WO2017020452A1 - Authentication method and authentication system - Google Patents


Info

Publication number
WO2017020452A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
key
client
user
information
Prior art date
Application number
PCT/CN2015/095767
Other languages
French (fr)
Chinese (zh)
Inventor
邓小超
Original Assignee
北京百度网讯科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京百度网讯科技有限公司
Publication of WO2017020452A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Definitions

  • The present application relates to the field of computer network technologies, in particular to computer network authentication technologies, and specifically to an authentication method and an authentication system.
  • In public cloud services, customers (such as website owners) need to give users (such as Internet users) direct access, from web pages or applications, to resources (such as audio and video) stored in the cloud, so as to avoid unnecessary network transfer through the customer's own server.
  • The application programming interface provided by the cloud storage ensures security by signing each request with the public and private keys.
  • The public and private keys therefore need to be configured.
  • Because the web page or application is distributed to users (netizens), there is a risk that a malicious user will recover the customer's key from it and use the customer's identity to cause damage.
  • A customer key can be prevented from leaking in a public cloud service in two ways:
  • 1. Key fragment mechanism: the customer is allowed to distribute a fragment of the key to the web page or application, and the cloud storage server opens a special authentication mechanism on the interfaces that such web pages or applications need to access; the web page or application can access a resource only when the request is signed with the key fragment.
  • 2. Temporary key mechanism: the web page or application first requests a short-term valid key from the customer's server, and then accesses the cloud service resource using that short-term key.
  • The above two technologies carry the following risks. 1. With the key-fragment authorization mechanism, the set of interfaces on which the cloud service accepts key-fragment signatures is fixed, so when the customer has new requirements and needs temporary access to additional interfaces, the cloud server must be upgraded and reconfigured; at the same time, once a malicious user obtains the key fragment, these open interfaces are effectively fully open, so the problem that customer data can be destroyed remains. 2. With the temporary key mechanism, because the web page or application requests a temporary key from the customer's server every time, the customer's server must in turn apply to the cloud identity and access management system (IAM); when the customer's business volume rises or the customer's business logic is flawed (for example, repeatedly applying for temporary keys), the load on IAM itself becomes too high and affects the basic authentication service.
  • The present application provides an authentication method and an authentication system.
  • The application provides an authentication method for the client of an authentication system, where the authentication system includes a client, a client server and a cloud server. The method includes: sending allocation request information for a first temporary key to the client server, the allocation request information carrying a session identity identifier for verifying the identity of the user; receiving the first response information that the client server sends in response to the allocation request information once the user's identity has passed verification, where the first response information includes a user key account for confirming the identity of the client to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's rights, and session policy information obtained by encrypting the access control list with the first session key, the first session key being the session key held by the client server for its session with the cloud server; and sending, to the cloud server, cloud service request information generated from the first response information.
  • The application provides a method for generating first response information, for the client server of an authentication system, where the authentication system includes a client, a client server and a cloud server. The method includes: receiving allocation request information for a first temporary key sent by the user end, the allocation request information carrying a session identity identifier for verifying the user's identity; verifying the user's identity based on the session identity identifier; in response to the user's identity passing verification, generating first response information responding to the allocation request information, where the first response information includes a user key account used to confirm the identity of the client to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, the first session key being the session key held by the client server for its session with the cloud server; and sending the first response information to the client.
  • The application provides an authentication method for the cloud server of an authentication system, where the authentication system includes a client, a client server and a cloud server. The method includes: receiving, from the client, a user key account, session policy information and cloud service request information signed with a first temporary key, where the first temporary key is obtained by the client server by signing an access control list describing the user's rights with a first session key, the user key account is generated by the client server to confirm the identity of the client to the cloud server, the session policy information is obtained by the client server by encrypting the access control list with the first session key, and the first session key is the session key held by the client server for its session with the cloud server; authenticating the signature of the received cloud service request information based on the user key account and the session policy information; and, in response to the authentication passing, sending the client second response information that responds to the cloud service request information.
  • The application provides an authentication method for an authentication system, where the authentication system includes a client, a client server and a cloud server. The method includes: the client sends allocation request information for a first temporary key to the client server, the allocation request information carrying a session identity identifier for verifying the user's identity; the client server receives the allocation request information, verifies the user's identity based on the session identity identifier, generates first response information responding to the allocation request information once verification passes, and sends the first response information to the user end, where the first response information includes a user key account for confirming the identity of the client to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, the first session key being the session key held by the client server for its session with the cloud server; the client sends cloud service request information generated from the first response information to the cloud server; and the cloud server authenticates the signature of the received cloud service request information based on the received user key account and session policy information and, in response to the authentication passing, sends the client second response information responding to the cloud service request information.
  • The application provides a client for an authentication system, where the client is configured to: send allocation request information for a first temporary key to the client server, the allocation request information carrying a session identifier for verifying the user's identity; receive the first response information that the client server sends in response to the allocation request information once the user's identity passes verification, where the first response information includes a user key account for confirming the identity of the client to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, the first session key being the session key held by the client server for its session with the cloud server; send cloud service request information generated from the first response information to the cloud server, where the cloud service request information carries the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; and receive second response information for the cloud service request information sent by the cloud server.
  • The application provides a client server for an authentication system, where the client server is configured to: receive allocation request information for a first temporary key sent by the client, the allocation request information carrying a session identity identifier for verifying the user's identity; verify the user's identity based on the session identity identifier; in response to the user's identity passing verification, generate first response information responding to the allocation request information, where the first response information includes a user key account used to confirm the identity of the client to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, the first session key being the session key held by the client server for its session with the cloud server; and send the first response information to the client.
  • The application provides a cloud server for an authentication system, where the cloud server is configured to: receive a user key account, session policy information and cloud service request information signed with a first temporary key, all sent by the client, where the first temporary key is obtained by the client server by signing an access control list describing the user's rights with a first session key, the user key account is generated by the client server to confirm the identity of the client to the cloud server, the session policy information is obtained by the client server by encrypting the access control list with the first session key, and the first session key is the session key held by the client server for its session with the cloud server; authenticate the signature of the received cloud service request information based on the user key account and the session policy information; and, in response to the authentication passing, send the user terminal second response information responding to the cloud service request information.
  • The application provides an authentication system, which includes: a user end, configured to send allocation request information for a first temporary key to the client server, the allocation request information carrying a session identifier for verifying the user's identity, to receive the first response information that the client server sends in response to the allocation request information once the user's identity passes verification, where the first response information includes a user key account for confirming the identity of the client to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, the first session key being the session key held by the client server for its session with the cloud server, and to send cloud service request information generated from the first response information to the cloud server, where the cloud service request information carries the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; a client server, configured to receive the allocation request information, verify the user's identity based on the session identity identifier, generate the first response information once verification passes and send it to the user end; and a cloud server, configured to authenticate the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, send the user end second response information responding to the cloud service request information.
  • In the authentication method and authentication system provided by the application, the client sends allocation request information for a first temporary key to the client server; after verifying the allocation request information, the client server generates and sends to the client first response information containing the user key account, the first temporary key and the session policy information; the user end sends the cloud server cloud service request information generated from the first response information, carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; the cloud server authenticates that signature based on the user key account and the session policy information and, once the authentication passes, sends the user end second response information for the cloud service request information.
  • The authentication method of the embodiments of the present application reduces the interaction between the client server and the cloud server, and reduces the authentication load on the cloud server.
  • FIG. 1 illustrates an exemplary system architecture to which embodiments of the present application may be applied.
  • FIG. 2 is a schematic flowchart of an authentication method for the client of an authentication system according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a method for generating first response information, for the client server of an authentication system, according to an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of an authentication method for the cloud server of an authentication system according to an embodiment of the present application.
  • FIG. 5 illustrates an exemplary flowchart of a method of authenticating the signature of cloud service request information according to an embodiment of the present application.
  • FIG. 6 illustrates an exemplary flowchart of an authentication method for an authentication system according to an embodiment of the present application.
  • FIG. 7 illustrates an exemplary flowchart of a specific application scenario of an authentication method for an authentication system according to an embodiment of the present application.
  • FIG. 8 shows an exemplary structural diagram of an authentication system according to an embodiment of the present application.
  • FIG. 9 is a block diagram of a computer system suitable for implementing the terminal device or server of the embodiments of the present application.
  • FIG. 1 illustrates an exemplary system architecture 100 in which embodiments of the present application may be applied.
  • The system architecture 100 can include terminal devices 101 and 102, a network 103, a client server 104 and a cloud server 105.
  • The network 103 provides the medium for communication links between the terminal devices 101 and 102, the client server 104 and the cloud server 105.
  • The network 103 may include various types of connections, such as wired or wireless communication links, fiber optic cables and the like.
  • The user 110 can use the terminal devices 101 and 102 to interact with the client server 104 and the cloud server 105 via the network 103, for example to send or receive information.
  • Various web pages or applications, such as a video player or a web game application, may be installed on the terminal devices 101 and 102.
  • The terminal devices 101 and 102 can be various electronic devices, including but not limited to personal computers, smart phones, smart watches, tablets, personal digital assistants and the like.
  • The client server 104 and the cloud server 105 may be servers that provide various services.
  • A server can store and analyze the received data and feed the processing result back to other servers or terminal devices.
  • The authentication method and authentication system provided by the embodiments of the present application may be executed by the terminal devices 101 and 102 acting as the client of the authentication system, by the client server 104 acting as its client server, and by the cloud server 105 acting as its cloud server.
  • The number of terminal devices, networks and servers in FIG. 1 is merely illustrative; depending on implementation needs, there can be any number of terminal devices, networks and servers.
  • The authentication system may include a client, a client server and a cloud server.
  • FIG. 2 is a schematic flowchart of an authentication method for the client of an authentication system according to an embodiment of the present application.
  • The authentication method for the client of the authentication system may include the following steps.
  • Step 201: allocation request information for a first temporary key is sent to the client server, the allocation request information carrying a session identity identifier for verifying the identity of the user.
  • The allocation request information for the first temporary key is used to ask the client server to allocate a set of temporary keys.
  • The allocation request information carries a session identifier (sessionid) that presents the user's valid identity to the client server.
  • Step 202: the first response information that the client server sends in response to the allocation request information once the user's identity passes verification is received.
  • The client server verifies the user's identity based on the session identity identifier carried in the received allocation request information. Once verification passes, the allocation request information sent by the client is determined to be valid, and the client server allocates the user key account (access key id, abbreviated ak) with which the customer's identity is confirmed to the cloud server, determines according to the user's identity an access control list (ACL, which also describes the effective expiration time) that describes the user's rights, signs the access control list with the session key it holds for its session with the cloud server (the first session key) to obtain a first temporary key (access key secret, abbreviated sk), and encrypts the access control list with the same session key to obtain the session policy information.
  • The signature over the access control list can be implemented with a digital signature algorithm, for example one built on the SHA secure hash algorithm, a series of cryptographic hash functions; the encryption of the access control list can use a standard cipher, such as the data encryption standard DES, triple DES (3DES, which encrypts the data three times with three 64-bit keys) or the advanced encryption standard AES.
  • The client then receives the first response information (containing ak, sk and the session policy).
  • Step 203: cloud service request information generated from the first response information is sent to the cloud server, where the cloud service request information carries the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key.
  • The cloud service request information is used to request a resource from the cloud. The user end (the body sending the request may be a web page or an application in the user end) signs the cloud service request information with the first temporary key, carries the user key account to confirm the user's identity, carries the session policy information as additional authentication data, and sends the request to the cloud server.
  • Step 204: the second response information sent by the cloud server in response to the cloud service request information is received.
  • After receiving the cloud service request, the cloud server produces the second response information for the user end by the following steps: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends the client second response information responding to the cloud service request information. When the cloud server authenticates the signature based on the user key account and the session policy information, the cloud service submits the signature made with the first temporary key to Identity and Access Management (IAM) for authentication; IAM computes a second temporary key from the user key account and the session policy information, computes the signature with the second temporary key, and compares the computed signature with the received one. When the two are the same, the received signature passes authentication, the authentication result is returned to the cloud service, and the cloud service responds to the cloud service request by sending the second response information to the client.
  • The client then receives the second response information for the cloud service request information sent by the cloud server.
  • In the authentication method for the client of the authentication system, the client sends allocation request information for a first temporary key to the client server, receives the first response information the client server sends in response, sends the cloud server cloud service request information generated from the first response information (carrying the user key account, the session policy information and the signature generated with the first temporary key), and receives the second response information the cloud server sends in response to the cloud service request information. This reduces the interaction between the client server and the cloud server and the load on the cloud server: the cloud server need not deploy high-performance services to withstand heavy traffic, and the performance damage that an excessive number of temporary key requests would cause to the cloud's IAM service is avoided.
  • FIG. 3 is a schematic flowchart of a method for generating first response information, for the client server of an authentication system, according to an embodiment of the present application.
  • The method for generating the first response information on the client server of the authentication system may include the following steps.
  • Step 301: allocation request information for a first temporary key sent by the user end is received, the allocation request information carrying a session identity identifier for verifying the identity of the user.
  • The allocation request information for the first temporary key is used to ask the client server to allocate a set of temporary keys.
  • The session identifier (sessionid) carried in the allocation request information presents the user's valid identity to the client server.
  • Step 302: the user's identity is verified based on the session identity identifier.
  • The session identity identifier presents the user's valid identity, and the client server compares the presented identity with the identity it has on record for that user. If the two are the same, the user's identity passes verification.
  • Step 303: in response to the user's identity passing verification, first response information responding to the allocation request information is generated.
  • The first response information includes: a user key account used to confirm the identity of the client to the cloud server, a first temporary key obtained by signing, with the first session key, the access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server.
  • The client server verifies the user's identity based on the session identity identifier carried in the received allocation request information. Once verification passes, the allocation request information sent by the client is determined to be valid, and the client server allocates the user key account with which the customer's identity is confirmed to the cloud server, signs the access control list with the session key it holds for its session with the cloud server to obtain the first temporary key (access key secret, abbreviated sk), and encrypts the access control list with the session key to obtain the session policy information (session policy).
  • The user key account, the first temporary key and the session policy information are sent to the client as the first response information.
  • The signature over the access control list can be implemented with a digital signature algorithm, for example one built on the SHA secure hash algorithm, a series of cryptographic hash functions; the encryption of the access control list can use a standard cipher, such as the data encryption standard DES, triple DES (3DES, which encrypts the data three times with three 64-bit keys) or the advanced encryption standard AES.
  • Step 304: the first response information is sent to the client.
  • In the method for generating the first response information on the client server of the authentication system, the client server receives allocation request information for a first temporary key sent by the user end, the allocation request information carrying a session identity identifier for verifying the user's identity, verifies the user's identity based on the session identity identifier, and generates the first response information responding to the allocation request information once the user's identity passes verification. This provides the client with credentials for accessing the cloud service without requiring the cloud server to deploy high-performance services under heavy traffic pressure.
  • FIG. 4 is a schematic flowchart of an authentication method for the cloud server of an authentication system according to an embodiment of the present application.
  • The authentication method for the cloud server of the authentication system may include the following steps.
  • Step 401: a user key account, session policy information and cloud service request information signed with the first temporary key, all sent by the client, are received.
  • The first temporary key is obtained by the client server by signing, with the first session key, the access control list describing the user's rights; the user key account is generated by the client server to confirm the identity of the client to the cloud server; the session policy information is obtained by the client server by encrypting the access control list with the first session key; and the first session key is the session key held by the client server for its session with the cloud server.
  • Step 402: the signature of the received cloud service request information is authenticated based on the user key account and the session policy information.
  • When the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information, the cloud service hands the request signed with the first temporary key to the Identity and Access Management (IAM) component for authentication. The IAM computes the second temporary key from the user key account and the session policy information, uses the second temporary key to compute the signature of the request, and compares the computed signature with the received one; if they are the same, the received signature is authenticated.
  • Step 403: in response to the authentication passing, send the second response information answering the cloud service request information to the user end.
  • The IAM returns the result of authenticating the signature of the cloud service request information to the cloud service, and the cloud service sends the second response information, generated in response to the cloud service request, to the user end.
  • In this authentication method, the cloud server authenticates the signature of the received cloud service request information with the received user key account and session policy information and, if authentication passes, sends the user end the second response information answering the cloud service request information. This serves the user end while reducing the interaction between the cloud server and the client server: the cloud server need not deploy a high-performance service to absorb heavy traffic, and the cloud's IAM service is spared the performance cost of a temporary-key request per user request, which lowers the performance requirements on the cloud server.
  • FIG. 5 illustrates an exemplary flowchart of a method of authenticating a signature of cloud service request information in accordance with an embodiment of the present application.
  • the method for authenticating the signature of the cloud service request information includes:
  • Step 501: verify the identity of the client based on the user key account.
  • Step 502: obtain the second temporary key based on the session policy information and the second session key, where the second session key is the session key the cloud server holds for its session with the client server.
  • Obtaining the second temporary key from the session policy information and the second session key follows the same steps by which the client server generates the first temporary key: the session policy information is first decrypted with the second session key to recover the access control list, and the recovered access control list is then signed with the second session key to obtain the second temporary key.
  • Step 503: compute the signature of the cloud service request information using the second temporary key.
  • Computing the signature of the cloud service request information with the second temporary key is the same process as the user end signing the cloud service request information with the first temporary key.
  • The signature can be implemented by a variety of methods, such as RSA signatures or hash-based (HMAC) signatures. Because the cloud side recomputes the signature from a temporary key derived from the shared symmetric session key and compares it with the received value, the signature used here is in practice a keyed hash over the request rather than a public-key signature.
  • Step 504: compare the signature of the received cloud service request information with the computed signature of the cloud service request information; the comparison should be made in constant time so that timing does not reveal how many bytes matched.
  • Step 505: in response to the comparison result being the same, determine that the authentication result is pass.
  • In the method for authenticating the signature of the cloud service request information provided by the above example, the cloud server verifies the client's identity with the user key account, obtains the second temporary key from the session policy information and the second session key (the session key the cloud server holds for its session with the client server), computes the signature of the cloud service request information with the second temporary key, compares the received signature with the computed one and, if they are the same, determines that the authentication result is pass. Signature authentication is thus simple and fast, and authentication efficiency is improved.
  • FIG. 6 shows an exemplary flowchart of an authentication method for an authentication system according to an embodiment of the present application.
  • the authentication method for the authentication system includes:
  • Step 601: the user end sends the first-temporary-key allocation request information to the client server, the allocation request information carrying the session identifier used to verify the user's identity.
  • The allocation request information for the first temporary key asks the client server to allocate a set of temporary keys.
  • The allocation request information carries a session identifier (sessionid) that presents the user's valid identity to the client server.
  • The client server receives the allocation request information, verifies the user's identity from the session identifier and, if the user's identity passes verification, generates the first response information answering the allocation request information and sends it to the user end.
  • The first response information includes: a user key account used to identify the client to the cloud server; a first temporary key obtained by signing, with the first session key, the access control list that describes the user's rights; and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key the client server holds for its session with the cloud server.
  • The client server verifies the user's identity from the session identifier carried in the received allocation request information. Once verification passes, the allocation request information sent by the user end is treated as valid: the client server allocates the user key account with which the client is identified to the cloud server, signs the access control list with the session key for its session with the cloud server to obtain the first temporary key (access key secret, abbreviated sk), and encrypts the access control list with the same session key to obtain the session policy information (session policy).
  • The user key account, the first temporary key and the session policy information are sent to the user end as the first response information.
  • The signature over the access control list can be implemented with a signature algorithm built on cryptographic hash functions of the Secure Hash Algorithm (SHA) family, for example a keyed hash (HMAC) under the session key; the encryption of the access control list can use a standard block cipher such as the Data Encryption Standard (DES), triple DES (3DES, which applies DES three times under three keys) or the Advanced Encryption Standard (AES). DES and 3DES are deprecated today; a new deployment should use AES in an authenticated mode.
  • The session identifier presents the user's valid identity; the client server compares the presented identity with the identity it has on record for the user, and if they are the same the user's identity passes verification.
  • In response to receiving the first response information, the user end sends the cloud server cloud service request information generated from the first response information; the cloud service request information carries the user key account, the session policy information and the signature of the cloud service request information generated with the first temporary key.
  • The cloud service request information requests a resource from the cloud.
  • The user end (whose executing body may be a web page or an application running on the user end) signs the cloud service request information with the first temporary key, carries the user key account to identify the client, carries the session policy information as additional authentication data, and sends the result to the cloud server.
  • The cloud server authenticates the signature of the received cloud service request information based on the received user key account and session policy information and, in response to the authentication passing, sends the user end the second response information answering the cloud service request information.
  • With reference to FIG. 7, the authentication method may include the following steps:
  • Step 701: the user, through the user end, sends the client server request information requesting the first temporary key, the request information carrying a session identifier for verifying the user's identity;
  • Step 702: the client server receives the allocation request information and, after verifying the user's identity from the session identifier it carries, generates the first response information, which includes: a user key account used to identify the client to the cloud server; a first temporary key obtained by signing, with the first session key, the access control list that describes the user's rights; and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key the client server holds for its session with the cloud server;
  • Step 703: the client server returns the first response information to the user end;
  • Step 704: the user end sends the user key account, the session policy information and the cloud service request information signed with the first temporary key to the cloud service of the cloud server;
  • Step 705: the cloud service submits the user key account, the session policy information and the cloud service request information signed with the first temporary key to the IAM for authentication;
  • Step 706: the IAM returns a result of successful authentication to the cloud service;
  • Step 707: the cloud service returns the second response information answering the cloud service request information to the user end.
  • In this authentication method for the authentication system, the user end sends the first-temporary-key allocation request information to the client server; the client server verifies the user's identity from the session identifier in the received allocation request information, generates the first response information answering the allocation request and sends it to the user end; the user end sends the cloud server cloud service request information generated from the first response information, carrying the user key account, the session policy information and the signature of the cloud service request information produced with the first temporary key; the cloud server authenticates that signature based on the user key account and the session policy information and, in response to the authentication passing, sends the user end the second response information answering the cloud service request information, which the user end receives. This reduces the interaction between the client server and the cloud server and the load on the cloud server: the cloud server need not deploy a high-performance service to absorb heavy traffic, and the cloud's IAM service is spared the performance cost of per-request temporary-key requests.
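The exchange of steps 701 to 707 above, together with the cloud-side check of steps 501 to 505, as an added worked example in Python (example code, not the patent's or the applicant's own implementation). Everything not named in the patent is an assumption of this example: HMAC-SHA256 stands in for the "signature" of the access control list and of the request; a small encrypt-then-MAC construction built from HMAC-SHA256 stands in for the DES/3DES/AES encryption of the session policy so that the example runs on the standard library alone; the access control list carries an expiry, and the cloud enforces it and the resource list; the user key account, the session table and the keys are constructed sample data. The first and second session keys are modelled as one shared symmetric key, which is what the same key being used for encryption and decryption on both sides amounts to.

```python
"""Added example, not the patent's code: the temporary-credential flow of
steps 701-707 with the cloud-side signature check of steps 501-505.
Assumptions beyond the patent: HMAC-SHA256 is the symmetric "signature";
the session-policy cipher is a stdlib stand-in for AES (HMAC-SHA256 keystream
in counter mode, encrypt-then-MAC); the ACL carries an expiry that the cloud
enforces along with the resource list. All sample data is constructed."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data. The first and second session keys of the patent are
# one shared symmetric key; the cloud looks it up by user key account.
USER_KEY_ACCOUNT = "ak-example-customer"        # hypothetical identifier
SESSION_KEY = bytes.fromhex("9f" * 32)            # hypothetical 256-bit key
CLOUD_SESSION_KEYS = {USER_KEY_ACCOUNT: SESSION_KEY}
VALID_SESSIONS = {"sess-123": "alice"}            # client server's session table
NONCE_LEN, TAG_LEN = 16, 32

def _canonical(obj):
    """Deterministic encoding so both sides sign identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _subkey(session_key, label):
    """Domain-separated subkeys so encryption, MAC and sk derivation never collide."""
    return hmac.new(session_key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_policy(session_key, acl_bytes):
    """Session policy = Enc(session key, ACL); authenticated so a tampered
    policy is rejected before the cloud parses it."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(session_key, b"policy-enc"), nonce, len(acl_bytes))
    ct = bytes(a ^ b for a, b in zip(acl_bytes, stream))
    tag = hmac.new(_subkey(session_key, b"policy-mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_policy(session_key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(session_key, b"policy-mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("session policy tampered")
    stream = _keystream(_subkey(session_key, b"policy-enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def temporary_key(session_key, acl_bytes):
    """sk = Sign(session key, ACL). Run by both sides, which is what lets the
    cloud rederive sk from the policy instead of asking the IAM to issue it."""
    return hmac.new(_subkey(session_key, b"temp-key"), acl_bytes, hashlib.sha256).digest()

def sign_request(temp_key, request):
    return hmac.new(temp_key, _canonical(request), hashlib.sha256).hexdigest()

def issue_credentials(session_id, resources, now=None, ttl=900):
    """Client server, steps 701-703: check the session id, then issue the
    user key account, sk and session policy (expiry is an addition)."""
    user = VALID_SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("session identifier not recognised")
    now = time.time() if now is None else now
    acl_bytes = _canonical({"user": user, "resources": sorted(resources), "exp": now + ttl})
    return {"user_key_account": USER_KEY_ACCOUNT,
            "sk": temporary_key(SESSION_KEY, acl_bytes),
            "session_policy": encrypt_policy(SESSION_KEY, acl_bytes)}

def build_cloud_request(creds, request):
    """User end, step 704: sign the request with sk, attach account and policy."""
    return {"user_key_account": creds["user_key_account"],
            "session_policy": creds["session_policy"],
            "request": request,
            "signature": sign_request(creds["sk"], request)}

def authenticate(msg, now=None):
    """Cloud server / IAM, steps 501-505. Returns True only on authentication pass."""
    session_key = CLOUD_SESSION_KEYS.get(msg["user_key_account"])      # step 501
    if session_key is None:
        return False
    try:
        acl_bytes = decrypt_policy(session_key, msg["session_policy"])
    except ValueError:
        return False
    acl = json.loads(acl_bytes)
    now = time.time() if now is None else now
    if now >= acl["exp"] or msg["request"].get("resource") not in acl["resources"]:
        return False                                                   # added checks
    sk2 = temporary_key(session_key, acl_bytes)                        # step 502
    expected = sign_request(sk2, msg["request"])                       # step 503
    return hmac.compare_digest(expected, msg["signature"])             # steps 504-505

if __name__ == "__main__":
    creds = issue_credentials("sess-123", ["videos/a.mp4"])
    msg = build_cloud_request(creds, {"method": "GET", "resource": "videos/a.mp4"})
    print("authenticated:", authenticate(msg))
```

Over HTTP the session policy and the signature would travel as hex or base64 strings; the in-process dictionaries are enough to show the point, which is that the cloud server never stores sk and never asks the IAM to issue it. It rederives sk from the policy and the shared session key, so a policy that has been altered, a request outside the policy, or a request signed with anything other than the sk bound to that exact policy fails the comparison in steps 504 and 505.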
  • FIG. 8 shows an exemplary structural diagram of an authentication system according to an embodiment of the present application.
  • The authentication system includes a user end 810, a client server 820 and a cloud server 830.
  • The user end 810 is configured to: send the client server the first-temporary-key allocation request information, the allocation request information carrying the session identifier used to verify the user's identity; receive the first response information that the client server sends in answer to the allocation request information once the user's identity is verified, the first response information including a user key account used to identify the client to the cloud server, a first temporary key obtained by signing, with the first session key, the access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key the client server holds for its session with the cloud server; and send the cloud server cloud service request information generated from the first response information, the cloud service request information carrying the user key account, the session policy information and the signature of the cloud service request information generated with the first temporary key.
  • The first response information is produced by the client server after it verifies the allocation request information: in response to the verification passing, it generates the access control list describing the user's rights and derives the first temporary key and the session policy information from that list and the session key it holds for its session with the cloud server.
  • The user end 810 also receives the second response information with which the cloud server answers the cloud service request information.
  • The client server 820 is configured to receive the allocation request information, verify the user's identity from the session identifier carried in the allocation request information and, in response to the user's identity passing verification, generate the first response information answering the allocation request information and send it to the user end.
  • The first response information it generates and sends is the same information as the first response information received by the user end 810, and includes: a user key account used to identify the client to the cloud server; a first temporary key obtained by signing, with the first session key, the access control list that describes the user's rights; and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key the client server holds for its session with the cloud server.
  • The cloud server 830 is configured to authenticate the signature of the received cloud service request information based on the received user key account and session policy information and, in response to the authentication passing, send the user end the second response information answering the cloud service request information.
  • The cloud server 830 is further configured to verify the client's identity based on the user key account; in response to the client's identity being verified, obtain the second temporary key based on the session policy information and the second session key, the second session key being the session key the cloud server holds for its session with the client server; compute the signature of the cloud service request information with the second temporary key; compare the signature of the received cloud service request information with the computed signature; and, in response to the comparison result being the same, determine that the authentication result is pass.
  • The cloud server 830 is further configured to decrypt the session policy information with the second session key to obtain the access control list, and to sign the obtained access control list with the second session key to obtain the second temporary key.
  • The user end, client server and cloud server of the system 800 correspond to the operation steps of the user end, client server and cloud server in the methods described with reference to FIGS. 2 to 7.
  • The operations and features described above for the authentication method apply equally to the system 800 and the units it contains, and are not repeated here.
  • In the authentication system provided by the foregoing embodiment, the user end sends the first-temporary-key allocation request information to the client server; after verifying the allocation request information, the client server generates and sends the user end the first response information containing the user key account, the first temporary key and the session policy information; the user end sends the cloud server cloud service request information generated from the first response information, carrying the user key account, the session policy information and the signature of the cloud service request information generated with the first temporary key; and the cloud server authenticates that signature based on the user key account and the session policy information and, after authentication passes, sends the user end the second response information answering the cloud service request information.
  • The authentication method of this embodiment reduces the interaction between the client server and the cloud server and reduces the authentication load on the cloud server.
  • The first temporary key and the second temporary key denote temporary keys generated by two different parties, each by the same derivation from the session key it holds; the temporary key so obtained is used to sign, and respectively to verify, the cloud service request information. The first response information and the second response information are different: the former is the client server's answer to the user end's first-temporary-key allocation request information, the latter the cloud server's answer to the user end's cloud service request information. The first session key and the second session key are, respectively, the session key held by the client server for its session with the cloud server and the session key held by the cloud server for its session with the client server; both are symmetric keys, the same key being used for encryption and decryption, so in effect the two sides hold one shared key.
  • FIG. 9 shows a schematic structural diagram of a computer system 900 suitable for implementing the terminal device or the server of the embodiments of the present application.
  • The computer system 900 includes a central processing unit (CPU) 901, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 902 or a program loaded from a storage portion 908 into a random access memory (RAM) 903.
  • The RAM 903 also stores the various programs and data required for the operation of the system 900.
  • the CPU 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904.
  • An input/output (I/O) interface 905 is also coupled to bus 904.
  • The following components are connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse and the like; an output portion 907 including, for example, a cathode ray tube (CRT) or liquid crystal display (LCD) and the like; a storage portion 908 including a hard disk and the like; and a communication portion 909 including a network interface card such as a LAN card or a modem. The communication portion 909 performs communication processing via a network such as the Internet.
  • A drive 910 is also connected to the I/O interface 905 as needed.
  • A removable medium 911, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 910 as needed, so that a computer program read from it can be installed into the storage portion 908 as needed.
  • embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine readable medium, the computer program comprising program code for executing the method illustrated in the flowchart.
  • the computer program can be downloaded and installed from the network via the communication portion 909, and/or installed from the removable medium 911.
  • Each block in the flowchart or block diagram may represent a module, a program segment or a portion of code, which includes one or more executable instructions.
  • The functions noted in the blocks may also occur in an order different from that shown in the drawings. For example, two successively represented blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending upon the functionality involved.
  • the present application further provides a computer readable storage medium, which may be a computer readable storage medium included in the apparatus in the foregoing embodiment, or may exist separately and not assembled.
  • the computer readable storage medium stores one or more programs that are used by one or more processors to perform the authentication methods described herein.

Abstract

Disclosed are an authentication method and an authentication system. The authentication method comprises: a client sends first-temporary-key allocation request information to a server; after verifying the allocation request information, the server generates first response information comprising a user key account, a first temporary key, and session strategy information, and sends the first response information to the client; the client sends a cloud service request information that is generated based on the first response information, to a cloud server, the cloud service request information carrying the user key account, the session strategy information, and a signature of the cloud service request information that is generated by using the first temporary key; and the cloud server authenticates, based on the user key account and the session strategy information, the signature of the cloud service request information, and sends second response information for responding to the cloud service request information, to the client after authentication succeeds. By using the authentication method in the implementation manners of the present application, an interaction procedure between a server and a cloud server is simplified, and an authentication pressure on the cloud server is reduced.

Description

Authentication method and authentication system
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 201510471383.5, filed on August 4, 2015, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computer network technology, in particular to computer network authentication technology, and more particularly to an authentication method and an authentication system.
Background
In public cloud services, a customer (such as a website owner) needs to give users (such as Internet users) direct access, from a web page or application, to resources stored in the cloud (such as audio and video), so as to avoid the needless network transfer of routing the data through the customer's own server. To guarantee security, the application programming interface exposed by cloud storage authenticates requests by signing them with a public/private key pair, so a web page or application that accesses it must be configured with those keys. But web pages and applications are distributed to users (Internet users), so there is a risk that a malicious user extracts the customer's key and then acts under the customer's identity to cause damage.
In the prior art, leakage of the customer's key in a public cloud service can be avoided in two ways: 1. The customer is allowed to distribute a fragment of the key to the web page or application, and the cloud storage server opens a special authentication mechanism for the interfaces such web pages or applications need; the web page or application then signs its requests with only the key fragment in order to access the resources. 2. A temporary-key mechanism is used: the web page or application first requests a short-lived key from the customer's server and accesses the cloud service with that short-lived key.
However, these two techniques carry the following risks: 1. With the key-fragment authorization mechanism, the set of interfaces the cloud service opens to key-fragment signatures is fixed; when the customer has a new requirement to grant temporary access to an additional interface, the cloud server's configuration must be upgraded, and once a malicious user obtains the key fragment these open interfaces are effectively fully open to that user, so the customer's data can still be damaged. 2. With the temporary-key mechanism, every time the web page or application requests a temporary key from the customer's server, that server must apply to the cloud's Identity and Access Management (IAM) system; when the customer's traffic grows or its business logic is poor (for example, requesting temporary keys repeatedly), the IAM comes under excessive load, which affects the basic authentication service.
Summary of the invention
In view of the above drawbacks or deficiencies of the prior art, it is desirable to provide a scheme with good security and little load on the cloud service and its authentication. To achieve one or more of the above objectives, the present application provides an authentication method and an authentication system.
In a first aspect, the present application provides an authentication method for the user end of an authentication system, the authentication system including a user end, a client server and a cloud server, the method including: sending the client server first-temporary-key allocation request information, the allocation request information carrying a session identifier used to verify the user's identity; receiving the first response information that the client server sends in answer to the allocation request information once the user's identity passes verification, the first response information including: a user key account used to identify the client (the customer) to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server; sending the cloud server cloud service request information generated from the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; and receiving second response information that the cloud server sends in answer to the cloud service request information, where the second response information is obtained as follows: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends the user end the second response information answering the cloud service request information.
In a second aspect, the present application provides a method by which the client server of an authentication system generates the first response information, the authentication system including a user end, a client server and a cloud server, the method including: receiving first-temporary-key allocation request information sent by the user end, the allocation request information carrying a session identifier used to verify the user's identity; verifying the user's identity based on the session identifier; in response to the user's identity passing verification, generating first response information answering the allocation request information, where the first response information includes: a user key account used to identify the client to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's rights, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server; and sending the first response information to the user end.
In a third aspect, the present application provides an authentication method for the cloud server of an authentication system, the authentication system including a user end, a client server and a cloud server, the method including: receiving a user key account, session policy information and cloud service request information signed with a first temporary key, all sent by the user end, where the first temporary key is obtained by the client server by signing, with a first session key, an access control list describing the user's rights, the user key account is generated by the client server to identify the client to the cloud server, the session policy information is obtained by the client server by encrypting the access control list with the first session key, and the first session key is the session key held by the client server for its session with the cloud server; authenticating the signature of the received cloud service request information based on the user key account and the session policy information; and, in response to the authentication passing, sending the user end second response information answering the cloud service request information.
In a fourth aspect, the present application provides an authentication method for an authentication system, the authentication system including a user terminal, a client server and a cloud server. The method includes: the user terminal sends allocation request information for a first temporary key to the client server, the allocation request information carrying a session identity identifier used to verify the user's identity; the client server receives the allocation request information, verifies the user's identity based on the session identity identifier and, in response to the user's identity passing verification, generates first response information in response to the allocation request information and sends the first response information to the user terminal, where the first response information includes: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server; the user terminal, in response to receiving the first response information, sends to the cloud server cloud service request information generated from the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; and the cloud server authenticates the signature of the received cloud service request information based on the received user key account and session policy information and, in response to the authentication passing, sends second response information to the user terminal in response to the cloud service request information.
In a fifth aspect, the present application provides a user terminal for an authentication system, the user terminal being configured to: send allocation request information for a first temporary key to the client server, the allocation request information carrying a session identity identifier used to verify the user's identity; receive first response information that the client server sends in response to the allocation request information once the user's identity has passed verification, the first response information including: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server; send to the cloud server cloud service request information generated from the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; and receive second response information sent by the cloud server in response to the cloud service request information, where the second response information is obtained by the following steps: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends the second response information to the user terminal in response to the cloud service request information.
In a sixth aspect, the present application provides a client server for an authentication system, the client server being configured to: receive allocation request information for a first temporary key sent by the user terminal, the allocation request information carrying a session identity identifier used to verify the user's identity; verify the user's identity based on the session identity identifier; in response to the user's identity passing verification, generate first response information in response to the allocation request information, where the first response information includes: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server; and send the first response information to the user terminal.
In a seventh aspect, the present application provides a cloud server for an authentication system, the cloud server being configured to: receive, from the user terminal, a user key account, session policy information and cloud service request information signed with a first temporary key, where the first temporary key is obtained by the client server signing, with a first session key, an access control list describing the user's permissions, the user key account is generated by the client server to confirm the client's identity to the cloud server, the session policy information is obtained by the client server encrypting the access control list with the first session key, and the first session key is the session key held by the client server for its session with the cloud server; authenticate the signature of the received cloud service request information based on the user key account and the session policy information; and, in response to the authentication passing, send second response information to the user terminal in response to the cloud service request information.
In an eighth aspect, the present application provides an authentication system, the authentication system including: a user terminal, configured to send allocation request information for a first temporary key to the client server, the allocation request information carrying a session identity identifier used to verify the user's identity; to receive first response information that the client server sends in response to the allocation request information once the user's identity has passed verification, the first response information including: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server; and to send to the cloud server cloud service request information generated from the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; a client server, configured to receive the allocation request information, verify the user's identity based on the session identity identifier and, in response to the user's identity passing verification, generate first response information in response to the allocation request information and send the first response information to the user terminal; and a cloud server, configured to authenticate the signature of the received cloud service request information based on the received user key account and session policy information and, in response to the authentication passing, send second response information to the user terminal in response to the cloud service request information.
In the authentication method and authentication system provided by the present application, the user terminal sends allocation request information for a first temporary key to the client server; the client server, after verifying the allocation request information, generates and sends to the user terminal first response information including a user key account, the first temporary key and session policy information; the user terminal sends to the cloud server cloud service request information generated from the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; and the cloud server authenticates the signature of the cloud service request information based on the user key account and the session policy information and, once the authentication passes, sends second response information to the user terminal in response to the cloud service request information. The authentication method of the embodiments of the present application reduces the interaction between the client server and the cloud server and lowers the authentication load on the cloud server.
DESCRIPTION OF THE DRAWINGS
Other features, objects and advantages of the present application will become more apparent from reading the detailed description of non-limiting embodiments given with reference to the following drawings:
FIG. 1 shows an exemplary system architecture to which embodiments of the present application may be applied;
FIG. 2 is a schematic flowchart of an authentication method performed by the user terminal of an authentication system according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of a method performed by the client server of an authentication system for generating first response information according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of an authentication method performed by the cloud server of an authentication system according to an embodiment of the present application;
FIG. 5 is an exemplary flowchart of a method for authenticating the signature of cloud service request information according to an embodiment of the present application;
FIG. 6 is an exemplary flowchart of an authentication method for an authentication system according to an embodiment of the present application;
FIG. 7 is an exemplary flowchart of a specific application scenario of an authentication method for an authentication system according to an embodiment of the present application;
FIG. 8 is an exemplary structural diagram of an authentication system according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a computer system suitable for implementing the terminal device or server of an embodiment of the present application.
DETAILED DESCRIPTION
The present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the related invention and do not limit it. It should also be noted that, for ease of description, only the parts related to the invention are shown in the drawings.
It should be noted that the embodiments in the present application, and the features in those embodiments, may be combined with one another as long as they do not conflict. The present application is described in detail below with reference to the drawings and in conjunction with the embodiments.
FIG. 1 shows an exemplary system architecture 100 to which embodiments of the present application may be applied.
As shown in FIG. 1, the system architecture 100 may include terminal devices 101 and 102, a network 103, a client server 104 and a cloud server 105. The network 103 is the medium that provides communication links between the terminal devices 101 and 102, the client server 104 and the cloud server 105. The network 103 may include various connection types, such as wired or wireless communication links or fiber-optic cables.
A user 110 may use the terminal devices 101 and 102 to interact with the client server 104 and the cloud server 105 over the network 103, for example to send or receive information. Various web pages or applications, such as video players and online game applications, may be installed on the terminal devices 101 and 102.
The terminal devices 101 and 102 may be various electronic devices, including but not limited to personal computers, smartphones, smart watches, tablet computers and personal digital assistants.
The client server 104 and the cloud server 105 may be servers that provide various services. A server may store, analyze and otherwise process the data it receives and return the processing results to other servers or terminal devices.
It should be noted that in the authentication method and authentication system provided by the embodiments of the present application, the role of the user terminal may be performed by the terminal devices 101 and 102, the role of the client server by the client server 104, and the role of the cloud server by the cloud server 105. It should be understood that the numbers of terminal devices, networks and servers in FIG. 1 are merely illustrative; there may be any number of terminal devices, networks and servers as the implementation requires.
The authentication method for an authentication system according to embodiments of the present application is described below with reference to FIG. 2 to FIG. 7. In the embodiments of the present application, the authentication system may include a user terminal, a client server and a cloud server.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of an authentication method performed by the user terminal of an authentication system according to an embodiment of the present application.
As shown in FIG. 2, the authentication method performed by the user terminal of the authentication system may include the following steps.
First, in step 201, allocation request information for a first temporary key is sent to the client server, the allocation request information carrying a session identity identifier used to verify the user's identity.
In this embodiment, the allocation request information for the first temporary key is used to ask the client server to allocate a set of temporary keys. The allocation request information carries a session identity identifier (sessionid) that provides the client server with valid proof of the user's identity.
Next, in step 202, first response information, sent by the client server in response to the allocation request information once the user's identity has passed verification, is received.
In this embodiment, the client server verifies the user's identity based on the session identity identifier carried in the received allocation request information. Once verification passes, it treats the allocation request information sent by the user terminal as valid, allocates to the user a user key account (access key id, abbreviated ak) used to confirm the client's identity to the cloud server, determines from the user's identity an access control list (ACL) describing the user's permissions (the ACL records the effective and expiry times), signs the access control list with the session key it holds for its session with the cloud server (the first session key) to obtain a first temporary key (access key secret, abbreviated sk), encrypts the access control list with that session key to obtain session policy information (session policy), and finally sends the user key account, the first temporary key and the session policy information to the user terminal as the first response information. Signing the access control list may be implemented with a digital signature algorithm, for example with one of the cryptographic hash functions of the SHA family of secure hash algorithms; encrypting the access control list may use a standard cipher, for example the Data Encryption Standard (DES), Triple DES (3DES), which encrypts the data three times with three 64-bit keys, or the Advanced Encryption Standard (AES).
After the client server sends the first response information, the user terminal can receive that first response information (comprising ak, sk and the session policy).
Then, in step 203, cloud service request information generated from the first response information is sent to the cloud server, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key.
In this embodiment, the cloud service request information is used to request resources from the cloud. The user terminal (the entity that sends the request may be a web page or application on the user terminal) signs the cloud service request information with the first temporary key, attaches the user key account to confirm the user's identity and the session policy information as additional authentication data, and sends it to the cloud server.
Then, in step 204, second response information sent by the cloud server in response to the cloud service request information is received.
In this embodiment, after receiving the cloud service request, the cloud server sends the first response information to the user terminal through the following steps: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends second response information to the user terminal in response to the cloud service request information.
When the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information, the cloud service asks the Identity and Access Management (IAM) system to authenticate the signature made with the first temporary key. IAM computes a second temporary key from the user key account and the session policy information, computes a signature with the second temporary key, and compares the computed signature with the received signature; if the two are identical, the received signature passes authentication and the authentication result is returned to the cloud service, which responds to the cloud service request and sends the second response information to the user terminal.
The user terminal thus receives the second response information sent by the cloud server to the user terminal in response to the cloud service request information.
In the authentication method performed by the user terminal of an authentication system provided by the above embodiment of the present application, the user terminal sends allocation request information for a first temporary key to the client server, receives first response information sent by the client server in response to the allocation request information, sends to the cloud server cloud service request information generated from the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key, and receives second response information sent by the cloud server to the user terminal in response to the cloud service request information. This reduces the interaction between the client server and the cloud server and lowers the load on the cloud server: the cloud server need not deploy a high-performance service able to bear heavy traffic, and the performance damage that excessive temporary key requests would cause to the cloud's IAM service is avoided.
Referring to FIG. 3, FIG. 3 is a schematic flowchart of a method performed by the client server of an authentication system for generating first response information according to an embodiment of the present application.
As shown in FIG. 3, the method for generating first response information performed by the client server of the authentication system may include the following steps.
First, in step 301, allocation request information for a first temporary key sent by the user terminal is received, the allocation request information carrying a session identity identifier used to verify the user's identity.
In this embodiment, the allocation request information for the first temporary key is used to ask the client server to allocate a set of temporary keys. The session identity identifier (sessionid) carried in the allocation request information provides the client server with a valid identity credential for the user.
Next, in step 302, the user's identity is verified based on the session identity identifier.
In this embodiment, the session identity identifier can provide a valid identity credential for the user. The client server compares the user's identity credential thus provided with the user's identity credential it holds on record; if the two match, the user's identity passes verification.
During actual identity verification, if the session identity identifier indicates that the user is not logged in, the user can be redirected to a login page provided by the client server or to a third-party login page to log in.
Then, in step 303, in response to the user's identity passing verification, first response information is generated in response to the allocation request information.
The first response information includes: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list describing the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server.
In this embodiment, the client server verifies the user's identity based on the session identity identifier carried in the received allocation request information. Once verification passes, it treats the allocation request information sent by the user terminal as valid, allocates to the user a user key account (access key id, abbreviated ak) used to confirm the client's identity to the cloud server, determines from the user's identity an access control list (ACL) describing the user's permissions (the ACL should record the effective and expiry times), signs the access control list with the session key it holds for its session with the cloud server to obtain a first temporary key (access key secret, abbreviated sk), encrypts the access control list with that session key to obtain session policy information (session policy), and finally sends the user key account, the first temporary key and the session policy information to the user terminal as the first response information. Signing the access control list may be implemented with a digital signature algorithm, for example with one of the cryptographic hash functions of the SHA family of secure hash algorithms; encrypting the access control list may use a standard cipher, for example the Data Encryption Standard (DES), Triple DES (3DES), which encrypts the data three times with three 64-bit keys, or the Advanced Encryption Standard (AES).
Then, in step 304, the first response information is sent to the user terminal.
In this embodiment, after receiving the cloud service request, the cloud server sends the first response information to the user terminal through the following steps: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends second response information to the user terminal in response to the cloud service request information.
In the method for generating first response information performed by the client server of an authentication system provided by the above embodiment of the present application, the client server receives allocation request information for a first temporary key sent by the user terminal, the allocation request information carrying a session identity identifier used to verify the user's identity, verifies the user's identity based on the session identity identifier and, in response to the user's identity passing verification, generates first response information in response to the allocation request information, thereby providing the user terminal with credentials for accessing the cloud service. The cloud server need not deploy a high-performance service able to bear heavy traffic, and the performance damage that excessive temporary key requests would cause to the cloud's IAM service is avoided.
Refer to FIG. 4, which shows a schematic flowchart of an authentication method for the cloud server of the authentication system according to an embodiment of the present application.
As shown in FIG. 4, the authentication method for the cloud server of the authentication system may include:
First, in step 401, receiving the user key account, the session policy information and the cloud service request information signed with the first temporary key, all sent by the user end.
Here, the first temporary key is obtained by the client server signing, with the first session key, an access control list that describes the user's permissions; the user key account is generated by the client server to confirm the client's identity to the cloud server; the session policy information is obtained by the client server encrypting the access control list with the first session key; and the first session key is the session key held by the client server for its session with the cloud server.
Next, in step 402, the signature of the received cloud service request information is authenticated based on the user key account and the session policy information.
When the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information, the cloud service submits the signature made with this first temporary key to the Identity and Access Management (IAM) system for authentication. IAM computes a second temporary key from the user key account and the session policy information, computes a signature with the second temporary key, and compares the computed signature with the received signature; when the comparison shows they are identical, the received signature passes authentication.
Then, in step 403, in response to the authentication passing, second response information responding to the cloud service request information is sent to the user end.
In this embodiment, when IAM's authentication of the signature of the cloud service request information passes, the authentication result is returned to the cloud service, and the cloud service sends the second response information generated in response to the cloud service request to the client.
The authentication method for the cloud server of the authentication system provided by the above embodiment of the present application authenticates the signature of the received cloud service request information using the received user key account and session policy information and, in response to the authentication passing, sends second response information responding to the cloud service request information to the user end, thereby providing the service to the user end. This reduces the interaction between the cloud server and the client server, removes the need for the cloud server to deploy a high-performance service that bears heavy traffic pressure, avoids the performance damage done to the cloud's IAM service when there are too many temporary key requests, and so lowers the performance requirements on the cloud server.
With further reference to FIG. 5, FIG. 5 shows an exemplary flowchart of a method for authenticating the signature of the cloud service request information according to an embodiment of the present application.
As shown in FIG. 5, the method for authenticating the signature of the cloud service request information includes:
First, in step 501, the client's identity is verified based on the user key account.
Next, in step 502, in response to the client's identity passing verification, a second temporary key is obtained based on the session policy information and a second session key, where the second session key is the session key held by the cloud server for its session with the client server.
In this embodiment, the method steps for obtaining the second temporary key from the session policy information and the second session key are the same as the client server's steps for generating the first temporary key: first the session policy information is decrypted with the second session key to obtain the access control list; then the obtained access control list is signed with the second session key to obtain the second temporary key.
Then, in step 503, the signature of the cloud service request information is computed using the second temporary key.
In this embodiment, the process of computing the signature of the cloud service request information with the second temporary key is the same as the process by which the user end signs the cloud service request information with the first temporary key. The signature can be implemented with a variety of signature methods, for example RSA signatures and hash signatures.
Then, in step 504, the received signature of the cloud service request information is compared with the computed signature of the cloud service request information.
Then, in step 505, in response to the comparison showing that they are identical, the authentication result is determined to be that the authentication passes.
The method for authenticating the signature of the cloud service request information provided by the above example, after verifying the client's identity with the user key account, obtains a second temporary key based on the session policy information and the second session key, where the second session key is the session key held by the cloud server for its session with the client server; then computes the signature of the cloud service request information with the second temporary key; then compares the received signature with the computed signature and, in response to them being identical, determines that the authentication passes. The signature is thus authenticated simply and quickly, improving authentication efficiency.
Refer to FIG. 6, which shows an exemplary flowchart of an authentication method for the authentication system according to an embodiment of the present application.
As shown in FIG. 6, the authentication method for the authentication system includes:
First, in step 601, the user end sends allocation request information for a first temporary key to the client server, the allocation request information carrying a session identity identifier used to verify the user's identity.
In this embodiment, the allocation request information for the first temporary key is used to request that the client server allocate a set of temporary keys. The allocation request information carries a session identity identifier (sessionid) that provides the client server with valid proof of the user's identity.
Next, in step 602, the client server receives the allocation request information and verifies the user's identity based on the session identity identifier; and, in response to the user's identity passing verification, generates first response information responding to the allocation request information and sends the generated first response information to the user end.
Here, the first response information includes: a user key account used to confirm the client's identity to the cloud server; a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions; and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server.
In this embodiment, the client server verifies the user's identity based on the session identity identifier carried in the received allocation request information. Once verification passes, the allocation request information sent by the user end is deemed valid, and the client server allocates to the user a user key account (access key id, abbreviated ak) used to confirm the client's identity to the cloud server; determines, according to the user's identity, an access control list describing the user's permissions (ACL; the ACL should state the times at which it takes effect and expires); signs the access control list with the session key it holds for its session with the cloud server to obtain a first temporary key (access key secret, abbreviated sk); encrypts the access control list with the same session key to obtain session policy information (session policy); and finally sends the user key account, the first temporary key and the session policy information to the user end as the first response information. Signing the access control list can be implemented with a digital signature algorithm, for example with one of the family of cryptographic hash functions of the Secure Hash Algorithm (SHA); encrypting the access control list can use a standard encryption algorithm, for example the Data Encryption Standard (DES), Triple DES (3DES), which encrypts the data three times with three 64-bit keys, or the Advanced Encryption Standard (AES).
In this embodiment, the session identity identifier can provide valid identity credentials for the user; the client server compares the user's provided identity credentials with the user's identity credentials it holds on record, and if they match, the user's identity passes verification.
During actual identity verification, if the session identity identifier indicates that the user is not logged in, the user can be redirected to a login page provided by the client server or to a third-party login page to log in.
Then, in step 603, in response to receiving the first response information, the user end sends cloud service request information generated from the first response information to the cloud server, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key.
In this embodiment, the cloud service request information is used to request resources from the cloud. The user end (the executing entity may be a web page or an application running on the user end) signs the cloud service request information with the first temporary key, attaches the user key account to confirm the user's identity, attaches the session policy information as additional authentication data, and sends the result to the cloud server.
Then, in step 604, the cloud server authenticates the signature of the received cloud service request information based on the received user key account and session policy information and, in response to the authentication passing, sends second response information responding to the cloud service request information to the user end.
In this embodiment, the signature of the received cloud service request information is authenticated with the same method as the method for authenticating the signature of the cloud service request information described above with reference to FIG. 5, which is not repeated here.
As shown in FIG. 7, in one specific application scenario of this embodiment, the authentication method may include the following steps:
Step 701: the user, through the user end, sends request information requesting allocation of a first temporary key to the client server, the request information carrying a session identity identifier used to verify the user's identity;
Step 702: the client server receives the allocation request information and, after verifying the user's identity based on the session identity identifier carried in the allocation request information, generates first response information, which includes: a user key account used to confirm the client's identity to the cloud server; a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions; and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server;
Step 703: the client server returns the first response information to the user end;
Step 704: the user end sends the user key account, the session policy information and the cloud service request information signed with the first temporary key to the cloud service of the cloud server;
Step 705: the cloud service submits the user key account, the session policy information and the cloud service request information signed with the first temporary key to IAM for authentication;
Step 706: IAM returns a successful authentication result to the cloud service;
Step 707: the cloud service returns second response information responding to the cloud service request information to the user end.
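The flow of FIG. 5 through FIG. 7 (steps 501-505, 601-604 and 701-707) carried through in working code, as an added example that is not part of the patent or the applicant's code. It assumes HMAC-SHA256 for both the ACL signature that yields sk and the request signature (the patent allows hash-based signatures), substitutes an HMAC-SHA256 counter-mode keystream for the DES/3DES/AES encryption of the ACL so that only the Python standard library is needed, and assumes that the user key account (ak) embeds a customer identifier that lets the cloud server look up its copy of the session key; the session key, the session-id store and all request values are constructed.

```python
"""Three-party temporary-key flow: client server -> user end -> cloud server (added example)."""
import hashlib
import hmac
import json
import secrets

# Constructed shared symmetric session key: the client server holds it as the "first
# session key", the cloud server holds the same key as the "second session key".
SESSION_KEY = bytes.fromhex("6a0b8f2d4c1e9b7a5d3f1e2c4b6a8d9f0e1c2b3a4d5e6f708192a3b4c5d6e7f8")
NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stdlib-only stream cipher.
    Assumption: stands in for the DES/3DES/AES the patent names for the ACL."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_acl(session_key: bytes, acl_bytes: bytes) -> bytes:
    """session policy = Enc(session_key, ACL); a fresh random nonce is prepended."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(session_key, nonce, len(acl_bytes))
    return nonce + bytes(a ^ b for a, b in zip(acl_bytes, ks))

def decrypt_acl(session_key: bytes, session_policy: bytes) -> bytes:
    nonce, ct = session_policy[:NONCE_LEN], session_policy[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(session_key, nonce, len(ct))))

def derive_temp_key(session_key: bytes, acl_bytes: bytes) -> bytes:
    """sk = Sign(session_key, ACL) as a hash-based (HMAC) signature, which the patent permits.
    Being deterministic, client server and cloud server derive the same sk independently."""
    return hmac.new(session_key, acl_bytes, hashlib.sha256).digest()

def sign_request(temp_key: bytes, op: str, body: bytes) -> bytes:
    """Signature of the cloud service request information under the temporary key."""
    return hmac.new(temp_key, op.encode() + b"\n" + body, hashlib.sha256).digest()

class ClientServer:
    """Steps 601-602 / 701-703: checks the session id, issues (ak, sk, session policy)."""

    def __init__(self, customer_id: str, session_key: bytes, logged_in: dict):
        self.customer_id = customer_id
        self.session_key = session_key
        self.logged_in = logged_in  # sessionid -> user name (constructed session store)

    def allocate(self, session_id: str, permissions: list, ttl: int, now: int):
        user = self.logged_in.get(session_id)
        if user is None:
            return None  # not logged in: the patent redirects to a login page here
        # Assumption: ak embeds the customer id so the cloud can find its matching session key.
        ak = f"{self.customer_id}-{secrets.token_hex(8)}"
        # The ACL carries the validity window the patent says it should describe.
        acl = {"ak": ak, "user": user, "perm": sorted(permissions), "nbf": now, "exp": now + ttl}
        acl_bytes = json.dumps(acl, sort_keys=True).encode()
        return {"ak": ak,
                "sk": derive_temp_key(self.session_key, acl_bytes),
                "session_policy": encrypt_acl(self.session_key, acl_bytes)}

def build_cloud_request(creds: dict, op: str, body: bytes) -> dict:
    """Steps 603 / 704: the user end signs with sk and attaches ak plus the session policy."""
    return {"ak": creds["ak"], "session_policy": creds["session_policy"], "op": op,
            "body": body, "sig": sign_request(creds["sk"], op, body)}

class CloudServer:
    """Steps 501-505 / 604 / 705-706: recomputes sk from its own session key, checks the signature."""

    def __init__(self, customer_keys: dict):
        self.customer_keys = customer_keys  # customer id -> second session key

    def authenticate(self, req: dict, now: int) -> bool:
        session_key = self.customer_keys.get(req["ak"].split("-", 1)[0])  # step 501
        if session_key is None:
            return False
        acl_bytes = decrypt_acl(session_key, req["session_policy"])        # step 502
        try:
            acl = json.loads(acl_bytes)
            # The ACL must belong to this ak, be inside its validity window and permit the op;
            # because sk is bound to the ACL, a tampered policy also yields a different sk2.
            ok = (acl["ak"] == req["ak"] and acl["nbf"] <= now < acl["exp"]
                  and req["op"] in acl["perm"])
        except (ValueError, KeyError, TypeError):  # garbage or malformed after tampering
            return False
        if not ok:
            return False
        sk2 = derive_temp_key(session_key, acl_bytes)
        expected = sign_request(sk2, req["op"], req["body"])               # step 503
        return hmac.compare_digest(expected, req["sig"])                   # steps 504-505

# Constructed parties: customer "cust1", whose client server shares SESSION_KEY with the cloud.
CLIENT_SERVER = ClientServer("cust1", SESSION_KEY, {"sess-7f3a": "alice"})
CLOUD_SERVER = CloudServer({"cust1": SESSION_KEY})

if __name__ == "__main__":
    creds = CLIENT_SERVER.allocate("sess-7f3a", ["get_object"], ttl=300, now=1000)
    req = build_cloud_request(creds, "get_object", b"GET /bucket/key")
    print("valid request:", CLOUD_SERVER.authenticate(req, now=1100))  # True
    print("after expiry: ", CLOUD_SERVER.authenticate(req, now=1400))  # False
```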
The authentication method for the authentication system provided by the above embodiment of the present application has the user end send allocation request information for a first temporary key to the client server; has the client server verify the user's identity according to the session identity identifier in the received allocation request information and, in response to the user's identity passing verification, generate first response information responding to the allocation request information and send it to the user end; has the user end receive the first response information responding to the allocation request information sent by the client server and send cloud service request information generated from the first response information to the cloud server, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; has the cloud server authenticate the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, send second response information responding to the cloud service request information to the user end; and has the user end receive the second response information responding to the cloud service request information that the cloud server sends to the user end. This reduces the interaction between the client server and the cloud server and lowers the load on the cloud server: the cloud server does not need to deploy a high-performance service that bears heavy traffic pressure, and the performance damage done to the cloud's IAM service when there are too many temporary key requests is avoided.
Refer to FIG. 8, which shows an exemplary structural diagram of an authentication system according to an embodiment of the present application.
As shown in FIG. 8, the authentication system includes a user end 810, a client server 820 and a cloud server 830.
The user end 810 is configured to send allocation request information for a first temporary key to the client server, the allocation request information carrying a session identity identifier used to verify the user's identity; to receive the first response information responding to the allocation request information that the client server sends in response to the user's identity passing verification, where the first response information includes a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, the first session key being the session key held by the client server for its session with the cloud server; and to send cloud service request information generated from the first response information to the cloud server, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key.
In this embodiment, the first response information is the first response information responding to the allocation request information that the client server generates and sends to the user end after verifying the allocation request information, generating, in response to the verification passing, an access control list that describes the user's permissions, and deriving the response from that access control list and the session key the client server holds for its session with the cloud server.
After sending to the cloud server the cloud service request information generated from the first response information, which carries the user key account, the session policy information and the signature of the cloud service request information generated with the first temporary key, the user end 810 can receive the second response information with which the cloud server responds to the allocation request information.
The client server 820 is configured to receive the allocation request information and verify the user's identity based on the session identity identifier carried in the allocation request information; and, in response to the user's identity passing verification, to generate first response information responding to the allocation request information and send the generated first response information to the user end.
In this embodiment, the first response information that is generated and sent in response to the allocation request information is the same information as the first response information received by the user end 810; it includes a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, where the first session key is the session key held by the client server for its session with the cloud server.
The cloud server 830 is configured to authenticate the signature of the received cloud service request information based on the received user key account and session policy information and, in response to the authentication passing, to send second response information responding to the cloud service request information to the user end.
In this embodiment, the cloud server 830 is further configured to verify the client's identity based on the user key account; in response to the client's identity passing verification, to obtain a second temporary key based on the session policy information and a second session key, where the second session key is the session key held by the cloud server for its session with the client server; to compute the signature of the cloud service request information with the second temporary key; to compare the received signature of the cloud service request information with the computed signature of the cloud service request information; and, in response to the comparison showing that they are identical, to determine that the authentication result is that the authentication passes.
The cloud server 830 is further configured to decrypt the session policy information with the second session key to obtain the access control list, and to sign the obtained access control list with the second session key to obtain the second temporary key.
It should be understood that the user end, client server and cloud server described in the apparatus 800 correspond to the operating steps of the user end, client server and cloud server described in the methods with reference to FIG. 2 to FIG. 7. The operations and features described above for the authentication method therefore apply equally to the apparatus 800 and the units it contains, and are not repeated here.
The authentication system provided by the above embodiment of the present application has the user end send allocation request information for a first temporary key to the client server; has the client server, after verifying the allocation request information, generate and send to the user end first response information that includes the user key account, the first temporary key and the session policy information; has the user end send to the cloud server cloud service request information generated from the first response information, which carries the user key account, the session policy information and a signature of the cloud service request information generated with the first temporary key; and has the cloud server authenticate the signature of the cloud service request information based on the user key account and the session policy information and, once the authentication passes, send second response information responding to the cloud service request information to the user end. The authentication method of the embodiments of the present application reduces the interaction between the client server and the cloud server and lowers the authentication load on the cloud server.
Those skilled in the art should understand that, in the above embodiments of the present application, the first temporary key and the second temporary key denote two temporary keys obtained separately by different executing entities, each applying the same key generation method to the session key it holds, and used to verify the signature of the cloud service request information; the first response information and the second response information are, respectively, the response information answering the user end's allocation request information for the first temporary key and the response information with which the cloud server answers the user end's cloud service request information, and the two are not the same; and of the first session key and the second session key, the former is the session key held by the client server for its session with the cloud server and the latter is the session key held by the cloud server for its session with the client server, the two being symmetric keys, with the same key used for encryption and decryption.
Refer now to FIG. 9, which shows a schematic structural diagram of a computer system 900 suitable for implementing the terminal device or server of the embodiments of the present application.
As shown in FIG. 9, the computer system 900 includes a central processing unit (CPU) 901, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 902 or a program loaded from a storage portion 908 into a random access memory (RAM) 903. The RAM 903 also stores various programs and data required for the operation of the system 900. The CPU 901, the ROM 902 and the RAM 903 are connected to one another through a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.
The following components are connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse and the like; an output portion 907 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker and the like; a storage portion 908 including a hard disk and the like; and a communication portion 909 including a network interface card such as a LAN card or a modem. The communication portion 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 910 as needed, so that a computer program read from it can be installed into the storage portion 908 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product that comprises a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for executing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 909 and/or installed from the removable medium 911.
The flowcharts and block diagrams in the figures illustrate the architecture, functions and operation of possible implementations of systems and methods according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the blocks may occur in an order different from that marked in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
As another aspect, the present application also provides a computer-readable storage medium, which may be the computer-readable storage medium included in the apparatus of the above embodiments, or may exist on its own without being assembled into a terminal. The computer-readable storage medium stores one or more programs, which are used by one or more processors to perform the authentication method described in the present application.
The above description is merely of preferred embodiments of the present application and of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the present application is not limited to technical solutions formed by the specific combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example technical solutions formed by replacing the above features with technical features of similar function disclosed in (but not limited to) the present application.

Claims (22)

  1. An authentication method for a client of an authentication system, the authentication system comprising a client, a client server and a cloud server, characterized in that the method comprises:
    sending, to the client server, allocation request information for a first temporary key, the allocation request information carrying a session identity identifier used to verify the user's identity;
    receiving first response information, sent by the client server in response to the allocation request information once the user's identity has been verified, the first response information comprising: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server;
    sending, to the cloud server, cloud service request information generated based on the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated using the first temporary key;
    receiving second response information sent by the cloud server in response to the cloud service request information, wherein the second response information is obtained by the following steps: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends to the client the second response information responding to the cloud service request information.
  2. A method for generating first response information, for a client server of an authentication system, the authentication system comprising a client, a client server and a cloud server, characterized in that the method comprises:
    receiving allocation request information for a first temporary key sent by the client, the allocation request information carrying a session identity identifier used to verify the user's identity;
    verifying the user's identity based on the session identity identifier;
    in response to the user's identity being verified, generating first response information responding to the allocation request information, wherein the first response information comprises: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server;
    sending the first response information to the client.
  3. An authentication method for a cloud server of an authentication system, the authentication system comprising a client, a client server and a cloud server, characterized in that the method comprises:
    receiving a user key account, session policy information and cloud service request information signed using a first temporary key, all sent by the client, wherein the first temporary key is obtained by the client server signing, with a first session key, an access control list that describes the user's permissions, the user key account is generated by the client server to confirm the client's identity to the cloud server, the session policy information is obtained by the client server encrypting the access control list with the first session key, and the first session key is a session key held by the client server for its session with the cloud server;
    authenticating the signature of the received cloud service request information based on the user key account and the session policy information; and
    in response to the authentication passing, sending to the client second response information responding to the cloud service request information.
  4. The method according to claim 3, characterized in that authenticating the signature of the received cloud service request information based on the user key account and the session policy information comprises:
    verifying the client's identity based on the user key account;
    in response to the client's identity being verified, obtaining a second temporary key based on the session policy information and a second session key, wherein the second session key is a session key held by the cloud server for its session with the client server;
    calculating a signature of the cloud service request information using the second temporary key;
    comparing the received signature of the cloud service request information with the calculated signature of the cloud service request information;
    in response to the comparison showing that the two are the same, determining the authentication result to be that the authentication has passed.
  5. The method according to claim 4, characterized in that obtaining the second temporary key based on the session policy information and the second session key comprises:
    decrypting the session policy information using the second session key to obtain the access control list;
    signing the obtained access control list using the second session key to obtain the second temporary key.
  6. An authentication method for an authentication system, the authentication system comprising a client, a client server and a cloud server, characterized in that the method comprises:
    the client sends, to the client server, allocation request information for a first temporary key, the allocation request information carrying a session identity identifier used to verify the user's identity;
    the client server receives the allocation request information, verifies the user's identity based on the session identity identifier, and, in response to the user's identity being verified, generates first response information responding to the allocation request information and sends the first response information to the client, wherein the first response information comprises: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server;
    the client, in response to receiving the first response information, sends to the cloud server cloud service request information generated based on the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated using the first temporary key;
    the cloud server authenticates the signature of the received cloud service request information based on the received user key account and the session policy information and, in response to the authentication passing, sends to the client second response information responding to the cloud service request information.
  7. The method according to claim 6, characterized in that authenticating the signature of the received cloud service request information based on the user key account and the session policy information comprises:
    verifying the client's identity based on the user key account;
    in response to the client's identity being verified, obtaining a second temporary key based on the session policy information and a second session key, wherein the second session key is a session key held by the cloud server for its session with the client server;
    calculating a signature of the cloud service request information using the second temporary key;
    comparing the received signature of the cloud service request information with the calculated signature of the cloud service request information;
    in response to the comparison showing that the two are the same, determining the authentication result to be that the authentication has passed.
  8. The method according to claim 6, characterized in that obtaining the second temporary key based on the session policy information and the second session key comprises:
    decrypting the session policy information using the second session key to obtain the access control list;
    signing the obtained access control list using the second session key to obtain the second temporary key.
  9. A client for an authentication system, the authentication system comprising a client, a client server and a cloud server, characterized in that the client is configured to:
    send, to the client server, allocation request information for a first temporary key, the allocation request information carrying a session identity identifier used to verify the user's identity;
    receive first response information, sent by the client server in response to the allocation request information once the user's identity has been verified, the first response information comprising: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server;
    send, to the cloud server, cloud service request information generated based on the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated using the first temporary key;
    receive second response information sent by the cloud server in response to the cloud service request information, wherein the second response information is obtained by the following steps: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends to the client the second response information responding to the cloud service request information.
  10. A client server for an authentication system, the authentication system comprising a client, a client server and a cloud server, characterized in that the client server is configured to:
    receive allocation request information for a first temporary key sent by the client, the allocation request information carrying a session identity identifier used to verify the user's identity;
    verify the user's identity based on the session identity identifier;
    in response to the user's identity being verified, generate first response information responding to the allocation request information, wherein the first response information comprises: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server;
    send the first response information to the client.
  11. A cloud server for an authentication system, the authentication system comprising a client, a client server and a cloud server, characterized in that the cloud server is configured to:
    receive a user key account, session policy information and cloud service request information signed using a first temporary key, all sent by the client, wherein the first temporary key is obtained by the client server signing, with a first session key, an access control list that describes the user's permissions, the user key account is generated by the client server to confirm the client's identity to the cloud server, the session policy information is obtained by the client server encrypting the access control list with the first session key, and the first session key is a session key held by the client server for its session with the cloud server;
    authenticate the signature of the received cloud service request information based on the user key account and the session policy information;
    and, in response to the authentication passing, send to the client second response information responding to the cloud service request information.
  12. The cloud server according to claim 11, characterized in that the cloud server being configured to authenticate the signature of the received cloud service request information based on the user key account and the session policy information comprises:
    the cloud server being configured to: verify the client's identity based on the user key account; in response to the client's identity being verified, obtain a second temporary key based on the session policy information and a second session key, wherein the second session key is a session key held by the cloud server for its session with the client server; calculate a signature of the cloud service request information using the second temporary key; compare the received signature of the cloud service request information with the calculated signature of the cloud service request information; and, in response to the comparison showing that the two are the same, determine the authentication result to be that the authentication has passed.
  13. The cloud server according to claim 12, characterized in that the cloud server being configured to obtain the second temporary key based on the session policy information and the second session key comprises:
    the cloud server being configured to: decrypt the session policy information using the second session key to obtain the access control list; and sign the obtained access control list using the second session key to obtain the second temporary key.
  14. An authentication system, the authentication system comprising a client, a client server and a cloud server, characterized in that the authentication system comprises:
    the client, configured to send, to the client server, allocation request information for a first temporary key, the allocation request information carrying a session identity identifier used to verify the user's identity; receive first response information, sent by the client server in response to the allocation request information once the user's identity has been verified, the first response information comprising: a user key account used to confirm the client's identity to the cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server; and send, to the cloud server, cloud service request information generated based on the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated using the first temporary key;
    the client server, configured to receive the allocation request information, verify the user's identity based on the session identity identifier, and, in response to the user's identity being verified, generate first response information responding to the allocation request information and send the first response information to the client;
    the cloud server, configured to authenticate the signature of the received cloud service request information based on the received user key account and the session policy information and, in response to the authentication passing, send to the client second response information responding to the cloud service request information.
  15. The authentication system according to claim 14, characterized in that the cloud server being configured to authenticate the signature of the received cloud service request information based on the received user key account and the session policy information comprises:
    the cloud server being configured to: verify the client's identity based on the user key account; in response to the client's identity being verified, obtain a second temporary key based on the session policy information and a second session key, wherein the second session key is a session key held by the cloud server for its session with the client server; calculate a signature of the cloud service request information using the second temporary key; compare the received signature of the cloud service request information with the calculated signature of the cloud service request information; and, in response to the comparison showing that the two are the same, determine the authentication result to be that the authentication has passed.
  16. The authentication system according to claim 15, characterized in that the cloud server being configured to obtain the second temporary key based on the session policy information and the second session key comprises:
    the cloud server being configured to: decrypt the session policy information using the second session key to obtain the access control list; and sign the obtained access control list using the second session key to obtain the second temporary key.
  17. A client device, comprising:
    a processor; and
    a memory,
    the memory storing computer-readable instructions executable by the processor, which, when executed, cause the processor to:
    send, to a client server, allocation request information for a first temporary key, the allocation request information carrying a session identity identifier used to verify the user's identity;
    receive first response information, sent by the client server in response to the allocation request information once the user's identity has been verified, the first response information comprising: a user key account used to confirm the client's identity to a cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server;
    send, to the cloud server, cloud service request information generated based on the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated using the first temporary key;
    receive second response information sent by the cloud server in response to the cloud service request information, wherein the second response information is obtained by the following steps: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends to the client device the second response information responding to the cloud service request information.
  18. A client server device, comprising:
    a processor; and
    a memory,
    the memory storing computer-readable instructions executable by the processor, which, when executed, cause the processor to:
    receive allocation request information for a first temporary key sent by a client, the allocation request information carrying a session identity identifier used to verify the user's identity;
    verify the user's identity based on the session identity identifier;
    in response to the user's identity being verified, generate first response information responding to the allocation request information, wherein the first response information comprises: a user key account used to confirm the client's identity to a cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server device for its session with the cloud server;
    send the first response information to the client.
  19. A cloud device, comprising:
    a processor; and
    a memory,
    the memory storing computer-readable instructions executable by the processor, which, when executed, cause the processor to:
    receive a user key account, session policy information and cloud service request information signed using a first temporary key, all sent by a client, wherein the first temporary key is obtained by a client server signing, with a first session key, an access control list that describes the user's permissions, the user key account is generated by the client server to confirm the client's identity to the cloud device, the session policy information is obtained by the client server encrypting the access control list with the first session key, and the first session key is a session key held by the client server for its session with the cloud device;
    authenticate the signature of the received cloud service request information based on the user key account and the session policy information;
    and, in response to the authentication passing, send to the client second response information responding to the cloud service request information.
  20. A non-volatile computer storage medium, the computer storage medium storing computer-readable instructions executable by a processor of a client, which, when executed by the processor, cause the processor to:
    send, to a client server, allocation request information for a first temporary key, the allocation request information carrying a session identity identifier used to verify the user's identity;
    receive first response information, sent by the client server in response to the allocation request information once the user's identity has been verified, the first response information comprising: a user key account used to confirm the client's identity to a cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server;
    send, to the cloud server, cloud service request information generated based on the first response information, the cloud service request information carrying the user key account, the session policy information and a signature of the cloud service request information generated using the first temporary key;
    receive second response information sent by the cloud server in response to the cloud service request information, wherein the second response information is obtained by the following steps: the cloud server authenticates the signature of the received cloud service request information based on the user key account and the session policy information and, in response to the authentication passing, sends to the client the second response information responding to the cloud service request information.
  21. A non-volatile computer storage medium, the computer storage medium storing computer-readable instructions executable by a processor of a client server, which, when executed by the processor, cause the processor to:
    receive allocation request information for a first temporary key sent by a client, the allocation request information carrying a session identity identifier used to verify the user's identity;
    verify the user's identity based on the session identity identifier;
    in response to the user's identity being verified, generate first response information responding to the allocation request information, wherein the first response information comprises: a user key account used to confirm the client's identity to a cloud server, a first temporary key obtained by signing, with a first session key, an access control list that describes the user's permissions, and session policy information obtained by encrypting the access control list with the first session key, wherein the first session key is a session key held by the client server for its session with the cloud server;
    send the first response information to the client.
  22. 一种非易失性计算机存储介质,所述计算机存储介质存储有能够被云端服务器的处理器执行的计算机可读指令,当所述计算机可读指令被处理器执行时,所述处理器:A non-volatile computer storage medium storing computer readable instructions executable by a processor of a cloud server, the processor readable when the computer readable instructions are executed by a processor:
    接收用户端发送的用户密钥账号、会话策略信息和使用第一临时密钥签名的云端服务请求信息,其中,所述第一临时密钥由客户服务端使用第一会话密钥对用于描述用户权限的访问控制列表进行签名得到,所述用户密钥账号由所述客户服务端生成以向云端服务器确认客户身份,所述会话策略信息由所述客户服务端使用所述第一会话密钥加密所述访问控制列表得到,所述第一会话密钥为所述客户服务端持有的与所述云端服务器进行会话的会话密钥;Receiving a user key account sent by the client, session policy information, and cloud service request information signed by using the first temporary key, wherein the first temporary key is used by the client server to describe the first session key pair The access control list of the user authority is obtained by signing, the user key account is generated by the client server to confirm the identity of the client to the cloud server, and the session policy information is used by the client server to use the first session key Encrypting the access control list, where the first session key is a session key held by the client server and a session with the cloud server;
    基于所述用户密钥账号和所述会话策略信息,对接收的所述云端服务请求信息的签名进行认证;And authenticating the received signature of the cloud service request information based on the user key account and the session policy information;
    以及响应于所述认证通过,向所述用户端发送响应所述云端服务请求信息的第二响应信息。 And transmitting, in response to the authentication, the second response information that is responsive to the cloud service request information to the client.
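The following stdlib-only Python is an added illustration, not the patent's code, of the three-party flow in claims 21 and 22: the client server derives the temporary key by signing the ACL with the session key and encrypts the ACL into the session policy, the user end signs its request with the temporary key, and the cloud server maps the user key account to the session key, decrypts the policy, recomputes the temporary key and verifies the request signature. Class and function names, the JSON ACL shape, the byte layout of the policy blob and the HMAC-based stream cipher standing in for a real AEAD are all assumptions.

```python
import hmac, hashlib, json, os

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode); stand-in for a real AEAD.
    stream = b"".join(_mac(key, nonce + i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_policy(session_key: bytes, acl: bytes) -> bytes:
    # Session policy: ACL encrypted under the session key, encrypt-then-MAC.
    nonce = os.urandom(12)
    ct = _keystream_xor(session_key, nonce, acl)
    return nonce + ct + _mac(session_key, b"policy" + nonce + ct)

def open_policy(session_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(session_key, b"policy" + nonce + ct)):
        return None                                # tampered blob or wrong key
    return _keystream_xor(session_key, nonce, ct)

class ClientServer:  # claim 21: shares a session key with the cloud server
    def __init__(self, account: str, session_key: bytes, sessions: dict):
        self.account, self.key, self.sessions = account, session_key, sessions
    def allocate_temp_key(self, session_id: str):
        acl_obj = self.sessions.get(session_id)    # verify the session identity
        if acl_obj is None:
            return None                            # identity not verified
        acl = json.dumps(acl_obj, sort_keys=True).encode()
        return {"account": self.account,           # user key account
                "temp_key": _mac(self.key, acl),   # signed ACL = temporary key
                "policy": seal_policy(self.key, acl)}

def user_sign(temp_key: bytes, request: bytes) -> bytes:
    return _mac(temp_key, request)                 # user end signs the request

class CloudServer:  # claim 22: maps user key accounts to session keys
    def __init__(self, session_keys: dict):
        self.keys = session_keys
    def handle(self, account: str, policy: bytes, request: bytes, sig: bytes) -> bool:
        key = self.keys.get(account)               # user key account -> session key
        acl = open_policy(key, policy) if key else None
        if acl is None:
            return False
        temp_key = _mac(key, acl)                  # recompute the signed ACL
        if not hmac.compare_digest(sig, _mac(temp_key, request)):
            return False
        return json.loads(request).get("action") in json.loads(acl)["allow"]
```

The cloud server never receives the temporary key itself; it learns the ACL only by decrypting the policy under the shared session key, so a forged or altered policy fails the MAC and a request signed for a different ACL fails the signature check.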
PCT/CN2015/095767 2015-08-04 2015-11-27 Authentication method and authentication system WO2017020452A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510471383.5 2015-08-04
CN201510471383.5A CN105007279B (en) 2015-08-04 2015-08-04 Authentication method and Verification System

Publications (1)

Publication Number Publication Date
WO2017020452A1 true WO2017020452A1 (en) 2017-02-09

Family

ID=54379800

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/095767 WO2017020452A1 (en) 2015-08-04 2015-11-27 Authentication method and authentication system

Country Status (2)

Country Link
CN (1) CN105007279B (en)
WO (1) WO2017020452A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109995759A (en) * 2019-03-04 2019-07-09 平安科技(深圳)有限公司 A kind of method and relevant apparatus of physical machine access VPC
CN110874464A (en) * 2018-09-03 2020-03-10 巍乾全球技术有限责任公司 Method and equipment for managing user identity authentication data
CN111818483A (en) * 2020-06-29 2020-10-23 郑州信大捷安信息技术股份有限公司 V2V vehicle networking communication system and method based on 5G
CN112000951A (en) * 2020-08-31 2020-11-27 上海商汤智能科技有限公司 Access method, device, system, electronic equipment and storage medium
CN112003706A (en) * 2020-08-24 2020-11-27 北京字节跳动网络技术有限公司 Signature method and device, computer equipment and storage medium
CN113450095A (en) * 2020-03-24 2021-09-28 北京沃东天骏信息技术有限公司 Method and device for configuring identification
CN114079560A (en) * 2020-07-31 2022-02-22 中移(苏州)软件技术有限公司 Communication encryption method, aircraft and computer readable storage medium

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105376242A (en) * 2015-11-26 2016-03-02 上海斐讯数据通信技术有限公司 Cloud terminal data access authentication method, cloud terminal data access authentication system and cloud terminal management system
US10951421B2 (en) * 2016-11-28 2021-03-16 Ssh Communications Security Oyj Accessing hosts in a computer network
CN106657152B (en) * 2017-02-07 2021-05-28 腾讯科技(深圳)有限公司 Authentication method, server and access control device
CN109426734A (en) * 2017-08-28 2019-03-05 阿里巴巴集团控股有限公司 A kind of access method, device, system and electronic equipment
CN110430167B (en) * 2019-07-05 2021-11-16 浙江大华技术股份有限公司 Temporary account management method, electronic device, management terminal and storage medium
CN110401648A (en) * 2019-07-16 2019-11-01 宇龙计算机通信科技(深圳)有限公司 Obtain method, apparatus, electronic equipment and the medium of cloud service
CN112242976B (en) * 2019-07-17 2022-02-25 华为技术有限公司 Identity authentication method and device
CN111177735B (en) * 2019-07-30 2023-09-22 腾讯科技(深圳)有限公司 Identity authentication method, device, system and equipment and storage medium
CN110545285B (en) * 2019-09-17 2022-02-11 北京方研矩行科技有限公司 Internet of things terminal security authentication method based on security chip
CN112579996B (en) * 2019-09-29 2023-11-03 杭州海康威视数字技术股份有限公司 Temporary authorization method and device
CN111935094B (en) * 2020-07-14 2022-06-03 北京金山云网络技术有限公司 Database access method, device, system and computer readable storage medium
CN111949974A (en) * 2020-08-04 2020-11-17 北京字节跳动网络技术有限公司 Authentication method and device, computer equipment and storage medium
CN112187725A (en) * 2020-09-03 2021-01-05 北京金山云网络技术有限公司 Cloud computing resource access method and device, service line service and gateway

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571771A (en) * 2011-12-23 2012-07-11 华中科技大学 Safety authentication method of cloud storage system
US20140380417A1 (en) * 2013-06-25 2014-12-25 Alcatel Lucent Methods And Devices For Controlling Access To Distributed Resources
CN104838616A (en) * 2012-12-12 2015-08-12 诺基亚技术有限公司 Cloud centric application trust validation

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6275934B1 (en) * 1998-10-16 2001-08-14 Soft Book Press, Inc. Authentication for information exchange over a communication network
KR101360354B1 (en) * 2007-04-16 2014-02-19 삼성전자주식회사 Method for authentication and apparatus therefor
CN101547095B (en) * 2009-02-11 2011-05-18 广州杰赛科技股份有限公司 Application service management system and management method based on digital certificate
CN102984252B (en) * 2012-11-26 2015-04-08 中国科学院信息工程研究所 Cloud resource access control method based on dynamic cross-domain security token
CN104243452B (en) * 2014-08-20 2018-02-02 宇龙计算机通信科技(深圳)有限公司 A kind of cloud computing access control method and system

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110874464A (en) * 2018-09-03 2020-03-10 巍乾全球技术有限责任公司 Method and equipment for managing user identity authentication data
CN109995759A (en) * 2019-03-04 2019-07-09 平安科技(深圳)有限公司 A kind of method and relevant apparatus of physical machine access VPC
CN109995759B (en) * 2019-03-04 2022-10-28 平安科技(深圳)有限公司 Method for accessing VPC (virtual private network) by physical machine and related device
CN113450095A (en) * 2020-03-24 2021-09-28 北京沃东天骏信息技术有限公司 Method and device for configuring identification
CN111818483A (en) * 2020-06-29 2020-10-23 郑州信大捷安信息技术股份有限公司 V2V vehicle networking communication system and method based on 5G
CN111818483B (en) * 2020-06-29 2022-02-11 郑州信大捷安信息技术股份有限公司 V2V vehicle networking communication system and method based on 5G
CN114079560A (en) * 2020-07-31 2022-02-22 中移(苏州)软件技术有限公司 Communication encryption method, aircraft and computer readable storage medium
CN112003706A (en) * 2020-08-24 2020-11-27 北京字节跳动网络技术有限公司 Signature method and device, computer equipment and storage medium
CN112003706B (en) * 2020-08-24 2023-07-18 北京字节跳动网络技术有限公司 Signature method, signature device, computer equipment and storage medium
CN112000951A (en) * 2020-08-31 2020-11-27 上海商汤智能科技有限公司 Access method, device, system, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN105007279B (en) 2018-11-27
CN105007279A (en) 2015-10-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 15900222; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 15900222; Country of ref document: EP; Kind code of ref document: A1