in which the service provider is located comprises:
the first application container sends a call request carrying the service credential to the second application container in which the service provider is located;
and the method further comprises the following step:
the second application container responds to the call request and provides the requested service to the first application container when the second security container returns that the identity authentication has passed.
3. The method of claim 1, further comprising:
the second security container, upon confirming that the identity authentication has passed, returns the call permissions of the first application container to the second application container based on a set permission control rule.
4. The method of claim 1, wherein the second security container authenticating the application identity information contained in the service credential comprises:
the second security container verifies the validity of the service credential, and verifies the authenticity of the application identity information contained in the service credential.
5. The method of claim 4, wherein the service credential comprises a token, the service credential is generated from a token that the first security container generates based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential comprises:
verifying whether the token is within its validity period;
and verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential according to the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
6. An identity authentication method, applied to a Kubernetes system that deploys application containers, wherein an interface of a security container located in an external system is mapped into the application containers by network namespace (netnamespace) technology, so that the application containers obtain an identity authentication function from the security container through that interface; the method comprises the following steps:
a first application container, in which a service caller is located, acquires a service credential from the security container of the external system; the service credential is generated by the security container from locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container in which a service provider is located;
and the second application container sends the service credential to the security container of the external system, so that the security container authenticates the application identity information contained in the service credential.
7. The method of claim 6, wherein the first application container sending the service credential to the second application container in which the service provider is located comprises:
the first application container sends a call request carrying the service credential to the second application container in which the service provider is located;
and the method further comprises the following step:
the second application container responds to the call request and provides the requested service to the first application container when the security container returns that the identity authentication has passed.
8. The method of claim 6, further comprising:
the security container, upon confirming that the identity authentication has passed, returns the call permissions of the first application container to the second application container based on a set permission control rule.
9. The method of claim 6, wherein the security container authenticating the application identity information contained in the service credential comprises:
the security container verifies the validity of the service credential, and verifies the authenticity of the application identity information contained in the service credential.
10. The method of claim 9, wherein the service credential comprises a token, the service credential is generated by the security container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential comprises:
verifying whether the token is within its validity period;
and verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential according to the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
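The exchange claimed above (claims 1 to 5 for the sidecar embodiment and claims 6 to 10 for the external-security-container embodiment, which differ only in where the security container runs) can be simulated end to end. The following Python block is an added example written for this page; it is not code from the patent or from Alipay. The patent does not name the "credential algorithm", the key arrangement or how the locally stored identity information is provisioned, so this example assumes an HMAC-SHA256 token signed with a key that both security containers share, a shared identity registry and a shared permission rule table, all provisioned out of band; every name in it (`SecurityContainer`, `issue_credential`, `authenticate`, `ServiceProvider`, `call_service`, `tamper`, `demo`) and all sample data are hypothetical constructions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption (the patent does not specify the credential algorithm or key setup):
# both security containers share this HMAC key, the identity registry and the
# permission rules, provisioned out of band. All sample data is constructed.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"
TOKEN_TTL = 300  # validity period of an issued token, in seconds
IDENTITY_REGISTRY = {  # locally stored application identity information
    "order-service": {"namespace": "shop", "team": "checkout"},
    "payment-service": {"namespace": "shop", "team": "payments"},
}
PERMISSION_RULES = {  # the "set permission control rule": caller -> provider -> ops
    "order-service": {"payment-service": {"charge", "refund"}},
}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SecurityContainer:
    """Sidecar (or external) security container serving one application container."""

    def __init__(self, app_id):
        self.app_id = app_id  # identity of the application container it serves

    def issue_credential(self, now):
        # Token built from the locally stored identity of the served application.
        payload = {
            "app_id": self.app_id,
            "identity": IDENTITY_REGISTRY[self.app_id],
            "iat": int(now),
            "exp": int(now) + TOKEN_TTL,
            "nonce": secrets.token_hex(8),
        }
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)

    def authenticate(self, credential, now):
        # Returns (passed, caller_app_id, reason).
        try:
            body, sig = credential.split(".")
            expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
            # Authenticity first: no field is trusted before the signature checks out.
            if not hmac.compare_digest(expected, _unb64(sig)):
                return False, None, "bad signature"
            payload = json.loads(_unb64(body))
            # Validity: the token must be inside its validity period.
            if not payload["iat"] <= now < payload["exp"]:
                return False, None, "expired"
            # Identity: match the carried identity against the local store.
            if IDENTITY_REGISTRY.get(payload["app_id"]) != payload["identity"]:
                return False, None, "identity mismatch"
            return True, payload["app_id"], "ok"
        except (ValueError, TypeError, KeyError):
            return False, None, "malformed"

    def call_permissions(self, caller_id):
        return PERMISSION_RULES.get(caller_id, {}).get(self.app_id, set())

class ServiceProvider:
    """Second application container: hands the credential to its own security container."""

    def __init__(self, app_id):
        self.sidecar = SecurityContainer(app_id)

    def handle(self, request, now):
        passed, caller, reason = self.sidecar.authenticate(request["credential"], now)
        if not passed:
            return {"status": 401, "reason": reason}
        if request["operation"] not in self.sidecar.call_permissions(caller):
            return {"status": 403, "reason": "operation not permitted"}
        return {"status": 200, "result": f"{request['operation']} done for {caller}"}

def call_service(caller_sidecar, provider, operation, now):
    # First application container: obtain a credential from its own security
    # container, then send the call request carrying it to the provider.
    credential = caller_sidecar.issue_credential(now)
    return provider.handle({"credential": credential, "operation": operation}, now)

def tamper(credential, new_app_id):
    # Attacker rewrites app_id inside an issued token but cannot re-sign it.
    body, sig = credential.split(".")
    payload = json.loads(_unb64(body))
    payload["app_id"] = new_app_id
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig

def demo():
    # Normal call plus three failure modes; returns the provider's responses.
    t0 = 1_700_000_000
    order, payment = SecurityContainer("order-service"), ServiceProvider("payment-service")
    cred = order.issue_credential(t0)
    return {
        "ok": call_service(order, payment, "charge", t0),
        "forbidden": call_service(order, payment, "delete_account", t0),
        "expired": payment.handle({"credential": cred, "operation": "charge"}, t0 + TOKEN_TTL),
        "tampered": payment.handle({"credential": tamper(cred, "payment-service"), "operation": "charge"}, t0),
    }
```

Two design points matter in the verifier. The signature is checked before any field of the token (including its validity period) is read, so a forged or modified credential cannot steer the verifier's logic; and the identity carried in the token is only accepted if it matches what the verifying security container already holds locally, so the caller's self-asserted identity never becomes the source of truth. The permission check (claims 3 and 8) runs only after authentication has passed, and is keyed on the identity the verifier confirmed rather than on anything the request body says.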
11. An identity authentication apparatus, applied to a Kubernetes system that deploys application containers, wherein the Kubernetes system deploys security containers in sidecar mode into the same Pod as the application containers, and the security containers provide an identity authentication function for the application containers in the same Pod; the apparatus comprises:
an acquiring unit, configured to cause a first application container, in which a service caller is located, to acquire a service credential from a first security container in the same Pod; the service credential is generated by the first security container from locally stored application identity information corresponding to the first application container;
a sending unit, configured to cause the first application container to send the service credential to a second application container in which a service provider is located;
and an authentication unit, configured to cause the second application container to send the service credential to a second security container in the same Pod, so that the second security container authenticates the application identity information contained in the service credential.
12. The apparatus of claim 11, wherein the sending unit is configured to:
cause the first application container to send a call request carrying the service credential to the second application container in which the service provider is located;
and the apparatus further comprises:
a response unit, configured to cause the second application container to respond to the call request and provide the requested service to the first application container when the second security container returns that the identity authentication has passed.
13. The apparatus of claim 11, further comprising:
a control unit, configured to cause the second security container, upon confirming that the identity authentication has passed, to return the call permissions of the first application container to the second application container based on a set permission control rule.
14. The apparatus of claim 11, wherein the authentication unit causing the second security container to authenticate the application identity information contained in the service credential comprises:
causing the second security container to verify the validity of the service credential, and to verify the authenticity of the application identity information contained in the service credential.
15. The apparatus of claim 14, wherein the service credential comprises a token, the service credential is generated from a token that the first security container generates based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential comprises:
verifying whether the token is within its validity period;
and verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential according to the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
16. An identity authentication apparatus, applied to a Kubernetes system that deploys application containers, wherein an interface of a security container located in an external system is mapped into the application containers by network namespace (netnamespace) technology, so that the application containers obtain an identity authentication function from the security container through that interface; the apparatus comprises:
an acquiring unit, configured to cause a first application container, in which a service caller is located, to acquire a service credential from the security container of the external system; the service credential is generated by the security container from locally stored application identity information corresponding to the first application container;
a sending unit, configured to cause the first application container to send the service credential to a second application container in which a service provider is located;
and an authentication unit, configured to cause the second application container to send the service credential to the security container of the external system, so that the security container authenticates the application identity information contained in the service credential.
17. The apparatus of claim 16, wherein the sending unit is configured to:
cause the first application container to send a call request carrying the service credential to the second application container in which the service provider is located;
and the apparatus further comprises:
a response unit, configured to cause the second application container to respond to the call request and provide the requested service to the first application container when the security container returns that the identity authentication has passed.
18. The apparatus of claim 16, further comprising:
a control unit, configured to cause the security container, upon confirming that the identity authentication has passed, to return the call permissions of the first application container to the second application container based on a set permission control rule.
19. The apparatus of claim 16, wherein the authentication unit causing the security container to authenticate the application identity information contained in the service credential comprises:
causing the security container to verify the validity of the service credential, and to verify the authenticity of the application identity information contained in the service credential.
20. The apparatus of claim 19, wherein the service credential comprises a token, the service credential is generated by the security container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential comprises:
verifying whether the token is within its validity period;
and verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential according to the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
21. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
a first application container, in which a service caller is located, acquires a service credential from a first security container in the same Pod; the service credential is generated by the first security container from locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container in which a service provider is located;
and the second application container sends the service credential to a second security container in the same Pod, so that the second security container authenticates the application identity information contained in the service credential.
22. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
a first application container, in which a service caller is located, acquires a service credential from a security container of an external system; the service credential is generated by the security container from locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container in which a service provider is located;
and the second application container sends the service credential to the security container of the external system, so that the security container authenticates the application identity information contained in the service credential.
CN202010653267.6A 2020-07-08 2020-07-08 Identity authentication method and device and electronic equipment Active CN111783051B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010653267.6A CN111783051B (en) 2020-07-08 2020-07-08 Identity authentication method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010653267.6A CN111783051B (en) 2020-07-08 2020-07-08 Identity authentication method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN111783051A true CN111783051A (en) 2020-10-16
CN111783051B CN111783051B (en) 2023-11-10

Family

ID=72759198

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010653267.6A Active CN111783051B (en) 2020-07-08 2020-07-08 Identity authentication method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN111783051B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107425983A (en) * 2017-08-08 2017-12-01 北京明朝万达科技股份有限公司 A kind of unified identity authentication method and system platform based on WEB service
US20190349357A1 (en) * 2018-05-10 2019-11-14 Jayant Shukla Cloud-based identity management and authentication system for containers and applications

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李建佳; 王晶: "Design and Implementation of a Unified Authentication Platform (SSO) Based on JA-SIG CAS", 广东海洋大学学报 (Journal of Guangdong Ocean University), no. 03 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112416528A (en) * 2020-12-04 2021-02-26 福建福诺移动通信技术有限公司 Method for realizing secure non-intrusive calling of interfaces between microservices
CN112416528B (en) * 2020-12-04 2024-03-22 福建福诺移动通信技术有限公司 Method for realizing secure non-intrusive calling of interfaces between microservices
WO2022147331A1 (en) * 2020-12-30 2022-07-07 Synchronoss Technologies, Inc. Method and system for initial secret delivery for scalable and restart-able collocated containers with shared resources
US11804958B2 (en) 2020-12-30 2023-10-31 Synchronoss Technologies, Inc Method and system for initial secret delivery for scalable and restart-able collocated containers with shared resources
CN113452677A (en) * 2021-05-28 2021-09-28 济南浪潮数据技术有限公司 Request processing method, system, equipment and medium

Also Published As

Publication number Publication date
CN111783051B (en) 2023-11-10

Similar Documents

Publication Publication Date Title
US11489678B2 (en) Platform attestation and registration for servers
CN111090876B (en) Contract calling method and device
CN111680305B (en) Data processing method, device and equipment based on block chain
US6148083A (en) Application certification for an international cryptography framework
EP3061027B1 (en) Verifying the security of a remote server
ES2360005T3 (en) SYSTEM AND SIGNATURE METHOD THROUGH SOFTWARE CODE.
US9721101B2 (en) System wide root of trust chaining via signed applications
WO2018233536A1 (en) Authentication method, and authentication data processing method and device based on blockchain
CN111931154B (en) Service processing method, device and equipment based on digital certificate
CN111783051B (en) Identity authentication method and device and electronic equipment
JPH11355264A (en) Host system element for international cryptographic system
JP2012099128A (en) Seal release method of secret for calling program
CN112016106B (en) Authentication calling method, device and equipment of open interface and readable storage medium
CN108335105B (en) Data processing method and related equipment
EP3961456B1 (en) Data authorization information acquisition methods, apparatuses, and devices
CN110326266B (en) Data processing method and device
CN111770199A (en) Information sharing method, device and equipment
CN109560933B (en) Authentication method and system based on digital certificate, storage medium and electronic equipment
CN111770112A (en) Information sharing method, device and equipment
CN112765637A (en) Data processing method, password service device and electronic equipment
CN113704211B (en) Data query method and device, electronic equipment and storage medium
US8601544B1 (en) Computer system employing dual-band authentication using file operations by trusted and untrusted mechanisms
CN110602051B (en) Information processing method based on consensus protocol and related device
Park et al. TGVisor: A tiny hypervisor-based trusted geolocation framework for mobile cloud clients
Ren et al. AccGuard: Secure and trusted computation on remote FPGA accelerators

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant