CN115459925A - Cloud management platform two-factor identity authentication method and system based on national password Ukey - Google Patents


Info

Publication number: CN115459925A
Authority: CN (China)
Prior art keywords: ukey, management platform, cloud management, web client, password
Legal status: Pending
Application number: CN202211063410.1A
Other languages: Chinese (zh)
Inventors: 尹旦, 刘玲星, 唐卓, 刘晓
Current assignee: Changsha Zhengtong Cloud Calculating Co ltd; Shenzhen Zhengtong Cloud Computing Co ltd; Shenzhen Zhengtong Electronics Co Ltd
Original assignee: Changsha Zhengtong Cloud Calculating Co ltd; Shenzhen Zhengtong Cloud Computing Co ltd; Shenzhen Zhengtong Electronics Co Ltd
Application filed by Changsha Zhengtong Cloud Calculating Co ltd, Shenzhen Zhengtong Cloud Computing Co ltd and Shenzhen Zhengtong Electronics Co Ltd
Priority to CN202211063410.1A
Publication of CN115459925A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3234 involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
            • H04L9/3247 involving digital signatures
            • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
        • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols
            • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
            • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a cloud management platform two-factor identity authentication method and system based on a national password Ukey. The Ukey applies to a public CA platform for a digital certificate according to the identity information of the user, and an encrypted network transmission channel is established between the web client and the cloud management platform server. The web client sends the device ID and the Ukey password of the Ukey selected on the login interface of the cloud management platform to the cloud management platform server, and an SM2-based Ukey identity authentication and verification operation is carried out between the web client and the server. Finally, user name and password verification is carried out between the web client and the cloud management platform server. By adding national password Ukey authentication to the identity authentication of the cloud management platform, the method establishes a correspondence between the Ukey and a user name of the cloud management platform, enters the user name and password authentication stage automatically after the Ukey authentication is completed, effectively mitigates the problem that single account password authentication of a cloud management platform is easily broken, and raises the confidentiality level.

Description

Cloud management platform two-factor identity authentication method and system based on national password Ukey
Technical Field
The invention relates to the technical field of network security, in particular to a cloud management platform two-factor identity authentication method and system based on a national password Ukey (a USB key implementing the Chinese national commercial cryptographic algorithms, the SM series).
Background
With the continuous development and improvement of cloud computing technology, more and more enterprises adopt cloud management platforms to realize full life cycle management, operation and maintenance of computing, network and storage resources, so the security of these platforms is particularly important. A UKey (USB Key, electronic key) is an identity authentication device that connects directly to a computer through the USB (universal serial bus) interface and is widely used.
Most existing cloud management platforms adopt a single account password identity authentication mode, and key information such as passwords and accounts is encrypted and decrypted with foreign cryptographic algorithms such as RSA and DES.
However, this existing cloud management platform identity authentication method has some non-negligible drawbacks: firstly, single account password authentication is easily broken and cannot meet authentication scenarios with a higher confidentiality level; secondly, carrying out identity authentication and encrypted data transmission with foreign cryptographic algorithms such as RSA and DES is not beneficial to information security, so domestic substitution of software and hardware becomes a necessary way of guaranteeing information security.
Disclosure of Invention
Based on the above, the invention aims to provide a cloud management platform two-factor identity authentication method and system based on a national password Ukey, which effectively mitigate the problem that single account password authentication of a cloud management platform is easily broken and raise the confidentiality level.
In order to solve the technical problems, the invention adopts the following technical scheme:
the invention provides a cloud management platform two-factor identity authentication method based on a national password Ukey, which comprises the following steps:
step S110, the Ukey applies to a public CA platform for a digital certificate according to the identity information of the user, and an encrypted network transmission channel is established between the web client and the cloud management platform server; the identity information of the user comprises but is not limited to a user name and/or a mobile phone number, and the digital certificate comprises the identity information of the user, the device ID of the Ukey, the Ukey password and the public key used for SM2 signature verification;
step S120, the web client sends the Ukey device ID and the Ukey password corresponding to the Ukey to the cloud management platform server, and an SM2-based Ukey identity authentication and verification operation is carried out between the web client and the cloud management platform server;
step S130, the user name and the password are verified between the web client and the cloud management platform server.
In one embodiment, the method in step S110 specifically includes:
step S111, the Ukey applies to a public CA platform for a digital certificate according to the identity information provided by the user, the web client loads the digital certificate from the Ukey, and an SM4-based VPN encrypted transmission channel is established between the web client and a cryptographic service platform;
step S112, a VPN encrypted transmission channel is established between the web client and the cloud management platform; the cryptographic service platform and the cloud management platform are located in the same network area.
In one embodiment, before step S111, the method further includes:
step S113, creating a user name for the user and a password corresponding to the user name in the user system of the cloud management platform.
In one embodiment, loading the digital certificate from the Ukey by the web client in step S111 specifically includes:
installing a plug-in at the web client; after the Ukey is plugged into the web client through the USB interface, the web client loads and reads the digital certificate stored in the Ukey through the plug-in.
In one embodiment, the method of step S120 specifically includes:
step S121, the web client sends the Ukey device ID and the Ukey password corresponding to the Ukey selected by the user on the front-end login interface of the cloud management platform to the cloud management platform server, and requests a random number R from the cloud management platform server;
step S122, the cloud management platform server generates a random number R, and returns the random number R to the web client;
step S123, the web client calls an SM2 private key stored by the Ukey to sign the received random number R to obtain a signature value Svalue;
step S124, the web client acquires the digital certificate content from the Ukey;
step S125, the Ukey returns the digital certificate content to the web client;
step S126, the web client submits the random number R, the signature value Svalue and the digital certificate content to the cloud management platform server for signature verification, and it is checked whether the verification succeeds; if yes, go to step S127, otherwise go to step S129; specifically, the cloud management platform server calls the interface of the cryptographic service platform to verify the signature over the random number R, the signature value Svalue and the digital certificate content submitted by the web client;
step S127, after the cloud management platform server successfully verifies the random number R, the signature value Svalue and the digital certificate content, it generates a system certificate and returns it to the web client; specifically, after receiving the signature verification success message returned by the cryptographic service platform, the cloud management platform server generates a system certificate for the user and returns it to the web client;
step S128, the web client accesses the cloud management platform server using the system certificate, and the Ukey identity authentication succeeds;
step S129, the cloud management platform server fails to verify the random number R, the signature value Svalue and the digital certificate content, and the Ukey identity authentication fails.
In one embodiment, the method in step S130 specifically includes:
step S131, the web client acquires the user name field corresponding to one digital certificate in the Ukey;
step S132, the user inputs the password corresponding to the user name field;
step S133, the user name and the password are transmitted to the cloud management platform server through the VPN encrypted transmission channel for verification, and the verification result is acquired.
In one embodiment, before step S131, the method further includes:
step S131-1, searching the user system of the cloud management platform for the user name field corresponding to one digital certificate in the Ukey; if it exists, step S131 is executed, and if not, a verification result of verification failure is obtained directly and returned to the front-end login interface of the cloud management platform.
In one embodiment, the web client is a browser.
In one embodiment, the cryptographic service platform is a domestic cryptographic machine management service platform.
A cloud management platform two-factor identity authentication system based on a national password Ukey comprises an encrypted transmission channel establishing module, a Ukey identity authentication module and a user name and password verification module. The encrypted transmission channel establishing module is used for the Ukey to apply to the public CA platform for a digital certificate according to the identity information of the user and to establish an encrypted network transmission channel between the web client and the cloud management platform server; the identity information of the user comprises but is not limited to a user name and/or a mobile phone number, and the digital certificate comprises the identity information of the user, the device ID of the Ukey, the Ukey password and the public key used for SM2 signature verification;
the Ukey identity authentication module is used for the web client to send the Ukey device ID and the Ukey password corresponding to the Ukey to the cloud management platform server, and for the SM2-based Ukey identity authentication and verification operation between the web client and the cloud management platform server;
and the user name and password verification module is used for verifying the user name and the password between the web client and the cloud management platform server.
In summary, in the cloud management platform two-factor identity authentication method and system based on the national password Ukey provided by the invention, national password Ukey authentication is added to the cloud management platform identity authentication: the Ukey applies to the public CA platform for a digital certificate according to the identity information provided by the user, so that a correspondence between the Ukey and the user name of the cloud management platform is established and the user name and password authentication stage of the cloud management platform is entered automatically after the Ukey authentication is completed. This effectively mitigates the problem that single account password authentication of a cloud management platform is easily broken and raises the confidentiality level.
Drawings
Fig. 1 is a schematic flowchart of a cloud management platform two-factor identity authentication method based on a national password Ukey according to an embodiment of the present invention;
fig. 2 is a structural block diagram of a cloud management platform two-factor identity authentication system based on a national password Ukey according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating the Ukey authentication check according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a cloud management platform two-factor identity authentication method based on a national password Ukey according to an embodiment of the present invention, and as shown in fig. 1, the cloud management platform two-factor identity authentication method based on the national password Ukey specifically includes the following steps:
step S110, the Ukey applies to a public CA platform for a digital certificate according to the identity information of the user, an encrypted network transmission channel is established between the web client and the cloud management platform server, and all subsequent data between the web client and the cloud management platform server is transmitted over this encrypted channel. The identity information of the user comprises but is not limited to a user name and/or a mobile phone number, and the digital certificate comprises the identity information of the user, the device ID of the Ukey, the Ukey password, the public key used for SM2 signature verification, and the like; the digital certificate is the user's identity credential. The user name in the identity information is the same as the user name on the login interface of the cloud management platform server, which establishes the correspondence between the Ukey and the user name on that login interface; the web client is a browser. The login interface of the cloud management platform server is the login interface provided by the cloud management platform itself, which is a known technology and is not described again here.
One or more digital certificates can be applied for in the same Ukey according to one or more pieces of identity information provided by the user, so different users can log in from the web client with the same Ukey; login of different users is protected by the same Ukey, which saves cost. Specifically, when the same Ukey applies to the public CA platform for a digital certificate according to the identity information of a user, the certificate contains the identity information provided by the user and the corresponding user name; by providing different identity information, the user can apply for further certificates on the same Ukey, each digital certificate corresponds to one user name on the login interface of the cloud management platform server, and login of different user names is protected by the same Ukey, reducing the number of Ukeys required and saving cost.
The method of step S110 specifically includes:
step S111, the Ukey applies to a public CA platform for a digital certificate according to the identity information provided by the user, the web client loads the digital certificate from the Ukey, and an SM4-based VPN encrypted transmission channel is established between the web client and a cryptographic service platform; the cryptographic service platform is a domestic cryptographic machine management service platform that provides a uniform interface for data encryption and decryption, signing and signature verification, and the like, and supports domestic cryptographic algorithms such as SM2, SM3, SM4 and SM9;
step S112, a VPN encrypted transmission channel is established between the web client and the cloud management platform, and all data between the web client and the cloud management platform in subsequent operations is transmitted over this VPN encrypted transmission channel; the cryptographic service platform and the cloud management platform are located in the same network area and are isolated from the external internet, which effectively guarantees the security of information transmission.
In an embodiment, loading the digital certificate from the Ukey by the web client in step S111 specifically includes:
installing a plug-in at the web client; after the Ukey is plugged into the web client through the USB interface, the web client loads and reads the digital certificate stored in the Ukey through the plug-in. The plug-in is application software matched with the Ukey and is a known technology that is not described again here; once the Ukey has successfully applied to the public CA platform for the digital certificate, the certificate is stored in the Ukey.
In one embodiment, before step S111, the method further includes:
step S113, creating a user name for the user and a password corresponding to the user name in the user system of the cloud management platform. Specifically, before the Ukey applies to the public CA platform for a digital certificate, the user name and password that the user will enter on the login interface of the cloud management platform server need to be created in advance in the user system of the cloud management platform; the user name field corresponding to the digital certificate is then obtained on the login interface, which establishes the correspondence between the Ukey and the user name of the cloud management platform, so that the user name and password of the cloud management platform can be authenticated automatically after the Ukey authentication is completed.
Step S120, the web client sends the Ukey device ID and the Ukey password corresponding to the Ukey to the cloud management platform server, and an SM2-based Ukey identity authentication and verification operation is carried out between the web client and the cloud management platform server; specifically, the web client sends the Ukey device ID and the Ukey password corresponding to the Ukey selected on the front-end login interface of the cloud management platform to the cloud management platform server, and the SM2-based Ukey identity authentication and verification operation is performed between them.
The front-end login interface of the cloud management platform handles Ukey login and can be built by ordinary coding. On it, a user logs in with the Ukey device ID and the Ukey password, and the user name field corresponding to a digital certificate in the Ukey is obtained. The web client sends the Ukey device ID and the Ukey password corresponding to the Ukey selected on the front-end login interface to the cloud management platform server, which establishes the correspondence between the Ukey and the user name on the login interface of the cloud management platform server and guarantees that the user name and password authentication stage of the cloud management platform is entered automatically after the SM2-based Ukey identity authentication is completed.
As shown in fig. 3, the specific operations of the method in step S120 include:
step S121, the web client sends the Ukey device ID and the Ukey password corresponding to the Ukey selected by the user on the front-end login interface of the cloud management platform to the cloud management platform server, and requests a random number R from the cloud management platform server; in this embodiment, the same web client supports identifying several Ukeys at the same time: the device IDs (uid) of all Ukeys plugged in through the USB interface can be displayed on the login interface of the cloud management platform simultaneously, the user selects one Ukey device ID, and the password corresponding to that Ukey device ID is input for verification;
step S122, the cloud management platform server generates a random number R, and returns the random number R to the web client;
step S123, the web client calls an SM2 private key stored by the Ukey to sign the received random number R to obtain a signature value Svalue;
step S124, the web client acquires the digital certificate content from the Ukey;
step S125, the Ukey returns the digital certificate content to the web client;
step S126, the web client submits the random number R, the signature value Svalue and the digital certificate content to the cloud management platform server for signature verification, and it is checked whether the verification succeeds; if yes, go to step S127, otherwise go to step S129; specifically, the cloud management platform server calls the interface of the cryptographic service platform to verify the signature over the random number R, the signature value Svalue and the digital certificate content submitted by the web client;
step S127, after the cloud management platform server successfully verifies the random number R, the signature value Svalue and the digital certificate content, it generates a system certificate and returns it to the web client; specifically, after receiving the signature verification success message returned by the cryptographic service platform, the cloud management platform server generates a system certificate for the user and returns it to the web client;
step S128, the web client accesses the cloud management platform server using the system certificate, and the Ukey identity authentication succeeds;
step S129, the cloud management platform server fails to verify the random number R, the signature value Svalue and the digital certificate content, and the Ukey identity authentication fails.
Step S130, user name and password verification is conducted between the web client and the cloud management platform server; if the user name and the password pass verification, the two-factor identity authentication is passed, which achieves cloud management platform two-factor identity authentication based on the national password Ukey, effectively mitigates the problem that single account password authentication of a cloud management platform is easily broken, and raises the confidentiality level.
The method of step S130 specifically includes:
s131, the web client acquires a user name field corresponding to one digital certificate in the Ukey; when the Ukey and the user name are in a one-to-many relationship, after the identity authentication of the Ukey is successful, the user can select different digital certificates to log in corresponding to different user names on the cloud management platform, and the same Ukey is used for realizing the encryption protection of the login of different user names, so that the demand of the Ukey is reduced, and the use cost is effectively saved;
step S132, inputting a password corresponding to the user name field by the user;
step S133, transmitting the user name and the password to a cloud management platform server through a VPN encryption transmission channel for verification, and acquiring a verification result; if the verification is passed, the two-factor identity authentication is passed, so that a cloud management platform two-factor identity authentication effect based on the national password Ukey is realized, the problem that the identity authentication of a single account number password of the cloud management platform is easy to break is effectively solved, and the confidentiality grade is improved; and if the verification fails, returning to the front-end login interface of the cloud management platform.
In one embodiment, before step S131, the method further includes:
step S131-1, searching the user system of the cloud management platform for the user name field corresponding to one digital certificate in the Ukey; if it exists, step S131 is executed, and if not, a verification result of verification failure is obtained directly and returned to the front-end login interface of the cloud management platform.
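The Ukey challenge-response of steps S121 to S129 (also listed under the Disclosure of the Invention) and the user-name lookup of step S131-1, modelled end to end in Python as an added example that is not the patent's code; it also makes explicit two server-side checks the steps leave implicit, namely that R must be the nonce the server issued and is consumed on first use, and that the certificate must bear a valid CA signature before its public key is trusted. Assumptions: the digital certificate is a signed dict standing in for X.509, the server verifies signatures itself instead of calling the cryptographic service platform, SM2 is implemented over sm2p256v1 without the Z_A identity pre-hash, and SM3 is used when the local OpenSSL provides it (SHA-256 stands in otherwise).

```python
"""Ukey challenge-response login of steps S121-S129: an added illustration, not the patent's code.
Assumptions: the certificate is a dict signed by the CA's SM2 key (stand-in for X.509); SM2 follows
GB/T 32918.2 without the Z_A identity pre-hash; SM3 is used when the local OpenSSL has it, else SHA-256."""
import hashlib, json, secrets

# sm2p256v1 domain parameters (GB/T 32918.5-2017)
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A, B = P - 3, 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication (not constant-time; illustration only)
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _hash(data):
    name = "sm3" if "sm3" in hashlib.algorithms_available else "sha256"  # SM3 when OpenSSL has it
    return int.from_bytes(hashlib.new(name, data).digest(), "big")

def keygen():
    d = secrets.randbelow(N - 2) + 1
    return d, _mul(d, G)

def sm2_sign(d, msg):
    """SM2: r = (e + x1) mod n, s = (1 + d)^-1 * (k - r*d) mod n."""
    e = _hash(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = (e + _mul(k, G)[0]) % N
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if r and r + k != N and s:
            return r, s

def sm2_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N) or (r + s) % N == 0:
        return False
    pt = _add(_mul(s, G), _mul((r + s) % N, pub))
    return pt is not None and (_hash(msg) + pt[0]) % N == r

def _cert_raw(cert):  # canonical bytes of the certificate body, i.e. everything but the CA signature
    return json.dumps({k: v for k, v in cert.items() if k != "ca_sig"}, sort_keys=True).encode()

class CloudPlatformServer:
    def __init__(self, ca_pub, user_system):
        self.ca_pub, self.user_system = ca_pub, user_system  # user names created in step S113
        self.pending = {}                                    # uid -> outstanding nonce R
    def issue_challenge(self, uid):                          # S121/S122
        self.pending[uid] = r = secrets.token_bytes(32)
        return r
    def verify_ukey(self, uid, r, svalue, cert):             # S126-S129
        # R must be the nonce issued to this uid; it is consumed here, so a captured (R, Svalue) cannot be replayed
        if self.pending.pop(uid, None) != r:
            return None
        # the certificate must carry a valid CA signature and name this Ukey
        if cert.get("uid") != uid or not sm2_verify(self.ca_pub, _cert_raw(cert), tuple(cert["ca_sig"])):
            return None
        if not sm2_verify(tuple(cert["pub"]), r, svalue):   # Svalue is the Ukey's SM2 signature over R
            return None
        if cert["user"] not in self.user_system:             # S131-1
            return None
        return {"user": cert["user"], "token": secrets.token_hex(16)}  # system certificate (S127)

def ukey_login(server, uid, ukey_priv, cert):
    """Web client: request R (S121), sign it with the Ukey's SM2 key (S123), submit (S126)."""
    r = server.issue_challenge(uid)
    return server.verify_ukey(uid, r, sm2_sign(ukey_priv, r), cert)

def demo():  # constructed scenario: one CA, one Ukey holding a certificate for user "alice"
    ca_priv, ca_pub = keygen()
    d, pub = keygen()                                        # key pair generated inside the Ukey
    cert = {"user": "alice", "uid": "uid-0001", "pub": list(pub)}
    cert["ca_sig"] = list(sm2_sign(ca_priv, _cert_raw(cert)))  # public CA platform signs it (S110)
    server = CloudPlatformServer(ca_pub, {"alice"})
    r = server.issue_challenge("uid-0001")
    svalue = sm2_sign(d, r)
    first = server.verify_ukey("uid-0001", r, svalue, cert)
    replay = server.verify_ukey("uid-0001", r, svalue, cert)   # same (R, Svalue) submitted again
    wrong_key = ukey_login(server, "uid-0001", keygen()[0], cert)
    forged = ukey_login(server, "uid-0001", d, dict(cert, user="admin"))  # edit breaks the CA signature
    return first is not None, replay is None, wrong_key is None, forged is None
```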
In the cloud management platform two-factor identity authentication method based on the national password Ukey, national password Ukey authentication is added to the cloud management platform identity authentication: the Ukey applies to a public CA platform for a digital certificate according to the identity information provided by the user, a correspondence between the Ukey and a user name of the cloud management platform is established, and the user name and password authentication stage of the cloud management platform is entered automatically after the Ukey authentication is completed. This effectively mitigates the problem that single account password authentication of a cloud management platform is easily broken and raises the confidentiality level; in addition, the invention replaces foreign cryptography with domestic algorithms, which is more beneficial to information security.
Fig. 2 is a structural block diagram of the cloud management platform two-factor identity authentication system based on a national password Ukey provided by the present invention. As shown in fig. 2, the present invention also provides a cloud management platform two-factor identity authentication system based on a national password Ukey, which includes modules for executing the cloud management platform two-factor identity authentication method described above. By adding national password Ukey authentication to the cloud management platform identity authentication, the system applies to a public CA platform for a digital certificate according to the identity information provided by the user, establishes a correspondence between the Ukey and a user name of the cloud management platform, ensures that the user name and password authentication stage of the cloud management platform is entered automatically after the Ukey authentication is completed, effectively mitigates the problem that single account password authentication of the cloud management platform is easily broken, and raises the security level of the cloud management platform.
Specifically, referring to fig. 2, the cloud management platform two-factor identity authentication system based on the national password Ukey includes an encrypted transmission channel establishing module 100, a Ukey identity authentication module 200, and a user name and password verification module 300.
The encrypted transmission channel establishing module 100 is used by the Ukey to apply for a digital certificate from the public CA platform according to the identity information of the user, and to establish an encrypted network transmission channel between the web client and the cloud management platform server; the identity information of the user comprises, but is not limited to, a user name, a user name and/or a mobile phone number, and the digital certificate comprises the identity information of the user, an equipment ID of the Ukey, a Ukey password, and public key information for signature verification using SM2;
the Ukey identity authentication module 200 is used by the web client to send the Ukey equipment ID and the Ukey password corresponding to the Ukey to the cloud management platform server, and to carry out the SM2-based Ukey identity authentication and verification operation between the web client and the cloud management platform server;
and the user name and password verification module 300 is used for verifying the user name and the password between the web client and the cloud management platform server.
In an embodiment, the encrypted transmission channel establishing module 100 is specifically configured to perform the following steps:
step S113, a user name of a user and a password corresponding to the user name are created in a user system of the cloud management platform;
step S111, the Ukey applies for a digital certificate from a public CA platform according to the identity information provided by the user, the web client loads the digital certificate in the Ukey, and an SM4-based VPN encrypted transmission channel is established between the web client and a password service platform;
and S112, establishing a VPN encryption transmission channel between the web client and the cloud management platform.
In an embodiment, the Ukey identity authentication module 200 is specifically configured to perform the following steps:
step S121, a web client sends a Ukey equipment ID and a Ukey password corresponding to the Ukey selected by a user on a login interface at the front end of the cloud management platform to a cloud management platform server, and the web client applies for a random number R to the cloud management platform server;
step S122, the cloud management platform server generates a random number R, and returns the random number R to the web client;
step S123, the web client calls an SM2 private key stored by the Ukey to sign the received random number R to obtain a signature value Svalue;
step S124, the web client acquires the digital certificate content from the Ukey;
step S125, the Ukey returns the digital certificate content to the web client;
step S126, the web client submits the random number R, the signature value Svalue and the digital certificate content to the cloud management platform server side for signature verification, and the server verifies whether the signature verification of the random number R, the signature value Svalue and the digital certificate content succeeds; if yes, go to step S127, otherwise go to step S129;
step S127, after the cloud management platform server side successfully verifies the random number R, the signature value Svalue and the digital certificate content, it generates a system certificate and returns the system certificate to the web client side;
step S128, the web client accesses the cloud management platform server using the system certificate, and the Ukey identity authentication is successful;
step S129, the cloud management platform server side fails to verify the random number R, the signature value Svalue and the digital certificate content, and the Ukey identity authentication fails.
In an embodiment, the username-password verification module 300 is specifically configured to perform the following steps:
step S131, the web client acquires the user name field corresponding to the digital certificate in the Ukey;
step S132, the user inputs the password corresponding to the user name field;
and step S133, the user name and the password are transmitted to the cloud management platform server through the VPN encrypted transmission channel for verification, and the verification result is obtained.
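As an added example (not part of the patent or of any implementation of it), the following Go program walks through the server side of the Ukey challenge-response of steps S121 to S129 and the user name binding and password check of steps S131-1 to S133. ECDSA over P-256 from the Go standard library stands in for the SM2 signature, the certificate structure, user system, device IDs and session credential are constructed stand-ins, and CA chain validation (which the patent delegates to the password service platform) is left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)
// UkeyCert is a constructed stand-in for the Ukey's digital certificate (only the fields this
// flow needs); a real server validates the CA chain before trusting PubKey.
type UkeyCert struct {
	UserName string           // user name field looked up in the user system (S131-1)
	DeviceID string           // Ukey equipment ID
	PubKey   *ecdsa.PublicKey // SM2 public key in the patent; ECDSA P-256 stands in here
}
// Ukey simulates the token: the private key never leaves it, only signatures do.
type Ukey struct {
	Cert UkeyCert
	priv *ecdsa.PrivateKey
}
func NewUkey(user, device string) *Ukey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Ukey{Cert: UkeyCert{user, device, &k.PublicKey}, priv: k}
}
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
// Sign is step S123: the Ukey signs the server's random number R, giving Svalue.
func (u *Ukey) Sign(r []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, u.priv, digest(r))
	return sig
}
// Server models the cloud management platform server side.
type Server struct {
	users    map[string][]byte // user system (S113): user name -> password hash
	pending  map[string][]byte // outstanding challenge R per device ID, single use
	sessions map[string]string // system credential (S127) -> bound user name
}
func NewServer() *Server { return &Server{map[string][]byte{}, map[string][]byte{}, map[string]string{}} }
// AddUser is step S113; sha256 stands in for a proper password hash such as Argon2.
func (s *Server) AddUser(name, pw string) { s.users[name] = digest([]byte(pw)) }
// Challenge is step S122: a fresh random R, remembered for this device ID only.
func (s *Server) Challenge(deviceID string) []byte {
	s.pending[deviceID] = randBytes(32)
	return s.pending[deviceID]
}
// VerifyUkey is steps S126/S127/S129 plus the S131-1 user name existence check.
func (s *Server) VerifyUkey(r, sig []byte, cert UkeyCert) (string, error) {
	want, ok := s.pending[cert.DeviceID]
	delete(s.pending, cert.DeviceID) // R is single use, so a replayed (R, Svalue) fails
	if !ok || subtle.ConstantTimeCompare(want, r) != 1 {
		return "", errors.New("S129: unknown or reused challenge")
	}
	if !ecdsa.VerifyASN1(cert.PubKey, digest(r), sig) {
		return "", errors.New("S129: signature verification failed")
	}
	if _, known := s.users[cert.UserName]; !known {
		return "", errors.New("S131-1: certificate user name not in user system")
	}
	tok := hex.EncodeToString(randBytes(16))
	s.sessions[tok] = cert.UserName // S127: system credential bound to the certificate's user
	return tok, nil
}
// VerifyPassword is step S133: the second factor is checked for the user bound at S127.
func (s *Server) VerifyPassword(token, user, pw string) bool {
	if bound, ok := s.sessions[token]; !ok || bound != user {
		return false
	}
	return subtle.ConstantTimeCompare(digest([]byte(pw)), s.users[user]) == 1
}
```

Because the credential issued at S127 is bound to the user name carried in the certificate, the password at S133 can only be checked for that user, which is the correspondence between Ukey and user name the patent describes.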
In conclusion, according to the cloud management platform two-factor identity authentication method and system based on the national password Ukey disclosed by the invention, an identity authentication mode based on the national password Ukey is added to the cloud management platform identity authentication: the Ukey applies for a digital certificate from a public CA platform according to the identity information provided by the user, so that a correspondence between the Ukey and the user name of the cloud management platform is established, and after the Ukey authentication is completed the flow automatically enters the user name and password authentication stage of the cloud management platform. This effectively solves the problem that identity authentication by a single account password of the cloud management platform is easy to break, and improves the confidentiality level; in addition, the invention realizes domestic substitution of the cryptography and is more beneficial to information security.
Those of ordinary skill in the art will appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. For example, the system embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated in another system or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
The above examples are merely illustrative of several embodiments of the present invention, and the description thereof is more specific and detailed, but not to be construed as limiting the scope of the invention. It should be noted that various changes and modifications can be made by those skilled in the art without departing from the spirit of the invention, and these changes and modifications are all within the scope of the invention. Therefore, the protection scope of the present invention should be subject to the appended claims.

Claims (10)

1. A cloud management platform two-factor identity authentication method based on a national password Ukey is characterized by comprising the following steps:
step S110, the Ukey applies for a digital certificate from a public CA platform according to the identity information of the user, and an encrypted network transmission channel is established between the web client and the cloud management platform server; the identity information of the user comprises, but is not limited to, a user name, a user name and/or a mobile phone number, and the digital certificate comprises the identity information of the user, an equipment ID of the Ukey, a Ukey password, and public key information for signature verification using SM2;
step S120, the web client sends the Ukey equipment ID and the Ukey password corresponding to the Ukey to the cloud management platform server, and the SM2-based Ukey identity authentication and verification operation is carried out between the web client and the cloud management platform server;
and S130, verifying the user name and the password between the web client and the cloud management platform server.
2. The cloud management platform two-factor identity authentication method based on the national password Ukey according to claim 1, wherein the method of step S110 specifically comprises:
step S111, the Ukey applies for a digital certificate from a public CA platform according to the identity information provided by the user, the web client loads the digital certificate in the Ukey, and an SM4-based VPN encrypted transmission channel is established between the web client and a password service platform;
step S112, establishing a VPN encryption transmission channel between the web client and the cloud management platform; the password service platform and the cloud management platform are located in the same network area.
3. The cloud management platform two-factor identity authentication method based on the national password Ukey according to claim 2, wherein before step S111 the method further comprises:
step S113, creating a user name of the user and a password corresponding to the user name in a user system of the cloud management platform.
4. The cloud management platform two-factor identity authentication method based on the national password Ukey according to claim 2, wherein the method for the web client to load the digital certificate in the Ukey in step S111 specifically comprises:
installing a plug-in at the web client, and, after the Ukey is plugged into the web client through a USB interface, the web client loading and reading the digital certificate stored in the Ukey through the plug-in.
5. The cloud management platform two-factor identity authentication method based on the national password Ukey according to claim 1 or 2, wherein the method of step S120 specifically comprises the following operations:
step S121, a web client sends a Ukey equipment ID and a Ukey password corresponding to a Ukey selected by a user on a front-end login interface of a cloud management platform to a cloud management platform server, and the web client applies for a random number R to the cloud management platform server;
step S122, the cloud management platform server generates a random number R, and returns the random number R to the web client;
step S123, the web client calls an SM2 private key stored by the Ukey to sign the received random number R to obtain a signature value Svalue;
step S124, the web client acquires the digital certificate content from the Ukey;
step S125, the Ukey returns the digital certificate content to the web client;
step S126, the web client submits the random number R, the signature value Svalue and the digital certificate content to the cloud management platform server side for signature verification, and the server verifies whether the signature verification of the random number R, the signature value Svalue and the digital certificate content succeeds; if yes, go to step S127, otherwise go to step S129; specifically, the cloud management platform server calls a password service platform interface to perform signature verification processing on the random number R, the signature value Svalue and the digital certificate content submitted by the web client;
step S127, after the cloud management platform server side verifies the random number R, the signature value Svalue and the digital certificate content successfully, generating a system certificate, and returning the system certificate to the web client side; after receiving the signature verification success message returned by the password service platform, the cloud management platform server generates a system certificate for the user and returns the system certificate to the web client;
step S128, the web client accesses the cloud management platform server side using the system certificate, and the Ukey identity authentication is successful;
step S129, the cloud management platform server side fails to verify the random number R, the signature value Svalue and the digital certificate content, and the Ukey identity authentication fails.
6. The cloud management platform two-factor identity authentication method based on the national password Ukey as claimed in claim 1 or 2, wherein the method of step S130 specifically comprises:
step S131, the web client acquires the user name field corresponding to the digital certificate in the Ukey;
step S132, the user inputs the password corresponding to the user name field;
and S133, transmitting the user name and the password to a cloud management platform server through a VPN encryption transmission channel for verification, and acquiring a verification result.
7. The cloud management platform two-factor identity authentication method based on the national password Ukey according to claim 6, wherein before step S131 the method further comprises:
step S131-1, checking whether the user name field corresponding to the digital certificate in the Ukey exists in the user system of the cloud management platform; if yes, step S131 is executed; if not, a verification result of verification failure is obtained directly and the flow returns to the cloud management platform front-end login interface.
8. The cloud management platform two-factor identity authentication method based on the national password Ukey as claimed in claim 1 or 2, wherein the web client is a browser.
9. The cloud management platform two-factor identity authentication method based on the national password Ukey as claimed in claim 1 or 2, wherein the password service platform is a domestic password machine management service platform.
10. A cloud management platform two-factor identity authentication system based on a national password Ukey, characterized by comprising:
an encrypted transmission channel establishing module, used by the Ukey to apply for a digital certificate from the public CA platform according to the identity information of the user and to establish an encrypted network transmission channel between the web client and the cloud management platform server; the identity information of the user comprises, but is not limited to, a user name, a user name and/or a mobile phone number, and the digital certificate comprises the identity information of the user, an equipment ID of the Ukey, a Ukey password, and public key information for signature verification using SM2;
a Ukey identity authentication module, used by the web client to send the Ukey equipment ID and the Ukey password corresponding to the Ukey to the cloud management platform server and to carry out the SM2-based Ukey identity authentication and verification operation between the web client and the cloud management platform server;
and the user name and password verification module is used for verifying the user name and the password between the web client and the cloud management platform server.
CN202211063410.1A 2022-09-01 2022-09-01 Cloud management platform two-factor identity authentication method and system based on national password Ukey Pending CN115459925A (en)

Publications (1)

Publication Number Publication Date
CN115459925A true CN115459925A (en) 2022-12-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination