CN116933334B - Calculation element authentication method and device based on data operation project - Google Patents
Calculation element authentication method and device based on data operation project Download PDFInfo
- Publication number
- CN116933334B CN116933334B CN202311206352.8A CN202311206352A CN116933334B CN 116933334 B CN116933334 B CN 116933334B CN 202311206352 A CN202311206352 A CN 202311206352A CN 116933334 B CN116933334 B CN 116933334B
- Authority
- CN
- China
- Prior art keywords
- computing element
- task
- computing
- certificate
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 65
- 238000004364 calculation method Methods 0.000 title claims description 39
- 230000003993 interaction Effects 0.000 claims abstract description 9
- 238000004422 calculation algorithm Methods 0.000 claims description 74
- 238000012795 verification Methods 0.000 claims description 17
- 230000005540 biological transmission Effects 0.000 claims description 16
- 238000010276 construction Methods 0.000 claims description 16
- 230000006855 networking Effects 0.000 claims description 5
- 238000010586 diagram Methods 0.000 description 12
- 230000008569 process Effects 0.000 description 8
- 238000004590 computer program Methods 0.000 description 7
- 238000012545 processing Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 5
- 238000004891 communication Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000002035 prolonged effect Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000003252 repetitive effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
- G06Q10/103—Workflow collaboration or project management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Strategic Management (AREA)
- Human Resources & Organizations (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Entrepreneurship & Innovation (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Data Mining & Analysis (AREA)
- General Health & Medical Sciences (AREA)
- Economics (AREA)
- Marketing (AREA)
- Operations Research (AREA)
- Quality & Reliability (AREA)
- Tourism & Hospitality (AREA)
- General Business, Economics & Management (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The embodiment of the invention relates to a method and a device for authenticating computing elements based on a data operation project, wherein the method comprises the following steps: receiving an identity certificate signature request file sent by a computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signature request file; and receiving a task certificate signing request file sent by a task-related computing element instance node, and sending a task certificate to the computing element instance node after authenticating according to the task certificate signing request file. According to the technical scheme provided by the embodiment of the invention, the computing elements involved in the data operation project form the computing element example to carry out integral authentication, and the authentication certificate is effective in the whole project execution period, so that a server of the supervision system can realize supervision on related computing elements in the whole project execution device, and the reliability of authentication and the safety of data interaction are improved.
Description
Technical Field
The embodiment of the invention relates to the technical field of authentication of data calculation, in particular to a calculation element authentication method and device based on a data operation project.
Background
In the existing authentication scheme of the supervisory system, the supervised service only completes identity registration from the supervisory system, and can communicate with other supervised services at will (communication without time limitation and times) after obtaining a long-term authorization certificate. There are significant problems in this approach: the supervisory system cannot control the detailed calculation process after distributing the certificates.
Disclosure of Invention
Based on the above situation in the prior art, an object of an embodiment of the present invention is to provide a method and an apparatus for authenticating a computing element based on a data operation item, which are capable of integrally authenticating computing elements related to the data operation item by forming a computing element instance, thereby improving reliability of authentication and security of data.
To achieve the above object, according to one aspect of the present invention, there is provided an item-based computing element authentication method applied to a supervision server, the method comprising:
receiving an identity certificate signature request file sent by a computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signature request file;
and receiving a task certificate signing request file sent by a computing element instance node related to a task, and sending a task certificate to the computing element instance node after authentication is carried out according to the task certificate signing request file, so that each computing element instance node carries out data transmission and/or data calculation after authentication is carried out between the computing element instance node and a supervision server or other computing element instance nodes according to the task certificate during execution of the task.
Further, the method further comprises:
forming a project element set according to a preset project, wherein the project element set comprises a plurality of computing element examples which can be called according to the project;
and sending building instructions to the computing element providers related to the computing element instances, so that each computing element provider builds the computing element instances in the project element set according to the building instructions to form computing element instance nodes.
Further, the method further comprises: acquiring task information of a task in the project, selecting one or more computing element examples according to the task information, constructing a task computing framework, and sending a notification instruction to the selected computing element example nodes, wherein the selected computing element example nodes are computing element example nodes related to the task; the task computing framework comprises the selected computing element examples and the task information;
and storing the working states of all computing element examples in the project element set in a computing element example list, wherein the working states at least comprise the current task and the predicted completion time of the current task.
Further, sending a construction instruction to the computing element providers related to the plurality of computing element instances, so that each computing element provider constructs a computing element instance in the project element set according to the construction instruction, including:
Determining a corresponding relation between a computing element and each computing element involved in a computing element instance, wherein the computing element comprises hardware, a platform and an algorithm or hardware, a platform and data;
and deploying the algorithm or the data to a corresponding platform, and deploying the platform with the deployed algorithm or data to corresponding hardware.
Further, deploying the algorithm or the data to a corresponding platform, and deploying the platform with the deployed algorithm or data to corresponding hardware includes:
sending the hash value of the corresponding platform and the hash value of the corresponding algorithm or data to the hardware;
sending a hash value of corresponding hardware to the platform;
sending the hash value of the corresponding hardware and the hash value of the corresponding platform to the algorithm or the data;
such that the hardware, platform and algorithm, or hardware, platform and data, are verified by hash values and a connection is established to build the computing element instance.
Further, the method further comprises: and after the computing element instance nodes are authenticated according to the identity certificate signature request file, combining according to the computing element instance nodes after identity authentication to form a plurality of safe computing spaces.
Further, the identity certificate signature request file of the computing element instance node comprises hash values of computing elements forming the algorithm element instance, wherein the computing elements are hardware, a platform, an algorithm or data; authenticating according to the identity certificate signature request file comprises the following steps:
extracting a hash value of a computing element in the identity certificate signature request file;
comparing the hash value of the computing element with a locally registered and stored computing element hash table and a blacklist to obtain a comparison result, wherein the computing element hash table comprises at least one of a hardware hash table, a platform hash table, an algorithm instance hash table and a data instance hash table;
and if the comparison result meets the requirement, sending the signed identity certificate to the computing element instance node.
Further, the step of authenticating according to the task certificate signature request file includes:
receiving an identity certificate sent by a computing element instance node;
performing identity verification according to the identity certificate of the computing element example;
and if the identity verification is passed, sending a signed task certificate to the computing element instance node.
According to a second aspect of the present invention, there is provided an item-based computational element authentication method applied to a computational element instance node, the method comprising:
Sending an identity certificate signing request file to a supervision server to acquire an identity certificate from the supervision server;
receiving a notification instruction sent by a supervision server, wherein the notification instruction indicates a role of the computing element instance in a task, networking rules related to the task, an encryption mode of intermediate data and result data and estimated time of interaction with other computing element instances;
and sending a task certificate signing request file to the supervision server to acquire a task certificate from the supervision server, and carrying out data transmission and/or data calculation after authenticating with the supervision server or other calculation element instance nodes according to the task certificate during the task execution.
Further, the method further comprises:
and encrypting and/or decrypting the instruction and related information issued by the supervision server according to the key carried by the task certificate, and encrypting and/or decrypting related data of other computing element instance nodes.
According to a third aspect of the present invention, there is provided an item-based computing element authentication apparatus applied to a supervision server, the apparatus comprising:
the identity certificate issuing module is used for receiving an identity certificate signing request file sent by the computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signing request file;
The task certificate issuing module is used for receiving a task certificate signing request file sent by a task related computing element instance node, and sending a task certificate to the computing element instance node after authentication is carried out according to the task certificate signing request file, so that each computing element instance node carries out data transmission and/or data calculation after authentication is carried out between the task certificate and a supervision server or other computing element instance nodes during execution of the task.
In summary, the embodiment of the invention provides a method and a device for authenticating computing elements based on a data operation project, wherein the method comprises the following steps: receiving an identity certificate signature request file sent by a computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signature request file; and receiving a task certificate signing request file sent by a computing element instance node related to a task, and sending a task certificate to the computing element instance node after authentication is carried out according to the task certificate signing request file, so that each computing element instance node carries out data transmission and/or data calculation after authentication is carried out between the computing element instance node and a supervision server or other computing element instance nodes according to the task certificate during execution of the task. According to the technical scheme provided by the embodiment of the invention, the computing elements involved in the data operation project form the computing element example to carry out integral authentication, and the authentication certificate is effective in the whole project execution period, so that a server of the supervision system can realize supervision on related computing elements in the whole project execution device, and the reliability of authentication and the safety of data interaction are improved.
Drawings
FIG. 1 is a flow chart of a method for computing element authentication according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the relationship between the factors involved in an embodiment of the present invention;
FIG. 3 is a schematic diagram of the implementation of an example of a technical element in an embodiment of the present invention;
FIG. 4 is a schematic diagram of an example algorithm element construction process;
FIG. 5 is a schematic diagram of a process by which a supervisory server issues task certificates to compute element instance nodes;
FIG. 6 is a flowchart of a method for computing element authentication according to another embodiment of the present invention;
FIG. 7 is a schematic diagram of a computing element instance node acquiring an identity certificate from an identity certificate signing request file;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The objects, technical solutions and advantages of the present invention will become more apparent by the following detailed description of the present invention with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the invention. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present invention.
It is to be noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present invention should be taken in a general sense as understood by one of ordinary skill in the art to which the present invention belongs. The use of the terms "first," "second," and the like in one or more embodiments of the present invention does not denote any order, quantity, or importance, but rather the terms "first," "second," and the like are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect.
The technical scheme of the invention is described in detail below with reference to the accompanying drawings. The embodiment of the invention provides a computing element authentication method based on items, which is applied to a supervision server, and a flow chart of the computing element authentication method is shown in fig. 1, and the method comprises the following steps:
s202, receiving an identity certificate signing request file sent by a computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signing request file.
S204, receiving a task certificate signing request file sent by a computing element instance node related to a task, and after authentication is carried out according to the task certificate signing request file, sending a task certificate to the computing element instance node, so that each computing element instance node carries out data transmission and/or data calculation after authentication is carried out between the computing element instance node and a supervision server or other computing element instance nodes according to the task certificate during execution of the task.
According to the method for authenticating the computing element, for example, based on the computing element authentication of the data operation project, firstly, the computing element instance node sends an identity certificate signing request file to the supervision server to obtain an identity certificate, and then the computing element instance node sends a task certificate signing request file to the supervision server to obtain a task certificate. The identity certificate is issued by the supervision server, defines the identity of the computing element instance, takes effect in the scope of one project and is used for proving the identity to the supervision server; the task certificate is a certificate issued by the supervision server and validated in a certain computing task for mutually proving identity between computing element instances. The identity certificate signature request file of the computing element example node comprises hash values of computing elements forming the algorithm element example, wherein the computing elements are hardware, a platform, an algorithm or data. In the step S202, identity authentication may be performed based on the hash value of each computing element, including the following steps:
S2021, extracting a hash value of a computing element in the identity certificate signature request file; the computing element instance nodes comprise algorithm element instance nodes and data element instance nodes, and the hash value of the algorithm element instance comprises the hash value of an algorithm, a platform carrying the algorithm and the hash value of hardware; the hash value of the data element instance includes the hash value of the data, the hash value of the platform and hardware on which the data is mounted. And verifying the platform hash table, the hardware hash table, the algorithm component hash table/data hash table and the blacklist registered and stored at the monitoring server according to the extracted hash value, and if the platform hash exists, the hardware hash exists, the algorithm component/data hash exists and is not in the blacklist, issuing the identity certificate of the computing element instance. The method comprises the following steps: and generating a certificate signing request based on the private key, sending the certificate signing request to the supervision server, digitally signing the certificate by the supervision server, returning a signature certificate, and storing the signature certificate in the computing element instance node. The identity certificate content includes: a hardware number, a platform model number, a version number, an algorithm/data name, an algorithm component version number, a dataset size, dataset metadata, an element unique identifier (hardware, platform, algorithm/data), an expiration time, and an item number, etc.
S2022, comparing the hash value of the computing element with a locally registered and stored computing element hash table and a blacklist to obtain a comparison result, wherein the computing element hash table comprises at least one of a hardware hash table, a platform hash table, an algorithm instance hash table and a data instance hash table;
s2023, if the comparison result meets the requirement, sending the signed identity certificate to the computing element instance node.
In the step S204, before issuing the task certificate, identity verification is performed according to the identity certificate of the computing element instance node, if the identity verification is passed, the signed task certificate is sent to the computing element instance node, so that each computing element instance node obtaining the task certificate can perform data transmission and/or data calculation after authentication according to the task certificate and the supervision server or other computing element instance nodes during execution of the task.
According to certain alternative embodiments, the method further comprises: and after the computing element instance nodes are authenticated according to the identity certificate signature request file, combining according to the computing element instance nodes after identity authentication to form a plurality of safe computing spaces. The secure computation space may be formed from various node features including privacy computation policies, participating node amounts, data sources, and computing capabilities. The secure computation space can be formed according to different privacy computation policies, for example, computation element instance nodes with computation policies of federal learning form the secure computation space, and computation element instance nodes with computation policies of multiparty secure computation form the secure computation space; the safe calculation space can be formed according to different node amounts, for example, the safe calculation space is formed by calculating element example nodes of which the number of the corresponding federal learning participation nodes is 10, and the safe calculation space is formed by calculating element example nodes of which the number of the corresponding federal learning participation nodes is 3; the safe calculation space can be formed according to different data sources, for example, the data sources respectively treat, finance and government affair related data, and the safe calculation space is respectively formed by the mixed calculation element example nodes of the data sources; secure computation spaces may also be formed in terms of different computing capabilities, e.g., computing element instance nodes with the same level of data throughput are partitioned into the same computation space. Therefore, a user can input calculation requirements, such as privacy calculation strategies, node number, scenes and the like, and can directly call the corresponding safe calculation space to calculate according to the calculation requirements.
A schematic diagram of the relationship between the factors involved in an embodiment of the present invention is shown in fig. 2. As shown in FIG. 2, items, which generally refer to a general project involving multiple computing parties, may involve multiple instances of computing elements associated with a project. The project information is basic information of the project synchronized to the supervision server, and mainly comprises calculation elements related to the project, calculation element examples are formed after the calculation elements are arranged and combined, an authentication mode among the calculation elements, information transmitted among the calculation elements and a transmission mode. The computing element examples are managed, controlled and scheduled by the supervision server and are formed by arranging and combining computing elements. The computing elements include data, algorithms, platforms, and hardware. Task computing frameworks refer to computing frameworks that serve a computing task in a project, including the computing element instances and task messages involved. Wherein the computing element instance node is determined according to the target item, for example, by the following steps:
forming a project element set according to a preset project, wherein the project element set comprises a plurality of computing element examples which can be called according to the project;
Sending building instructions to the computing element providers related to the computing element instances, so that each computing element provider builds the computing element instances in the project element set according to the building instructions to form computing element instance nodes: determining a corresponding relation between a computing element and each computing element involved in a computing element instance, wherein the computing element comprises hardware, a platform and an algorithm or hardware, a platform and data; and deploying the algorithm or the data to a corresponding platform, and deploying the platform with the deployed algorithm or data to corresponding hardware. The content of the build instructions may include: project elements, element roles (data provider, security calculator and result) networking rules (matching of data provider and security calculator, transmission flow direction and data reading mode between elements), encryption mode of each intermediate data, encryption mode of result data, mapping relation of algorithm component parameters and data parameters), and calculating estimation of time required for interaction between element instances in the task.
Fig. 3 shows a schematic diagram of the construction of an example of a technical element, and as shown in fig. 3, project information may be sent to computing elements registered in advance at a monitoring server to construct an example of computing elements related to the project (computing elements involved in the project, arrangement and combination information of computing elements (computing element examples), authentication method between computing elements, information transmitted between computing elements, and transmission method. The computing elements receiving the project information are interacted, the platform is deployed to the hardware, and then the algorithm is deployed to the hardware on which the platform is deployed, so that the construction of the algorithm element examples comprising the algorithm, the platform and the hardware is realized; similarly, the data element instance is constructed as such.
Deployment may be achieved by sending a hash value of a computing element to be deployed, including: sending the hash value of the corresponding platform and the hash value of the corresponding algorithm or data to the hardware, and sending the hash value of the corresponding hardware to the platform; sending the hash value of the corresponding hardware and the hash value of the corresponding platform to the algorithm or the data; such that the hardware, platform and algorithm, or hardware, platform and data, are verified by hash values and a connection is established to build the computing element instance. Fig. 4 shows a schematic diagram of a construction process taking an example of an algorithm element example a, where the algorithm example is formed by combining an algorithm 01, hardware 01 and a platform 01, and as shown in fig. 4, the construction process of the algorithm element example is as follows: (1) Transmitting the hash value of the hardware 01 and the hash value of the platform 01 to the algorithm 01; (2) sending the hash value of hardware 01 to platform 01; (3) Transmitting the hash value of the platform 01 and the hash value of the algorithm 01 to hardware 01; after the hardware 01, the platform 01 and the algorithm 01 obtain the information, the platform 01 and the hardware 01 are verified through hash values, a connection is established, and the platform 01 is deployed on the hardware 01 through the connection. And verifying and establishing connection between the algorithm 01 and the hardware on which the platform is deployed through the hash value, and deploying the algorithm 01 on the hardware on which the platform is deployed so as to form the algorithm element example.
According to certain alternative embodiments, the method further comprises: acquiring task information of a task in the project, selecting one or more computing element examples according to the task information, constructing a task computing framework, and sending a notification instruction to the selected computing element example nodes, wherein the selected computing element example nodes are computing element example nodes related to the task; the task computing framework comprises the selected computing element examples and the task information; and storing the working states of all computing element examples in the project element set in a computing element example list, wherein the working states at least comprise the current task and the predicted completion time of the current task. When the computing element is selected, confirming a computing element instance related to the task in the project element set according to the task information; and selecting the computing element example with the shortest predicted completion time of the current task or the task which belongs to the current task from the stored computing element example list. Task configuration and distribution can be carried out on task information through a task engine, and the distribution rules are as follows: and preferentially selecting an algorithm element example with short total consumption in a queuing queue (based on the maximum calculated concurrency number supported by hardware associated with the algorithm element example and the total number of tasks in the current queue) from an algorithm element example list of the same type in a supervision server or an item associated with the task. Fig. 5 is a schematic diagram illustrating a process of issuing a task certificate by a supervision server to a computing element instance node, where the computing element instance is, for example, a federal learning algorithm element instance, a cryptographic algorithm element instance, and the like. After the task engine finishes distribution, the supervision server side issues task information to each algorithm element instance and each data element instance in the task computing framework, and each algorithm element instance and each data element instance request a task certificate to the supervision server side. The supervision server verifies the identity of the computing element instance through the identity certificate of each computing element instance. After the verification is passed, a task certificate is issued to the computing element instance. The issuing process comprises the steps of digitally signing a certificate signing request generated by a private key of the computing element instance and returning the certificate signing request to the computing element instance. The task certificate content may include identity certificate content information, certificate validity period (determined according to the estimated result of the time required for calculation), data reading mode, element instance networking object, element instance transmission stream, element instance role information, and the like.
After the task is finished, the method further comprises:
and receiving task computing frame dismantling information sent by the computing element instance node, and dismantling the task computing frame according to the dismantling information.
The embodiment of the invention also provides a computing element authentication method based on the project, which is applied to the computing element example node, and a flow chart of the computing element authentication method is shown in fig. 6, and the method comprises the following steps:
s402, an identity certificate signing request file is sent to the supervision server to acquire an identity certificate from the supervision server. Sending an identity certificate signature request file to a supervision server, and acquiring a hash value of hardware corresponding to the computing element instance, a hash value of a corresponding platform and a hash value of a corresponding algorithm or data in advance; generating an identity certificate signature request file based on each hash value; and the identity certificate signing request file is signed by a private key and then sent to the supervision server, and the supervision server adopts a corresponding public key to verify and sign.
The identity certificate signing request file (CSR) contains a hash value of the instance of the computational element. The computing element instance contains the computing elements that make up the instance, such as the data element instance, including data, platform, and hardware; examples of algorithm elements include algorithms, platforms, and hardware. The hash value of the data element example comprises the hash value of the data composing the data element example, the hash value of the platform and the hash value of the hardware; the hash value of the algorithm element example comprises the hash value of the algorithm, the hash value of the platform and the hash value of the hardware. The identity certificate signature request file may generate a hash value of each computing element by combining corresponding data information of the computing element through a local professional registration tool (for example, a specific application program) to which the computing element belongs. A schematic diagram of a computing element instance node obtaining an identity certificate from an identity certificate signing request file is shown in fig. 7.
S404, receiving a notification instruction sent by the supervision server, wherein the notification instruction indicates the role of the computing element instance in the task, networking rules related to the task, encryption modes of intermediate data and result data and estimated time of interaction with other computing element instances.
S406, a task certificate signing request file is sent to the supervision server to acquire a task certificate from the supervision server, and data transmission and/or data calculation are carried out after authentication is carried out between the task certificate and the supervision server or other calculation element instance nodes during execution of the task. Authentication can be performed by using an asymmetric key pair according to the task certificate and other computing element instance nodes. The computing element instance node can encrypt and/or decrypt the instruction and related information issued by the supervision server according to the key carried by the task certificate, and encrypt and/or decrypt related data of other computing element instance nodes. The key carried by the task certificate is a key issued along with the task certificate, and the carried key can comprise an instruction encryption key, an instruction decryption key, a data encryption key, a data decryption key and the like. The related information may be task related information, and the related data may be data that the task calculation needs to transmit. Acquiring a verification public key carried in a task certificate, wherein the verification public key corresponds to a private key of the identity certificate signature request file; and adopting the verification public key to authenticate the signature in the task certificate of other computing element instance nodes. The verification can generate an original hash value corresponding to the computing element example according to the agreed hash function and rule; the original hash value is sent to a supervision server, so that the supervision server signs the original hash value to obtain a signed hash value; receiving a signature hash value sent by a supervision server and an original hash value sent by an instance node of other computing elements to be authenticated; decrypting the signature hash value by adopting the verification public key to obtain a decrypted hash value; and comparing the decrypted hash value with the received original hash value, and if the comparison result is consistent, passing the authentication. For example, 3 computing element instances A, B, C need to authenticate each other, in the task, computing element instance a and computing element instance B need to transmit intermediate parameters to computing element instance C, then computing element instance C needs to verify task certificates of computing element instance a and computing element instance B, and computing element instance a and computing element instance B need to verify task certificates of computing element instance C, the task certificates are issued by the supervision server, and the issued task certificates carry verification public keys corresponding to private keys of the supervision server digital signature, so that computing element instance C verifies digital signatures in the computing element instance a and computing element instance B certificates through the obtained verification public keys, and similarly computing element instance a and computing element instance B verify computing element instance C. In the verification process, the computing element example generates a hash value (hash value can be used) corresponding to the computing element example according to the agreed hash function and rule, the supervision server signs the hash value, the verifier receives the signed hash value 1 and the unsigned hash value 2 of the element example, the signed hash value 1 is decrypted by using a public key of the supervision server to obtain the hash value 1, the hash value 1 is compared with the hash value 2, and if the hash value is consistent, the verification is passed.
According to certain alternative embodiments, the method further comprises: acquiring the valid period of a task certificate of other computing element instance nodes to be authenticated, wherein the valid period of the task certificate generates delay authentication of the other computing element instance nodes to be authenticated at a first time point smaller than the valid period of the task certificate according to the estimated time of interaction with other computing element instances; if the interaction with other computing element examples is not completed at the first time point, sending data information to be interacted to the supervision server so as to apply for prolonging the valid period of the task certificate of the computing element example node to the supervision server; and when the task is executed, sending task computing frame dismantling information to the supervision server side, so that the supervision server side can dismantle the task computing frame according to the dismantling information. Processing for certificate timeout case: because each task certificate is issued to form a task certificate validity period through the estimated time of the task unit, in the computing element example C, the task certificate validity periods of the computing element example A and the computing element example B are acquired, the time points of the task certificate verification (the time points smaller than the validity period and the time points equal to the validity period) are set, the certificates of the computing element example A and the computing element example B are verified again under the time stamps smaller than the validity period, if the computing task of the task unit is not completed, the element which needs to expire the task certificate is sent to the supervision server to apply for the deferred task certificate, if the application is passed, the certificate time is prolonged, if the application is not passed, the certificate is not prolonged, and the certificate is destroyed, and the task unit is stopped when the certificate is verified at the time points equal to the validity period.
The embodiment of the invention also provides a computing element authentication device based on the project, which is applied to the supervision server, and comprises:
the identity certificate issuing module is used for receiving an identity certificate signing request file sent by the computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signing request file;
the task certificate issuing module is used for receiving a task certificate signing request file sent by a task related computing element instance node, and sending a task certificate to the computing element instance node after authentication is carried out according to the task certificate signing request file, so that each computing element instance node carries out data transmission and/or data calculation after authentication is carried out between the task certificate and a supervision server or other computing element instance nodes during execution of the task.
The specific procedure of each module in the calculation element authentication apparatus provided in the above embodiment of the present invention to realize the function thereof is the same as each step of the calculation element authentication method provided in the above embodiment of the present invention, and thus, a repetitive description thereof will be omitted here.
The embodiment of the invention also provides electronic equipment, and fig. 8 is a schematic structural diagram of the electronic equipment according to the embodiment of the invention. As shown in fig. 8, the electronic device 800 includes: one or more processors 801 and memory 802; and computer program instructions stored in the memory 802 that, when executed by the processor 801, cause the processor 801 to perform the computational element authentication method of any of the embodiments described above. The processor 801 may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities and may control other components in the electronic device to perform desired functions.
Memory 802 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. Volatile memory can include, for example, random Access Memory (RAM) and/or cache memory (cache) and the like. The non-volatile memory may include, for example, read Only Memory (ROM), hard disk, flash memory, and the like. One or more computer program instructions may be stored on a computer readable storage medium and the processor 801 may execute the program instructions to implement the steps in the computing element authentication method and/or other desired functions of the various embodiments of the present invention above.
In some embodiments, the electronic device 800 may further include: an input device 803 and an output device 804, which are interconnected by a bus system and/or other forms of connection mechanisms (not shown in fig. 8). For example, when the electronic device is a stand-alone device, the input means 803 may be a communication network connector for receiving the acquired input signal from an external removable device. In addition, the input device 803 may also include, for example, a keyboard, a mouse, a microphone, and the like. The output device 804 may output various information to the outside, and may include, for example, a display, a speaker, a printer, a communication network, a remote output apparatus connected thereto, and the like.
In addition to the methods and apparatus described above, embodiments of the invention may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps in a method of computing element authentication as in any of the embodiments described above.
The computer program product may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present invention may also be a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, cause the processor to perform steps in a computing element authentication method of various embodiments of the present invention.
A computer readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is to be appreciated that the processor in embodiments of the invention may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate arrays (Field Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
In summary, the embodiment of the invention relates to a method and a device for authenticating computing elements based on data operation items, wherein the method comprises the following steps: receiving an identity certificate signature request file sent by a computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signature request file; and receiving a task certificate signing request file sent by a computing element instance node related to a task, and sending a task certificate to the computing element instance node after authentication is carried out according to the task certificate signing request file, so that each computing element instance node carries out data transmission and/or data calculation after authentication is carried out between the computing element instance node and a supervision server or other computing element instance nodes according to the task certificate during execution of the task. According to the technical scheme provided by the embodiment of the invention, the computing elements involved in the data operation project form the computing element example to carry out integral authentication, and the authentication certificate is effective in the whole project execution period, so that a server of the supervision system can realize supervision on related computing elements in the whole project execution device, and the reliability of authentication and the safety of data interaction are improved.
It should be understood that the above discussion of any of the embodiments is exemplary only and is not intended to suggest that the scope of the invention (including the claims) is limited to these examples; combinations of features of the above embodiments or in different embodiments are also possible within the spirit of the invention, steps may be implemented in any order and there are many other variations of the different aspects of one or more embodiments of the invention described above which are not provided in detail for the sake of brevity. The above detailed description of the present invention is merely illustrative or explanatory of the principles of the invention and is not necessarily intended to limit the invention. Accordingly, any modification, equivalent replacement, improvement, etc. made without departing from the spirit and scope of the present invention should be included in the scope of the present invention. Furthermore, the appended claims are intended to cover all such changes and modifications that fall within the scope and boundary of the appended claims, or equivalents of such scope and boundary.
Claims (9)
1. A method for authenticating computing elements based on items, which is applied to a supervision server, the method comprising:
receiving an identity certificate signature request file sent by a computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signature request file;
Receiving a task certificate signing request file sent by a task-related computing element instance node, and after authentication is carried out according to the task certificate signing request file, sending a task certificate to the computing element instance node, so that each computing element instance node carries out data transmission and/or data calculation after authentication is carried out between the computing element instance node and a supervision server or other computing element instance nodes according to the task certificate during execution of the task;
forming a project element set according to a preset project, wherein the project element set comprises a plurality of computing element examples which can be called according to the project;
sending a construction instruction to a computing element provider related to a plurality of computing element examples, so that each computing element provider constructs a computing element example in a project element set according to the construction instruction to form a computing element example node, wherein the construction instruction comprises the following steps: determining a corresponding relation between a computing element and each computing element involved in a computing element instance, wherein the computing element comprises hardware, a platform and an algorithm or hardware, a platform and data; and deploying the algorithm or the data to a corresponding platform, and deploying the platform with the deployed algorithm or data to corresponding hardware.
2. The method according to claim 1, wherein the method further comprises: acquiring task information of a task in the project, selecting one or more computing element examples according to the task information, constructing a task computing framework, and sending a notification instruction to the selected computing element example nodes, wherein the selected computing element example nodes are computing element example nodes related to the task; the task computing framework comprises the selected computing element examples and the task information;
and storing the working states of all computing element examples in the project element set in a computing element example list, wherein the working states at least comprise the current task and the predicted completion time of the current task.
