CN104753879A - Method and system for authenticating cloud service provider through terminal and method and system for authenticating terminal through cloud service provider - Google Patents

Info

Publication number
CN104753879A
Authority
CN
China
Prior art keywords
service provider
cloud service
terminal
authentication
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310746278.9A
Other languages
Chinese (zh)
Other versions
CN104753879B (en)
Inventor
柴洪峰
叶家炜
何朔
廖健
杨阳
曾剑平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co Ltd
Priority to CN201310746278.9A
Publication of CN104753879A
Application granted
Publication of CN104753879B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method for a terminal to authenticate a cloud service provider, comprising: generating a terminal-related predicate evaluation token STKf according to a predicate evaluation function; generating a data packet that includes the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider; sending the data packet to a device associated with the cloud service provider; and, at the device associated with the cloud service provider, parsing the received data packet according to a predicate evaluation anonymous judgment function and authenticating the cloud service provider according to the parsing result. Also provided are a system for a terminal to authenticate a cloud service provider, a method and system for a cloud service provider to authenticate a terminal, and a two-way cloud authentication method and system.

Description

Method and system for a terminal to authenticate a cloud service provider, and method and system for a cloud service provider to authenticate a terminal

Technical field

The present invention relates to security authentication technology and, in particular, to cloud identity authentication technology.

Background

Existing cloud identity authentication technology mainly adopts a federated identity authentication mechanism involving an identity provider (IDP) and service providers (SPs). In this arrangement multiple SPs share one IDP; if the IDP fails, none of those SPs can perform identity authentication. Furthermore, if the IDP is attacked, data leakage or even paralysis of the whole system can result, causing enormous losses.

In the federated identity authentication process, attention is usually paid only to how to authenticate the user's identity conveniently, which exposes users to dangers such as phishing.

Summary of the invention

In view of this, the present invention provides a method for a terminal to authenticate a cloud service provider, comprising: generating a terminal-related predicate evaluation token STKf according to a predicate evaluation function; generating a data packet that includes the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider; sending the data packet to a device associated with the cloud service provider; and, at the device associated with the cloud service provider, parsing the received data packet according to a predicate evaluation anonymous judgment function and authenticating the cloud service provider according to the parsing result.

According to the method of the present invention for a terminal to authenticate a cloud service provider, preferably, generating the terminal-related predicate evaluation token STKf according to the predicate evaluation function comprises: generating a key pair SPK and SMSK; and generating the terminal-related predicate evaluation token STKf from the key pair SPK and SMSK according to the predicate evaluation function.

According to another aspect of the present invention, a method is also provided for a cloud service provider to authenticate a terminal, comprising: after a request is received from the terminal, processing authentication intermediate data with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf; using the public key SKpu provided by the cloud service provider to generate a security active constraint package SAB from the ciphertext UCT together with the predicate evaluation token UTKf, the security-mechanism data SeP and the public key AKpu; providing the security active constraint package SAB to a device associated with the cloud service provider; decrypting the security active constraint package SAB with the private key provided by the cloud service provider; performing, on the decrypted security active constraint package SAB, a security check according to the security-mechanism data SeP it contains; and, if the security check passes, obtaining the ciphertext UCT and the predicate evaluation token UTKf from the decrypted security active constraint package SAB and decrypting UTKf, the authentication passing if the decryption result is the same as the authentication intermediate data.

According to the method provided by the present invention for a cloud service provider to authenticate a terminal, optionally, the authentication intermediate data is the identity data of the cloud service provider.

According to the method provided by the present invention for a cloud service provider to authenticate a terminal, optionally, processing the authentication intermediate data with a predicate encryption algorithm after a request is received from the terminal, thereby generating the ciphertext UCT and the predicate evaluation token UTKf, comprises: after the request is received from the terminal, judging whether the cloud service provider is authenticating the terminal for the first time; if so, providing the terminal with a virtual identity and generating a digital signature based on that virtual identity, and at the same time taking the identity data of the cloud service provider as the authentication intermediate data and processing it with the predicate encryption algorithm to generate a ciphertext UCT and a predicate evaluation token UTKf based on that identity data; and if not, obtaining the digital signature of the terminal according to the identity data of the cloud service provider and processing the digital signature with the predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf based on the digital signature.

According to yet another example of the present invention, a two-way cloud authentication method is also provided for mutual authentication between a terminal and a cloud service provider, the method comprising:

the terminal authenticating the cloud service provider, comprising: generating a terminal-related predicate evaluation token STKf according to a predicate evaluation function; generating a data packet that includes the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider; sending the data packet to a device associated with the cloud service provider; and, at the device associated with the cloud service provider, parsing the received data packet according to a predicate evaluation anonymous judgment function and authenticating the cloud service provider according to the parsing result; and

the cloud service provider authenticating the terminal, comprising: after a request is received from the terminal, processing authentication intermediate data with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf; encrypting the ciphertext UCT together with the predicate evaluation token UTKf, the security-mechanism data SeP and the public key AKpu using the public key SKpu provided by the cloud service provider to generate a security active constraint package SAB; sending the security active constraint package SAB to a device associated with the cloud service provider; decrypting the security active constraint package SAB with the private key provided by the cloud service provider; performing, on the decrypted security active constraint package SAB, a security check according to the security-mechanism data SeP it contains; and, if the security check passes, obtaining the ciphertext UCT and the predicate evaluation token UTKf from the decrypted security active constraint package SAB and decrypting UTKf, the authentication passing if the decryption result is the same as the authentication intermediate data.

According to the two-way cloud authentication method of the present invention, preferably, generating the terminal-related predicate evaluation token STKf according to the predicate evaluation function comprises: generating a key pair SPK and SMSK; and generating the terminal-related predicate evaluation token STKf from the key pair SPK and SMSK according to the predicate evaluation function.

According to the two-way cloud authentication method of the present invention, optionally, the authentication intermediate data is the identity data of the cloud service provider.

According to the two-way cloud authentication method of the present invention, optionally, processing the authentication intermediate data with a predicate encryption algorithm after a request is received from the terminal, thereby generating the ciphertext UCT and the predicate evaluation token UTKf, comprises: after the request is received from the terminal, judging whether the cloud service provider is authenticating the terminal for the first time; if so, providing the terminal with a virtual identity and generating a digital signature based on that virtual identity, and at the same time taking the identity data of the cloud service provider as the authentication intermediate data and processing it with the predicate encryption algorithm to generate a ciphertext UCT and a predicate evaluation token UTKf based on that identity data; and if not, obtaining the digital signature of the terminal according to the identity data of the cloud service provider and processing the digital signature with the predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf based on the digital signature.

According to yet another example of the present invention, a system is also provided for a terminal to authenticate a cloud service provider, comprising: a terminal data packet generation module configured to generate a terminal-related predicate evaluation token STKf according to a predicate evaluation function and to generate a data packet that includes the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider; a sending module configured to send the data packet; and a first authentication module configured to receive the data packet sent by the sending module, parse the received data packet according to a predicate evaluation anonymous judgment function, and authenticate the cloud service provider according to the parsing result.

According to the system of the present invention for a terminal to authenticate a cloud service provider, preferably, the terminal data packet generation module comprises: a key pair generation unit for generating a key pair SPK and SMSK; a token generation unit for generating the terminal-related predicate evaluation token STKf from the key pair SPK and SMSK according to the predicate evaluation function; and a data packet generation unit for generating a data packet that includes the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider.

According to yet another example of the present invention, a system is also provided for a cloud service provider to authenticate a terminal, comprising: a first processing module which, after a request is received from the terminal, processes authentication intermediate data with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf; an SAB generation module for encrypting the ciphertext UCT together with the predicate evaluation token UTKf, the security-mechanism data SeP and the public key AKpu using the public key SKpu provided by the cloud service provider to generate a security active constraint package SAB, and for sending the security active constraint package SAB to a device associated with the cloud service provider; a decryption module for decrypting the security active constraint package SAB with the private key, wherein the decrypted security active constraint package SAB performs a security check according to the security-mechanism data SeP it contains; and a second processing module which, if the security check passes, obtains the ciphertext UCT and the predicate evaluation token UTKf from the decrypted security active constraint package SAB, decrypts UTKf, and compares the decryption result with the authentication intermediate data, the authentication passing if the two are the same.

According to the system of the example of the present invention for a cloud service provider to authenticate a terminal, optionally, the authentication intermediate data is the identity data of the cloud service provider.

According to the system of the example of the present invention for a cloud service provider to authenticate a terminal, optionally, the first processing module comprises: a judging unit for judging, after a request is received from the terminal, whether the cloud service provider is authenticating the terminal for the first time; a first processing unit for, when the result of the judging unit is yes, providing the terminal with a virtual identity and generating a digital signature based on that virtual identity, and at the same time processing with the predicate encryption algorithm the identity data of the service provider, which serves as the authentication intermediate data when the terminal makes its first request to the cloud service provider, thereby generating a ciphertext UCT and a predicate evaluation token UTKf based on that identity data; and a second processing unit for, when the result of the judging unit is no, obtaining the digital signature of the terminal according to the identity data of the cloud service provider and processing the digital signature with the predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf based on the digital signature.

According to yet another example of the present invention, a two-way cloud authentication system is also provided for mutual authentication between a terminal and a cloud service provider, the two-way cloud authentication system comprising:

a system for a terminal to authenticate a cloud service provider, comprising: a terminal data packet generation module configured to generate a terminal-related predicate evaluation token STKf according to a predicate evaluation function and to generate a data packet that includes the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider; a sending module configured to send the data packet; and a first authentication module configured to receive the data packet sent by the sending module, parse the received data packet, and authenticate the cloud service provider according to the parsing result; and

a system for a cloud service provider to authenticate a terminal, comprising: a first processing module which, after a request is received from the terminal, processes authentication intermediate data with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf; an SAB generation module for encrypting the ciphertext UCT together with the predicate evaluation token UTKf, the security-mechanism data SeP and the public key AKpu using the public key SKpu provided by the cloud service provider to generate a security active constraint package SAB, and for sending the security active constraint package SAB to a device associated with the cloud service provider; a decryption module for decrypting the security active constraint package SAB with the private key, wherein the decrypted security active constraint package SAB performs a security check according to the security-mechanism data SeP it contains; and a second processing module which, if the security check passes, obtains the ciphertext UCT and the predicate evaluation token UTKf from the decrypted security active constraint package SAB, decrypts UTKf, and compares the decryption result with the authentication intermediate data, the authentication passing if the two are the same.

In the two-way cloud authentication system, preferably, the terminal data packet generation module comprises: a key pair generation unit for generating a key pair SPK and SMSK; a token generation unit for generating the terminal-related predicate evaluation token STKf from the key pair SPK and SMSK according to the predicate evaluation function; and a data packet generation unit for generating a data packet that includes the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider.

In the two-way cloud authentication system, optionally, the authentication intermediate data is the identity data of the cloud service provider.

In the two-way cloud authentication system, optionally, the first processing module comprises: a judging unit for judging, after a request is received from the terminal, whether the cloud service provider is authenticating the terminal for the first time; a first processing unit for, when the result of the judging unit is yes, providing the terminal with a virtual identity and generating a digital signature based on that virtual identity, and at the same time taking the identity data of the cloud service provider as the authentication intermediate data and processing it with the predicate encryption algorithm to generate a ciphertext UCT and a predicate evaluation token UTKf based on that identity data; and a second processing unit for, when the result of the judging unit is no, obtaining the digital signature of the terminal according to the identity data of the cloud service provider and processing the digital signature with the predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf based on the digital signature.

Brief description of the drawings

Fig. 1 is a flow chart of a method for a terminal to authenticate a cloud service provider according to an example of the present invention.

Fig. 2 is a flow chart of a method for a cloud service provider to authenticate a terminal according to one example of the present invention.

Fig. 3 is a flow chart of a method for a cloud service provider to authenticate a terminal according to yet another example of the present invention.

Fig. 4 is a structural block diagram of a system for a terminal to authenticate a cloud service provider according to an example of the present invention.

Fig. 5 is a structural block diagram of a system for a cloud service provider to authenticate a terminal according to one example of the present invention.

Fig. 6 is a structural block diagram of a system for a cloud service provider to authenticate a terminal according to yet another example of the present invention.

Fig. 7 is a schematic structural diagram of a two-way cloud authentication system according to an example of the present invention.

Detailed description

 现在参照附图描述本发明的示意性示例,相同的附图标号表示相同的元件。下文描述的各实施例有助于本领域技术人员透彻理解本发明,且意在示例而非限制。除非另有限定,文中使用的术语(包括科学、技术和行业术语)具有与本发明所属领域的技术人员普遍理解的含义相同的含义。  Illustrative examples of the present invention will now be described with reference to the accompanying drawings, wherein like reference numerals refer to like elements. The embodiments described below are intended to help those skilled in the art to fully understand the present invention, and are intended to be illustrative rather than limiting. Unless defined otherwise, the terms (including scientific, technical and industry terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. the

图1是根据本发明的示例的终端认证云服务提供者的方法的流程图。在本发明的所有示例中,终端可以是任何可接入云服务网络的设备,如台式电脑、笔记本、及手持式电子设备(例如智能手机、平板电脑等)、服务器、在服务器包括多个独立主板的情况下可以是任一独立主板等。云服务提供者可以是运行在云端设备中的云服务应用,也可以是云端设备。  FIG. 1 is a flowchart of a method for a terminal authenticating a cloud service provider according to an example of the present invention. In all examples of the present invention, the terminal can be any device that can access the cloud service network, such as desktop computers, notebooks, and handheld electronic devices (such as smart phones, tablet computers, etc.), servers, and servers that include multiple independent In the case of the main board, any independent main board or the like may be used. The cloud service provider may be a cloud service application running on a cloud device, or a cloud device. the

在步骤100,依据谓词评估函数生成与终端有关的谓词评估令牌STKf。作为示例,生成一对密钥SPK与SMSK;由该对密钥SPK与SMSK依据谓词评估函数生成谓词评估令牌STKf,用于匿名认证。谓词加密(Predicate Encryption)技术是一项发展较为成熟的常规技术,本发明中所采用的谓词评估函数可以是本领域技术人员已知的任一种用于生成评估令牌的谓词评估函数,在此要注意的是,所选用的谓词评估函数有一个与其相对应的谓词评估匿名判断函数。  In step 100, a terminal-dependent predicate evaluation token STK f is generated according to a predicate evaluation function. As an example, a pair of keys SPK and SMSK is generated; a predicate evaluation token STK f is generated from the pair of keys SPK and SMSK according to a predicate evaluation function for anonymous authentication. The predicate encryption (Predicate Encryption) technology is a well-developed conventional technology. The predicate evaluation function used in the present invention can be any predicate evaluation function known to those skilled in the art for generating evaluation tokens. It should be noted that the selected predicate evaluation function has a corresponding predicate evaluation anonymous judgment function.

在步骤102,终端生成包括谓词评估令牌STKf与公钥SKpu的数据包,该数据包还包括指明云服务提供者身份的身份数据。随后,在步骤104,将该数据包发送给与云服务提供者有关的装置。与云服务提供者有关的装置可以是云服务提供者所在的设备,也可以是独立于云服务者所在的设备但可与该云服务提供者所在的设备进行通信的设备。  In step 102, the terminal generates a data packet including the predicate evaluation token STK f and the public key SK pu , and the data packet also includes identity data indicating the identity of the cloud service provider. Then, at step 104, the data packet is sent to a device related to the cloud service provider. The device related to the cloud service provider may be a device where the cloud service provider is located, or a device that is independent from the device where the cloud service provider is located but can communicate with the device where the cloud service provider is located.

在步骤106,在该云服务提供者有关的装置处,依据谓词评估匿名判断函数对所接收的数据包进行解析,依据解析结果认证所述云服务提供者。该谓词评估匿名判断函数与前述谓词评估函数是相互对应的函数;并且,如果谓词评估匿名判断函数的解析结果为真,则云服务提供者通过认证,反之则没有通过认证。  In step 106, at the device related to the cloud service provider, the received data packet is analyzed according to the predicate evaluation anonymous judgment function, and the cloud service provider is authenticated according to the result of the analysis. The predicate evaluation anonymous judgment function is a function corresponding to the aforementioned predicate evaluation function; and if the analysis result of the predicate evaluation anonymous judgment function is true, the cloud service provider is authenticated, otherwise, the authentication is not passed. the

根据本发明的示例,步骤100、102以及104可分别由终端执行,或作为替代,也可由独立于终端的设备执行,只是该设备应该能与终端通信,即,该设备可接收终端发送的要认证云服务提供者的请求,并反馈认证结果给终端。与云服务提供者有关的装置是云服务提供者所在的设备时,步骤106在云服务提供者所在的设备执行,与云服务提供者有关的装置是独立于云服务者所在的设备但可与其通信的设备时,步骤106在该独立于云服务者所在的设备执行。  According to an example of the present invention, steps 100, 102, and 104 can be performed by the terminal respectively, or instead, can also be performed by a device independent of the terminal, but the device should be able to communicate with the terminal, that is, the device can receive the request sent by the terminal. Authenticate the request of the cloud service provider, and feedback the authentication result to the terminal. When the device related to the cloud service provider is the device where the cloud service provider is located, step 106 is executed on the device where the cloud service provider is located, and the device related to the cloud service provider is independent of the device where the cloud service provider is located but can be connected with it When the device communicates, step 106 is executed on the device independent of the cloud service provider. the

 图1所示的终端认证云服务提供者的方法可实现为软件、硬件或软件与硬件的结合。无论是实现为软件、硬件还是软件与硬件的结合,如上所述,方法中的部分步骤(如步骤100、102及104)在终端执行或由独立于终端但可与终端通信的设备执行,而部分(如步骤106)在云服务提供者所在的设备执行或在可与云服务提供者所在的设备通信的设备执行。  The method for terminal authentication cloud service provider shown in Figure 1 can be implemented as software, hardware or a combination of software and hardware. Whether implemented as software, hardware, or a combination of software and hardware, as described above, some steps in the method (such as steps 100, 102, and 104) are executed in the terminal or by a device that is independent of the terminal but can communicate with the terminal, and Part (such as step 106) is executed on the device where the cloud service provider is located or executed on a device that can communicate with the device where the cloud service provider is located. the

Figure 2 is a flow chart of a method by which a cloud service provider authenticates a terminal according to an example of the present invention. In step 200, after an authentication request is received from the terminal, the authentication intermediate data is processed with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTKf. In this example, the authentication intermediate data may be the identity data of the cloud service provider. In another example, described below with reference to Figure 3, the authentication intermediate data is a digital signature over the virtual identity of the user terminal. Step 200 may be performed on the device on which the cloud service provider resides, or on a device that is independent of that device but can communicate with it.

In the example shown in Figure 2, after the ciphertext UCT and the predicate evaluation token UTKf have been generated, in step 202 the ciphertext UCT, the predicate evaluation token UTKf, the security-mechanism data SeP and the public key AKpu are together encrypted with the public key SKpu provided by the cloud service provider to generate a security active constraint package SAB. The security-mechanism data SeP specifies the security checks the SAB is to perform during the decryption process, for example a self-integrity check and a self-destruction mechanism that determines whether the SAB destroys itself if the self-integrity check fails. In addition, to carry out these subsequent security checks, the SAB package generally includes a virtual machine that can at least perform the SAB security check and self-destruct if the check fails; the SAB in this example includes such a virtual machine. Step 202 may be performed on the device on which the cloud service provider resides, or on a device that is independent of that device but can communicate with it, the purpose of that communication being to let the cloud service provider learn the authentication result. Steps 202 and 200 may be performed by the same device or by different devices.

In step 204, the security active constraint package SAB is provided to the device associated with the cloud service provider. Here the device associated with the cloud service provider is the device that subsequently performs the decryption process; it may be located in the device on which the cloud service provider resides or in another device.

In step 206, at the device associated with the cloud service provider, the security active constraint package SAB is decrypted with the private key provided by the cloud service provider. Then, in step 208, the decrypted SAB is subjected to a security check by the virtual machine it contains, according to the security-mechanism data SeP it contains. Here the security check is a self-integrity check, that is, the SAB checks whether its decrypted package is complete. If the security check passes, step 210 is performed: the ciphertext UCT and the predicate evaluation token UTKf are taken from the decrypted SAB, UTKf is decrypted to obtain a decryption result, and the decryption result is compared with the identity data of the cloud service provider; if they are identical, authentication passes, otherwise authentication fails and communication with the terminal is terminated. If the SAB's self-integrity check fails, the virtual machine in this example destroys the SAB. Steps 208 and 210 may be performed on the same device as step 206, but are not limited to this; when steps 208, 210 and 206 are performed on the same device, that device may provide the final authentication result to the cloud service provider.

Furthermore, in this example and in the example given below with reference to Figure 3, to further increase the security of the authentication, attribute information relating to sensitive terminal information may optionally be included when the SAB package is generated. Which attribute information is included in the SAB package may be determined according to the requirements of the cloud service provider; the cloud service provider may, for example, communicate this requirement to the apparatus, device or module that generates the SAB before the SAB is generated, and that apparatus collects and processes the attribute information. When the SAB contains attribute information, the terminal's attribute public key AKpu is obtained after the SAB is decrypted and the attribute information is unlocked with that public key, so that the attribute information can be further verified. In this case, the cloud service provider's authentication of the terminal passes only if the attribute information is verified successfully and the authentication in step 210 of Figure 2 or step 312 of Figure 3 passes.

The method by which a cloud service provider authenticates a terminal shown in Figure 2 may be implemented as software, hardware, or a combination of the two.

Figure 3 is a flow chart of a method by which a cloud service provider authenticates a terminal according to a further example of the present invention. In this example, the authentication intermediate data is the identity data of the cloud service provider the first time the cloud service provider authenticates the terminal, and a digital signature over the virtual identity of the user terminal in every subsequent authentication. In step 300, after an authentication request is received from the terminal, it is determined whether this is the first time the cloud service provider authenticates this terminal; if so, the method proceeds to step 302a. In step 302a, a virtual identity VID is provided to the terminal and a digital signature Sg(VID) is generated over it; at the same time, the identity data of the cloud service provider is used as the authentication intermediate data for this first authentication and processed with the predicate encryption algorithm, thereby generating a ciphertext UCT and predicate evaluation token UTKf based on the identity data. In addition, in this step both VID and Sg(VID) are stored; as described below, whenever the cloud service provider subsequently authenticates this terminal, the digital signature Sg(VID) is used as the authentication intermediate data. Step 302a may be performed on the device on which the cloud service provider resides, or on a device that is independent of that device but can communicate with it.

If, in step 300, after the authentication request has been received from the terminal, it is determined that this is not the first time the cloud service provider authenticates this terminal, the method proceeds to step 302b. Since VID and Sg(VID) were stored when the cloud service provider first authenticated the terminal, in step 302b the identity data of the cloud service provider is used as an index to find the VID of this terminal and hence its Sg(VID); Sg(VID) is then processed as the authentication intermediate data with the predicate encryption algorithm, generating a ciphertext UCT and predicate evaluation token UTKf based on the digital signature. As an example, steps 302a and 302b may be performed on the same device.

In step 304, the ciphertext UCT, the predicate evaluation token UTKf, the security-mechanism data SeP and the public key AKpu are together encrypted with the public key SKpu provided by the cloud service provider to generate a security active constraint package SAB. The security-mechanism data SeP specifies the kinds of security check the SAB performs during the decryption process, for example a self-integrity check and a self-destruction mechanism that determines whether the SAB destroys itself if the self-integrity check fails. In addition, to carry out these subsequent security checks, the SAB package generally includes a virtual machine that can at least perform the SAB security check and self-destruct if the check fails; the SAB in this example includes such a virtual machine.

In step 306, the security active constraint package SAB is provided to the device associated with the cloud service provider. Here the device associated with the cloud service provider is the device that subsequently performs the decryption process; it may be located in the device on which the cloud service provider resides or in another device.

In step 308, at the device associated with the cloud service provider, the security active constraint package SAB is decrypted with the private key provided by the cloud service provider. Then, in step 310, the decrypted SAB is subjected to a security check by the virtual machine it contains, according to the security-mechanism data SeP it contains. Here the security check is a self-integrity check, that is, the SAB checks whether its decrypted package is complete. If the security check passes, step 312 is performed: the ciphertext UCT and the predicate evaluation token UTKf are taken from the decrypted SAB and UTKf is decrypted to obtain a decryption result. If the ciphertext UCT and predicate evaluation token UTKf were generated in step 302a, the decryption result is compared with the identity data of the cloud service provider; if they are identical, authentication passes, otherwise authentication fails and communication with the terminal is terminated. If the ciphertext UCT and predicate evaluation token UTKf were generated in step 302b, the decryption result is compared with the digital signature Sg(VID); if they are identical, authentication passes, otherwise authentication fails and communication with the terminal is terminated.

As in the example of Figure 2, in this example the virtual machine destroys the SAB if the SAB's self-integrity check fails.
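The provider-side handling just described for Figures 2 and 3 (steps 206 to 210 and 308 to 312), modelled in Python as an added example that is not part of the patent: it uses the identity data on first contact and Sg(VID) afterwards, runs the SAB self-integrity check before anything else, destroys the package when that check fails, and only then opens the token and compares. The patent's predicate encryption, digital signature and SKpu public-key layer are replaced by labelled stdlib stand-ins (a nonce-based SHA-256/HMAC token, an HMAC signature, and a function that receives the already-decrypted SAB), and the VID store is keyed by a terminal identifier; these are assumptions, not the patent's constructions.

```python
"""Model of the provider-side SAB handling described for Figures 2 and 3.

Added example, not code from the patent. Stand-ins, all assumptions:
  - the (UCT, UTKf) predicate-encryption pair is replaced by a toy
    stdlib-only sealed token (SHA-256 keystream with a fresh nonce + HMAC);
  - the digital signature Sg(VID) is an HMAC under a provider key;
  - the public-key layer (SKpu / private key, steps 206 and 308) is
    outside the model: verify_sab() receives the already-decrypted SAB;
  - the self-integrity check is a SHA-256 digest over the SAB fields;
  - the VID store is keyed by a terminal identifier.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, data: bytes) -> dict:
    """Stand-in for (UCT, UTKf): encrypt-then-MAC with a per-token nonce."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def open_sealed(key: bytes, token: dict) -> Optional[bytes]:
    """Stand-in for 'decrypt UTKf to obtain the decryption result'."""
    nonce, ct = bytes.fromhex(token["nonce"]), bytes.fromhex(token["ct"])
    expect = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, token["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _digest(fields: dict) -> str:
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def build_sab(token: dict, sep: dict, akpu: str) -> dict:
    """SAB content before the SKpu layer: token, SeP, AKpu plus self-digest."""
    fields = {"token": token, "SeP": sep, "AKpu": akpu}
    return {**fields, "digest": _digest(fields)}


def integrity_ok(sab: dict) -> bool:
    """Self-integrity check (steps 208/310): is the decrypted package complete?"""
    fields = {k: v for k, v in sab.items() if k != "digest"}
    return hmac.compare_digest(_digest(fields), sab.get("digest", ""))


class CloudProvider:
    """Provider side: chooses the intermediate data and checks the SAB."""

    def __init__(self, identity: bytes):
        self.identity = identity
        self._sig_key = secrets.token_bytes(32)    # stand-in signing key
        self._seal_key = secrets.token_bytes(32)   # stand-in predicate key
        self._store: dict = {}                     # terminal_id -> VID record

    def _record(self, terminal_id: str) -> dict:
        rec = self._store.get(terminal_id)
        if rec is None:                            # step 302a: issue VID, Sg(VID)
            vid = secrets.token_hex(8)
            sig = hmac.new(self._sig_key, vid.encode(), hashlib.sha256).digest()
            rec = {"vid": vid, "sig": sig, "authenticated": False}
            self._store[terminal_id] = rec
        return rec

    def intermediate(self, terminal_id: str) -> bytes:
        """Step 300: identity data on first contact, Sg(VID) afterwards."""
        rec = self._record(terminal_id)
        return rec["sig"] if rec["authenticated"] else self.identity

    def make_sab(self, terminal_id: str, akpu: str) -> dict:
        """Steps 302a/302b + 304, minus the SKpu encryption layer."""
        token = seal(self._seal_key, self.intermediate(terminal_id))
        sep = {"self_integrity": True, "self_destruct": True}
        return build_sab(token, sep, akpu)

    def verify_sab(self, terminal_id: str, sab: dict) -> bool:
        """Steps 310-312 on an already-decrypted SAB; clears it on failure."""
        sep = sab.get("SeP", {})
        if sep.get("self_integrity") and not integrity_ok(sab):
            if sep.get("self_destruct"):
                sab.clear()                        # nothing usable survives
            return False
        result = open_sealed(self._seal_key, sab["token"])
        if result is None:
            return False
        expected = self.intermediate(terminal_id)
        if not hmac.compare_digest(result, expected):
            return False
        self._record(terminal_id)["authenticated"] = True
        return True
```

The self-digest only detects an incomplete or corrupted package; the secrecy and binding of the package itself rest on the SKpu layer that this model leaves out.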

The present invention also provides a two-way cloud authentication method for mutual authentication between a terminal and a cloud service provider. In this authentication, the process by which the terminal authenticates the cloud service provider is the same as the method illustrated in Figure 1; after the terminal's authentication of the cloud service provider shown in Figure 1 has passed, the cloud service provider authenticates the terminal, using either the method shown in Figure 2 or the method shown in Figure 3. In either case, once the cloud service provider's authentication of the terminal passes, mutual authentication between the cloud service provider and the terminal is complete. Alternatively, the cloud service provider may authenticate the terminal first and, once that has passed, the terminal authenticates the cloud service provider. Since the processes by which the terminal authenticates the cloud service provider and the cloud service provider authenticates the terminal have been described above with reference to Figures 1, 2 and 3, the two-way cloud authentication method based on them is not described in detail here.

Figure 4 is a structural block diagram of a system by which a terminal authenticates a cloud service provider according to an example of the present invention. As shown, the system includes a terminal data packet generation module 40, a sending module 42 and a first authentication module 44. The terminal data packet generation module 40 is configured to generate a terminal-related predicate evaluation token STKf according to a predicate evaluation function and to generate a data packet including the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider. As a specific example, the terminal data packet generation module 40 includes a key pair generation unit 400 configured to generate a pair of keys SPK and SMSK; a token generation unit 402 that generates the terminal-related predicate evaluation token STKf from the pair of keys SPK and SMSK according to the predicate evaluation function; and a data packet generation unit 404 configured to generate a data packet including the predicate evaluation token STKf and the public key SKpu, the data packet further including identity data indicating the identity of the cloud service provider. The sending module 42 sends the generated data packet to the first authentication module 44. As an example, the terminal data packet generation module 40 and the sending module may both be located in the terminal, or in a device that is independent of the terminal but associated with it; that independent device can at least communicate with the terminal, that is, receive the terminal's request to authenticate the cloud service provider and return the authentication result to the terminal. The first authentication module 44 parses the received data packet according to the predicate-evaluation anonymous judgment function and, according to the result, authenticates whether the cloud service provider is legitimate. The predicate-evaluation anonymous judgment function and the predicate evaluation function are mutually corresponding functions. If the result of the parsing performed by the first authentication module 44 on the basis of the predicate-evaluation anonymous judgment function is true, the cloud service provider passes authentication; otherwise it does not. The first authentication module 44 may be located in the device on which the cloud service provider resides, or in a device associated with that device, which can send the authentication result to the cloud service provider.

The system by which a terminal authenticates a cloud service provider shown in Figure 4 may be implemented as software, hardware, or a combination of the two. Whichever form is chosen, as described above, one part of the system (such as the terminal data packet generation module 40 and the sending module 42) may be located in the terminal or in a device independent of the terminal, and another part (such as the first authentication module 44) in the device on which the cloud service provider resides or in a device that can communicate with that device.

Figure 5 is a structural block diagram of a system by which a cloud service provider authenticates a terminal according to a further example of the present invention. As shown, the system includes a first processing module 50, an SAB generation module 52, a decryption module 54 and a second processing module 56. After receiving a request from the terminal, the first processing module 50 processes the authentication intermediate data with the predicate encryption algorithm, thereby generating the ciphertext UCT and the predicate evaluation token UTKf. In this example, the authentication intermediate data is the identity data of the cloud service provider. The first processing module 50 may be located in the device on which the cloud service provider resides, or in a device that is independent of that device but can communicate with it. The SAB generation module 52 encrypts the ciphertext UCT, the predicate evaluation token UTKf, the security-mechanism data SeP and the public key AKpu together with the public key SKpu provided by the cloud service provider to generate the security active constraint package SAB, and sends the SAB to the device associated with the cloud service provider. The security-mechanism data SeP specifies the kinds of security check the SAB performs during the decryption process, for example a self-integrity check and a self-destruction mechanism that determines whether the SAB destroys itself if the self-integrity check fails. In addition, to carry out these subsequent security checks, the SAB package generally includes a virtual machine that can at least perform the SAB security check and self-destruct if the check fails; the SAB in this example includes such a virtual machine. The SAB generation module 52 may be located in the same device as the first processing module 50. The decryption module 54 decrypts the SAB with the private key provided by the cloud service provider and has the decrypted SAB perform a security check according to the security-mechanism data it contains; specifically, the decrypted SAB is checked by the virtual machine it contains according to the security-mechanism data SeP it contains. Here the security check is a self-integrity check, that is, the SAB checks whether its decrypted package is complete. The second processing module 56 takes the ciphertext UCT and the predicate evaluation token UTKf from the decrypted SAB, decrypts UTKf to obtain a decryption result and compares the decryption result with the identity data of the cloud service provider; if they are identical, authentication passes, otherwise authentication fails and communication with the terminal is terminated. If the SAB's self-integrity check fails, the virtual machine in this example destroys the SAB.

Figure 6 is a structural block diagram of a system by which a cloud service provider authenticates a terminal according to a further example of the present invention. According to this example, the system includes a first processing module 60, an SAB generation module 62, a decryption module 64 and a second processing module 66. The first processing module 60 includes a judgment unit 600, a first processing unit 602 and a second processing unit 604. The judgment unit 600 is used, after a request from the terminal is received, to judge whether this is the first time the cloud service provider authenticates the terminal. When the result of the judgment unit 600 is yes, the first processing unit 602 provides a virtual identity to the terminal, generates a digital signature Sg(VID) over that virtual identity and, at the same time, uses the identity data of the cloud service provider as the authentication intermediate data for this first authentication, processing it with the predicate encryption algorithm to generate a ciphertext UCT and predicate evaluation token UTKf based on the identity data; in addition, VID and Sg(VID) are stored and, as described below, the digital signature Sg(VID) is used as the authentication intermediate data whenever the cloud service provider subsequently authenticates the terminal. When the result of the judgment unit is no, the second processing unit 604 uses the identity data of the cloud service provider as an index to find the VID of the terminal and hence Sg(VID), and processes Sg(VID) as the authentication intermediate data with the predicate encryption algorithm to generate a ciphertext UCT and predicate evaluation token UTKf based on the digital signature.

The SAB generation module 62 encrypts the ciphertext UCT, the predicate evaluation token UTKf, the security-mechanism data SeP and the public key AKpu together with the public key SKpu provided by the cloud service provider to generate the security active constraint package SAB, and sends the SAB to the cloud service provider. The security-mechanism data SeP specifies the kinds of security check the SAB performs during the decryption process, for example a self-integrity check and a self-destruction mechanism that determines whether the SAB destroys itself if the self-integrity check fails. In addition, to carry out these subsequent security checks, the SAB package generally also includes a virtual machine that can at least perform the SAB security check and self-destruct if the check fails; the SAB in this example includes such a virtual machine. The SAB generation module 62 may be located in the same device as the first processing module 60. The decryption module 64 decrypts the SAB with the private key provided by the cloud service provider and has the decrypted SAB perform a security check according to the security-mechanism data it contains; specifically, the decrypted SAB is checked by the virtual machine it contains according to the security-mechanism data SeP it contains. Here the security check is a self-integrity check, that is, the SAB checks whether its decrypted package is complete. The second processing module 66 takes the ciphertext UCT and the predicate evaluation token UTKf from the decrypted SAB and decrypts UTKf to obtain a decryption result. When the ciphertext UCT and predicate evaluation token UTKf were generated by the first processing unit 602, the second processing module 66 compares the decryption result with the identity data of the cloud service provider; if they are identical, authentication passes, otherwise authentication fails and communication with the terminal is terminated. When the ciphertext UCT and predicate evaluation token UTKf were generated by the second processing unit 604, the second processing module 66 compares the decryption result with the digital signature; if they are identical, authentication passes, otherwise authentication fails and communication with the terminal is terminated. If the SAB's self-integrity check fails, the virtual machine in this example destroys the SAB.

The present invention also provides a two-way cloud authentication system for mutual authentication between a terminal and a cloud service provider. Figure 7 is a schematic block diagram of a two-way cloud authentication system according to the present invention. The system includes a system 7a by which the terminal authenticates the cloud service provider and a system 7b by which the cloud service provider authenticates the terminal. System 7a is the same as the system shown in Figure 4 and is not described again. According to one example of the present invention, system 7b may be the system shown in Figure 5, which is not described again in detail; according to a further example, system 7b may be the system shown in Figure 6. Generally, when the authentication result of system 7a is that the cloud service provider has passed authentication, system 7b then performs the cloud service provider's authentication of the terminal. Alternatively, system 7b may first perform the cloud service provider's authentication of the terminal, after which system 7a performs the terminal's authentication of the cloud service provider.

Using the system of the present invention or performing the method of the present invention, instead of only the cloud service provider authenticating the terminal as in conventional techniques, the cloud service provider and the terminal achieve two-way authentication, thereby preventing phishing. During the authentication process, the use of predicate evaluation, SAB technology and the self-destruction mechanism effectively prevents data theft. Public-key encryption is used in the authentication process, so that small-number attacks are ineffective. In addition, the use of predicate encryption and virtual accounts also guarantees anonymity, preventing service providers or attackers from tracking user access and preventing multiple service providers from stealing end-user information through joint decryption. In the technical solution provided by the present invention, the user and the cloud provider authenticate each other directly without a third party, which avoids the cloud service provider's dependence on a particular identity provider and facilitates the expansion of cloud service providers and resource sharing.

Claims (18)

1. A method for a terminal to authenticate a cloud service provider, characterized in that the method comprises:
    generating a terminal-related predicate evaluation token STK_f according to a predicate evaluation function;
    generating a data packet including the predicate evaluation token STK_f and the public key SK_pu, the data packet further including identity data indicating the identity of the cloud service provider;
    sending the data packet to a device associated with the cloud service provider;
    at the device associated with the cloud service provider, parsing the received data packet according to a predicate evaluation anonymous judgment function, and authenticating the cloud service provider according to the parsing result.

2. The method for a terminal to authenticate a cloud service provider according to claim 1, characterized in that generating the terminal-related predicate evaluation token STK_f according to the predicate evaluation function comprises:
    generating a pair of keys SPK and SMSK;
    generating the terminal-related predicate evaluation token STK_f from the pair of keys SPK and SMSK according to the predicate evaluation function.

3. A method for a cloud service provider to authenticate a terminal, characterized in that the method comprises:
    after receiving a request from the terminal, processing authentication intermediate data with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTK_f;
    generating a security active constraint package SAB from the ciphertext UCT, the predicate evaluation token UTK_f, data SeP related to a security mechanism, and the public key AK_pu, using the public key SK_pu provided by the cloud service provider;
    providing the security active constraint package SAB to a device associated with the cloud service provider;
    decrypting the security active constraint package SAB with the private key provided by the cloud service provider;
    performing a security check on the decrypted security active constraint package SAB according to the data SeP related to the security mechanism included therein;
    if the security check passes, obtaining the ciphertext UCT and the predicate evaluation token UTK_f from the decrypted security active constraint package SAB and decrypting UTK_f, and if the decryption result is the same as the authentication intermediate data, the authentication passes.

4. The method for a cloud service provider to authenticate a terminal according to claim 3, characterized in that the authentication intermediate data is the identity data of the cloud service provider.

5. The method for a cloud service provider to authenticate a terminal according to claim 3, characterized in that, after receiving the request from the terminal, processing the authentication intermediate data with the predicate encryption algorithm, thereby generating the ciphertext UCT and the predicate evaluation token UTK_f, comprises:
    after receiving the request from the terminal, determining whether the cloud service provider is authenticating the terminal for the first time;
    if so, providing the terminal with a virtual identity, generating and storing a digital signature based on the virtual identity, and at the same time taking the identity data of the cloud service provider as the authentication intermediate data, processing the authentication intermediate data with the predicate encryption algorithm, and generating the ciphertext UCT and the predicate evaluation token UTK_f based on the identity data; and
    if not, obtaining the digital signature of the terminal according to the identity data of the cloud service provider, and processing the digital signature with the predicate encryption algorithm, thereby generating the ciphertext UCT and the predicate evaluation token UTK_f based on the digital signature.

6. A two-way cloud authentication method for mutual authentication between a terminal and a cloud service provider, the method comprising:
    the terminal authenticating the cloud service provider, including:
        generating a terminal-related predicate evaluation token STK_f according to a predicate evaluation function;
        generating a data packet including the predicate evaluation token STK_f and the public key SK_pu, the data packet further including identity data indicating the identity of the cloud service provider;
        sending the data packet to a device associated with the cloud service provider;
        at the device associated with the cloud service provider, parsing the received data packet according to a predicate evaluation anonymous judgment function, and authenticating the cloud service provider according to the parsing result; and
    the cloud service provider authenticating the terminal, including:
        after receiving a request from the terminal, processing authentication intermediate data with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTK_f;
        encrypting the ciphertext UCT, the predicate evaluation token UTK_f, data SeP related to a security mechanism, and the public key AK_pu with the public key SK_pu provided by the cloud service provider to generate a security active constraint package SAB;
        sending the security active constraint package SAB to a device associated with the cloud service provider;
        decrypting the security active constraint package SAB with the private key provided by the cloud service provider;
        performing a security check on the decrypted security active constraint package SAB according to the data SeP related to the security mechanism included therein;
        if the security check passes, obtaining the ciphertext UCT and the predicate evaluation token UTK_f from the decrypted security active constraint package SAB and decrypting UTK_f, and if the decryption result is the same as the authentication intermediate data, the authentication passes.

7. The two-way cloud authentication method according to claim 6, characterized in that generating the terminal-related predicate evaluation token STK_f according to the predicate evaluation function comprises:
    generating a pair of keys SPK and SMSK;
    generating the terminal-related predicate evaluation token STK_f from the pair of keys SPK and SMSK according to the predicate evaluation function.

8. The two-way cloud authentication method according to claim 6, characterized in that the authentication intermediate data is the identity data of the cloud service provider.

9. The two-way cloud authentication method according to claim 6, characterized in that, after receiving the request from the terminal, processing the authentication intermediate data with the predicate encryption algorithm, thereby generating the ciphertext UCT and the predicate evaluation token UTK_f, comprises:
    after receiving the request from the terminal, determining whether the cloud service provider is authenticating the terminal for the first time;
    if so, providing the terminal with a virtual identity and generating a digital signature based on the virtual identity, and at the same time taking the identity data of the cloud service provider as the authentication intermediate data, processing the authentication intermediate data with the predicate encryption algorithm, and generating the ciphertext UCT and the predicate evaluation token UTK_f based on the identity data; wherein, from the second time the terminal makes a request to the cloud service provider onward, the digital signature serves as the authentication intermediate data; and
    if not, obtaining the digital signature of the terminal according to the identity data of the cloud service provider, and processing the digital signature with the predicate encryption algorithm, thereby generating the ciphertext UCT and the predicate evaluation token UTK_f based on the digital signature.

10. A system for a terminal to authenticate a cloud service provider, characterized in that the system comprises:
    a terminal data packet generation module configured to generate a terminal-related predicate evaluation token STK_f according to a predicate evaluation function, and to generate a data packet including the predicate evaluation token STK_f and the public key SK_pu, the data packet further including identity data indicating the identity of the cloud service provider;
    a sending module configured to send the data packet;
    a first authentication module configured to receive the data packet sent by the sending module, parse the received data packet according to a predicate evaluation anonymous judgment function, and authenticate the cloud service provider according to the parsing result.

11. The system for a terminal to authenticate a cloud service provider according to claim 10, characterized in that the terminal data packet generation module comprises:
    a key pair generation unit for a pair of keys SPK and SMSK;
    a token generation unit for generating the terminal-related predicate evaluation token STK_f from the pair of keys SPK and SMSK according to the predicate evaluation function;
    a data packet generation unit for generating a data packet including the predicate evaluation token STK_f and the public key SK_pu, the data packet further including identity data indicating the identity of the cloud service provider.

12. A system for a cloud service provider to authenticate a terminal, characterized in that the system comprises:
    a first processing module which, after receiving a request from the terminal, processes authentication intermediate data with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTK_f;
    an SAB generation module for encrypting the ciphertext UCT, the predicate evaluation token UTK_f, data SeP related to a security mechanism, and the public key AK_pu with the public key SK_pu provided by the cloud service provider to generate a security active constraint package SAB, and for sending the security active constraint package SAB to a device associated with the cloud service provider;
    a decryption module for decrypting the security active constraint package SAB with a private key, wherein a security check is performed on the decrypted security active constraint package SAB according to the data SeP related to the security mechanism included therein;
    a second processing module which, if the security check passes, obtains the ciphertext UCT and the predicate evaluation token UTK_f from the decrypted security active constraint package SAB, decrypts UTK_f, and compares the decryption result with the authentication intermediate data; if the comparison result is the same, the authentication passes.

13. The system for a cloud service provider to authenticate a terminal according to claim 12, characterized in that the authentication intermediate data is the identity data of the cloud service provider.

14. The system for a cloud service provider to authenticate a terminal according to claim 12, characterized in that the first processing module comprises:
    a judging unit for determining, after receiving the request from the terminal, whether the cloud service provider is authenticating the terminal for the first time;
    a first processing unit for, when the result of the judging unit is yes, providing the terminal with a virtual identity and generating a digital signature based on the virtual identity, and at the same time taking the identity data of the cloud service provider as the authentication intermediate data, processing the authentication intermediate data with the predicate encryption algorithm, and generating the ciphertext UCT and the predicate evaluation token UTK_f based on the identity data; wherein, from the second time the terminal makes a request to the cloud service provider onward, the digital signature serves as the authentication intermediate data; and
    a second processing unit for, when the result of the judging unit is no, obtaining the digital signature of the terminal according to the identity data of the cloud service provider, and processing the digital signature with the predicate encryption algorithm, thereby generating the ciphertext UCT and the predicate evaluation token UTK_f based on the digital signature.

15. A two-way cloud authentication system for mutual authentication between a terminal and a cloud service provider, the two-way cloud authentication system comprising:
    a system for the terminal to authenticate the cloud service provider, which includes:
        a terminal data packet generation module configured to generate a terminal-related predicate evaluation token STK_f according to a predicate evaluation function, and to generate a data packet including the predicate evaluation token STK_f and the public key SK_pu, the data packet further including identity data indicating the identity of the cloud service provider;
        a sending module configured to send the data packet;
        a first authentication module configured to receive the data packet sent by the sending module, parse the received data packet according to a predicate evaluation anonymous judgment function, and authenticate the cloud service provider according to the parsing result; and
    a system for the cloud service provider to authenticate the terminal, which includes:
        a first processing module which, after receiving a request from the terminal, processes authentication intermediate data with a predicate encryption algorithm, thereby generating a ciphertext UCT and a predicate evaluation token UTK_f;
        an SAB generation module for generating a security active constraint package SAB from the ciphertext UCT, the predicate evaluation token UTK_f, data SeP related to a security mechanism, and the public key AK_pu, using the public key SK_pu provided by the cloud service provider, and for sending the security active constraint package SAB to a device associated with the cloud service provider;
        a decryption module for decrypting the security active constraint package SAB with a private key, wherein a security check is performed on the decrypted security active constraint package SAB according to the data SeP related to the security mechanism included therein;
        a second processing module which, if the security check passes, obtains the ciphertext UCT and the predicate evaluation token UTK_f from the decrypted security active constraint package SAB, decrypts UTK_f, and compares the decryption result with the authentication intermediate data; if the comparison result is the same, the authentication passes.

16. The two-way cloud authentication system according to claim 15, characterized in that the terminal data packet generation module comprises:
    a key pair generation unit for a pair of keys SPK and SMSK;
    a token generation unit for generating the terminal-related predicate evaluation token STK_f from the pair of keys SPK and SMSK according to the predicate evaluation function;
    a data packet generation unit for generating a data packet including the predicate evaluation token STK_f and the public key SK_pu, the data packet further including identity data indicating the identity of the cloud service provider.

17. The two-way cloud authentication system according to claim 15, characterized in that the authentication intermediate data is the identity data of the cloud service provider.

18. The two-way cloud authentication system according to claim 15, characterized in that the first processing module comprises:
    a judging unit for determining, after receiving the request from the terminal, whether the terminal is making a request to the cloud service provider for the first time;
    a first processing unit for, when the result of the judging unit is yes, providing the terminal with a virtual identity and generating a digital signature based on the virtual identity, and at the same time taking the identity data of the cloud service provider as the authentication intermediate data, processing the authentication intermediate data with the predicate encryption algorithm, and generating the ciphertext UCT and the predicate evaluation token UTK_f based on the identity data; wherein, from the second time the terminal makes a request to the cloud service provider onward, the digital signature serves as the authentication intermediate data; and
    a second processing unit for, when the result of the judging unit is no, obtaining the digital signature of the terminal according to the identity data of the cloud service provider, and processing the digital signature with the predicate encryption algorithm, thereby generating the ciphertext UCT and the predicate evaluation token UTK_f based on the digital signature.
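The SAB exchange of claims 3 and 6, modelled in Go as an added example; this is not code from the patent or from the applicant, and the patent does not specify its predicate encryption algorithm, its anonymous judgment function, or the content of SeP. The model therefore substitutes stand-ins, all of which are assumptions: predicate encryption is replaced by AES-GCM under a fresh random key, where the ciphertext plays the role of UCT and the key the role of UTK_f; SeP is reduced to an expiry time standing for the self-destruction mechanism named in the description; the package is encrypted to the provider's public key SK_pu with RSA-OAEP; and the JSON layout, the function names (BuildSAB, VerifySAB, seal, open) and the sample identity strings are constructed for the example. The terminal-authenticates-provider direction (claims 1 and 2) and the virtual-identity branch (claims 5 and 9) are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"time"
)

// SAB is the plaintext security active constraint package of claim 3. Field names
// follow the claims; the JSON layout and the meaning of SeP are assumptions.
type SAB struct {
	UCT  []byte `json:"uct"`   // ciphertext of the authentication intermediate data
	UTKf []byte `json:"utk_f"` // evaluation token (stand-in: the key that opens UCT)
	SeP  int64  `json:"sep"`   // security-mechanism data: Unix expiry time (self-destruction)
	AKpu []byte `json:"ak_pu"` // terminal public key, carried opaquely here
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal stands in for predicate encryption: it encrypts plaintext under a fresh
// random key and returns that key (UTK_f) and nonce||ciphertext (UCT).
func seal(plaintext []byte) (key, out []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a failed GCM tag check surfaces as an error.
func open(key, in []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(in) >= n {
		return gcm.Open(nil, in[:n], in[n:], nil)
	}
	return nil, errors.New("UCT too short")
}

// BuildSAB is the terminal side: encrypt the intermediate data, assemble the
// package and encrypt it with RSA-OAEP to SK_pu. A 3072-bit key keeps the JSON
// within one OAEP block; a real deployment would use hybrid encryption.
func BuildSAB(skPu *rsa.PublicKey, intermediate, akPu []byte, expires int64) ([]byte, error) {
	utkf, uct, err := seal(intermediate)
	if err != nil {
		return nil, err
	}
	body, err := json.Marshal(SAB{UCT: uct, UTKf: utkf, SeP: expires, AKpu: akPu})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, skPu, body, []byte("SAB"))
}

// VerifySAB is the provider side: decrypt with the private key, run the SeP
// check, recover the intermediate data from UCT with UTK_f and compare it with
// the expected value. Every step fails closed.
func VerifySAB(skPr *rsa.PrivateKey, sab, expected []byte, now time.Time) error {
	body, err := rsa.DecryptOAEP(sha256.New(), nil, skPr, sab, []byte("SAB"))
	if err != nil {
		return errors.New("SAB decryption failed: not addressed to this provider")
	}
	var pkg SAB
	if err := json.Unmarshal(body, &pkg); err != nil {
		return err
	}
	if now.Unix() > pkg.SeP {
		return errors.New("SeP check failed: package has expired")
	}
	got, err := open(pkg.UTKf, pkg.UCT)
	if err != nil {
		return errors.New("UTK_f decryption failed")
	}
	if subtle.ConstantTimeCompare(got, expected) != 1 {
		return errors.New("intermediate data mismatch: terminal not authenticated")
	}
	return nil
}
```

The order of checks in VerifySAB follows the claim: a package that was not encrypted to this provider's SK_pu (for example one captured and replayed to a different provider) fails at decryption before anything inside it is inspected; the SeP check runs before the comparison, so an expired package is rejected even if its intermediate data would have matched; and the final comparison is constant-time so that the provider's response time does not leak how many bytes of the expected identity data matched.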
CN201310746278.9A 2013-12-30 2013-12-30 Method and system for terminal authentication cloud service provider, method and system for cloud service provider authentication terminal Active CN104753879B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310746278.9A CN104753879B (en) 2013-12-30 2013-12-30 Method and system for terminal authentication cloud service provider, method and system for cloud service provider authentication terminal

Publications (2)

Publication Number Publication Date
CN104753879A true CN104753879A (en) 2015-07-01
CN104753879B CN104753879B (en) 2019-03-15

Family

ID=53592997

Country Status (1)

Country Link
CN (1) CN104753879B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104935607A (en) * 2015-07-07 2015-09-23 成都睿峰科技有限公司 Login certification method in cloud computing network
CN104935608A (en) * 2015-07-07 2015-09-23 成都睿峰科技有限公司 Identity authentication method in cloud computing network
CN104935606A (en) * 2015-07-07 2015-09-23 成都睿峰科技有限公司 Terminal login method in cloud computing network
CN105657702A (en) * 2016-04-07 2016-06-08 中国联合网络通信集团有限公司 Authentication method, authentication system, authentication method of mobile terminal and mobile terminal

Citations (6)

Publication number Priority date Publication date Assignee Title
CN102143230A (en) * 2011-04-01 2011-08-03 广州杰赛科技股份有限公司 Method for mini-station to authenticate and log in virtual machine in cloud system and login system
CN102158432A (en) * 2011-03-07 2011-08-17 候万春 Telecom operator network middleware device prior to being embedded to terminal operating system
CN102571359A (en) * 2012-04-06 2012-07-11 上海凯卓信息科技有限公司 Method for certificating cloud desktop based on smart card
CN102710605A (en) * 2012-05-08 2012-10-03 重庆大学 Information security management and control method under cloud manufacturing environment
CN103096036A (en) * 2013-01-13 2013-05-08 潘铁军 Security and protection device and cloud service system and safety method of wide band video
EP2624501A1 (en) * 2010-10-26 2013-08-07 ZTE Corporation Authentication routing system, method and authentication router of cloud computing service

Non-Patent Citations (1)

Title
徐雯丽: "Research on Identity Authentication in the Cloud Computing Environment", China Master's Theses Full-text Database *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant