CN102594841B - Distributed multi-tenant node digital authentication system for cloud computing environment - Google Patents
Publication number: CN102594841B (application CN201210075227.3A)
Authority: CN (China)
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Abstract
The invention relates to the field of authentication technology and in particular discloses a distributed multi-tenant node digital authentication system for a cloud computing environment. The system comprises a central management server for keys and certificates and is characterised in that the central management server is established and configured by the top-level administrator of the multi-tenant environment and uses a strictly protected 2048-bit root certificate to issue a master certificate for each physical node; all information passed between a virtual node and its physical node is encrypted and signed with the guest certificate issued to that virtual node. The invention is open and platform-independent, gives digital authentication multiple layers of protection, authenticates not only users but also the nodes themselves, and offers good confidentiality and high security.
Description
(1) Technical field
The present invention relates to the field of network authentication technology, and in particular to a distributed multi-tenant node digital authentication system for a cloud computing environment.
(2) Background technology
Security is one of the main concerns in modern data communication systems. As more and more information is carried over such systems, and as more and more user applications holding security-critical information run on devices attached to them, an intrusion into a communication system or the defeat of its security mechanisms can have catastrophic consequences. To guard against malicious users, many communication networks today require a user to be authenticated before data communication through an access node of the network can begin.
As cloud computing technology matures, future cloud computing environments will increasingly be built on distributed multi-tenant environments. In a multi-tenant environment there is no basic trust relationship between nodes, so security faces major challenges.
The security problems of a multi-tenant environment centre on mutual authentication between nodes and on the encryption and signing of the information they exchange.
(3) Contents of the invention
To remedy the shortcomings of the existing technology, the present invention provides an open, platform-independent distributed multi-tenant node digital authentication system for cloud computing environments.
The present invention is realised through the following technical solution:
A distributed multi-tenant node digital authentication system for a cloud computing environment comprises a central management server for keys and certificates and is characterised in that the central management server is established and configured by the top-level administrator of the multi-tenant environment and uses a strictly protected 2048-bit root certificate to issue the master certificate CH of a physical node; all information passed between a virtual node and its physical node is encrypted and signed with the guest certificate CG of that virtual node.
In the present invention, cloud computing node authentication covers not only users but also the nodes themselves. The system is highly open and platform-independent, supporting Windows, Linux and other operating systems, and it authenticates every resource in the cloud computing system through a single central root certificate.
In the present invention the issuance of a guest certificate is an automatic process, and this is also the key to the digital authentication system.
When a guest certificate is issued, a virtual node is created on a physical node; the physical node generates a time-limited temporary key and implants it into the virtual node using file implantation. Before sending any information, the virtual node encrypts and signs its guest-certificate request with the temporary key and sends the request to the physical node; the physical node decrypts the request with the temporary key and verifies the signature, and once verification passes it formally issues the guest certificate and returns it to the virtual node.
Encryption and signing of information passed between virtual nodes is optional; a receiving node decides, according to its security configuration, whether to accept information that is neither encrypted nor signed.
The temporary key is valid for no more than 120 seconds.
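The bootstrap above can be modelled with a shared temporary key: the physical node H writes the key plus its 120-second expiry into the new virtual node, G authenticates its certificate request with it, and H rejects requests whose key is expired or whose tag does not match. This is an added illustration, not code from the patent; only the signing half is modelled (with an HMAC over the request) and the encryption step, the certificate format and the injectable clock are assumptions.

```python
import hashlib
import hmac
import os

TEMP_KEY_TTL = 120  # seconds: the lifetime limit the patent places on the temporary key


def host_create_temp_key(guest_id: str, now: float) -> dict:
    """Physical node H: a fresh secret plus its expiry, to be implanted into guest G."""
    return {"guest": guest_id, "secret": os.urandom(32), "expires": now + TEMP_KEY_TTL}


def guest_sign_request(temp_key: dict, csr: bytes) -> dict:
    """Virtual node G: authenticate its guest-certificate request with the implanted key."""
    tag = hmac.new(temp_key["secret"], csr, hashlib.sha256).hexdigest()
    return {"guest": temp_key["guest"], "csr": csr, "tag": tag}


def host_accept_request(issued: dict, request: dict, now: float) -> bool:
    """Physical node H: accept only a request protected by a live, matching temporary key."""
    temp_key = issued.get(request["guest"])
    if temp_key is None or now >= temp_key["expires"]:
        return False  # unknown guest, or key past its 120 s lifetime
    expected = hmac.new(temp_key["secret"], request["csr"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["tag"])


def bootstrap(seconds_until_request: float, tamper: bool = False) -> bool:
    """One issuance round with an injectable clock so expiry and tampering can be exercised."""
    t0 = 1_000_000.0  # constructed start time; H keeps the keys it handed out per guest
    issued = {"G": host_create_temp_key("G", t0)}
    request = guest_sign_request(issued["G"], b"constructed CSR for virtual node G")
    if tamper:  # a modified request body no longer matches the tag
        request["csr"] = b"constructed CSR for a different node"
    return host_accept_request(issued, request, t0 + seconds_until_request)
```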
The invention is open and platform-independent, gives digital authentication multiple layers of protection, authenticates not only users but also the nodes themselves, and offers good confidentiality and high security.
(4) Description of drawings
The present invention is further described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the main process of the present invention;
Fig. 2 is a schematic diagram of the guest certificate issuance process of the present invention;
Fig. 3 is a schematic diagram of the process by which a user logs in to a virtual node in the present invention;
Fig. 4 is a schematic diagram of the process by which a user fails to log in to a virtual node in the present invention.
In the figures: C, central management server; H, physical node; CH, master certificate; G, virtual node; CG, guest certificate.
(5) Specific implementation methods
The drawings show one specific embodiment of the present invention. The embodiment comprises a central management server C for keys and certificates, which is established and configured by the top-level administrator of the multi-tenant environment and uses a strictly protected 2048-bit root certificate to issue the master certificate CH of a physical node H; all information passed between a virtual node G and the physical node H is encrypted and signed with the guest certificate CG of the virtual node G. When the guest certificate CG is issued, the virtual node G is created on the physical node H; H generates a time-limited temporary key and implants it into G using file implantation. Before sending any information, G encrypts and signs its request for the guest certificate CG with the temporary key and sends the request to H; H decrypts the request with the temporary key and verifies the signature, and once verification passes it formally issues the guest certificate CG and returns it to G. Encryption and signing of information passed between virtual nodes G is optional, and the temporary key is valid for no more than 120 seconds.
As shown in Fig. 3, after the virtual node G has obtained its guest certificate CG, a user requests to log in. G returns the guest certificate CG. The user obtains the root certificate from the central certificate server (the root certificate may also be pre-installed on the client) and verifies CG against it. Once verification passes, the user regards G as trustworthy, supplies login credentials and logs in successfully.
As shown in Fig. 4, after the virtual node G has obtained its guest certificate CG, a user requests to log in. Meanwhile, another virtual node G' in the same environment has been attacked and compromised. G' uses ARP spoofing or similar means to take over G's network address, so when the user requests to log in to G the user is actually directed to G'. Because G' holds only the guest certificate CG', it can only present CG' to the user. The user obtains the root certificate from the central certificate server and verifies CG' against it. The verification fails and the user refuses to supply login credentials.
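The two login outcomes of Figs. 3 and 4 come down to one client-side check: the presented guest certificate must chain to the root through the physical node's master certificate, and it must name the node the user intended to reach, which is why CG' from the hijacking node is rejected even though it was legitimately issued. The example below is added here and is not the patent's own code; it stands in for the 2048-bit certificates with textbook RSA on small fixed primes (never use such keys in practice), and the certificate fields, the canonical encoding and the subject-name binding rule are assumptions.

```python
import hashlib
import json

# Toy textbook RSA on fixed small primes: a stand-in for the 2048-bit root
# certificate and node certificates, so the block runs on the standard library.
def toy_keypair(p: int, q: int, e: int):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def digest(data: bytes, n: int) -> int:
    return int(hashlib.sha256(data).hexdigest(), 16) % n

def sign(priv: dict, data: bytes) -> int:
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def tbs(subject: str, pub: dict, issuer: str) -> bytes:
    # the "to be signed" fields of a certificate, canonically encoded
    return json.dumps({"subject": subject, "pub": pub, "issuer": issuer}, sort_keys=True).encode()

def issue_cert(subject: str, subject_pub: dict, issuer: str, issuer_priv: dict) -> dict:
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_priv, tbs(subject, subject_pub, issuer))}

def signed_by(cert: dict, issuer_pub: dict) -> bool:
    return verify(issuer_pub, tbs(cert["subject"], cert["pub"], cert["issuer"]), cert["sig"])

def client_accepts(root_pub: dict, host_cert: dict, guest_cert: dict, wanted_node: str) -> bool:
    """Login-side check of Figs. 3 and 4: CG must chain to the root through CH
    and must name the node the user asked for."""
    if host_cert["issuer"] != "C" or not signed_by(host_cert, root_pub):
        return False
    if guest_cert["issuer"] != host_cert["subject"] or not signed_by(guest_cert, host_cert["pub"]):
        return False
    # Without this binding any node holding *some* valid guest certificate
    # (the compromised G' of Fig. 4) could answer in G's place.
    return guest_cert["subject"] == wanted_node

# Constructed PKI: central server C, physical node H, virtual nodes G and G'
ROOT_PUB, ROOT_PRIV = toy_keypair(61, 53, 17)
HOST_PUB, HOST_PRIV = toy_keypair(101, 103, 7)
G_PUB, _ = toy_keypair(89, 97, 5)
G2_PUB, _ = toy_keypair(107, 109, 11)
CH = issue_cert("H", HOST_PUB, "C", ROOT_PRIV)   # master certificate of H
CG = issue_cert("G", G_PUB, "H", HOST_PRIV)      # guest certificate of G
CG2 = issue_cert("G'", G2_PUB, "H", HOST_PRIV)   # guest certificate of G'

def login_outcomes() -> dict:
    """Fig. 3: G answers with CG. Fig. 4: G' has taken G's address and answers with CG'."""
    return {"honest": client_accepts(ROOT_PUB, CH, CG, "G"),
            "hijacked": client_accepts(ROOT_PUB, CH, CG2, "G")}
```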
Claims (3)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210075227.3A CN102594841B (en) | 2012-03-21 | 2012-03-21 | Distributed multi-tenant node digital authentication system for cloud computing environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210075227.3A CN102594841B (en) | 2012-03-21 | 2012-03-21 | Distributed multi-tenant node digital authentication system for cloud computing environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102594841A CN102594841A (en) | 2012-07-18 |
CN102594841B true CN102594841B (en) | 2015-01-07 |
Family
ID=46483042
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210075227.3A Expired - Fee Related CN102594841B (en) | 2012-03-21 | 2012-03-21 | Distributed multi-tenant node digital authentication system for cloud computing environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102594841B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10063537B2 (en) * | 2014-12-19 | 2018-08-28 | Microsoft Technology Licensing, Llc | Permission architecture for remote management and capacity instances |
US9787690B2 (en) | 2014-12-19 | 2017-10-10 | Microsoft Technology Licensing, Llc | Security and permission architecture |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1345494A (en) * | 1999-03-26 | 2002-04-17 | Motorola Inc. | Secure wireless e-commerce system with digital product certificate and digital license certificate |
CN1791116A (en) * | 2005-12-26 | 2006-06-21 | Beihang University (Beijing University of Aeronautics and Astronautics) | Credential protection handling method facing service |
CN102333077A (en) * | 2011-07-21 | 2012-01-25 | Shanghai Internet Software Co., Ltd. | Safety verification system for electronic document office system and method thereof |
Also Published As
Publication number | Publication date |
---|---|
CN102594841A (en) | 2012-07-18 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
ASS | Succession or assignment of patent right | Owner name: SHANDONG LVJISUAN ELECTRON TECHNOLOGY CO., LTD.; former owner: SHANDONG JIXINIC ELECTRONICS CO., LTD.; effective date: 20140930 |
C41 | Transfer of patent application or patent right or utility model | |
C53 | Correction of patent of invention or patent application | |
CB03 | Change of inventor or designer information | Inventor after: Ding Li; inventors before: Chen Qikai, Jiang Tianchen |
COR | Change of bibliographic data | Correct inventor from CHEN QIKAI, JIANG TIANCHEN to DING LI; correct address from 250101 JINAN, SHANDONG PROVINCE to 250000 JINAN, SHANDONG PROVINCE |
TA01 | Transfer of patent application right | Effective date of registration: 20140930. Applicant after: SHANDONG GREEN COMPUTING ELECTRONICS TECHNOLOGY Co.,Ltd., 250000 Shandong city of Ji'nan province high tech Zone Shun Road No. 2000 Shun Tai Plaza Building 8 floor A block 9. Applicant before: SHANDONG JIXIN ELECTRONIC TECHNOLOGY CO.,LTD., 250101 Shandong city of Ji'nan province high tech Zone Shun Road No. 2000 Shun Tai Plaza Building 8 East Room 903 |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20150107 |