3. The method of claim 2, wherein deploying the algorithm or data onto a corresponding platform and deploying the platform on which the algorithm or data has been deployed onto corresponding hardware comprises:
sending the hash value of the corresponding platform and the hash value of the corresponding algorithm or data to the hardware;
sending a hash value of corresponding hardware to the platform;
sending the hash value of the corresponding hardware and the hash value of the corresponding platform to the algorithm or the data;
Such that the hardware, platform and algorithm, or hardware, platform and data, are verified by hash values and a connection is established to build the computing element instance.
4. A method according to claim 3, characterized in that the method further comprises: and after the computing element instance nodes are authenticated according to the identity certificate signature request file, combining according to the computing element instance nodes after identity authentication to form a plurality of safe computing spaces.
5. The method of claim 4, wherein the identity certificate signature request file of the computing element instance node includes a hash value of a computing element that constitutes the algorithm element instance, the computing element being hardware, a platform, an algorithm, or data; authenticating according to the identity certificate signature request file comprises the following steps:
extracting a hash value of a computing element in the identity certificate signature request file;
comparing the hash value of the computing element with a locally registered and stored computing element hash table and a blacklist to obtain a comparison result, wherein the computing element hash table comprises at least one of a hardware hash table, a platform hash table, an algorithm instance hash table and a data instance hash table;
And if the comparison result meets the requirement, sending the signed identity certificate to the computing element instance node.
6. The method of claim 5, wherein signing the request file in accordance with the task certificate includes:
receiving an identity certificate sent by a computing element instance node;
performing identity verification according to the identity certificate of the computing element example;
and if the identity verification is passed, sending a signed task certificate to the computing element instance node.
7. A method for item-based authentication of a computing element, applied to a computing element instance node, the method comprising:
sending an identity certificate signing request file to a supervision server to acquire an identity certificate from the supervision server;
receiving a notification instruction sent by a supervision server, wherein the notification instruction indicates a role of the computing element instance in a task, networking rules related to the task, an encryption mode of intermediate data and result data and estimated time of interaction with other computing element instances;
a task certificate signing request file is sent to a supervision server to acquire a task certificate from the supervision server, and data transmission and/or data calculation are carried out after authentication is carried out between the task certificate and the supervision server or other calculation element instance nodes during execution of the task;
The computing element instance node is formed according to the following mode: the method comprises the steps that a supervision server forms a project element set according to a preset project, wherein the project element set comprises a plurality of computing element examples which can be called according to the project; sending a construction instruction to a computing element provider related to a plurality of computing element examples, so that each computing element provider constructs a computing element example in a project element set according to the construction instruction to form a computing element example node, wherein the construction instruction comprises the following steps: determining a corresponding relation between a computing element and each computing element involved in a computing element instance, wherein the computing element comprises hardware, a platform and an algorithm or hardware, a platform and data; and deploying the algorithm or the data to a corresponding platform, and deploying the platform with the deployed algorithm or data to corresponding hardware.
8. The method of claim 7, wherein the method further comprises:
and encrypting and/or decrypting the instruction and related information issued by the supervision server according to the key carried by the task certificate, and encrypting and/or decrypting related data of other computing element instance nodes.
9. A project-based computing element authentication apparatus, for use with a supervisory server, the apparatus comprising:
The identity certificate issuing module is used for receiving an identity certificate signing request file sent by the computing element instance node, and sending an identity certificate to the computing element instance node after authentication is carried out according to the identity certificate signing request file;
the task certificate issuing module is used for receiving a task certificate signing request file sent by a task-related computing element instance node, and sending a task certificate to the computing element instance node after authentication is carried out according to the task certificate signing request file, so that each computing element instance node carries out data transmission and/or data calculation after authentication is carried out between the task certificate and a supervision server or other computing element instance nodes during execution of the task;
the computing element example node is formed according to the following mode: the method comprises the steps that a supervision server forms a project element set according to a preset project, wherein the project element set comprises a plurality of computing element examples which can be called according to the project; sending a construction instruction to a computing element provider related to a plurality of computing element examples, so that each computing element provider constructs a computing element example in a project element set according to the construction instruction to form a computing element example node, wherein the construction instruction comprises the following steps: determining a corresponding relation between a computing element and each computing element involved in a computing element instance, wherein the computing element comprises hardware, a platform and an algorithm or hardware, a platform and data; and deploying the algorithm or the data to a corresponding platform, and deploying the platform with the deployed algorithm or data to corresponding hardware.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311206352.8A CN116933334B (en) | 2023-09-19 | 2023-09-19 | Calculation element authentication method and device based on data operation project |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311206352.8A CN116933334B (en) | 2023-09-19 | 2023-09-19 | Calculation element authentication method and device based on data operation project |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116933334A CN116933334A (en) | 2023-10-24 |
