CN111783051B - Identity authentication method and device and electronic equipment - Google Patents


Info

Publication number
CN111783051B
Authority
CN (China)
Prior art keywords
container
application
service
credential
identity information
Legal status
Active
Application number
CN202010653267.6A
Other languages
Chinese (zh)
Other versions
CN111783051A
Inventor
崔帅华
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
Abstract

Embodiments of this specification provide an identity authentication method and apparatus, and an electronic device. The method is applied to a kubernetes system that deploys application containers; the kubernetes system deploys a secure container, in sidecar mode, into the same Pod as the application container, and the secure container provides identity authentication for the application containers in that Pod. The method comprises the following steps: a first application container, where the service caller is located, obtains a service credential from the first secure container in the same Pod, the service credential being generated by the first secure container from locally stored application identity information corresponding to the first application container; the first application container sends the service credential to a second application container, where the service provider is located; and the second application container sends the service credential to the second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.

Description

Identity authentication method and device and electronic equipment
Technical Field
Embodiments of the present disclosure relate to the field of computer technologies, and in particular, to an identity authentication method and apparatus, and an electronic device.
Background
When a service call is made between different applications, the application providing the service normally needs to verify the identity of the application calling the service, so as to ensure that the caller is trustworthy and that the service call introduces no security risk, thereby ensuring the security of the application.
Disclosure of Invention
The embodiment of the specification provides an identity authentication method and device and electronic equipment.
According to a first aspect of embodiments of the present disclosure, an identity authentication method is provided, which is applied to a kubernetes system for deploying an application container, where the kubernetes system deploys a secure container in sidecar mode into the same Pod where the application container is located, and the secure container is used for providing an identity authentication function for the application container in the same Pod; the method comprises the following steps:
a first application container where a service caller is located obtains a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
and the second application container sends the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.
Optionally, the first application container sending the service credential to a second application container where a service provider is located includes:
the first application container sends a call request carrying the service credential to a second application container where a service provider is located;
the method further comprises:
the second application container responds to the call request and provides the requested service to the first application container if the second secure container returns that the identity authentication passes.
Optionally, the method further comprises:
the second secure container returns the calling authority of the first application container to the second application container, based on the configured permission control rules, if the identity authentication is confirmed to pass.
Optionally, the second secure container authenticating the application identity information contained in the service credential includes:
the second secure container verifies the validity of the service credential, and verifies the authenticity of the application identity information contained in the service credential.
Optionally, the service credential includes a token, the service credential being generated by the first secure container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential includes:
verifying whether the token is within its validity period;
verifying the authenticity of the application identity information contained in the service credential includes:
parsing the application identity information contained in the service credential based on the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
According to a second aspect of embodiments of the present disclosure, there is provided an identity authentication method applied to a kubernetes system deploying an application container, in which an interface of a secure container located in an external system is mapped into the application container through net namespace technology, so that the application container obtains the identity authentication function from the secure container through that interface; the method comprises the following steps:
the first application container where the service caller is located obtains a service credential from the secure container of the external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
the second application container sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential.
Optionally, the first application container sending the service credential to a second application container where a service provider is located includes:
the first application container sends a call request carrying the service credential to a second application container where a service provider is located;
the method further comprises:
the second application container responds to the call request and provides the requested service to the first application container if the second application container receives from the secure container that the identity authentication passes.
Optionally, the method further comprises:
the secure container returns the calling authority of the first application container to the second application container, based on the configured permission control rules, if the identity authentication is confirmed to pass.
Optionally, the secure container authenticating the application identity information contained in the service credential includes:
the secure container verifies the validity of the service credential, and verifies the authenticity of the application identity information contained in the service credential.
Optionally, the service credential includes a token, the service credential being generated by the secure container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential includes:
verifying whether the token is within its validity period;
verifying the authenticity of the application identity information contained in the service credential includes:
parsing the application identity information contained in the service credential based on the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
According to a third aspect of embodiments of the present disclosure, an identity authentication apparatus is provided, which is applied to a kubernetes system for deploying an application container, where the kubernetes system deploys a secure container in sidecar mode into the same Pod where the application container is located, and the secure container is used for providing an identity authentication function for the application container in the same Pod; the apparatus comprises:
an acquiring unit, used by a first application container where a service caller is located to obtain a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
a sending unit, used by the first application container to send the service credential to a second application container where a service provider is located;
and an authentication unit, used by the second application container to send the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.
Optionally, the sending unit includes:
the first application container sends a call request carrying the service credential to a second application container where a service provider is located;
the apparatus further comprises:
a response unit, used for responding to the call request and providing the requested service to the first application container if the second application container receives from the second secure container that the identity authentication passes.
Optionally, the apparatus further includes:
a control unit, used for returning the calling authority of the first application container to the second application container, based on the configured permission control rules, if the second secure container confirms that the identity authentication passes.
Optionally, the authentication unit is configured to cause the second secure container to authenticate the application identity information contained in the service credential, which includes:
causing the second secure container to verify the validity of the service credential, and to verify the authenticity of the application identity information contained in the service credential.
Optionally, the service credential includes a token, the service credential being generated by the first secure container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential includes:
verifying whether the token is within its validity period;
verifying the authenticity of the application identity information contained in the service credential includes:
parsing the application identity information contained in the service credential based on the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
According to a fourth aspect of embodiments of the present disclosure, there is provided an identity authentication apparatus, applied to a kubernetes system deploying an application container, in which an interface of a secure container located in an external system is mapped into the application container through net namespace technology, so that the application container obtains the identity authentication function from the secure container through that interface; the apparatus comprises:
an acquiring unit, used by a first application container where a service caller is located to obtain a service credential from the secure container of the external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
a sending unit, used by the first application container to send the service credential to a second application container where a service provider is located;
and an authentication unit, used by the second application container to send the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential.
Optionally, the sending unit includes:
the first application container sends a call request carrying the service credential to a second application container where a service provider is located;
the apparatus further comprises:
a response unit, used for responding to the call request and providing the requested service to the first application container if the second application container receives from the secure container that the identity authentication passes.
Optionally, the apparatus further includes:
a control unit, used for returning the calling authority of the first application container to the second application container, based on the configured permission control rules, if the secure container confirms that the identity authentication passes.
Optionally, the authentication unit is configured to cause the secure container to authenticate the application identity information contained in the service credential, which includes:
the secure container verifies the validity of the service credential, and verifies the authenticity of the application identity information contained in the service credential.
Optionally, the service credential includes a token, the service credential being generated by the secure container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential includes:
verifying whether the token is within its validity period;
verifying the authenticity of the application identity information contained in the service credential includes:
parsing the application identity information contained in the service credential based on the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
According to a fifth aspect of embodiments of the present specification, there is provided an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
have a first application container where a service caller is located obtain a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
have the first application container send the service credential to a second application container where a service provider is located;
and have the second application container send the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.
According to a sixth aspect of embodiments of the present specification, there is provided an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
have a first application container where a service caller is located obtain a service credential from a secure container of an external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
have the first application container send the service credential to a second application container where a service provider is located;
and have the second application container send the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential.
The embodiments of this specification aim to provide an identity authentication scheme that is both secure and general. Specifically, applications are containerized by the kubernetes system, and application containers for service callers and service providers are deployed on it. In addition, a secure container is configured for each application container, and the secure container provides the identity authentication capability for the application container. In this way, the authentication logic is stripped (decoupled) from the business logic of the application, and authentication is performed solely by the secure container. In particular, the generation and issuance of service credentials, which is part of the authentication logic, is implemented by the secure container, whose internal data cannot be accessed from outside, so disclosure of the service credentials is avoided. In addition, the service credential is encrypted, and the encryption algorithm is stored only in the secure container and likewise cannot be accessed from outside it; without the same encryption algorithm the service credential cannot be decrypted, so the application identity information in the service credential cannot be tampered with. This solves the problem of security risk in service provision.
On the other hand, because the identity authentication logic is decoupled from the business logic of the application, identity authentication between different applications can be realized through secure containers that share the same identity authentication logic. No additional custom identity authentication logic is required, which solves the problem of high integration cost during service calls.
Drawings
FIG. 1 is a flow chart of an identity authentication method according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of a kubernetes system to which the embodiment of FIG. 1 is applicable;
FIG. 3 is a flow chart of an identity authentication method according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a kubernetes system to which the embodiment of FIG. 3 is applicable;
FIG. 5 is a hardware configuration diagram of an identity authentication device according to an embodiment of the present disclosure;
FIG. 6 is a schematic block diagram of an identity authentication device according to an embodiment of the present disclosure;
FIG. 7 is a schematic block diagram of an identity authentication device according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present description as detailed in the accompanying claims.
The terminology used in the description presented herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items. Plural herein may refer to two or more cases.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
In the related art, when a service call is made between different applications, the application of the service provider performs identity authentication on the application of the service caller. Typically, the authentication logic is written into the business logic of the application itself, i.e. there is a strong coupling between the application's authentication logic and its business logic. In addition, the service credentials required for identity authentication are maintained and managed by the application itself. This creates a certain risk: if the service credentials are compromised, a malicious application can use the credentials maintained by the application to invoke the service successfully.
In practice, the authentication methods adopted by different applications may also differ. If the application of the service caller needs to integrate with applications of different service providers, authentication logic conforming to the authentication mode of each service provider must be customized and written into the business logic of the application. It is easy to see that many different authentication logics then need to be configured for the service caller, and the cost of invoking services becomes very high.
In order to solve these technical problems, the embodiments of this specification aim to provide an identity authentication scheme that is both secure and general. Specifically, applications are containerized by the kubernetes system, and application containers for service callers and service providers are deployed on it. In addition, a secure container is configured for each application container, and the secure container provides the identity authentication capability for the application container. In this way, the authentication logic is stripped (decoupled) from the business logic of the application, and authentication is performed solely by the secure container. In particular, the generation and issuance of service credentials, which is part of the authentication logic, is implemented by the secure container, whose internal data cannot be accessed from outside, so disclosure of the service credentials is avoided. In addition, the service credential is encrypted, and the encryption algorithm is stored only in the secure container and likewise cannot be accessed from outside it; without the same encryption algorithm the service credential cannot be decrypted, so the application identity information in the service credential cannot be tampered with. This solves the problem of security risk in service provision.
On the other hand, because the identity authentication logic is decoupled from the business logic of the application, identity authentication between different applications can be realized through secure containers that share the same identity authentication logic. No additional custom identity authentication logic is required, which solves the problem of high integration cost during service calls.
Service calls between application containers in this specification may be exemplified by application containers that make service calls across clouds. Cross-cloud application containers may refer to service calls between application containers employing different cloud environments. Such as public cloud, private cloud, hybrid cloud, etc. For example, making service calls between public cloud application containers and private cloud application containers involves cross-cloud service calls.
The present specification provides an identity authentication method, which is introduced with reference to the example shown in FIG. 1. The method may be applied to a kubernetes system for deploying application containers, and may include the following steps:
Step 110: a first application container where a service caller is located obtains a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
Step 120: the first application container sends the service credential to a second application container where a service provider is located;
Step 130: the second application container sends the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.
FIG. 2 is a schematic diagram of a kubernetes system to which this embodiment is applicable.
The kubernetes system is an open source system for automatically deploying, expanding and managing "containerized" applications. The containerized application is referred to herein simply as an application container.
Legacy application deployment requires that applications be installed through plug-ins or scripts, so the running, configuration, management and the whole lifecycle of a legacy deployment are tied to the operating system it resides on. This is not conducive to upgrade, update and rollback operations on the application.
The containerized deployment mode provided by the kubernetes system isolates application containers from one another: each application container has its own file system, processes in different application containers cannot affect each other, and computing resources can be separated. Application containers can also be deployed quickly through the kubernetes system. In addition, because a container is decoupled from the underlying infrastructure, the machine's file system and the business logic, an application container can be migrated between different cloud environments, different versions and different operating systems.
The smallest deployable computing unit created and managed in the kubernetes system is the Pod; application containers are deployed in Pods.
In FIG. 2, for an application container that can be extended in sidecar mode, the system deploys the secure container in the same Pod as the application container.
The sidecar mode (also called the sidecar pattern) is a mode in which a function of an application is stripped from the application itself and run as a separate process. Additional functionality can be added to the application non-invasively through the sidecar approach, avoiding the need to add extra configuration code to the application to satisfy the requirements of third-party components.
An application container and a secure container deployed in the same Pod share the same lifecycle, and the secure container is used to provide functions covering various security aspects, such as identity issuance, identity authentication and permission control, for the application container. Specifically, the secure container may expose an interface for each of these functions to the application containers within the same Pod. For example, the application container may obtain an identity token from the secure container through the identity issuance interface; similarly, there are identity authentication interfaces, permission control interfaces, and so on.
The secure container stores the application identity information corresponding to the application container. The application identity information may include an application identifier of the application container, where the application identifier is unique and is used to locate a specific application.
In an embodiment, the secure container may be a containerized trusted execution environment (Trusted Execution Environment, TEE).
A secure operating system, kept isolated from the application container, can be built in the trusted execution environment, and a secure application runs in that secure operating system. A dedicated memory region is set aside in the TEE as a secure memory space in which the trusted application performs the operations related to identity authentication.
The secure container is isolated from the outside, so the outside cannot access the data inside it. Thus, the service credentials issued by the secure container, as well as its authentication of service credentials, can be considered trusted.
The secure container stores the application identity information corresponding to the application container, and may encrypt that application identity information into a service credential based on an internal credential algorithm (which may also be called an encryption algorithm). The service credential is encrypted, and the credential algorithm is stored only within the secure container and likewise cannot be accessed from outside it; without the same credential algorithm the service credential cannot be decrypted, and only with the same credential algorithm can the application identity information be parsed back out of it.
In an embodiment, the first application container sends the service credential to a second application container where a service provider is located, including:
the first application container sends a call request carrying the service credential to the second application container where the service provider is located;
the method further comprises the steps of:
the second application container responds to the call request and provides the requested service to the first application container, provided that the second secure container returns a result that the identity authentication passes.
The following describes a call scenario of an HTTP service as an example:
Step 1.1: the first application container where the service caller is located initiates a request to acquire a service credential from the first secure container through the identity issuing interface;
Step 1.2: the first secure container generates a service credential based on the locally stored application identity information corresponding to the first application container, and returns the generated service credential to the first application container.
As shown in fig. 2, the first secure container and the first application container are located within the same Pod. The first application container initiates the acquisition request to the first secure container through the identity issuing interface, and correspondingly, the first secure container can also return the generated service credential to the first application container through the identity issuing interface.
The first secure container obtains the application identity information of the first application container locally and generates a service credential through the credential algorithm.
In one embodiment, the service credential includes a token, which is generated by the first secure container based on the application identity information corresponding to the first application container, and the generated token has a validity period. The token is valid only within its validity period and is invalid after the validity period expires.
Step 1.3: the first application container puts the service credential into the HTTP request header and accesses the second application container where the service provider is located.
Step 1.4: the second application container where the service provider is located sends the service credential from the HTTP request header to the second secure container within the same Pod.
The second application container may initiate an authentication request to the second secure container via the identity authentication interface to send the service credential to the second secure container.
Step 1.5: the second secure container authenticates the application identity information contained in the service credential.
After the second secure container receives the service credential, it needs to verify the validity of the service credential and to verify the authenticity of the application identity information contained in the service credential.
As previously described, when the service credential is a token, its validity is determined by verifying whether the token is within its validity period. If the token is within the validity period, the authenticity of the application identity information contained in the token is further verified; otherwise, the identity authentication is determined to fail.
Verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential based on the credential algorithm adopted for generating the service credential, and matching it against the locally stored application identity information to judge whether the application identity information contained in the service credential exists locally. If so, the identity authentication is determined to pass; otherwise, it is determined to fail.
Step 1.6: the second secure container returns the identity authentication result to the second application container, so that the second application container responds to the HTTP request according to the identity authentication result.
The second secure container may also return the authentication result to the second application container via the identity authentication interface. If the identity authentication result is a failure, the second application container does not respond to the HTTP request of the first application container; if the identity authentication result is a pass, the second application container responds to the HTTP request of the first application container.
It should be noted that the invocation of the HTTP service is an example provided in the present specification, and may be applied to any other service invocation, such as the invocation of the RPC service, in practical applications.
In an embodiment, the second secure container may also have a rights control function. Specifically, the method further comprises:
the second secure container returns the calling authority of the first application container to the second application container based on the set authority control rules, provided that the identity authentication is confirmed to pass. The second application container determines the calling authority possessed by the first application container and provides the corresponding services to the first application container based on that calling authority.
The authority control rules comprise role-based access control rules and/or attribute-based access control rules.
The present disclosure further provides, for the embodiment of fig. 1, an embodiment in which the first application container is the execution subject:
the first application container where the service caller is located obtains a service credential from the first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to the second application container where the service provider is located, and the second application container sends the service credential to the second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.
The details of the steps in this embodiment may refer to the embodiment shown in fig. 1, and in addition, other details of the embodiment shown in fig. 1 may also be used in this embodiment, which will not be described herein.
The present specification further provides, with respect to the embodiment of fig. 1, an embodiment in which the second application container is an execution subject:
the second application container where the service provider is located receives a service credential sent by the first application container where the service caller is located, the service credential having been acquired by the first application container from the first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
the second application container where the service provider is located sends the service credential to the second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.
The details of the steps in this embodiment may refer to the embodiment shown in fig. 1, and in addition, other details of the embodiment shown in fig. 1 may also be used in this embodiment, which will not be described herein.
The present specification also provides another identity authentication method, which may be applied to kubernetes system for deploying application containers, and may be described with reference to the example shown in fig. 3, and the method may include the following steps:
Step 210: the first application container where the service caller is located acquires a service credential from the secure container of an external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
Step 220: the first application container sends the service credential to the second application container where the service provider is located;
Step 230: the second application container sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential.
Fig. 4 is a schematic diagram of a kubernetes system to which this embodiment is applicable.
The smallest deployable computing unit created and managed in the kubernetes system is Pod. The application container is deployed in Pod.
In fig. 4, for an application container that does not support the sidecar transformation, the system may deploy the secure container to an external system through the daemonset technology, and map the interface of the secure container located in the external system into the application container through the netnamespace technology, so that the application container obtains the identity authentication function from the secure container based on that interface. For example, the application container may obtain an identity token from the secure container through the identity issuing interface. Similarly, there are identity authentication interfaces, rights control interfaces, etc.
The secure container stores the application identity information corresponding to the application container. The application identity information may include an application identifier of the application container, where the application identifier is unique and is used to locate a specific application.
Here, daemonset is a controller that ensures that a copy of a Pod runs on all, or a selected part, of the nodes.
A netnamespace provides an isolated network environment, just like a stand-alone system, while connections can still be established between the different systems.
In an embodiment, the secure container may refer to a containerized trusted execution environment (Trusted Execution Environment, TEE).
A secure operating system, kept isolated from the application container, can be built in the trusted execution environment, and a secure application runs in that secure operating system. A memory region is separately set aside in the TEE as a secure memory space in which the trusted application performs identity-authentication-related operations.
The secure container is isolated from the outside, so that the outside cannot access the data in the secure container. Thus, the service credentials issued by the secure container, as well as the authentication of those service credentials, may be considered trusted.
The secure container stores the application identity information corresponding to the application container. The secure container may encrypt the application identity information into a service credential based on an internal credential algorithm (which may also be referred to as an encryption algorithm). The service credential is encrypted, and the credential algorithm is stored only within the secure container and likewise cannot be accessed from outside it; without the same credential algorithm the service credential cannot be decrypted, and only with the same credential algorithm can the application identity information be parsed back out of it.
In an embodiment, the first application container sends the service credential to a second application container where a service provider is located, including:
the first application container sends a call request carrying the service credential to the second application container where the service provider is located;
the method further comprises the steps of:
the second application container responds to the call request and provides the requested service to the first application container, provided that the second application container receives a result from the secure container that the identity authentication passes.
The following describes a call scenario of an HTTP service as an example:
Step 2.1: the first application container where the service caller is located initiates a request to acquire an identity token from the secure container of the external system through the identity issuing interface;
Step 2.2: the secure container of the external system generates a service credential based on the locally stored application identity information corresponding to the first application container, and returns the generated service credential to the first application container through the identity issuing interface.
After the secure container obtains the application identity information of the first application container locally, a service credential is generated through a credential algorithm.
In one embodiment, the service credential includes a token, which is generated by the secure container based on the application identity information corresponding to the first application container, and the generated token has a validity period. The token is valid only within its validity period and is invalid after the validity period expires.
Step 2.3: the first application container puts the service credential into the HTTP request header and accesses the second application container where the service provider is located.
Step 2.4: the second application container where the service provider is located sends the service credential from the HTTP request header to the secure container of the external system through the identity authentication interface.
Step 2.5: the secure container of the external system authenticates the application identity information contained in the service credential.
After the secure container receives the service credential, it needs to verify the validity of the service credential and to verify the authenticity of the application identity information contained in the service credential.
As previously described, when the service credential is a token, its validity is determined by verifying whether the token is within its validity period. If the token is within the validity period, the authenticity of the application identity information contained in the token is further verified; otherwise, the identity authentication is determined to fail.
Verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential based on the credential algorithm adopted for generating the service credential, and matching it against the locally stored application identity information to judge whether the application identity information contained in the service credential exists locally. If so, the identity authentication is determined to pass; otherwise, it is determined to fail.
Step 2.6: the secure container of the external system returns the identity authentication result to the second application container through the identity authentication interface, so that the second application container responds to the HTTP request according to the identity authentication result.
The secure container returns the identity authentication result to the second application container through the identity authentication interface. If the identity authentication result is a failure, the second application container does not respond to the HTTP request of the first application container; if the identity authentication result is a pass, the second application container responds to the HTTP request of the first application container.
It should be noted that the invocation of the HTTP service is an example provided in the present specification, and may be applied to any other service invocation, such as the invocation of the RPC service, in practical applications.
In an embodiment, the secure container of the external system may also have a rights control function. Specifically, the method further comprises:
the secure container returns the calling authority of the first application container to the second application container through the authority control interface, based on the set authority control rules, provided that the identity authentication is confirmed to pass. The second application container determines the calling authority possessed by the first application container and provides the corresponding services to the first application container based on that calling authority.
The authority control rules comprise role-based access control rules and/or attribute-based access control rules.
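As an added worked example, not part of the patent specification, the following Python models the sidecar flow of steps 1.1 to 1.6 above (two secure containers holding the same credential algorithm, fig. 2) and the external-system flow of steps 2.1 to 2.6 (one secure container serving both Pods, fig. 4), including the validity-period check, the local identity match, and the rights control step. The patent does not name its credential algorithm or the request header; the HMAC-SHA256 keyed token, the header name X-Service-Credential, the identity store contents and the role/attribute rules below are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

TAG_LEN = hashlib.sha256().digest_size        # 32-byte HMAC tag (assumption)
CREDENTIAL_HEADER = "X-Service-Credential"    # header name is an assumption


class SecureContainer:
    """Models the secure container (Pod sidecar of fig. 2 or external system of fig. 4).
    identities: locally stored application identity information keyed by the unique
    application identifier; rules: role-based rules, service -> roles allowed to call it.
    The key never leaves the container; containers holding the same key model "the
    same credential algorithm" the patent requires for parsing a credential."""

    def __init__(self, credential_key: bytes, identities: Dict[str, dict],
                 rules: Dict[str, Set[str]], validity_seconds: int = 300):
        self._key = credential_key
        self._identities = dict(identities)
        self._rules = dict(rules)
        self._validity = validity_seconds

    # Identity issuing interface (steps 1.1/1.2 and 2.1/2.2).
    def issue_credential(self, app_id: str, now: Optional[float] = None) -> str:
        if app_id not in self._identities:
            raise KeyError(f"no application identity information for {app_id!r}")
        now = time.time() if now is None else now
        body = json.dumps({"app": app_id, "exp": int(now) + self._validity}).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    # Identity authentication interface (steps 1.4/1.5 and 2.4/2.5).
    def authenticate(self, credential: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(credential.encode())
        except ValueError:
            raw = b""
        if len(raw) <= TAG_LEN:
            return False, "malformed credential"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        # Only the same credential algorithm (here: the same key) can parse the
        # identity information back out; anything else is rejected before parsing.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "credential not produced by this credential algorithm"
        claims = json.loads(body)
        # Validity check first: a token outside its validity period fails.
        if now > claims["exp"]:
            return False, "token outside validity period"
        # Authenticity check: the parsed identity must exist in the local store.
        if claims["app"] not in self._identities:
            return False, "application identity information not found locally"
        return True, claims["app"]

    # Rights control interface: a role-based rule AND an attribute-based rule.
    def call_authority(self, app_id: str, service: str) -> bool:
        attrs = self._identities.get(app_id, {})
        role_ok = bool(attrs.get("roles", set()) & self._rules.get(service, set()))
        attr_ok = attrs.get("env") == "prod"    # constructed attribute-based rule
        return role_ok and attr_ok


def caller_build_request(secure: SecureContainer, app_id: str,
                         now: Optional[float] = None) -> Dict[str, str]:
    """First application container (steps 1.3/2.3): put the credential in the header."""
    return {CREDENTIAL_HEADER: secure.issue_credential(app_id, now)}


def provider_handle_request(headers: Dict[str, str], secure: SecureContainer,
                            service: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Second application container (steps 1.4-1.6/2.4-2.6): forward the header
    credential to the secure container; respond only if authentication and rights pass."""
    credential = headers.get(CREDENTIAL_HEADER)
    if credential is None:
        return 401, "missing service credential"
    ok, detail = secure.authenticate(credential, now)
    if not ok:
        return 401, detail
    if not secure.call_authority(detail, service):
        return 403, "no calling authority for " + service
    return 200, f"{service} served to {detail}"


if __name__ == "__main__":
    key = b"credential-key-held-only-by-secure-containers"    # constructed
    identities = {"svc-checkout": {"roles": {"checkout"}, "env": "prod"},
                  "svc-report": {"roles": {"reporting"}, "env": "staging"}}
    rules = {"orders.create": {"checkout"}, "orders.read": {"checkout", "reporting"}}
    # Fig. 2: one sidecar per Pod, both holding the same credential algorithm.
    first_sidecar = SecureContainer(key, identities, rules)
    second_sidecar = SecureContainer(key, identities, rules)
    req = caller_build_request(first_sidecar, "svc-checkout")
    print(provider_handle_request(req, second_sidecar, "orders.create"))   # 200
    # Fig. 4: a single external secure container serves both Pods.
    external = SecureContainer(key, identities, rules)
    req = caller_build_request(external, "svc-report")
    print(provider_handle_request(req, external, "orders.read"))   # 403, env is staging
```

The same SecureContainer class is instantiated twice with one key to model the two Pod sidecars of fig. 2, and once to model the external secure container of fig. 4; a credential from a container with a different key is rejected before its identity information is parsed.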
The present specification further provides, for the embodiment of fig. 3, an embodiment in which the first application container is the execution subject:
the first application container where the service caller is located acquires a service credential from the secure container of the external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to the second application container where the service provider is located, and the second application container sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential.
The details of the steps in this embodiment may refer to the embodiment shown in fig. 3, and in addition, other details of the embodiment shown in fig. 3 may also be used in this embodiment, which will not be described herein.
The present specification further provides, for the embodiment of fig. 3, an embodiment in which the second application container is an execution subject:
the second application container where the service provider is located receives a service credential sent by the first application container where the service caller is located, the service credential having been acquired by the first application container from the secure container of the external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
the second application container where the service provider is located sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential.
The details of the steps in this embodiment may refer to the embodiment shown in fig. 3, and in addition, other details of the embodiment shown in fig. 3 may also be used in this embodiment, which will not be described herein.
Corresponding to the foregoing embodiments of the identity authentication method, the present specification also provides embodiments of an identity authentication apparatus. The apparatus embodiments can be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus in a logical sense is formed by the processor of the device where it is located reading the corresponding computer program instructions from the nonvolatile memory into memory and running them. In terms of hardware, fig. 5 shows a hardware structure diagram of the device where the identity authentication apparatus of the present specification is located; in addition to the processor, network interface, memory and nonvolatile memory shown in fig. 5, the device where the apparatus in the embodiment is located may further include other hardware according to the actual identity authentication function, which is not described herein.
Referring to fig. 6, a block diagram of an identity authentication device according to an embodiment of the present disclosure is provided, where the device corresponds to the embodiment shown in fig. 1, and is applied to a kubernetes system for deploying an application container, and the kubernetes system deploys a secure container in a sidecar manner to the same Pod where the application container is located, where the secure container is used to provide an identity authentication function for the application container in the same Pod; the device comprises:
an acquiring unit 610, where a first application container where a service caller is located acquires a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
a transmitting unit 620, configured to transmit the service credential to a second application container where a service provider is located by the first application container;
and an authentication unit 630, where the second application container sends the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential.
Optionally, the sending unit 620 includes:
the first application container sends a call request carrying the service credential to the second application container where the service provider is located;
The apparatus further comprises:
a response unit, configured to respond to the call request and provide the requested service to the first application container, provided that the second application container receives a result from the second secure container that the identity authentication passes.
Optionally, the apparatus further includes:
a control unit, configured to return the calling authority of the first application container to the second application container based on the set authority control rules, provided that the second secure container confirms that the identity authentication passes.
Optionally, the authentication unit 630 is configured to enable the second secure container to authenticate the application identity information contained in the service credential, which includes:
causing the second secure container to verify the validity of the service credential and to verify the authenticity of the application identity information contained in the service credential.
Optionally, the service credential includes a token, where the service credential is generated by the first secure container based on application identity information corresponding to a first application container; and the generated token has a validity period;
the verifying the validity of the service credential includes:
verifying whether the token is located within a validity period;
The verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential based on the credential algorithm adopted for generating the service credential, and matching it against the locally stored application identity information.
Referring to fig. 7, a block diagram of an identity authentication apparatus according to an embodiment of the present disclosure is provided, where the apparatus corresponds to the embodiment shown in fig. 7, and is applied to a kubernetes system for deploying an application container, and the interface of a secure container located in an external system is mapped into the application container through the netnamespace technology, so that the application container obtains the identity authentication function from the secure container based on that interface; the apparatus comprises:
an obtaining unit 710, configured to obtain a service credential from a secure container of the external system by using a first application container where a service caller is located; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
a sending unit 720, where the first application container sends the service credential to a second application container where the service provider is located;
and an authentication unit 730, where the second application container sends the service credential to a secure container of the external system, so that the secure container authenticates the application identity information included in the service credential.
Optionally, the sending unit 720 includes:
the first application container sends a call request carrying the service credential to the second application container where the service provider is located;
the apparatus further comprises:
a response unit, configured to respond to the call request and provide the requested service to the first application container, provided that the second application container receives a result from the secure container that the identity authentication passes.
Optionally, the apparatus further includes:
and the control unit is used for returning the calling authority of the first application container to the second application container based on the set authority control rule under the condition that the identity authentication is confirmed to pass by the security container.
Optionally, the authentication unit 730 is configured to enable the secure container to authenticate the application identity information contained in the service credential, which includes:
causing the secure container to verify the validity of the service credential and to verify the authenticity of the application identity information contained in the service credential.
Optionally, the service credential includes a token, and the service credential is generated by the secure container based on application identity information corresponding to the first application container; and the generated token has a validity period;
The verifying the validity of the service credential includes:
verifying whether the token is located within a validity period;
the verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential based on the credential algorithm adopted for generating the service credential, and matching it against the locally stored application identity information.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
Since the apparatus embodiments essentially correspond to the method embodiments, reference is made to the description of the method embodiments for the relevant points. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present specification. Those of ordinary skill in the art can understand and implement them without undue burden.
Fig. 6 above describes an internal functional module and a schematic of an identity authentication device, and the substantial execution subject thereof may be an electronic device, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
a first application container where a service caller is located obtains a service credential from a first secure container in the same Pod; the service credential is generated by the first secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
the second application container sends the service credential to a second secure container in the same Pod, so that the second secure container authenticates the application identity information contained in the service credential;
the first application container and the second application container are deployed in a kubernetes system; the kubernetes system deploys, in a sidecar manner, the first secure container to the same Pod where the first application container is located and the second secure container to the same Pod where the second application container is located, and the first secure container and the second secure container are used to provide identity authentication functions for the application containers in the same Pod.
Fig. 7 above describes an internal functional module and a schematic of an identity authentication device, and the substantial execution subject thereof may be an electronic device, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
a first application container where a service caller is located obtains a service credential from a secure container of an external system; the service credential is generated by the secure container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
the second application container sends the service credential to the secure container of the external system, so that the secure container authenticates the application identity information contained in the service credential;
the first application container and the second application container are deployed in a kubernetes system, and the interface of the secure container of the external system is mapped into the first application container and the second application container through the netnamespace technology, so that the application containers obtain the identity authentication function from the secure container based on that interface.
In the above electronic device embodiment, it should be understood that the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or the like. A general-purpose processor may be a microprocessor or any conventional processor, and the aforementioned memory may be a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk, or a solid-state disk. The steps of a method disclosed in connection with the embodiments of the present specification may be embodied directly in a hardware processor, or in a combination of hardware and software modules in a processor.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the electronic device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
Other embodiments of the present disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the examples disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.

Claims (22)

1. An identity authentication method, applied to a kubernetes system that deploys application containers, wherein the kubernetes system deploys a security container in sidecar mode into the same Pod as the application container, and the security container provides an identity authentication function for the application container in the same Pod; the method comprises the following steps:
a first application container where a service caller is located obtains a service credential from a first security container in the same Pod; the service credential is generated by the first security container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
and the second application container sends the service credential to a second security container in the same Pod so that the second security container authenticates the application identity information contained in the service credential.
2. The method of claim 1, wherein the first application container sending the service credential to the second application container where the service provider is located comprises:
the first application container sends a call request carrying the service credential to the second application container where the service provider is located;
the method further comprises:
the second application container responds to the call request and provides the requested service to the first application container when the second security container returns that identity authentication has passed.
3. The method of claim 1, the method further comprising:
when it confirms that identity authentication has passed, the second security container returns the call permissions of the first application container to the second application container based on a configured permission control rule.
4. The method of claim 1, wherein the second security container authenticating the application identity information contained in the service credential comprises:
the second security container verifies the validity of the service credential, and verifies the authenticity of the application identity information contained in the service credential.
5. The method of claim 4, wherein the service credential comprises a token generated by the first security container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential comprises:
verifying whether the token is within its validity period;
verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential according to the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
6. An identity authentication method, applied to a kubernetes system that deploys application containers, wherein an interface of a security container located in an external system is mapped into the application container through network namespace (netns) technology, so that the application container obtains an identity authentication function of the security container through that interface; the method comprises the following steps:
a first application container where a service caller is located obtains a service credential from the security container of the external system; the service credential is generated by the security container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
the second application container sends the service credential to the security container of the external system, so that the security container authenticates the application identity information contained in the service credential.
7. The method of claim 6, wherein the first application container sending the service credential to the second application container where the service provider is located comprises:
the first application container sends a call request carrying the service credential to the second application container where the service provider is located;
the method further comprises:
the second application container responds to the call request and provides the requested service to the first application container when it receives from the security container that identity authentication has passed.
8. The method of claim 6, the method further comprising:
when it confirms that identity authentication has passed, the security container returns the call permissions of the first application container to the second application container based on a configured permission control rule.
9. The method of claim 6, wherein the security container authenticating the application identity information contained in the service credential comprises:
the security container verifies the validity of the service credential, and verifies the authenticity of the application identity information contained in the service credential.
10. The method of claim 9, wherein the service credential comprises a token generated by the security container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential comprises:
verifying whether the token is within its validity period;
verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential according to the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
11. An identity authentication device, applied to a kubernetes system that deploys application containers, wherein the kubernetes system deploys a security container in sidecar mode into the same Pod as the application container, and the security container provides an identity authentication function for the application container in the same Pod; the device comprises:
an acquiring unit, used for a first application container where a service caller is located to obtain a service credential from a first security container in the same Pod; the service credential is generated by the first security container according to locally stored application identity information corresponding to the first application container;
a sending unit, used for the first application container to send the service credential to a second application container where a service provider is located;
and an authentication unit, used for the second application container to send the service credential to a second security container in the same Pod so that the second security container authenticates the application identity information contained in the service credential.
12. The apparatus of claim 11, wherein the sending unit is used for:
the first application container to send a call request carrying the service credential to the second application container where the service provider is located;
the apparatus further comprises:
a response unit, used for responding to the call request and providing the requested service to the first application container when the second application container receives from the second security container that identity authentication has passed.
13. The apparatus of claim 11, the apparatus further comprising:
a control unit, used for returning the call permissions of the first application container to the second application container based on a configured permission control rule when the second security container confirms that identity authentication has passed.
14. The apparatus of claim 11, wherein the authentication unit causing the second security container to authenticate the application identity information contained in the service credential comprises:
causing the second security container to verify the validity of the service credential, and to verify the authenticity of the application identity information contained in the service credential.
15. The apparatus of claim 14, wherein the service credential comprises a token generated by the first security container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential comprises:
verifying whether the token is within its validity period;
verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential according to the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
16. An identity authentication device, applied to a kubernetes system that deploys application containers, wherein an interface of a security container located in an external system is mapped into the application container through network namespace (netns) technology, so that the application container obtains an identity authentication function of the security container through that interface; the device comprises:
an acquiring unit, used for a first application container where a service caller is located to obtain a service credential from the security container of the external system; the service credential is generated by the security container according to locally stored application identity information corresponding to the first application container;
a sending unit, used for the first application container to send the service credential to a second application container where a service provider is located;
and an authentication unit, used for the second application container to send the service credential to the security container of the external system so that the security container authenticates the application identity information contained in the service credential.
17. The apparatus of claim 16, wherein the sending unit is used for:
the first application container to send a call request carrying the service credential to the second application container where the service provider is located;
the apparatus further comprises:
a response unit, used for responding to the call request and providing the requested service to the first application container when the second application container receives from the security container that identity authentication has passed.
18. The apparatus of claim 16, the apparatus further comprising:
a control unit, used for returning the call permissions of the first application container to the second application container based on a configured permission control rule when the security container confirms that identity authentication has passed.
19. The apparatus of claim 16, wherein the authentication unit causing the security container to authenticate the application identity information contained in the service credential comprises:
causing the security container to verify the validity of the service credential, and to verify the authenticity of the application identity information contained in the service credential.
20. The apparatus of claim 19, wherein the service credential comprises a token generated by the security container based on the application identity information corresponding to the first application container, and the generated token has a validity period;
verifying the validity of the service credential comprises:
verifying whether the token is within its validity period;
verifying the authenticity of the application identity information contained in the service credential comprises:
parsing the application identity information contained in the service credential according to the credential algorithm used to generate the service credential, and matching it against the locally stored application identity information.
21. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured such that:
a first application container where a service caller is located obtains a service credential from a first security container in the same Pod; the service credential is generated by the first security container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
and the second application container sends the service credential to a second security container in the same Pod so that the second security container authenticates the application identity information contained in the service credential.
22. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured such that:
a first application container where a service caller is located obtains a service credential from a security container of an external system; the service credential is generated by the security container according to locally stored application identity information corresponding to the first application container;
the first application container sends the service credential to a second application container where a service provider is located;
the second application container sends the service credential to the security container of the external system, so that the security container authenticates the application identity information contained in the service credential.
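The issue-and-verify flow of claims 1-10 (the same security-container logic serves both the sidecar and the external-system deployment, and the device and electronic-device claims restate it), as an added example that is not code from the patent or from Alipay. The patent does not name its credential algorithm; the HMAC-SHA256 signed JSON token, the identity store, the permission rule and the key shared between security containers are all assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample of the "locally stored application identity information" a
# security container keeps for the application containers it serves. The patent
# does not fix a credential algorithm; an HMAC-SHA256 signed JSON token is assumed.
APP_IDENTITIES = {
    "order-app": {"app": "order-app", "namespace": "shop", "version": "1"},
    "pay-app": {"app": "pay-app", "namespace": "shop", "version": "1"},
}
# Constructed permission control rule (claims 3 and 8): caller -> provider -> services.
PERMISSION_RULES = {"order-app": {"pay-app": ["charge"]}}
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"  # assumed shared by all security containers


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityContainer:
    """Sidecar (claims 1-5) or external-system (claims 6-10) security container."""

    def __init__(self, identities, key, rules):
        self.identities, self.key, self.rules = identities, key, rules

    def _sign(self, body: str) -> str:
        return _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def issue_credential(self, app_id: str, ttl: int, now: float) -> str:
        # Claims 5/10: token generated from the caller's stored identity, with a validity period.
        identity = self.identities[app_id]  # unknown application containers get no token
        payload = {"identity": identity, "exp": int(now) + ttl}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        return body + "." + self._sign(body)

    def authenticate(self, token: str, now: float):
        """Return (passed, reason, app_id): validity first, then authenticity (claims 4/9)."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed", None
        # The credential algorithm binds the token: a bad signature is not authentic.
        if not hmac.compare_digest(sig, self._sign(body)):
            return False, "bad signature", None
        claims = json.loads(_unb64(body))
        # Validity: the token must still be inside its validity period.
        if now >= claims["exp"]:
            return False, "expired", None
        # Authenticity: the parsed identity must match the locally stored identity.
        identity = claims["identity"]
        app_id = identity.get("app")
        if self.identities.get(app_id) != identity:
            return False, "identity mismatch", None
        return True, "ok", app_id

    def call_permission(self, app_id: str, provider: str) -> list:
        # Claims 3/8: after authentication passes, return the caller's call permissions.
        return self.rules.get(app_id, {}).get(provider, [])


def handle_call(provider: str, request: dict, sidecar: SecurityContainer, now: float) -> dict:
    """Second application container (claims 2/7): hand the credential to its security
    container and serve the call only if authentication passes and the rule permits it."""
    passed, reason, caller = sidecar.authenticate(request["credential"], now)
    if not passed:
        return {"status": 401, "reason": reason}
    if request["service"] not in sidecar.call_permission(caller, provider):
        return {"status": 403, "reason": "not permitted"}
    return {"status": 200, "service": request["service"], "caller": caller}
```

A token issued by a security container whose stored identity for the caller is stale fails the match step even though its signature verifies, which is the check that separates authenticity of the identity information from mere validity of the token.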
CN202010653267.6A 2020-07-08 2020-07-08 Identity authentication method and device and electronic equipment Active CN111783051B (en)


Publications (2)

Publication Number Publication Date
CN111783051A CN111783051A (en) 2020-10-16
CN111783051B true CN111783051B (en) 2023-11-10

Family

ID=72759198


Country Status (1)

Country Link
CN (1) CN111783051B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant