
CN105404560A - RAID5 based security authentication method in object storage system - Google Patents

RAID5 based security authentication method in object storage system

Info

Publication number: CN105404560A
Authority: CN (China)
Prior art keywords: raid5, server, client, authentication request, target
Legal status: Granted (Google Patents notes that the listed legal status is an assumption, not a legal conclusion)
Application number: CN201510744366.4A
Other languages: Chinese (zh)
Other versions: CN105404560B (en)
Inventors: 冯丹, 王阿孟, 胡燏翀, 吴锋, 文可, 肖仁智, 张晓阳, 常栓霞
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology
Events: application filed by Huazhong University of Science and Technology; priority to CN201510744366.4A; publication of CN105404560A; application granted; publication of CN105404560B; current legal status active


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/08 Error detection or correction by redundancy in data representation, e.g. by using checking codes
    • G06F11/10 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
    • G06F11/1076 Parity data used in redundant arrays of independent storages, e.g. in RAID systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a RAID5-based security authentication method in an object storage system. The method exploits the safe, reliable and low-cost properties of RAID5: N TA servers are set up on the critical path TA of the object storage system, the storage resources of the N TA servers are pooled, and RAID5 is deployed on the pool. When a client sends an authentication request, the TA Controller first assigns an ID to the request, performs a modulo operation on the ID, selects a target TA server to process the Client's authentication request, and receives the processing result back. The TA Controller stores the processing result in the RAID5, reading and writing data according to the RAID5 access mechanism. The redundant TA servers effectively prevent a single point of failure, while RAID5 guarantees fast recovery when data is lost, ensuring the security of TA-side user data and the reliability of the service. The invention greatly improves the security and reliability of TA-side data.

Description

A RAID5-based security authentication method in an object storage system

Technical field

The invention belongs to the technical field of storage systems and security authentication, and more specifically relates to a security authentication method based on RAID5 (Redundant Arrays of Independent Disks 5) in an object storage system.

Background

With the arrival of the big data era, data has become an intangible and priceless asset, and its security and reliability have gradually come to be valued by nations, enterprises and individuals.

The trusted authority (TA) in an object storage system mainly holds important information such as the user information list and the certificate revocation list (CRL). When the TA server is attacked, the following risks exist:

Data loss: an attacker who breaks into the system and obtains user information can then enter the object storage system and obtain the data that users have stored in the object-based storage devices (OSDs), causing the users incalculable economic loss.

Data damage: after breaking into the system, an attacker tampers with and damages user data so that users can no longer use the data in the OSD normally, causing immeasurable economic loss.

Service interruption: after breaking into the TA server, an attacker implants a Trojan so that the TA server can no longer provide service normally; the resulting service interruption is a fatal blow to enterprises that must provide uninterrupted service.

Existing work on object storage systems relies on a single TA server to provide service; once that server is attacked, the result is inestimable economic loss.

Summary of the invention

In view of the above defects of the prior art and the need to improve on it, the present invention provides a RAID5-based security authentication method in an object storage system that deploys RAID5 on the critical path TA of the object storage system. Its purpose is to improve the security and reliability of the object storage system: when a single TA server is attacked, the object storage system can continue to provide normal service to users, and if data is lost or damaged it can be recovered quickly through the RAID5 recovery mechanism.

To achieve the above objective, the present invention provides a RAID5-based security authentication method in an object storage system, comprising the following steps:

(1) Start N TA servers based on RAID5 and wait for clients (Client) to connect, where N is the number of TA servers;

(2) The Client sends an authentication request to the trusted authority controller (TAController), and the TAController selects one of the N TA servers as the target TA server;

(3) The selected target TA server processes the Client's authentication request and returns the processing result to the TAController;

(4) The TAController stores the authentication request processing result, distributed according to the RAID5 access mechanism, across the different disks that make up the RAID5.

In one embodiment of the present invention, step (2) comprises the following sub-steps:

(2.1) Authentication requests from multiple Clients are first sent to the TAController. The TAController numbers the requests with IDs (for example 0, 1, 2, ...), then computes the ID modulo N (ID % N) and takes the TA server whose number equals the result as the target TA server; the N TA servers are numbered 1 to N;

(2.2) A connection path is established between the Client and the selected target TA server, which processes the Client's authentication request.

In one embodiment of the present invention, step (3) comprises the following sub-steps:

(3.1) The target TA server and the Client first each generate a session key according to parameters and an algorithm agreed in advance; all subsequent communication is encrypted with the session key;

(3.2) The target TA server obtains the username and password contained in the Client's authentication request and performs a legality check on them. Once the check passes, it compares them against the entries in the user information list to see whether any data matches;

Here the legality check means verifying the format and length of the username and password and whether they contain illegal characters.

(3.3) If the comparison finds a match, the user's information is already in the user list, meaning a certificate has already been issued to the user and is still within its validity period; in this case the target TA server refuses to generate a new certificate for the user. If the user is not in the user list, the user is applying for a certificate for the first time and the target TA server accepts the Client's authentication request;

(3.4) The target TA server generates a private key and a certificate from the username and password, encrypts the private key and certificate with the session key and sends them to the Client. The Client decrypts the received private key and certificate data with its own session key, then uses the private key to decrypt the certificate that was encrypted with the public key, and finally stores the certificate locally on the Client;

(3.5) The target TA server returns the authentication request processing result to the TAController.

In one embodiment of the present invention, step (4) comprises the following sub-steps:

(4.1) The selected target TA server returns the data of the authentication request processing result to the TAController, which keeps it;

(4.2) The TAController stores the processing result returned by the target TA server, distributed according to the RAID5 mechanism, across the different disks that make up the RAID5, so as to achieve secure storage.

In one embodiment of the present invention, the value of N in step (1) is 3.

In general, compared with the prior art, the above technical solution has the following beneficial effects: by using redundancy, the invention effectively solves the problem of a single point of failure at the TA and improves system reliability; by using RAID5, an attacker who breaks into one TA server can obtain only part of the user data rather than all of it, further ensuring the security of user data; and RAID5 also allows lost or damaged data to be recovered quickly, ensuring the security and reliability of the data.
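The dispatch and storage path of steps (2) to (4), as an added illustration that is not part of the patent: a TAController assigns sequential request IDs, picks the target TA server as ID % N, and stripes each processing result across the pooled storage of the N servers with XOR parity so that a single lost column can be rebuilt. Everything here is assumed rather than taken from the patent: the servers are indexed 0 to N-1 (matching TA0, TA1 and TA2 in the Figure 2 description, whereas the sub-step text numbers them 1 to N), the processing result is a constructed byte string, the 8-byte block size is constructed, and RAID5 is reduced to its striping and rotated-parity rule.

```python
"""Added example, not the patent's own code: TAController dispatch by ID % N
(steps 2-4) and RAID5-style storage of the results with parity rebuild.
Assumptions not in the patent: servers indexed 0..N-1 (TA0..TA2 as in the
figure 2 description); a result is an opaque byte string; RAID5 modelled as
N block columns, each stripe = N-1 data blocks + 1 rotated XOR parity block."""
from __future__ import annotations

import functools
import itertools

BLOCK = 8  # bytes per block; constructed small value so stripes are visible


def xor_bytes(*parts: bytes) -> bytes:
    return functools.reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), parts)


class Raid5:
    """N columns (one per TA server's storage). Stripe s holds N-1 data
    blocks plus a parity block on column (N-1) - (s % N)."""

    def __init__(self, n_disks: int) -> None:
        if n_disks < 3:
            raise ValueError("RAID5 needs at least 3 disks")
        self.n = n_disks
        self.disks: list[list[bytes | None]] = [[] for _ in range(n_disks)]

    def parity_disk(self, stripe: int) -> int:
        return (self.n - 1) - (stripe % self.n)

    def write(self, data: bytes) -> int:
        """Stripe data across the columns; returns the first stripe index."""
        per_stripe = BLOCK * (self.n - 1)
        first = len(self.disks[0])
        for off in range(0, len(data), per_stripe):
            chunk = data[off:off + per_stripe].ljust(per_stripe, b"\0")
            blocks = [chunk[i:i + BLOCK] for i in range(0, per_stripe, BLOCK)]
            pd = self.parity_disk(len(self.disks[0]))
            parity, it = xor_bytes(*blocks), iter(blocks)
            for d in range(self.n):
                self.disks[d].append(parity if d == pd else next(it))
        return first

    def read_block(self, disk: int, stripe: int) -> bytes:
        blk = self.disks[disk][stripe]
        if blk is None:  # column lost: rebuild from the other N-1 columns
            others = [self.disks[d][stripe] for d in range(self.n) if d != disk]
            if any(o is None for o in others):
                raise RuntimeError("RAID5 tolerates only one lost column")
            blk = xor_bytes(*others)
        return blk

    def read(self, first_stripe: int, length: int) -> bytes:
        out, stripe = bytearray(), first_stripe
        while len(out) < length:
            pd = self.parity_disk(stripe)
            out += b"".join(self.read_block(d, stripe) for d in range(self.n) if d != pd)
            stripe += 1
        return bytes(out[:length])

    def fail_disk(self, disk: int) -> None:
        """Simulate losing one TA server's storage (failure or compromise)."""
        self.disks[disk] = [None] * len(self.disks[disk])


class TAController:
    def __init__(self, n: int) -> None:
        self.n = n
        self.raid = Raid5(n)            # the N servers' storage pooled as RAID5
        self._ids = itertools.count(0)  # request IDs 0, 1, 2, ...
        self.index: dict[int, tuple[int, int]] = {}  # req_id -> (stripe, len)

    def select(self, req_id: int) -> int:
        return req_id % self.n                                  # step (2.1)

    def process(self, ta: int, req_id: int, username: str) -> bytes:
        # Constructed stand-in for the target TA server's "processing result".
        return f"id={req_id};user={username};ta={ta}".encode()  # step (3)

    def authenticate(self, username: str) -> int:
        req_id = next(self._ids)
        result = self.process(self.select(req_id), req_id, username)
        self.index[req_id] = (self.raid.write(result), len(result))  # step (4)
        return req_id

    def fetch_result(self, req_id: int) -> bytes:
        stripe, length = self.index[req_id]
        return self.raid.read(stripe, length)


def demo(n: int = 3, users=("alice", "bob", "carol", "dave")) -> dict:
    """Dispatch four requests, lose one column, check every result survives."""
    tac = TAController(n)
    ids = [tac.authenticate(u) for u in users]
    before = {rid: tac.fetch_result(rid) for rid in ids}
    tac.raid.fail_disk(1)
    after = {rid: tac.fetch_result(rid) for rid in ids}
    return {"assignment": {rid: tac.select(rid) for rid in ids},
            "intact": before == after, "results": after}
```

demo() dispatches four requests round-robin (IDs 0 to 3 land on servers 0, 1, 2, 0), marks column 1 as lost and reads every result back through parity rebuild. Each column holds only some of the data blocks of each record plus parity, which is the "only part of the user data" property the benefits paragraph relies on; read_block also makes the limit explicit by raising as soon as a second column is missing, so the controller has to detect and repair a single loss before another one occurs.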

Description of the drawings

Figure 1 is a structural diagram of the redundant TA object storage system in an embodiment of the present invention;

Figure 2 is a flow chart of TA server selection in an embodiment of the present invention;

Figure 3 is a flow chart of data storage by the TA servers in an embodiment of the present invention;

Figure 4 is a flow chart of user registration and certificate issuance in an embodiment of the present invention.

Detailed description

To make the objectives, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and not to limit it. Furthermore, the technical features of the various embodiments described below can be combined with one another as long as they do not conflict.

As shown in Figure 1, the structure of the redundant TA object storage system on which the method of the present invention is based is as follows:

The object storage system mainly comprises four parts: the client (Client), the trusted authority (TA), the metadata server (MDS) and the object-based storage devices (OSD).

The redundant TA object storage system builds on the object storage system by adding redundant TAs on the system's critical path, the TA, to improve system reliability.

Flow of the redundant object storage system: first, the Client sends an authentication request to the TAController. The TAController assigns an ID to the request, performs a modulo operation on the request ID to select the target TA server, and forwards the username and password to that server. The target TA server first establishes a communication channel with the Client, then processes the authentication request and sends the processing result back to the TAController, which saves the user information to the TA cluster storage devices that make up the RAID5. At the same time the certificate and private key are encrypted and sent to the Client, which decrypts the certificate and stores it locally. The Client then sends the certificate and its request to the MDS; after verification, the MDS returns a capability certificate and metadata to the Client. Using the capability certificate and metadata, the Client sends requests to the OSDs to obtain the required data.

As shown in Figure 2, the TA server selection flow is as follows:

When the Client sends an authentication request to the TA servers, it is first sent to the TAController, which assigns the request an ID.

The TAController computes the request ID modulo 3 (ID % 3) to select the target TA server: if the result is 0, server TA0 (number 0) processes the request; if the result is 1, server TA1 (number 1) processes it; if the result is 2, server TA2 (number 2) processes it.

As shown in Figure 3, the data storage flow of the TA module is as follows:

After the TAController has selected the target TA server for a Client's authentication request, it establishes a communication channel between the Client and the target TA server. The target TA server processes the Client's authentication request and returns the processing result to the TAController.

The TAController stores the returned processing result, distributed according to the RAID5 access mechanism, across the different disks that make up the RAID5.

As shown in Figure 4, the user registration and certificate issuance flow is as follows:

When the Client sends an authentication request to the TAController, the TAController retrieves the user information list from the RAID5.

After the Client sends the authentication request, the TAController listens for the user request, obtains the username and password, and first performs the legality check. Once the check passes, it compares them against the user information list to see whether any data matches. If there is a match, the user's information is already in the list, a certificate has already been sent to the user and it is still within its validity period, so the request to generate a new certificate is refused. If there is no match, the user is applying for a certificate for the first time: a public/private key pair is generated for the user, the certificate is transmitted, and the user information list is updated.
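The decision logic of Figure 4 and sub-steps (3.2) to (3.4), as an added example that is not the patent's code: the legality check on username and password, the lookup in the user information list, refusal while an issued certificate is still within its validity period, and issuance plus list update for a first-time applicant. The following are constructed assumptions, not statements of the patent: the username pattern, password length bounds and illegal-character set are policy choices; the certificate is an HMAC-signed record standing in for a real certificate; a renewal after expiry must present the registered password (the patent does not say what happens once a certificate expires); the client's private key is a random secret rather than being derived from the username and password; passwords are kept only as salted PBKDF2 hashes; and the session-key encryption of the response is not modelled.

```python
"""Added example, not the patent's own code: the registration decision of
steps (3.2)-(3.4) and figure 4 -- legality check of the username and
password, lookup in the user information list, refusal while an issued
certificate is still valid, issuance and list update for a first-time
applicant. Constructed assumptions: the length limits and illegal-character
set; the certificate is an HMAC-signed record standing in for a real
certificate; a renewal after expiry must present the registered password;
the client's private key is a random secret, not derived from the password."""
from __future__ import annotations

import hashlib
import hmac
import json
import re
import secrets
import time

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{4,32}")   # constructed policy
PASSWORD_MIN, PASSWORD_MAX = 8, 64                   # constructed policy
ILLEGAL = set("\x00\r\n'\";\\")                      # constructed set


def legality_check(username: str, password: str) -> str | None:
    """Format, length and illegal-character check (step 3.2 / claim 5).
    Returns None when acceptable, otherwise the reason for rejection."""
    if not USERNAME_RE.fullmatch(username):
        return "username: bad format or length"
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        return "password: bad length"
    if any(ch in ILLEGAL or not ch.isprintable() for ch in password):
        return "password: illegal character"
    return None


def _pwd_hash(password: str, salt: bytes) -> bytes:
    # Only a salted hash is kept in the user information list, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TrustedAuthority:
    """One TA server's view: the user information list plus a signing key."""

    def __init__(self, validity_s: float, now=time.time) -> None:
        self.sign_key = secrets.token_bytes(32)   # TA's own signing secret
        self.users: dict[str, dict] = {}          # the user information list
        self.validity_s, self.now, self._serial = validity_s, now, 0

    def _sign(self, cert: dict) -> str:
        body = json.dumps(cert, sort_keys=True).encode()
        return hmac.new(self.sign_key, body, "sha256").hexdigest()

    def register(self, username: str, password: str) -> dict:
        reason = legality_check(username, password)
        if reason:
            return {"status": "rejected", "reason": reason}
        rec = self.users.get(username)
        if rec is not None:
            if not hmac.compare_digest(_pwd_hash(password, rec["salt"]), rec["pwd_hash"]):
                return {"status": "rejected", "reason": "credentials mismatch"}
            if rec["not_after"] > self.now():   # step (3.3): certificate still valid
                return {"status": "rejected", "reason": "certificate still valid"}
        # first application (or expired certificate): issue and update the list
        self._serial += 1
        salt = secrets.token_bytes(16)
        cert = {"subject": username, "serial": self._serial,
                "not_after": self.now() + self.validity_s}
        self.users[username] = {"salt": salt, "pwd_hash": _pwd_hash(password, salt),
                                "serial": self._serial, "not_after": cert["not_after"]}
        # The patent sends certificate and private key to the Client under the
        # session key; that transport is not modelled here.
        return {"status": "issued", "certificate": cert, "signature": self._sign(cert),
                "private_key": secrets.token_hex(32)}

    def verify(self, cert: dict, signature: str) -> bool:
        """Accept only an untampered certificate that has not expired."""
        return (hmac.compare_digest(self._sign(cert), signature)
                and cert["not_after"] > self.now())
```

The `now` parameter exists so the validity window can be driven by a test clock: a second application while the first certificate is valid is refused with "certificate still valid", an application after expiry with the wrong password is refused as a credentials mismatch, and only a correct renewal produces a new serial. verify() rejects both a forged tag and an expired but otherwise genuine certificate.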

Those skilled in the art will readily understand that the above are only preferred embodiments of the present invention and are not intended to limit it; any modifications, equivalent substitutions and improvements made within the spirit and principles of the invention fall within its scope of protection.

Claims (6)

1. A RAID5-based security authentication method in an object storage system, characterised in that it comprises the following steps:
(1) Start N TA servers based on RAID5 and wait for clients (Client) to connect, where N is the number of TA servers;
(2) The Client sends an authentication request to the trusted authority controller (TAController), and the TAController selects one of the N TA servers as the target TA server;
(3) The selected target TA server processes the Client's authentication request and returns the processing result to the TAController;
(4) The TAController stores the authentication request processing result, distributed according to the RAID5 access mechanism, across the different disks that make up the RAID5.

2. The RAID5-based security authentication method in an object storage system of claim 1, characterised in that step (2) specifically comprises the following sub-steps:
(2.1) Authentication requests from multiple Clients are first sent to the TAController; the TAController numbers the requests with IDs, then computes ID % N and takes the TA server whose number equals the result as the target TA server, where the N TA servers are numbered 1 to N;
(2.2) A connection path is established between the Client and the selected target TA server, which processes the Client's authentication request.

3. The RAID5-based security authentication method in an object storage system of claim 1 or 2, characterised in that step (3) specifically comprises the following sub-steps:
(3.1) The target TA server and the Client each generate a session key according to parameters and an algorithm agreed in advance; all subsequent communication is encrypted with the session key;
(3.2) The target TA server obtains the username and password contained in the Client's authentication request and performs a legality check on them; once the check passes, it compares them against the entries in the user information list to see whether any data matches;
(3.3) If the comparison finds a match, the user's information is already in the user list, a certificate has already been issued to the user and is within its validity period, and the target TA server refuses to generate a new certificate for the user; if the user is not in the user list, the user is applying for a certificate for the first time and the target TA server accepts the Client's authentication request;
(3.4) The target TA server generates a private key and a certificate from the username and password, encrypts the private key and certificate with the session key and sends them to the Client; the Client decrypts the received private key and certificate data with its own session key, then uses the private key to decrypt the certificate that was encrypted with the public key, and finally stores the certificate locally on the Client;
(3.5) The target TA server returns the authentication request processing result to the TAController.

4. The RAID5-based security authentication method in an object storage system of claim 1 or 2, characterised in that step (4) specifically comprises the following sub-steps:
(4.1) The selected target TA server returns the data of the authentication request processing result to the TAController, which keeps it;
(4.2) The TAController stores the processing result returned by the target TA server, distributed according to the RAID5 mechanism, across the different disks that make up the RAID5, so as to achieve secure storage.

5. The RAID5-based security authentication method in an object storage system of claim 3, characterised in that the legality check in step (3.2) means verifying the format and length of the username and password and whether they contain illegal characters.

6. The RAID5-based security authentication method in an object storage system of claim 1 or 2, characterised in that the value of N in step (1) is 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510744366.4A CN105404560B (en) 2015-11-05 2015-11-05 Safety certifying method based on RAID5 in a kind of object storage system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510744366.4A CN105404560B (en) 2015-11-05 2015-11-05 Safety certifying method based on RAID5 in a kind of object storage system

Publications (2)

Publication Number Publication Date
CN105404560A true CN105404560A (en) 2016-03-16
CN105404560B CN105404560B (en) 2019-01-04

Family

ID=55470058

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510744366.4A Active CN105404560B (en) 2015-11-05 2015-11-05 Safety certifying method based on RAID5 in a kind of object storage system

Country Status (1)

Country Link
CN (1) CN105404560B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117134918A (en) * 2023-07-20 2023-11-28 威艾特科技(深圳)有限公司 Distributed data signature verification method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030182549A1 (en) * 2002-03-22 2003-09-25 Hallin Philip J. Systems and methods for distributing trusted certification authorities
CN101095116A (en) * 2004-11-05 2007-12-26 数据机器人技术公司 Dynamically scalable and scalable fault-tolerant storage system and method allowing storage devices of various sizes
US20080098212A1 (en) * 2006-10-20 2008-04-24 Helms William L Downloadable security and protection methods and apparatus
CN101534295A (en) * 2009-04-08 2009-09-16 哈尔滨工程大学 Storage method of architecture based on object storage system
CN104917843A (en) * 2015-06-17 2015-09-16 嘉兴市第一医院 Cloud storage and medical image seamless joint system


Also Published As

Publication number Publication date
CN105404560B (en) 2019-01-04

Similar Documents

Publication Publication Date Title
EP3661120B1 (en) Method and apparatus for security authentication
JP6517359B2 (en) Account restoration protocol
US8196186B2 (en) Security architecture for peer-to-peer storage system
CN104378206B (en) A USB-Key-based virtual desktop security authentication method and system
CN108964885B (en) Authentication method, device, system and storage medium
CN106453384B (en) A secure cloud disk system and secure encryption method thereof
WO2017028593A1 (en) Method for making a network access device access a wireless network access point, network access device, application server, and non-volatile computer readable storage medium
US8892602B2 (en) Secure configuration of authentication servers
CN101534192B (en) System used for providing cross-domain token and method thereof
CN101605137A (en) Safe distribution file system
CN106921663B (en) Identity continuous authentication system and method based on intelligent terminal software/intelligent terminal
CN102957708B (en) Application encrypting and decrypting method, server and terminal
CN103780609A (en) Cloud data processing method and device and cloud data security gateway
WO2022143498A1 (en) Access control method and apparatus, and network-side device, terminal and blockchain node
US20120272303A1 (en) Method and device for enhancing security of user security model
CN105404560A (en) RAID5 based security authentication method in object storage system
CN118282662A (en) Device registration method, device registration apparatus, and computer storage medium
CN110740139A (en) secret key device and secret key management method, system, equipment and computer medium
CN104135482A (en) Authentication method and device as well as server
CN118074925A (en) Unified identity authentication method, device and electronic equipment
CN102594841B (en) Distributed multi-tenant node digital authentication system for cloud computing environment
CN117318969A (en) Business communication methods, devices and systems for realizing disaster recovery
CN106714159A (en) Network access control method and system
CN119814297B (en) Data processing method, service side, client, storage medium and computer program product
CN115189975B (en) Login method, login device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant