CN106992978B

Movatterモバイル変換

Info

Publication number: CN106992978B
Application number: CN201710192013.7A
Authority: CN
Inventors: 张奇伟
Original assignee: Lenovo Beijing Ltd
Current assignee: Lenovo Beijing Ltd
Priority date: 2017-03-28
Filing date: 2017-03-28
Publication date: 2020-08-25
Anticipated expiration: 2037-03-28
Also published as: CN106992978A

Abstract

The invention discloses a network security management method and a server, wherein the method comprises the following steps: when detecting that the authority certificate file is used for executing an identity authentication operation request, acquiring the authority certificate file; sending the authority certificate file to a trusted encryption hardware module; so that the trusted encryption hardware module carries out decryption operation on the authority certificate file; and performing identity authentication operation by using the decrypted authority certificate file. According to the technical scheme of the embodiment, the authority certificate file of the main body in the cluster is encrypted by adopting the trusted encryption hardware module, and the response is sent to the main body according to the content of the decrypted request, so that the network security is ensured.

Description

Network security management method and server

Technical Field

The present invention relates to the field of network security technologies, and in particular, to a network security management method and a server.

Background

For large data systems, the rights management module is an important module. Because the authority management module not only controls the access authority of the user to the big data system, but also directly controls the access of the user to the data of the big data system. Especially inside a big data system, communication across hosts is usually involved, and at this time, the rights management module can control the authorization data of each host in the cluster and complete updating of the authorization data.

When the rights management module manages the authorization data, identity verification is usually required, specifically, identity verification is performed through a certificate issued by a big data system. If the certificate is read by a third party, the security of the authority management module is threatened, so that the communication security between the hosts is threatened.

Disclosure of Invention

In view of this, an object of the embodiments of the present invention is to provide a network security management method and a server capable of performing identity verification on an authority management module.

In order to achieve the above object, an embodiment of the present invention provides a network security management method, including:

when detecting that the authority certificate file is used for executing an identity authentication operation request, acquiring the authority certificate file;

sending the authority certificate file to a trusted encryption hardware module; so that the trusted encryption hardware module carries out decryption operation on the authority certificate file;

and performing identity authentication operation by using the decrypted authority certificate file.

Preferably, before invoking the trusted encryption hardware module to perform decryption operation on the authority certificate file, the method further includes:

verifying the processing authority of the request to obtain a first judgment result;

and when the first judgment result shows that the request has the authority for executing the identity authentication operation, the trusted encryption hardware module performs decryption operation on the authority certificate file.

Preferably, the method further comprises:

judging the access authority of the user sending the request to obtain a second judgment result;

and when the second judgment result shows that the user has the access right to the authority certificate file, the trusted encryption hardware module carries out decryption operation on the authority certificate file.

Preferably, the method further comprises: receiving an access request of a user sending the request according to the result of identity authentication operation of the decrypted authority certificate file;

sending the access request to the trusted cryptographic hardware module; so that the trusted encryption hardware module performs decryption operation on the access request;

and responding to the decrypted access request.

Preferably, the method further comprises:

calling the trusted encryption hardware module to encrypt the response;

and sending the encrypted response to the user sending the request.

The embodiment of the invention also provides a network security management method, which comprises the following steps:

generating an authority certificate file;

calling a trusted encryption hardware module to encrypt the authority certificate file;

and sending an identity authentication operation request by using the authority certificate file.

Preferably, the method comprises: and receiving a response result to the operation request.

An embodiment of the present invention further provides a server, including:

the processor is configured to acquire the authority certificate file and send the authority certificate file to the trusted encryption hardware module when detecting that the authority certificate file is used for executing an identity authentication operation request;

the trusted encryption hardware module is configured to decrypt the authority certificate file;

and the processor is also configured to perform identity authentication operation by using the decrypted authority certificate file.

Preferably, the server includes:

the processor is further configured to verify the processing permission of the request to obtain a first judgment result before calling the trusted encryption hardware module to perform decryption operation on the permission certificate file, and when the first judgment result shows that the request has permission to perform identity authentication operation, the trusted encryption hardware module performs decryption operation on the permission certificate file.