| CN116933334B true CN116933334B (en) | 2023-12-29 |
Family
ID=88381172
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311206352.8A Active CN116933334B (en) | 2023-09-19 | 2023-09-19 | Calculation element authentication method and device based on data operation project |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116933334B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110677376A (en) * | 2018-07-03 | 2020-01-10 | 中国电信股份有限公司 | Authentication method, related device and system and computer readable storage medium |
| CN110677240A (en) * | 2019-08-29 | 2020-01-10 | 阿里巴巴集团控股有限公司 | Method and device for providing high-availability computing service through certificate issuing |
| CN112564919A (en) * | 2020-12-04 | 2021-03-26 | 广东投盟科技有限公司 | Identity authentication method, identity authentication equipment and computer readable storage medium |
| CN115065487A (en) * | 2022-08-17 | 2022-09-16 | 北京锘崴信息科技有限公司 | Privacy protection cloud computing method and cloud computing method for protecting financial privacy data |
| CN115277010A (en) * | 2022-07-11 | 2022-11-01 | 深圳市名竹科技有限公司 | Identity authentication method, system, computer device and storage medium |
| CN115412378A (en) * | 2022-11-02 | 2022-11-29 | 北京锘崴信息科技有限公司 | Credibility authentication method and device for private data and financial private data related service |
| CN115580414A (en) * | 2022-12-08 | 2023-01-06 | 太极计算机股份有限公司 | Data opening system and method based on privacy computation |
| CN115706993A (en) * | 2021-08-03 | 2023-02-17 | 华为技术有限公司 | Authentication method, readable medium, and electronic device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| ES2644593T3 (en) * | 2012-06-29 | 2017-11-29 | Huawei Technologies Co., Ltd. | Identity authentication method and device |
-
2023
- 2023-09-19 CN CN202311206352.8A patent/CN116933334B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110677376A (en) * | 2018-07-03 | 2020-01-10 | 中国电信股份有限公司 | Authentication method, related device and system and computer readable storage medium |
| CN110677240A (en) * | 2019-08-29 | 2020-01-10 | 阿里巴巴集团控股有限公司 | Method and device for providing high-availability computing service through certificate issuing |
| CN112564919A (en) * | 2020-12-04 | 2021-03-26 | 广东投盟科技有限公司 | Identity authentication method, identity authentication equipment and computer readable storage medium |
| CN115706993A (en) * | 2021-08-03 | 2023-02-17 | 华为技术有限公司 | Authentication method, readable medium, and electronic device |
| CN115277010A (en) * | 2022-07-11 | 2022-11-01 | 深圳市名竹科技有限公司 | Identity authentication method, system, computer device and storage medium |
| CN115065487A (en) * | 2022-08-17 | 2022-09-16 | 北京锘崴信息科技有限公司 | Privacy protection cloud computing method and cloud computing method for protecting financial privacy data |
| CN115412378A (en) * | 2022-11-02 | 2022-11-29 | 北京锘崴信息科技有限公司 | Credibility authentication method and device for private data and financial private data related service |
| CN115580414A (en) * | 2022-12-08 | 2023-01-06 | 太极计算机股份有限公司 | Data opening system and method based on privacy computation |
Non-Patent Citations (2)
| Title |
|---|
| 基于区块链技术的计算机终端信息安全认证;任刚;电子技术与软件工程;第14-17页 * |
| 基于雾节点的移动终端无证书认证方案;曾萍;袁琳;高原;马英杰;;北京电子科技学院学报(03);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116933334A (en) | 2023-10-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230231711A1 (en) | Blockchain-implemented method and system | |
| CN109756485B (en) | Electronic contract signing method, electronic contract signing device, computer equipment and storage medium | |
| US20220247572A1 (en) | Secure dynamic threshold signature scheme employing trusted hardware | |
| EP4120114A1 (en) | Data processing method and apparatus, smart device and storage medium | |
| US8954732B1 (en) | Authenticating third-party programs for platforms | |
| Wei et al. | Security and privacy for storage and computation in cloud computing | |
| WO2019127278A1 (en) | Safe access blockchain method, apparatus, system, storage medium, and electronic device | |
| CN111708991A (en) | Service authorization method, service authorization device, computer equipment and storage medium | |
| CN111080295A (en) | Block chain-based electronic contract processing method and equipment | |
| US10805091B2 (en) | Certificate tracking | |
| US7930763B2 (en) | Method of authorising a computing entity | |
| CN114978635B (en) | Cross-domain authentication method and device, user registration method and device | |
| CN112152778A (en) | Node management method and device and electronic equipment | |
| CN115460019B (en) | Method, apparatus, device and medium for providing digital identity-based target application | |
| Dougherty et al. | APECS: A distributed access control framework for pervasive edge computing services | |
| KR101246339B1 (en) | System and method using qr code for security authentication | |
| CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment | |
| CN112364335B (en) | Identification identity authentication method and device, electronic equipment and storage medium | |
| CN112927026A (en) | Coupon processing method and device, electronic equipment and computer storage medium | |
| CN111245594B (en) | Homomorphic operation-based collaborative signature method and system | |
| CN114268437A (en) | Data processing method, block chain node, system and computer readable storage medium | |
| CN111314059B (en) | Processing method, device and equipment for account authority proxy and readable storage medium | |
| CN116933334B (en) | Calculation element authentication method and device based on data operation project | |
| US11888987B2 (en) | Method and system for digital voting using a trusted digital voting platform | |
| CN115622812A (en) | Digital identity verification method and system based on block chain intelligent contract |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |