CN113672888A - Cloud platform access method, device and system and cloud platform server

Info

Publication number: CN113672888A
Application number: CN202110997963.3A
Authority: CN (China)
Legal status: Withdrawn
Other languages: Chinese (zh)
Inventors: 刘元松, 李宪状, 朱波
Current assignee: Jinan Inspur Data Technology Co Ltd
Original assignee: Jinan Inspur Data Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a cloud platform access method, device and system and a cloud platform server. The method comprises: a cloud platform server obtains a client login request, the client login request comprising login verification information, which in turn comprises Ukey user certificate information and user name and password information; detecting whether the client login request is a target request, a target request being a request sent by a security gateway; and, if so, verifying the client login request according to the login verification information. By detecting whether the client login request is a target request, the security gateway is used to secure transmission between the client and the cloud platform server; by verifying the client login request against the login verification information, the user is compelled to insert the Ukey into the client device and the request is verified with the user certificate information stored in the Ukey, so the access security of the cloud platform is improved.

Description

Cloud platform access method, device and system and cloud platform server
Technical Field
The invention relates to the technical field of cloud platforms, in particular to an access method, device and system of a cloud platform and a cloud platform server.
Background
As enterprises grow, their demand for services and computing power increases daily. In the cloud computing era, moving to the cloud has freed enterprises from the constraints of physical server equipment: they can scale their servers up or down according to development needs, acquiring capacity on demand and in the quantity planned, so moving business to the cloud has become the mainstream trend.
The network environment is never secure. Once enterprise business is in the cloud, security becomes its biggest challenge. To secure cyberspace and regulate behaviour in the online world, China has steadily advanced its cyber-security legislation and issued a number of laws and regulations; among them, network security classified protection (the 'classified protection' scheme) and commercial cryptography application security assessment (the 'cryptography assessment' scheme) are being implemented. Both place higher security requirements on applications.
How to improve the access security of a cloud platform and ensure its safe use is therefore an urgent problem.
Disclosure of Invention
The invention aims to provide a cloud platform access method, device and system and a cloud platform server, so as to improve the access security of a cloud platform and ensure its safe use.
To solve the above technical problem, the invention provides a cloud platform access method, comprising:
a cloud platform server obtaining a client login request; the client login request comprises login verification information, and the login verification information comprises Ukey user certificate information and user name and password information;
detecting whether the client login request is a target request; a target request is a request sent by a security gateway;
and, if so, verifying the client login request according to the login verification information.
Optionally, verifying the client login request according to the login verification information comprises:
verifying whether the user name and password information and the Ukey user certificate information match stored registered user information;
if so, determining that the user login corresponding to the client login request succeeds;
if not, rejecting the client login request.
Optionally, the cloud platform server obtaining a client login request comprises:
the cloud platform server obtaining the client login request sent by the security gateway through an encrypted channel.
Optionally, the method further comprises:
obtaining a key operation request; the key operation request comprises data to be verified, the data to be verified comprises operation data and signature information, the signature information comprises a signature value and a certificate public key corresponding to the operation data, and the operation data comprises at least one of an operation type, an operation resource id, an operation resource name, an operator id and a timestamp;
verifying the signature of the data to be verified;
if the signature verification succeeds, executing the key operation request;
and if the signature verification fails, rejecting the key operation request.
Optionally, the method further comprises:
performing secondary signature verification on stored target data to be verified according to an obtained operation verification request; the target data to be verified is the data to be verified corresponding to the operation verification request;
if the secondary signature verification succeeds, determining that the operation corresponding to the target data to be verified cannot be repudiated;
correspondingly, executing the key operation request comprises:
storing the data to be verified, and executing the key operation request.
The invention also provides a cloud platform access device, applied to the cloud platform server, comprising:
a login acquisition module, configured to obtain a client login request; the client login request comprises login verification information, and the login verification information comprises Ukey user certificate information and user name and password information;
a request detection module, configured to detect whether the client login request is a target request; a target request is a request sent by a security gateway;
and a login verification module, configured to verify the client login request according to the login verification information if the client login request is a target request.
The invention also provides a cloud platform server, comprising:
a memory for storing a computer program;
and a processor configured to implement the steps of the cloud platform access method described above when executing the computer program.
In addition, the invention provides a cloud platform access system, comprising:
the cloud platform server described above;
and a client device connected to the cloud platform server, configured to use a security gateway to verify the trustworthiness of the user certificate in the Ukey according to an original login request; and, if the user certificate is trusted, to generate a client login request from the Ukey user certificate information of that certificate and the original login request, and send the client login request to the cloud platform server.
Optionally, the system further comprises:
a cryptographic service platform device connected to the cloud platform server, configured to verify the signature of the data to be verified in a key operation request sent by the cloud platform server and return the verification result to the cloud platform server; the data to be verified comprises operation data and signature information;
correspondingly, the cloud platform server is further configured to obtain the key operation request; verify the signature of the data to be verified by means of the cryptographic service platform device; execute the key operation request if the signature verification succeeds; and reject the key operation request if the signature verification fails.
Optionally, the system further comprises:
a timestamp server connected to the client device, configured to send the timestamp requested by the client device to the client device.
The invention provides a cloud platform access method comprising: a cloud platform server obtains a client login request, the client login request comprising login verification information, which comprises Ukey user certificate information and user name and password information; detecting whether the client login request is a target request, a target request being a request sent by the security gateway; and, if so, verifying the client login request according to the login verification information.
Thus, by detecting whether the client login request is a target request, the method and device use the security gateway to secure transmission between the client and the cloud platform server; by verifying the client login request against the login verification information, the user is compelled to insert the Ukey into the client device and the request is verified with the user certificate information stored in the Ukey, which improves the access security of the cloud platform and ensures its safe use. The cloud platform access device and system and the cloud platform server provided by the invention have the same beneficial effects.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a cloud platform access method according to an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a cloud platform access system according to an embodiment of the invention;
Fig. 3 is a flowchart of another cloud platform access method according to an embodiment of the invention;
Fig. 4 is a block diagram of a cloud platform access device according to an embodiment of the invention;
Fig. 5 is a schematic structural diagram of a cloud platform server according to an embodiment of the invention;
Fig. 6 is a schematic structural diagram of a cloud platform server according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments of the invention are described below completely and clearly with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the invention.
Referring to fig. 1, fig. 1 is a flowchart of a cloud platform access method according to an embodiment of the invention. The method may comprise the following steps:
Step 101: the cloud platform server obtains a client login request; the client login request comprises login verification information, and the login verification information comprises Ukey user certificate information and user name and password information.
The cloud platform server in this step may be a server providing cloud platform services, and the client login request may be a request sent by a client device to log in to the cloud platform.
The specific content of the client login request may be set by the designer according to the actual scenario and user requirements. For example, the request may carry login verification information used for login verification, and this information may include not only user name and password information but also Ukey user certificate information, i.e. the certificate information of the user certificate held in the Ukey inserted into the client device (a Ukey is a small storage device that connects directly to a computer over a USB interface, has a cryptographic authentication function, and is reliable and fast). In this embodiment the Ukey user certificate information is added to the client login request, so that a certificate verification step is added on top of the existing user name and password check; this gives two-factor authentication combining the user certificate with the user name and password, and further improves the access security of the cloud platform.
For example, a user certificate issued by a trusted authority can be stored in the Ukey and protected by a Ukey password, which secures the certificate. A security gateway must be installed on every client device that accesses the cloud platform, and the gateway can intercept all of the device's traffic. When the gateway recognises an original login request (the user-entered user name and password) sent by the client device to the cloud platform server, it intercepts the request, prompts the user to insert the Ukey into the client device, and reads the user certificate in the Ukey. If no user certificate is found, the original login request is rejected. If one is found, the gateway verifies the certificate's trustworthiness against the root certificate information it stores: only a user certificate signed by the root certificate is trusted, and an untrusted certificate causes the original login request to be rejected. If the user certificate is trusted, the gateway writes its certificate information (the Ukey user certificate information) into the original login request, for example into the request header, to produce the client login request, and forwards that request as a proxy to the cloud platform server.
Correspondingly, the user certificate may be issued by a trusted third-party authority (e.g. the certificate server in fig. 2) and bound one-to-one to the user information held by the cloud platform server, so that each person has exactly one certificate. The certificate is stored in the Ukey, which can be protected by its own password; a high-complexity password together with a lock-out after consecutive wrong entries greatly improves the storage security of the user certificate.
Further, in this embodiment an encrypted channel may be established between each security gateway and the cloud platform server, and all communication with the server may go over that channel, preventing request information from being stolen; in other words, in this step the cloud platform server may obtain the client login request sent by the security gateway through the encrypted channel.
Step 102: detecting whether the client login request is a target request; a target request is a request sent by the security gateway; if so, proceed to step 103.
In this step the cloud platform server determines whether the client login request came from the security gateway by checking whether it is a target request; when it is, step 103 is executed to verify the request.
How a client login request that is not a target request, i.e. one that did not come from the security gateway, is handled may be set by the designer. For example, the cloud platform server can reject it outright: the server then verifies only client login requests that come from the security gateway and directly rejects all others.
The way the cloud platform server detects whether the client login request is a target request may also be set by the designer. For example, the detection may be delegated to a gateway device that checks whether each client login request sent to the cloud platform server comes from the security gateway, forwards it to the server if so and rejects it otherwise. Alternatively, the cloud platform server may perform the detection itself; this embodiment does not limit the choice.
Step 103: verifying the client login request according to the login verification information.
In this step the cloud platform server verifies the client login request using the login verification information in the request sent by the security gateway, and determines whether the user corresponding to the request may log in to the cloud platform.
The specific way the server verifies the request may be set by the designer. For example, the server can verify whether the user name and password information and the Ukey user certificate information in the login verification information match the stored registered user information; if they match, the user login corresponding to the client login request succeeds; if not, the request is rejected. Concretely, the server may check in turn whether the user name and password and then the Ukey user certificate information match the pre-stored information of the user attempting to log in (the registered user information); if both checks pass, the login succeeds, otherwise the client login request is refused.
In this embodiment, detecting whether a client login request is a target request lets the security gateway guarantee the transmission security between the client and the cloud platform server; verifying the request against the login verification information forces the user to insert the Ukey into the client device and verifies the request with the user certificate information stored in the Ukey, which improves the access security of the cloud platform and ensures its safe use.
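The gateway-side certificate check and the server-side two-factor match of steps 101 to 103, as an added worked example in Go that is not part of the patent or of any Inspur product. It constructs its own root CA and user certificate in place of the certificate server and Ukey, represents the encrypted channel by a ViaGateway flag that only the transport layer sets, and the header name X-Ukey-Cert-Fingerprint and the fingerprint-based certificate binding are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a certificate; with parent == nil it is self-signed (the root CA),
// otherwise it is signed by parent with parentKey (the user certificate held in the Ukey).
func issueCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

func fingerprint(c *x509.Certificate) string { s := sha256.Sum256(c.Raw); return hex.EncodeToString(s[:]) }

// LoginRequest is the original username/password request plus what the gateway adds.
// ViaGateway is derived from the encrypted channel's peer identity, never from client input.
type LoginRequest struct{ Username, Password string; Headers map[string]string; ViaGateway bool }

// gatewayForward is the security-gateway step: the Ukey certificate is trusted only if it
// chains to the stored root certificate; its fingerprint is then written into the header.
func gatewayForward(root, ukeyCert *x509.Certificate, orig LoginRequest) (LoginRequest, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := ukeyCert.Verify(opts); err != nil {
		return LoginRequest{}, fmt.Errorf("gateway rejected original login request: %w", err)
	}
	orig.Headers = map[string]string{"X-Ukey-Cert-Fingerprint": fingerprint(ukeyCert)} // header name is assumed
	orig.ViaGateway = true
	return orig, nil
}

// registeredUser is the server-side record: one user, one bound certificate. Plain SHA-256 is for
// the demo only; use a salted password KDF in production.
type registeredUser struct{ passwordHash [32]byte; certFingerprint string }

// verifyLogin is steps 102-103: reject anything that is not a target request, then check
// username/password and the Ukey certificate information against the registered user.
func verifyLogin(users map[string]registeredUser, req LoginRequest) error {
	if !req.ViaGateway {
		return errors.New("rejected: not a target request (did not arrive via the security gateway)")
	}
	u, ok := users[req.Username]
	pw := sha256.Sum256([]byte(req.Password))
	if !ok || subtle.ConstantTimeCompare(pw[:], u.passwordHash[:]) != 1 {
		return errors.New("rejected: username/password mismatch")
	}
	if subtle.ConstantTimeCompare([]byte(req.Headers["X-Ukey-Cert-Fingerprint"]), []byte(u.certFingerprint)) != 1 {
		return errors.New("rejected: Ukey certificate does not match the registered user")
	}
	return nil
}

// Scenario runs three constructed cases and reports whether each login was accepted.
func Scenario() (trusted, rogueCert, noGateway bool) {
	root, rootKey := issueCert(1, "Enterprise Root CA", true, nil, nil)
	userCert, _ := issueCert(2, "alice", false, root, rootKey)
	rogue, _ := issueCert(3, "alice", false, nil, nil) // self-signed, not issued by the root
	users := map[string]registeredUser{"alice": {
		passwordHash: sha256.Sum256([]byte("correct horse")), certFingerprint: fingerprint(userCert)}}
	orig := LoginRequest{Username: "alice", Password: "correct horse"}
	if fwd, err := gatewayForward(root, userCert, orig); err == nil {
		trusted = verifyLogin(users, fwd) == nil
	}
	if fwd, err := gatewayForward(root, rogue, orig); err == nil {
		rogueCert = verifyLogin(users, fwd) == nil
	}
	direct := orig // reaches the server without passing through the gateway
	direct.Headers = map[string]string{"X-Ukey-Cert-Fingerprint": fingerprint(userCert)}
	noGateway = verifyLogin(users, direct) == nil
	return
}

func main() { fmt.Println(Scenario()) }
```

Only the request that carries a certificate chaining to the root and arrives over the gateway channel is accepted; a header alone, however correct, is not enough, which is the point of the target-request check.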
Building on the foregoing embodiment, to further improve the security of the cloud platform, in this embodiment the cloud platform server may require the client device to sign each key operation request at the interface level with the user certificate; the server then verifies the signature carried in the request, which secures the execution of key operations. Referring to fig. 3, fig. 3 is a flowchart of another cloud platform access method according to an embodiment of the invention. The method may comprise the following steps:
Step 201: the cloud platform server obtains a key operation request.
The key operation request comprises data to be verified, which consists of operation data and signature information; the signature information comprises a signature value and a certificate public key corresponding to the operation data, and the operation data comprises at least one of an operation type, an operation resource id, an operation resource name, an operator id and a timestamp.
A key operation request in this step may be a request sent by the client device asking the cloud platform to perform a key (critical) operation. Which operations count as key operations may be set by the designer according to the actual scenario and user requirements. For example, deleting a virtual machine may be a key operation, so a key operation request may be a request to delete a virtual machine; deleting a cloud disk may be another, so a key operation request may be a request to delete a cloud disk. This embodiment does not limit the set of key operations.
The specific content of the key operation request may be set by the designer. For example, the request may carry data to be verified, consisting of operation data and signature information; the signature information may consist of the signature value produced by signing the operation data with the user certificate in the Ukey and the certificate public key of that user certificate; the operation data may comprise at least one of an operation type, an operation resource id, an operation resource name, an operator id and a timestamp, and its data format may be exactly that sequence: operation type, operation resource id, operation resource name, operator id, timestamp. For example, when the client device needs the cloud platform server to execute a key operation, it can read the user certificate in the Ukey through the low-level driver and sign the operation data with the SM2 signature algorithm; if signing succeeds, it writes the operation data, signature value and certificate public key into the header of the key operation request as the data to be verified and sends the request to the cloud platform server.
Correspondingly, the timestamp in the operation data may be issued by a timestamp server, so that the correctness of the data is ensured by a timestamp from an independent source; as shown in fig. 2, when the client device is about to generate a key operation request it may request a timestamp from the timestamp server and build the request with the timestamp returned.
Step 202: verifying the signature of the data to be verified.
In this step the cloud platform server decides whether the key operation request may be executed by verifying the signature of the data to be verified (the operation data and signature information) in the request; if verification succeeds, it proceeds to step 204 and executes the key operation.
The way the server verifies the signature may be set by the designer. For example, the server may use a cryptographic service platform: as shown in fig. 2, the server sends a verification request containing the data to be verified to the cryptographic service platform device (e.g. a server), which verifies the signature; if the returned result is success, step 204 follows, and if it is failure, step 203 follows. Alternatively, the cloud platform server may verify the signature itself. This embodiment does not limit the choice.
Before verifying the signature, the cloud platform server may also check whether the key operation request contains the target parameters, i.e. the data to be verified: the operation data, the signature value and the certificate public key. If they are all present (the request's parameters are complete), signature verification proceeds; if not, the request is rejected directly.
Correspondingly, before verifying the signature, the server may also check whether the key operation request is a target request, i.e. a request sent by the security gateway; if so, signature verification proceeds, and if not, the request is rejected directly.
Step 203: if the signature verification fails, rejecting the key operation request.
In this step the cloud platform server directly rejects a key operation request whose signature verification failed.
Step 204: if the signature verification succeeds, executing the key operation request.
In this step the cloud platform server executes the key operation corresponding to a key operation request whose signature verification succeeded.
In this embodiment the cloud platform server may also store the data to be verified (operation data and signature information) of the key operation request, so that if a dispute over the key operation arises later, the stored data can be verified a second time; this provides non-repudiation. For example, in step 204 the server may execute the request after successful verification and store its data to be verified, i.e. store data whose verification succeeded; later, on receiving an operation verification request, the server performs a secondary signature verification on the stored target data to be verified, the target data being the data to be verified that corresponds to the operation verification request, and if the secondary verification succeeds it determines that the corresponding key operation cannot be repudiated.
Correspondingly, the cloud platform server may instead store all data to be verified: for example, it may write the data to be verified of each key operation request to a database before verification and, after verification, update the database with the corresponding verification result.
In this embodiment the data to be verified in the key operation request is signature-verified; the verification of the operation data, signature value and certificate public key further hardens key operations and further improves the usage security of the cloud platform.
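Steps 201 to 204 end to end, as an added example in Go that is not part of the patent: the client signs the operation data (operation type|resource id|resource name|operator id|timestamp) and places data, signature value and certificate public key in the header; the server checks parameter completeness, verifies the signature, stores the record and can re-verify it later for non-repudiation. ECDSA P-256 stands in for SM2 (not in the Go standard library), the header names and the check that the public key is the one bound to the operator are assumptions, and the timestamp is a constructed value rather than one from the timestamp server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Header names are assumed; the patent only says the three fields go into the request header.
const hdrOpData, hdrSig, hdrPubKey = "X-Op-Data", "X-Op-Signature", "X-Op-Cert-PubKey"

// OperationData uses the patent's field order: type, resource id, resource name, operator id, timestamp.
type OperationData struct{ Type, ResourceID, ResourceName, OperatorID string; Timestamp int64 }

func (o OperationData) Encode() string {
	return fmt.Sprintf("%s|%s|%s|%s|%d", o.Type, o.ResourceID, o.ResourceName, o.OperatorID, o.Timestamp)
}

// clientSign is the client-side step: sign the operation data with the Ukey certificate's private key and
// put data, signature value and certificate public key in the header. ECDSA P-256 stands in for SM2 here.
func clientSign(key *ecdsa.PrivateKey, op OperationData) (map[string]string, error) {
	digest := sha256.Sum256([]byte(op.Encode()))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { return nil, err }
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil { return nil, err }
	return map[string]string{
		hdrOpData: op.Encode(),
		hdrSig:    base64.StdEncoding.EncodeToString(sig),
		hdrPubKey: base64.StdEncoding.EncodeToString(pub),
	}, nil
}

// SignedRecord is the "data to be verified" the server keeps, together with its verification result.
type SignedRecord struct{ OpData, Sig, PubKey string; Verified bool }

// verifySigned checks the signature; it serves step 202 and the secondary verification of a stored record.
func verifySigned(r SignedRecord) error {
	pubDER, err := base64.StdEncoding.DecodeString(r.PubKey)
	if err != nil { return err }
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil { return err }
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok { return errors.New("certificate public key is not an ECDSA key") }
	sig, err := base64.StdEncoding.DecodeString(r.Sig)
	if err != nil { return err }
	digest := sha256.Sum256([]byte(r.OpData))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { return errors.New("signature verification failed") }
	return nil
}

type cloudServer struct {
	registeredPubKey map[string]string // operator id -> base64 public key of the user's bound certificate
	store            []SignedRecord    // all data to be verified, with the result of verification
}

// handleKeyOperation is steps 201-204 plus the parameter-completeness check described under step 202.
func (s *cloudServer) handleKeyOperation(hdr map[string]string) error {
	rec := SignedRecord{OpData: hdr[hdrOpData], Sig: hdr[hdrSig], PubKey: hdr[hdrPubKey]}
	if rec.OpData == "" || rec.Sig == "" || rec.PubKey == "" { return errors.New("rejected: target parameters incomplete") }
	fields := strings.Split(rec.OpData, "|")
	if len(fields) != 5 { return errors.New("rejected: malformed operation data") }
	// Added check (not in the patent): the key must be the one bound to the operator id, else any key pair verifies.
	if s.registeredPubKey[fields[3]] != rec.PubKey { return errors.New("rejected: certificate public key not bound to operator") }
	err := verifySigned(rec)
	rec.Verified = err == nil
	s.store = append(s.store, rec) // keep every record, with its verification result
	if err != nil { return fmt.Errorf("rejected: %w", err) }
	return nil // the key operation would be executed here
}

// secondaryVerify answers an operation verification request for stored record i (non-repudiation).
func (s *cloudServer) secondaryVerify(i int) bool {
	return i < len(s.store) && verifySigned(s.store[i]) == nil
}

// Scenario signs a constructed delete-VM request, submits it, submits a tampered copy, then re-verifies.
func Scenario() (accepted, tamperedAccepted, secondaryOK bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	srv := &cloudServer{registeredPubKey: map[string]string{"op-42": base64.StdEncoding.EncodeToString(pub)}}
	op := OperationData{"delete_vm", "vm-1001", "web-frontend", "op-42", 1700000000} // constructed; timestamp would come from the timestamp server
	hdr, _ := clientSign(key, op)
	accepted = srv.handleKeyOperation(hdr) == nil
	tampered := map[string]string{}
	for k, v := range hdr { tampered[k] = v }
	tampered[hdrOpData] = strings.Replace(hdr[hdrOpData], "vm-1001", "vm-2002", 1)
	tamperedAccepted = srv.handleKeyOperation(tampered) == nil
	secondaryOK = srv.secondaryVerify(0)
	return
}
func main() { fmt.Println(Scenario()) }
```

A changed resource id in the operation data fails verification, and because the server keeps operation data, signature value and public key together, the stored record can be re-verified later without the client.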
Corresponding to the above method embodiment, an embodiment of the present invention further provides an access device for a cloud platform, and the access device for a cloud platform described below and the access method for a cloud platform described above may be referred to in a corresponding manner.
Referring to fig. 4, fig. 4 is a block diagram illustrating an access apparatus of a cloud platform according to an embodiment of the present invention. The device is applied to the cloud platform server and can comprise:
a login acquisition module 10, configured to acquire a client login request, where the client login request comprises login verification information, and the login verification information comprises Ukey user certificate information and username and password information;
a request detection module 20, configured to detect whether the client login request is a target request, where a target request is a request sent by the security gateway;
and a login verification module 30, configured to verify the client login request according to the login verification information if the client login request is a target request.
Optionally, the login verification module 30 may be specifically configured to verify whether the username and password information and the Ukey user certificate information match the stored registered user information; if so, to determine that the user login corresponding to the client login request succeeded; and if not, to reject the client login request.
Optionally, the login acquisition module 10 may include:
an encrypted-channel acquisition submodule, configured to acquire the client login request sent by the security gateway over an encrypted channel.
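An added example (not code from the patent or its assignee) of the three checks the login modules above perform in order: target-request detection, then matching the username/password and the Ukey certificate information against a registered user. It assumes the security gateway marks each forwarded request with an HMAC under a key it shares with the server, that the Ukey certificate information is a certificate fingerprint, and salted SHA-256 for stored passwords; all type and function names are the example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// LoginRequest is the client login request as it reaches the cloud platform server.
type LoginRequest struct {
	Username, Password string
	UkeyCertFP         string // assumption: SHA-256 fingerprint of the Ukey user certificate
	GatewayTag         []byte // assumption: HMAC the security gateway attaches over the three fields above
}

type RegisteredUser struct {
	Salt, PasswordHash []byte // assumption: salted SHA-256; production code would use a slow password hash
	UkeyCertFP         string
}

type LoginServer struct {
	gatewayKey []byte // key shared with the security gateway (assumption)
	users      map[string]RegisteredUser
}

func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// gatewayTag is the tag the security gateway is assumed to compute before forwarding a request.
func gatewayTag(key []byte, r LoginRequest) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(r.Username + "\x00" + r.Password + "\x00" + r.UkeyCertFP))
	return m.Sum(nil)
}

// Login first detects whether the request is a target request (one sent by the security gateway), then
// matches the username/password and Ukey certificate information against the registered user.
func (s *LoginServer) Login(r LoginRequest) error {
	if !hmac.Equal(r.GatewayTag, gatewayTag(s.gatewayKey, r)) {
		return errors.New("not a target request: login request did not come from the security gateway")
	}
	u, ok := s.users[r.Username]
	pwOK := ok && subtle.ConstantTimeCompare(hashPassword(u.Salt, r.Password), u.PasswordHash) == 1
	certOK := ok && subtle.ConstantTimeCompare([]byte(r.UkeyCertFP), []byte(u.UkeyCertFP)) == 1
	if !pwOK || !certOK {
		return errors.New("login rejected: password or Ukey certificate does not match the registered user")
	}
	return nil
}

func main() { // constructed demo: one registered user and one request forwarded by the gateway
	s := &LoginServer{gatewayKey: []byte("demo-gateway-key"), users: map[string]RegisteredUser{}}
	s.users["alice"] = RegisteredUser{Salt: []byte("salt"), PasswordHash: hashPassword([]byte("salt"), "s3cret"), UkeyCertFP: "ab12"}
	r := LoginRequest{Username: "alice", Password: "s3cret", UkeyCertFP: "ab12"}
	r.GatewayTag = gatewayTag(s.gatewayKey, r)
	fmt.Println(s.Login(r))
}
```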
Optionally, the apparatus may further include:
a key acquisition module, configured to acquire a key operation request, where the key operation request comprises data to be signature-verified, the data to be signature-verified comprises operation data and signature information, the signature information comprises a signature value and a certificate public key corresponding to the operation data, and the operation data comprises at least one of an operation type, an operation resource id, an operation resource name, an operator id and a timestamp;
a signature verification module, configured to verify the signature on the data to be signature-verified;
a key execution module, configured to execute the key operation request if the signature verification succeeds;
and a key rejection module, configured to reject the key operation request if the signature verification fails.
Optionally, the apparatus may further include:
a secondary signature verification module, configured to perform secondary signature verification on the stored target data to be signature-verified according to an acquired operation verification request, where the target data to be signature-verified is the data to be signature-verified corresponding to the operation verification request, and, if the secondary signature verification succeeds, to determine that the operation corresponding to the target data cannot be repudiated;
correspondingly, the key execution module may be specifically configured to store the data to be signature-verified and execute the key operation request if the signature verification succeeds.
In this embodiment, the request detection module 20 detects whether the client login request is a target request, so the security gateway is relied on to secure transmission between the client and the cloud platform server; the client login request is then verified according to the login verification information, which requires the user to insert the Ukey into the client device and verifies the login request with the user certificate information stored in the Ukey. This improves the access security of the cloud platform and ensures its safe use.
Corresponding to the method embodiment above, an embodiment of the present invention further provides a cloud platform server; the cloud platform server described below and the access method described above may be cross-referenced.
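An added example (not code from the patent or its assignee) of the key operation flow described in the secondary verification paragraphs above and in the module list: the server verifies the signature over the operation data with the certificate public key, stores only requests whose verification succeeded, and re-verifies the stored data when an operation verification request arrives. It assumes a raw Ed25519 key in place of the public key extracted from the Ukey certificate, a JSON canonical form for the operation data, and an operation id chosen by the caller; all type and function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// OperationData is the operation data carried in a key operation request.
type OperationData struct {
	OpType, ResourceID, ResourceName, OperatorID string
	Timestamp                                    int64
}

// KeyOperationRequest is the data to be signature-verified: operation data, signature value and
// certificate public key (assumption: a raw Ed25519 key stands in for the Ukey certificate's key).
type KeyOperationRequest struct {
	Data      OperationData
	Signature []byte
	PubKey    ed25519.PublicKey
}

// canonical serialises the operation data with a fixed field order so signer and verifier see the same bytes.
func canonical(d OperationData) []byte { b, _ := json.Marshal(d); return b }
func verify(r KeyOperationRequest) bool {
	return len(r.PubKey) == ed25519.PublicKeySize && ed25519.Verify(r.PubKey, canonical(r.Data), r.Signature)
}

// CloudServer keeps every successfully verified request so it can be verified a second time later.
type CloudServer struct{ store map[string]KeyOperationRequest }
func NewCloudServer() *CloudServer { return &CloudServer{store: map[string]KeyOperationRequest{}} }
// HandleKeyOperation verifies the request and stores it only on success; nil means it may be executed.
func (s *CloudServer) HandleKeyOperation(id string, r KeyOperationRequest) error {
	if !verify(r) {
		return errors.New("signature verification failed: key operation rejected")
	}
	s.store[id] = r
	return nil
}
// SecondaryVerify re-checks stored data for an operation verification request; true means non-repudiation holds.
func (s *CloudServer) SecondaryVerify(id string) (bool, error) {
	r, ok := s.store[id]
	if !ok {
		return false, errors.New("no stored data for operation " + id)
	}
	return verify(r), nil
}

// signRequest plays the client side: the Ukey private key signs the operation data.
func signRequest(priv ed25519.PrivateKey, d OperationData) KeyOperationRequest {
	return KeyOperationRequest{d, ed25519.Sign(priv, canonical(d)), priv.Public().(ed25519.PublicKey)}
}

func main() { // constructed demo: a fresh key pair signs one request, which is then verified twice
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewCloudServer()
	fmt.Println(s.HandleKeyOperation("op-1", signRequest(priv, OperationData{"delete_vm", "vm-001", "web-01", "op-42", 1630000000})))
	fmt.Println(s.SecondaryVerify("op-1"))
}
```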
Referring to fig. 5, fig. 5 is a schematic structural diagram of a cloud platform server according to an embodiment of the present invention. The cloud platform server may include:
a memory D1 for storing computer programs;
and a processor D2, configured to implement the steps of the access method of the cloud platform provided by the foregoing method embodiments when executing the computer program.
Specifically, referring to fig. 6, which is a schematic structural diagram of a cloud platform server according to an embodiment of the present invention, the cloud platform server 310 may vary considerably in configuration and performance, and may include one or more processors (CPUs) 322, a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. The memory 332 and the storage media 330 may be, among other things, transient or persistent storage. The program stored on a storage medium 330 may include one or more modules (not shown), each of which may include a series of instructions operating on a data processing device. Further, the central processor 322 may be configured to communicate with the storage medium 330 and to execute the series of instruction operations held in the storage medium 330 on the cloud platform server 310.
The cloud platform server 310 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, such as Windows Server™, Mac OS X™, Unix™, Linux™ or FreeBSD™.
The steps in the access method of the cloud platform described above may be implemented by the structure of a cloud platform server.
Corresponding to the method embodiment above, an embodiment of the present invention further provides an access system for a cloud platform; the access system described below and the access method described above may be cross-referenced.
An access system of a cloud platform, comprising:
the cloud platform server provided by the embodiment above;
and a client device, connected to the cloud platform server and configured to use the security gateway to verify the trustworthiness of the user certificate in the Ukey in response to an original login request and, if the user certificate is trusted, to generate a client login request from the Ukey user certificate information of that certificate and the original login request and send the client login request to the cloud platform server.
Optionally, the system may further include:
a password service platform device, connected to the cloud platform server and configured to verify the signature on the data to be signature-verified in a key operation request sent by the cloud platform server and to return the verification result to the cloud platform server, where the data to be signature-verified comprises operation data and signature information;
correspondingly, the cloud platform server is further configured to acquire a key operation request; to verify the signature on the data to be signature-verified using the password service platform device; to execute the key operation request if the signature verification succeeds; and to reject the key operation request if the signature verification fails.
Optionally, the system further comprises:
a timestamp server, connected to the client device and configured to send the timestamp requested by the client device to the client device.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and for the parts they share the embodiments refer to one another. Because the device, the system and the cloud platform server disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is brief, and the relevant points can be found in the description of the method.
The method, device and system for accessing a cloud platform and the cloud platform server provided by the present invention have been described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to help in understanding the method and its core concepts. It should be noted that those skilled in the art may make various improvements and modifications to the present invention without departing from its principle, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (10)

1. An access method of a cloud platform, comprising:
acquiring, by a cloud platform server, a client login request, wherein the client login request comprises login verification information, and the login verification information comprises Ukey user certificate information and username and password information;
detecting whether the client login request is a target request, wherein a target request is a request sent by a security gateway;
and if so, verifying the client login request according to the login verification information.
2. The method according to claim 1, wherein verifying the client login request according to the login verification information comprises:
verifying whether the username and password information and the Ukey user certificate information match stored registered user information;
if so, determining that the user login corresponding to the client login request succeeded;
and if not, rejecting the client login request.
3. The method according to claim 1, wherein acquiring, by the cloud platform server, the client login request comprises:
acquiring, by the cloud platform server, the client login request sent by the security gateway over an encrypted channel.
4. The access method of the cloud platform according to any one of claims 1 to 3, further comprising:
acquiring a key operation request, wherein the key operation request comprises data to be signature-verified, the data to be signature-verified comprises operation data and signature information, the signature information comprises a signature value and a certificate public key corresponding to the operation data, and the operation data comprises at least one of an operation type, an operation resource id, an operation resource name, an operator id and a timestamp;
verifying the signature on the data to be signature-verified;
if the signature verification succeeds, executing the key operation request;
and if the signature verification fails, rejecting the key operation request.
5. The access method of the cloud platform according to claim 4, further comprising:
performing secondary signature verification on stored target data to be signature-verified according to an acquired operation verification request, wherein the target data to be signature-verified is the data to be signature-verified corresponding to the operation verification request;
and if the secondary signature verification succeeds, determining that the operation corresponding to the target data to be signature-verified cannot be repudiated;
wherein, correspondingly, executing the key operation request comprises:
storing the data to be signature-verified and executing the key operation request.
6. An access device for a cloud platform, applied to a cloud platform server, comprising:
a login acquisition module, configured to acquire a client login request, wherein the client login request comprises login verification information, and the login verification information comprises Ukey user certificate information and username and password information;
a request detection module, configured to detect whether the client login request is a target request, wherein a target request is a request sent by a security gateway;
and a login verification module, configured to verify the client login request according to the login verification information if the client login request is a target request.
7. A cloud platform server, comprising:
a memory for storing a computer program;
and a processor, configured to implement the steps of the access method for a cloud platform according to any one of claims 1 to 5 when executing the computer program.
8. An access system of a cloud platform, comprising:
the cloud platform server of claim 7;
and a client device, connected to the cloud platform server and configured to use a security gateway to verify the trustworthiness of the user certificate in the Ukey in response to an original login request and, if the user certificate is trusted, to generate a client login request from the Ukey user certificate information of that certificate and the original login request and send the client login request to the cloud platform server.
9. The cloud platform access system of claim 8, further comprising:
a password service platform device, connected to the cloud platform server and configured to verify the signature on the data to be signature-verified in a key operation request sent by the cloud platform server and to return the verification result to the cloud platform server, wherein the data to be signature-verified comprises operation data and signature information;
wherein, correspondingly, the cloud platform server is further configured to acquire the key operation request; to verify the signature on the data to be signature-verified using the password service platform device; to execute the key operation request if the signature verification succeeds; and to reject the key operation request if the signature verification fails.
10. The cloud platform access system of claim 8, further comprising:
a timestamp server, connected to the client device and configured to send the timestamp requested by the client device to the client device.
CN202110997963.3A 2021-08-27 2021-08-27 Cloud platform access method, device and system and cloud platform server Withdrawn CN113672888A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110997963.3A CN113672888A (en) 2021-08-27 2021-08-27 Cloud platform access method, device and system and cloud platform server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110997963.3A CN113672888A (en) 2021-08-27 2021-08-27 Cloud platform access method, device and system and cloud platform server

Publications (1)

Publication Number Publication Date
CN113672888A true CN113672888A (en) 2021-11-19

Family

ID=78547083

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110997963.3A Withdrawn CN113672888A (en) 2021-08-27 2021-08-27 Cloud platform access method, device and system and cloud platform server

Country Status (1)

Country Link
CN (1) CN113672888A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826746A (en) * 2022-04-28 2022-07-29 济南浪潮数据技术有限公司 Cloud platform identity authentication method, device and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20211119