An embodiment of the present invention further provides a server, including:

and the processor is configured to generate an authority certificate file, call a trusted encryption hardware module to encrypt the authority certificate file, and send an identity authentication operation request by using the authority certificate file.

Compared with the prior art, the embodiment of the invention has the following beneficial effects: according to the technical scheme of the embodiment, the authority certificate file of the main body in the cluster is encrypted by adopting the trusted encryption hardware module, and the response is sent to the main body according to the content of the decrypted request, so that the network security is ensured.

Drawings

FIG. 1 is a flowchart of a first embodiment of a network security management method according to the present invention;

fig. 2 is a schematic view of a scenario of a network security management method according to a first embodiment of the present invention;

FIG. 3 is a flowchart of a third embodiment of a network security management method according to the present invention;

FIG. 4 is a diagram of a first embodiment of a server according to the present invention;

fig. 5 is a schematic diagram of a second embodiment of the server according to the present invention.

Detailed Description

Various aspects and features of the disclosure are described herein with reference to the drawings.

It will be understood that various modifications may be made to the embodiments disclosed herein. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Other modifications will occur to those skilled in the art within the scope and spirit of the disclosure.

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the disclosure and, together with a general description of the disclosure given above, and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.

These and other characteristics of the invention will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.

It should also be understood that, although the invention has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of the invention, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.

The above and other aspects, features and advantages of the present disclosure will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.

Specific embodiments of the present disclosure are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely examples of the disclosure that may be embodied in various forms. Well-known and/or repeated functions and structures have not been described in detail so as not to obscure the present disclosure with unnecessary or unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present disclosure in virtually any appropriately detailed structure.

The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the disclosure.

The existing big data cluster manages data generated in the cluster through the management of the authority management module, and the authority management module adopts a forced authentication mode, namely the authority management module can manage the database only after the authority management module authenticates the identity of the authority management module. Because the rights management module can involve communication between main bodies (principle) in the cluster when managing data, if the rights management module has a security problem, the data in the whole cluster can be threatened. Therefore, to solve the above problems, embodiments of the present invention provide a method and an apparatus for network security management; further, in order to make the invention more comprehensible, its features and technical contents are described in detail below with reference to the accompanying drawings, which are provided for illustration and are not intended to limit the invention.

Example one

Fig. 1 is a flowchart of a first embodiment of a network security management method of the present invention, as shown in fig. 1, the network security management method of this embodiment may specifically include the following steps:

s101, when detecting that the authority certificate file is used for executing the identity authentication operation request, acquiring the authority certificate file.

The execution subject of this embodiment is any server in the cluster. When the server detects that the main body uses the authority certificate file to send the management request for the authority, the authority certificate file needs to be verified. The main body sending the request may be any main body in the cluster, and specifically, the authority management module of the cluster management platform is set on the main body.

S102, sending the authority certificate file to a trusted encryption hardware module; so that the trusted encryption hardware module performs decryption operation on the authority certificate file.

The servers in the cluster of this embodiment all comply with this validation rule by convention. And after the server obtains the authority certificate file, sending the authority certificate file to the trusted encryption hardware module for decryption, and if the decryption is successful, indicating that the identity of the authority management module is legal.

The Trusted encryption hardware Module can be a Trusted Cryptography Module (TCM), which is a microcontroller storing keys, passwords and data certificates, and can ensure the security of data stored in the computer without the risk of external software attack or entity stealing.

And S103, performing identity authentication operation by using the decrypted authority certificate file.

Specifically, if the main body can decrypt the authority certificate file, the decrypted authority certificate file obtains the authentication information of the main body, and a response of corresponding authority can be made to the main body according to the authentication information.

In an application scenario, as shown in fig. 2, a principal a and a server B in a cluster, where the principal a sends a request for performing identity authentication using a permission certificate file C to the server B, the server B first obtains the permission certificate file C and verifies the permission certificate file C, specifically, sends the permission certificate file to a trusted encryption hardware module for decryption, and the decrypted permission certificate file can obtain authentication information of the principal a. Therefore, the server B decrypts the authorization data according to the authorization data of the main body A, and if the decryption is successful, the authentication information in the authority certificate file C can be obtained. Thereby responding to the request of a according to the authentication information of the subject a.

The trusted encryption hardware module of this embodiment is a hardware module disposed locally, so when decrypting the authority certificate file, the trusted encryption hardware module must be called locally to decrypt the authority certificate file; that is, even if an unauthorized user obtains the authority certificate file, the authorized user cannot call the trusted encryption module of the server to decrypt the authority certificate file, and therefore cannot obtain the authentication information described in the authority certificate file. Thereby protecting the security of the network.

According to the technical scheme of the embodiment, the authority certificate file of the main body in the cluster is encrypted by adopting the trusted encryption hardware module, and the response is sent to the main body according to the content of the decrypted request, so that the network security is ensured.

Example two

Based on the method described in the first embodiment, several specific ways of verifying the subject are given in this embodiment.

In a first embodiment, in order to further ensure the security of the network, before invoking the trusted encryption hardware module to perform a decryption operation on the permission certificate file, the server further needs to verify the processing permission of the request, including the following steps: a, verifying the processing authority of the request to obtain a first judgment result; and B, when the first judgment result shows that the request has the authority to execute the identity authentication operation, the trusted encryption hardware module performs decryption operation on the authority certificate file. For example, in one of the application scenarios, the request has timed out, and the server may not respond to the timed-out request.

In another specific embodiment, the method further verifies the authority of the subject sending the request, and includes the following steps: c, judging the access authority of the user sending the request to obtain a second judgment result; and D, when the second judgment result shows that the user has the access right to the authority certificate file, the trusted encryption hardware module carries out decryption operation on the authority certificate file. For example, in another application scenario, if the server determines that the IP address of the request is not legal, the server may not respond to the request, and if the request has legal authentication information and the IP address is legal, the server may respond to the content of the request accordingly. The user sending the request refers to the main body sending the request, and the two are the same semantic. The same is as follows.

In another specific embodiment, the authentication result of the server for the principal indicates that the principal has a legal identity. The server may receive an operation of the rights management by the principal. The method specifically comprises the following steps: e, receiving an access request of a user sending the request according to the result of identity authentication operation of the decrypted authority certificate file; f, sending the access request to the trusted encryption hardware module; g, enabling the trusted encryption hardware module to perform decryption operation on the access request; and responding to the decrypted access request.

In another specific embodiment, to further improve network security, the server may also encrypt the response to the subject. The method specifically comprises the following steps: calling the trusted encryption hardware module to encrypt the response; and I, sending the encrypted response to the user sending the request.

According to the technical scheme, the authority certificate file of the main body in the cluster is encrypted by the trusted encryption hardware module, the authority information of the main body is verified, the response sent to the main body is also encrypted, and the network security is improved from different dimensions.

EXAMPLE III

s301, generating a permission certificate file.

Specifically, when the principal sends an identity authentication request to the server using the authority certificate file, the principal first needs to generate the authority certificate file. The authority certificate file can be generated by the main body itself or generated by a communication protocol server used between the main bodies.

S302, calling a trusted encryption hardware module to encrypt the authority certificate file.

The Trusted encryption hardware Module can be a Trusted Cryptography Module (TCM), which is a microcontroller storing keys, passwords and data certificates, and can ensure the security of data stored in the computer without the risk of external software attack or entity stealing. The trusted encryption hardware module of this embodiment is a hardware module disposed locally, so when encrypting and decrypting an authority certificate file, the trusted encryption hardware module must be called locally to perform decryption and decryption; that is, even if an unauthorized user obtains the authority certificate file, the authorized user cannot call the trusted encryption module of the server to encrypt and decrypt the authority certificate file, and thus cannot obtain the authentication information described in the authority certificate file. Thereby protecting the security of the network.

S303, sending an identity authentication operation request by using the authority certificate file.

Specifically, before requesting from the server, the principal sends the encrypted authority certificate file to the server to request for identity authentication. So that the authority can be subsequently operated after passing the identity authentication.

In a specific embodiment, a response result to the operation request is received. Specifically, a response result of the server to the operation request is received. In practical applications, in order to improve network security, the response result may also be encrypted by using a trusted hardware encryption module, so that the main body needs to decrypt the response result.

Example four

The embodiment provides a server, which is a server in a cluster. In order to improve the security of a network when each main body in a cluster communicates, the authority of the main body is authenticated during authority management, and when the main body sends an operation request for data, the authority certificate file of the main body needs to be further verified. Because the trusted encryption hardware module is arranged locally, the encryption and decryption processes are both carried out locally, and even if an illegal user obtains the authority certificate file, the authority certificate file cannot be decrypted, so that the network security is improved. Further, as shown in fig. 4, the server includes:

aprocessor 41 configured to obtain the authority certificate file and send the authority certificate file to a trusted encryption hardware module when detecting that an identity authentication operation request is executed by using the authority certificate file;

the trustedencryption hardware module 42 is configured to perform decryption operation on the authority certificate file;

wherein, theprocessor 41 is further configured to perform an identity authentication operation by using the decrypted authority certificate file.

In a specific embodiment, theprocessor 41 is further configured to verify the processing permission of the request before invoking the trusted encryption hardware module to perform a decryption operation on the permission certificate file, obtain a first determination result, and perform a decryption operation on the permission certificate file by the trusted encryption hardware module when the first determination result indicates that the request has the permission to perform the identity authentication operation.

In the fifth embodiment, the first step is,

the embodiment provides a server, which is a server in a cluster. In order to improve the security of a network when each main body in a cluster communicates, the authority of the main body is authenticated during authority management, and when the main body sends an operation request for data, the authority certificate file of the main body needs to be further verified. Because the trusted encryption hardware module is arranged locally, the encryption and decryption processes are both carried out locally, and even if an illegal user obtains the authority certificate file, the authority certificate file cannot be decrypted, so that the network security is improved. Further, as shown in fig. 5, the server includes:

theprocessor 51 is configured to generate a permission certificate file, call a trusted encryption hardware module to encrypt the permission certificate file, and send an identity authentication operation request by using the permission certificate file.

Here, it should be noted that: the description of the embodiment of the electronic device is similar to the description of the method, and has the same beneficial effects as the embodiment of the method, and therefore, the description is omitted. For technical details that are not disclosed in the embodiment of the electronic device of the present invention, those skilled in the art should refer to the description of the embodiment of the method of the present invention to understand that, for the sake of brevity, detailed description is not repeated here.

In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.

Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims

1. A network security management method, comprising:

carrying out identity authentication operation by using the decrypted authority certificate file;

before the trusted encryption hardware module is called to decrypt the authority certificate file, the method further comprises the following steps: verifying the processing authority of the request to obtain a first judgment result;

and when the second judgment result shows that the user has the access authority to the authority certificate file and the first judgment result shows that the request has the authority to execute the identity authentication operation, the trusted encryption hardware module performs decryption operation on the authority certificate file.

2. The method of claim 1, further comprising: receiving an access request of a user sending the request according to the result of identity authentication operation of the decrypted authority certificate file;

and responding to the decrypted access request.

3. The method of claim 2, further comprising:

calling the trusted encryption hardware module to encrypt the response;

and sending the encrypted response to the user sending the request.

4. A network security management method, comprising:

generating an authority certificate file;

and sending an identity authentication operation request by using the authority certificate file so as to verify the identity authentication operation request and the access authority of the user, and decrypting the authority certificate after verifying that the identity authentication operation request has the identity authentication operation and the user has the access authority of the authority certificate file.

5. The method of claim 4, the method comprising: and receiving a response result to the operation request.

6. A server, comprising:

the processor is further configured to perform identity authentication operation by using the decrypted authority certificate file; the processor is further configured to verify the processing authority of the request before calling the trusted encryption hardware module to perform decryption operation on the authority certificate file, and obtain a first judgment result; judging the access authority of the user sending the request to obtain a second judgment result;

7. A server, comprising:

the processor is configured to generate an authority certificate file, call a trusted encryption hardware module to encrypt the authority certificate file, and send an identity authentication operation request by using the authority certificate file; so that the identity authentication operation request is verified and the access authority of the user is verified, and the authority certificate is decrypted after the identity authentication operation request is verified to have the authority to execute the identity authentication operation and the user has the access authority to the authority certificate file.