Embodiments
The invention will be further described with the following examples.
Application scenario 1
Referring to Fig. 1 and Fig. 2, the cross-cloud user authentication system for a hybrid cloud of one embodiment of this application scenario includes a service request terminal 1, a hybrid cloud management system 2, a cross-cloud authentication management system 3, an access monitoring system 4 and an information storage system 5;
The service request terminal 1 provides the access interface through which a service requester accesses private cloud services in the hybrid cloud;
The hybrid cloud management system 2 includes a hybrid cloud identity management module 21 and a hybrid cloud differentiated control module 22. The hybrid cloud identity management module 21 manages the private clouds that join the hybrid cloud on the basis of a certificate authentication mechanism and establishes trust relationships between the private clouds. The hybrid cloud differentiated control module 22 divides private clouds into open level, secret level and confidential level according to each private cloud's security classification, and applies a different security policy to each level;
The cross-cloud authentication management system 3 includes a cross-cloud authentication module 31 and an alarm module 32. The cross-cloud authentication module 31 obtains the service requester's attribute token when the service requester performs cross-cloud access and, on the basis of a custom cross-cloud authentication protocol, performs cross-cloud authentication and provides communication service when a service requester of the local private cloud accesses a service of another private cloud. The alarm module 32 raises an alarm when obtaining the attribute token fails or decryption fails;
The access monitoring system 4 monitors the service requester's cross-cloud access process;
The information storage system 5 stores the service requester's access information and warning information.
Preferably, obtaining the service requester's attribute token when the service requester performs cross-cloud access includes:
(1) the service requester sends an access request to the service S of another private cloud that it wants to access across clouds;
(2) after responding to the access request, service S sends an attribute request to the service requester;
(3) the service requester enters a custom password, which must be longer than 6 digits, and sends the custom password and its identity, together with the attribute request, as one message to the authentication agent of its private cloud after signing and encrypting it. The authentication agent decrypts and verifies the message with its own private key and the service requester's public key; after verification succeeds, it extracts the attributes corresponding to the attribute request from the service requester's attribute storage module, issues the attribute token, generates a session key, and sends the session key, signed and encrypted together with the attribute token and the custom password, to the service requester;
(4) after receiving the message, the service requester decrypts it using its own private key and the authentication agent's public key certificate; if the message contains the custom password, the identity of the authentication agent is authenticated and the attribute token is obtained at the same time.
Preferably, raising an alarm when obtaining the attribute token fails or decryption fails includes:
(1) the service requester sends an access request to the service S of another private cloud that it wants to access across clouds;
(2) after responding to the access request, service S sends an attribute request to the service requester;
(3) if the service requester enters the custom password incorrectly, obtaining the attribute token fails and the alarm module 32 sends alarm information; if the attribute token has been obtained and sent to the service requester but the service requester cannot decrypt the message, identity verification cannot be completed and the alarm module 32 likewise raises an alarm.
The above embodiment of the invention designs the way in which the attribute token is obtained, improving the security and efficiency of obtaining it, and constructs a cross-cloud authentication system for the hybrid cloud that meets the need of service requesters in a hybrid cloud environment, who belong to the authentication domains of different private clouds, to access services frequently, thereby solving the technical problem described above.
Preferably, the hybrid cloud identity management module 21 includes:
(1) a certificate issuance unit 211, which issues or revokes a public key certificate for the authentication agent of a private cloud when that private cloud joins or leaves the hybrid cloud, and centrally manages the public key certificates issued within the hybrid cloud;
(2) an inter-cloud authentication agent unit 212, which receives the registration of a newly joined private cloud and manages the registration information of the newly joined private cloud's authentication agent, so as to establish the trust relationship between it and the other private clouds.
Preferably, the authentication agent of a private cloud supports both an ID authentication mechanism and a certificate authentication mechanism; it manages identity authentication and the issuing of attribute tokens within the private cloud and, when the cross-cloud authentication module 31 performs cross-cloud authentication, submits the registration information to the hybrid cloud identity management module 21 for management and receives the public key certificate issued by the hybrid cloud identity management module 21. Managing the registration information of a newly joined private cloud's authentication agent includes: auditing the registration information of the newly joined private cloud's authentication agent, receiving that registration information, storing it in a secure database, and deleting a private cloud's registration information when it leaves the hybrid cloud.
The above two preferred embodiments realize the management of the private clouds in the hybrid cloud; because the authentication agent of a private cloud supports both an ID authentication mechanism and a certificate authentication mechanism, the management of private clouds in the hybrid cloud is more systematic and secure.
Preferably, dividing private clouds into open level, secret level and confidential level according to a private cloud's security classification includes:
(1) if a private cloud allows only its creator to access it, the private cloud is confidential level;
(2) if a private cloud allows access by the service requesters authorized by its creator, the private cloud is secret level;
(3) if a private cloud allows access by all service requesters that have established a trust relationship with it, the private cloud is open level.
Preferably, the security policy includes:
(1) for a confidential-level private cloud, encryption uses an elliptic curve cryptosystem, and a visitor must pass fingerprint verification before an access request can be sent;
(2) for a secret-level private cloud, encryption uses the RSA algorithm, and a visitor needs an authorized U-shield (USB security key) to access it;
(3) for an open-level private cloud, encryption uses the DES algorithm, and a visitor that has established a trust relationship can send an access request directly.
This preferred embodiment assigns security classifications to different private clouds and designs a corresponding security policy for each, so that different private clouds can be accessed while security is ensured.
Preferably, the information storage system 5 stores information using a multi-layer model comprising a storage layer, a management layer and an interface layer. The storage layer, at the bottom of the storage module, is made up of different devices; the management layer sits above the storage layer and manages the storage devices through various software; the interface layer provides services to service requesters and can offer different service interfaces according to customer needs.
This preferred embodiment makes it easy for an administrator to query access information and warning information, and facilitates later auditing.
Preferably, the custom cross-cloud authentication protocol is:
(1) the service requester randomly selects a custom number as a fresh nonce and forms a message from it, the attribute token it obtained, and the random number that service S returned to it during the cross-cloud access; it signs and encrypts the message and sends it to service S;
(2) after receiving the message, service S decrypts it and verifies the signature with its own private key and the service requester's public key; if the message contains the random number that service S returned to the service requester, the service requester's identity is authenticated. Service S then generates another random number, signs and encrypts this random number together with the custom number to form feedback information, and sends it to the service requester;
(3) after receiving the feedback information, the service requester decrypts it and verifies the signature with its own private key and service S's public key; if the feedback information contains the custom number, the identity of service S is authenticated, and mutual authentication of both parties is thereby achieved.
This preferred embodiment designs a custom cross-cloud authentication protocol that realizes two-way authentication between the service requester and the service, improving the security of the system and the efficiency of cross-cloud authentication.
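The three-message exchange above, written out end to end as an added Go example (not code from the patent). The page names no algorithms, so the example assumes Ed25519 signatures, RSA-2048 OAEP encryption, 16-byte nonces and an opaque 32-byte token; its seal/open pair is the same sign-then-encrypt and decrypt-then-verify step that the attribute token acquisition in steps (3) and (4) above also relies on, and R_S stands for the random number service S handed out during the earlier access.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16 // size of N_r and of S's random numbers (assumption)

// Party is one participant: an Ed25519 signing key pair plus an RSA-2048 encryption key pair.
type Party struct {
	signPriv ed25519.PrivateKey
	SignPub  ed25519.PublicKey
	encPriv  *rsa.PrivateKey
	EncPub   *rsa.PublicKey
}

func NewParty() *Party { // key generation with rand.Reader and 2048 bits does not fail in practice
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rk, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{signPriv: priv, SignPub: pub, encPriv: rk, EncPub: &rk.PublicKey}
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read cannot fail since Go 1.24; older releases returned an error, ignored here
	return b
}

// seal is the page's "sign then encrypt": sign with the sender's private key, then encrypt
// payload||signature to the receiver's public key (must fit one OAEP block, 190 bytes here).
func (p *Party) seal(payload []byte, to *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, append(payload, ed25519.Sign(p.signPriv, payload)...), nil)
}

// open decrypts with the receiver's private key, then verifies with the sender's public key.
func (p *Party) open(ct []byte, from ed25519.PublicKey) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, p.encPriv, ct, nil)
	n := len(pt) - ed25519.SignatureSize
	if err != nil || n < 0 || !ed25519.Verify(from, pt[:n], pt[n:]) {
		return nil, errors.New("decryption or signature verification failed")
	}
	return pt[:n], nil
}

// Step1 (requester): seal N_r || R_S (the random number S issued earlier) || attribute token.
func (r *Party) Step1(rS, token []byte, s *Party) (nR, msg []byte, err error) {
	nR = randBytes(nonceLen)
	msg, err = r.seal(bytes.Join([][]byte{nR, rS, token}, nil), s.EncPub)
	return nR, msg, err
}

// Step2 (service S): the requester is authenticated only if it echoes the exact R_S that S issued;
// S then seals a new random number || N_r. Checking the token's attributes is outside this step.
func (s *Party) Step2(msg, expectedRS []byte, r *Party) ([]byte, error) {
	payload, err := s.open(msg, r.SignPub)
	if err != nil {
		return nil, err
	}
	if len(payload) < 2*nonceLen || !hmac.Equal(payload[nonceLen:2*nonceLen], expectedRS) {
		return nil, errors.New("requester authentication failed: R_S missing or mismatched")
	}
	return s.seal(append(randBytes(nonceLen), payload[:nonceLen]...), r.EncPub)
}

// Step3 (requester): S is authenticated only if the feedback echoes N_r.
func (r *Party) Step3(feedback, nR []byte, s *Party) (bool, error) {
	payload, err := r.open(feedback, s.SignPub)
	return err == nil && len(payload) == 2*nonceLen && hmac.Equal(payload[nonceLen:], nR), err
}

// RunProtocol drives one exchange; with wrongRS the requester presents a random R_S and S must reject it at Step2.
func RunProtocol(wrongRS bool) (bool, error) {
	req, svc := NewParty(), NewParty()
	rS := randBytes(nonceLen)               // constructed: the R_S that S issued during the earlier access
	token := bytes.Repeat([]byte{0xAB}, 32) // constructed stand-in for the attribute token
	presented := rS
	if wrongRS {
		presented = randBytes(nonceLen)
	}
	nR, m1, err := req.Step1(presented, token, svc)
	if err != nil {
		return false, err
	}
	m2, err := svc.Step2(m1, rS, req)
	if err != nil {
		return false, err
	}
	return req.Step3(m2, nR, svc)
}

func main() {
	fmt.Println(RunProtocol(false)) // true <nil>
	fmt.Println(RunProtocol(true))  // false requester authentication failed: R_S missing or mismatched
}
```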
Preferably, the access monitoring system 4 represents the access process by a vector X = (a1, a2, a3), where a1 represents whether alarm information has occurred, a2 represents whether the service requester's access meets the security policy, and a3 represents the running state of the system. When no alarm information has occurred, a1 = 1, otherwise 0; when the service requester's access meets the security policy, a2 = 1, otherwise 0; when the system is running normally, a3 = 1, otherwise 0. Only when X = (1, 1, 1) does the monitoring system identify the access as successful. During operation, the access monitoring system 4 records the time and number of unsuccessful accesses, and when the number of unsuccessful accesses within a set time period reaches a set number, the access monitoring system 4 sends warning information.
This preferred embodiment realizes monitoring of the service requester's access process, improving the security of the system.
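The access vector and the failure-count warning above, as an added Go example that is not the patent's own code. The 5-minute window, the threshold of 3, the trace of accesses and the restart of the count after a warning are constructed assumptions; the page only says the period and the number are set values.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AccessVector is the page's X = (a1, a2, a3): a1 = 1 when no alarm information occurred,
// a2 = 1 when the access meets the security policy, a3 = 1 when the system runs normally.
type AccessVector struct{ A1, A2, A3 int }

// Successful is true only for X = (1, 1, 1).
func (x AccessVector) Successful() bool { return x.A1 == 1 && x.A2 == 1 && x.A3 == 1 }

// Reason names every component that made the access unsuccessful.
func (x AccessVector) Reason() string {
	var r []string
	if x.A1 != 1 {
		r = append(r, "alarm information occurred")
	}
	if x.A2 != 1 {
		r = append(r, "security policy not met")
	}
	if x.A3 != 1 {
		r = append(r, "system not running normally")
	}
	return strings.Join(r, "; ")
}

// Monitor keeps the time of each unsuccessful access and raises a warning once Threshold
// of them fall within Window (the page's "set number" and "set time period").
type Monitor struct {
	Window    time.Duration
	Threshold int
	failed    []time.Time // times of unsuccessful accesses still inside the window
	Warnings  []string
}

// Observe records one access at time now (timestamps must be non-decreasing) and reports
// whether the monitor identified it as successful. Assumption: the count restarts after a warning.
func (m *Monitor) Observe(now time.Time, x AccessVector) bool {
	if x.Successful() {
		return true
	}
	m.failed = append(m.failed, now)
	cut := now.Add(-m.Window)
	for len(m.failed) > 0 && m.failed[0].Before(cut) {
		m.failed = m.failed[1:] // expire failures older than the window
	}
	if len(m.failed) >= m.Threshold {
		m.Warnings = append(m.Warnings, fmt.Sprintf("%s: %d unsuccessful accesses within %s (latest: %s)",
			now.Format(time.RFC3339), len(m.failed), m.Window, x.Reason()))
		m.failed = m.failed[:0]
	}
	return false
}

// Demo replays a constructed access trace (not from the page) through a monitor that warns
// on 3 unsuccessful accesses within 5 minutes; returns the number of successful accesses.
func Demo() (successes int, warnings []string) {
	m := &Monitor{Window: 5 * time.Minute, Threshold: 3}
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	trace := []struct {
		at time.Duration
		x  AccessVector
	}{
		{0, AccessVector{1, 1, 1}},                // normal access
		{1 * time.Minute, AccessVector{1, 0, 1}},  // access violates the security policy
		{2 * time.Minute, AccessVector{0, 1, 1}},  // alarm module raised an alarm
		{3 * time.Minute, AccessVector{1, 0, 1}},  // third failure within 5 min: warning
		{20 * time.Minute, AccessVector{1, 1, 0}}, // isolated failure, window otherwise empty
		{40 * time.Minute, AccessVector{1, 1, 1}}, // normal access
		{41 * time.Minute, AccessVector{1, 0, 1}},
		{42 * time.Minute, AccessVector{1, 0, 1}},
		{43 * time.Minute, AccessVector{0, 0, 1}}, // third failure within 5 min: second warning
	}
	for _, e := range trace {
		if m.Observe(t0.Add(e.at), e.x) {
			successes++
		}
	}
	return successes, m.Warnings
}

func main() {
	n, w := Demo()
	fmt.Println("successful accesses:", n) // 2
	for _, line := range w {
		fmt.Println("WARNING", line)
	}
}
```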
In this application scenario, the custom password has 11 digits, authentication speed is improved by 10%, and security is improved by 12%.
Application scenario 2
In this application scenario, whose system is otherwise identical to that of application scenario 1, the custom password has 10 digits, authentication speed is improved by 11%, and security is improved by 11%.
Application scenario 3
Referring to Fig. 1, Fig. 2, across the cloud customer certification system towards mixed cloud of one embodiment of this application scene, includingService request terminal 1, mixed cloud management system 2, across cloud authentication administrative system 3, access monitoring system 4 and information storage system 5;
The service request terminal 1 is used to provide access interface for the privately owned cloud service in service requester access mixed cloud;
The mixed cloud management system 2 includes mixed cloud identity management module 21, mixed cloud differentiated control module 22;It is describedMixed cloud identity management module 21 is used to be managed the private clound for adding mixed cloud based on Certificate Authentication Mechanism, and sets up eachTrusting relationship between private clound;The mixed cloud differentiated control module 22 is used for private clound according to the security classification of private cloundOpen level, confidential and confidential are divided into, and takes different security strategies to be managed for different brackets;
Across the cloud authentication administrative system 3 includes across cloud authentication module 31 and alarm module 32;Across the cloud authentication module31 are used for the attribute token of acquisition service requester during for service requester progress across cloud access, and based on customized across cloudAuthentication protocol realizes across cloud certification when service of the service requester of local private clound to other private clounds carries out across cloud accessCommunication service is provided;The alarm module 32 is used for the alert when obtaining attribute token failure or decryption failure;
The access monitoring system 4 is used to be monitored service requester across the process that cloud is accessed;
Described information storage system 5 is used for the access information and warning message of storage service requestor.
It is preferred that, the attribute token that service requester is obtained when service requester carries out across cloud access, including:
(1) service requester sends to the service S for other private clounds to be accessed across cloud and accesses service request;
(2) service S responses are accessed after service request, and attribute request is sent to service requester;
(3) service requester inputs self-defined password, and the self-defined password digit have to be larger than 6, and will be self-definedPassword and its identity together with the attribute request as message by sending jointly to the certification of private clound after encrypted signatureAgency, authentication proxy message is decrypted checking, after being verified, root by the private key of oneself and the public key of service requesterAccording to extracting corresponding with attribute request attribute in the attribute request dependence memory module of service requester and sign and issue attribute token,Session key is generated, service requester is sent to after encrypted signature together with the attribute token and self-defined password;
(4) service requester is received after message, and message is carried out using the private key of oneself and the public key certificate of authentication proxyDecryption, if containing self-defined password in information, have authenticated the identity of the authentication proxy, while also obtain attribute token.
It is preferred that, the alert when obtaining attribute token failure or decryption failure, including:
(1) service requester sends to the service S for other private clounds to be accessed across cloud and accesses service request;
(2) service S responses are accessed after service request, and attribute request is sent to service requester;
(3) service requester inputs self-defined code error, obtains attribute token failure, and alarm module 32 sends alarm signalBreath, attribute token, which is obtained, to be sent to after service requester, and information can not be decrypted for service requester, it is impossible to is completed identity and is testedCard, the also alert of alarm module 32.
The above embodiment of the present invention devises the acquisition modes of attribute token, improve attribute token acquisition security andEfficiency;Across the cloud Verification System towards mixed cloud is constructed, service requester under mixing cloud environment can be met and adhere to different privates separatelyThere are the authenticated domain of cloud, service access frequently demand, so as to solve above-mentioned technical problem.
It is preferred that, the mixed cloud identity management module 21 includes:
(1) certificate issuance unit 211:For the authentication proxy when private clound adds or exits mixed cloud for the private cloundSign and issue or revoked public key certificate, and the public key certificate signed and issued in mixed cloud is managed collectively;
(2) Yun Jian authentication proxys unit 212:The registration of the private clound newly added for receiving, it is privately owned that management is newly addedThe log-on message of the authentication proxy of cloud, so as to set up its trusting relationship between private clound.
It is preferred that, the authentication proxy of the private clound supports ID authentication mechanism and Certificate Authentication Mechanism, for managing privateThere is signing and issuing for the authentication in cloud and attribute token, and when across cloud authentication module 31 carries out across cloud certification, by the registrationInformation is submitted to mixed cloud identity management module 21 and is managed, and receives the public key card that mixed cloud identity management module 21 is signed and issuedBook;The log-on message of the authentication proxy for managing the private clound newly added, including:Audit the certification generation of the private clound newly addedThe log-on message of reason, receive the private clound newly added authentication proxy log-on message, log-on message is stored in safety database,The log-on message of the private clound exited is deleted when private clound exits mixed cloud.
Above-mentioned two preferred embodiment realizes the management to the private clound in mixed cloud, and the authentication proxy of private clound supportsID authentication mechanism and Certificate Authentication Mechanism, make the more science of the management to the private clound in mixed cloud, safe.
It is preferred that, private clound is divided into open level, confidential and confidential, bag by the security classification according to private cloundInclude:
(1) if certain private clound only allows private clound founder itself to access, the private clound is confidential;
(2) if the service requester that certain private clound allows private clound founder to authorize is accessed, the private clound is secretLevel;
(3) if certain private clound allows to access with all service requesters that the private clound sets up trusting relationship, this is privately ownedCloud is open level.
It is preferred that, the security strategy includes:
(1) for confidential private clound, it is encrypted using elliptic curve cipher system, visitor needs to carry out fingerprint inspectionCard could send access request;
(2) for confidential private clound, it is encrypted using RSA cryptographic algorithms, visitor needs to authorize U-shield to visitAsk;
(3) for open level private clound, it is encrypted using des encryption algorithm, the visitor for setting up trusting relationship can be withDirectly transmit access request.
This preferred embodiment divides security classification to different private clounds and designs corresponding security strategy, is ensureing safetyOn the premise of different private clounds can be conducted interviews.
It is preferred that, described information storage system 5 is stored using multilayered model to information, including accumulation layer, management levelAnd interface layer, the accumulation layer be in memory module bottom, be made up of different equipment, the management level be located at accumulation layer itOn, storage device is managed by various softwares, the service-oriented requestor of interface layer provides service, can be according to visitorThere is provided different service interfaces for family demand.
This preferred embodiment is easy to that manager's queried access information and warning message can be easy to, and is easy to subsequent examination.
Preferably, the customized cross-cloud authentication protocol is:
(1) the service requester randomly selects a custom number as a nonce (fresh number) and forms a message from it, the attribute token it obtained when performing the cross-cloud access, and the random number that service S returned to it; the message is signed and encrypted and then sent to service S;
(2) after service S receives the message, it decrypts it with its own private key and verifies the signature with the public key of the service requester; if the message contains the random number that service S returned to the service requester, the identity of the service requester is authenticated. Service S then generates another random number, signs and encrypts this random number together with the custom number to form feedback information, and sends it to the service requester;
(3) after the service requester receives the feedback information, it decrypts it with its own private key and verifies the signature with the public key of service S; if the feedback information contains the custom number, the identity of service S is authenticated, so that mutual authentication of both sides is achieved.
This preferred embodiment designs a customized cross-cloud authentication protocol that realizes two-way authentication between the service requester and the service, improving the security of the system and the efficiency of cross-cloud authentication.
Preferably, the access monitoring system 4 represents the access process by a vector X=(a1, a2, a3), where a1 represents whether alarm information has occurred, a2 represents whether the access of the service requester meets the security strategy, and a3 represents the running state of the system. When no alarm information has occurred, a1 takes the value 1, otherwise 0; when the access of the service requester meets the security strategy, a2 takes the value 1, otherwise 0; when the system is running normally, a3 takes the value 1, otherwise 0. Only when X=(1,1,1) does the monitoring system identify the access as successful. While working, the access monitoring system 4 records the time and number of unsuccessful accesses, and when the number of unsuccessful accesses within a set time period reaches a set number, the access monitoring system 4 sends alarm information.
This preferred embodiment realizes monitoring of the access process of the service requester and improves the security of the system.
In this application scenario, the custom password has 9 digits, the authentication speed is improved by 12%, and security is improved by 10%.
Application scenario 4
Referring to Fig. 1 and Fig. 2, the cross-cloud user authentication system for a hybrid (mixed) cloud of one embodiment of this application scenario includes a service request terminal 1, a hybrid cloud management system 2, a cross-cloud authentication management system 3, an access monitoring system 4 and an information storage system 5;
The service request terminal 1 provides an access interface for the service requester to access private cloud services in the hybrid cloud;
The hybrid cloud management system 2 includes a hybrid cloud identity management module 21 and a hybrid cloud classified management module 22. The hybrid cloud identity management module 21 manages the private clouds that join the hybrid cloud on the basis of a certificate authentication mechanism and establishes trust relationships between the private clouds; the hybrid cloud classified management module 22 divides private clouds into open level, secret level and confidential level according to the security classification of each private cloud, and applies different security strategies to the different levels;
The cross-cloud authentication management system 3 includes a cross-cloud authentication module 31 and an alarm module 32. The cross-cloud authentication module 31 obtains the attribute token of the service requester when the service requester performs cross-cloud access and, on the basis of the customized cross-cloud authentication protocol, provides cross-cloud authentication communication service when a service requester of the local private cloud performs cross-cloud access to a service of another private cloud; the alarm module 32 raises an alarm when obtaining the attribute token fails or decryption fails;
The access monitoring system 4 monitors the process of cross-cloud access by the service requester;
The information storage system 5 stores the access information and alarm information of the service requester.
Preferably, obtaining the attribute token of the service requester when the service requester performs cross-cloud access includes:
(1) the service requester sends an access service request to the service S of the other private cloud that is to be accessed across clouds;
(2) after service S responds to the access service request, it sends an attribute request to the service requester;
(3) the service requester enters a custom password, which must have more than 6 digits, and sends the custom password and its identity, together with the attribute request, as one message to the authentication agent of its private cloud after signing and encrypting it. The authentication agent decrypts and verifies the message with its own private key and the public key of the service requester; after verification passes, it extracts the attributes corresponding to the attribute request from the attribute storage module of the service requester, issues an attribute token, generates a session key, and sends the session key together with the attribute token and the custom password to the service requester after signing and encrypting them;
(4) after the service requester receives the message, it decrypts the message using its own private key and the public key certificate of the authentication agent; if the message contains the custom password, the identity of the authentication agent is authenticated and the attribute token is obtained at the same time.
Preferably, raising an alarm when obtaining the attribute token fails or decryption fails includes:
(1) the service requester sends an access service request to the service S of the other private cloud that is to be accessed across clouds;
(2) after service S responds to the access service request, it sends an attribute request to the service requester;
(3) if the service requester enters the custom password incorrectly, obtaining the attribute token fails and the alarm module 32 sends alarm information; if, after the attribute token has been obtained and sent to the service requester, the service requester cannot decrypt the information and therefore cannot complete identity verification, the alarm module 32 likewise raises an alarm.
The above embodiment of the present invention designs the way the attribute token is obtained, improving the security and efficiency of obtaining the attribute token; it constructs a cross-cloud authentication system for a hybrid cloud that meets the demand of service requesters in a hybrid cloud environment, who belong to the authentication domains of different private clouds, for frequent service access, thereby solving the technical problem described above.
Preferably, the hybrid cloud identity management module 21 includes:
(1) a certificate issuance unit 211: issues or revokes a public key certificate for the authentication agent of a private cloud when that private cloud joins or leaves the hybrid cloud, and manages all public key certificates issued in the hybrid cloud centrally;
(2) an inter-cloud authentication agent unit 212: receives the registration of a newly joined private cloud and manages the registration information of the authentication agent of the newly joined private cloud, so as to establish its trust relationships with the other private clouds.
Preferably, the authentication agent of a private cloud supports both an identity authentication mechanism and a certificate authentication mechanism; it manages identity authentication within the private cloud and the issuing of attribute tokens, and, when the cross-cloud authentication module 31 performs cross-cloud authentication, submits the registration information to the hybrid cloud identity management module 21 for management and receives the public key certificate issued by the hybrid cloud identity management module 21. Managing the registration information of the authentication agent of a newly joined private cloud includes: auditing the registration information of the authentication agent of the newly joined private cloud, receiving that registration information, storing it in a secure database, and deleting the registration information of a private cloud when that private cloud leaves the hybrid cloud.
The above two preferred embodiments realize the management of the private clouds in the hybrid cloud; since the authentication agent of a private cloud supports both an identity authentication mechanism and a certificate authentication mechanism, the management of the private clouds in the hybrid cloud is more rigorous and more secure.
Preferably, dividing private clouds into open level, secret level and confidential level according to the security classification of the private cloud includes:
(1) if a private cloud only allows its creator to access it, the private cloud is confidential level;
(2) if a private cloud allows access by service requesters authorized by its creator, the private cloud is secret level;
(3) if a private cloud allows access by all service requesters that have established a trust relationship with it, the private cloud is open level.
Preferably, the security strategy includes:
(1) for a confidential-level private cloud, communication is encrypted with an elliptic curve cryptosystem, and a visitor must pass fingerprint verification before an access request can be sent;
(2) for a secret-level private cloud, communication is encrypted with the RSA algorithm, and a visitor needs an authorized USB key (U-shield) to access it;
(3) for an open-level private cloud, communication is encrypted with the DES algorithm, and a visitor that has established a trust relationship can send an access request directly.
This preferred embodiment assigns security classifications to the different private clouds and designs a corresponding security strategy for each, so that the different private clouds can be accessed while security is ensured.
Preferably, the information storage system 5 stores information using a multi-layer model comprising a storage layer, a management layer and an interface layer. The storage layer is at the bottom of the storage module and is made up of different devices; the management layer sits above the storage layer and manages the storage devices through various software; the interface layer faces the service requester, provides services, and can offer different service interfaces according to customer demand.
This preferred embodiment makes it easy for an administrator to query access information and alarm information, and facilitates subsequent auditing.
Preferably, the customized cross-cloud authentication protocol is:
(1) the service requester randomly selects a custom number as a nonce (fresh number) and forms a message from it, the attribute token it obtained when performing the cross-cloud access, and the random number that service S returned to it; the message is signed and encrypted and then sent to service S;
(2) after service S receives the message, it decrypts it with its own private key and verifies the signature with the public key of the service requester; if the message contains the random number that service S returned to the service requester, the identity of the service requester is authenticated. Service S then generates another random number, signs and encrypts this random number together with the custom number to form feedback information, and sends it to the service requester;
(3) after the service requester receives the feedback information, it decrypts it with its own private key and verifies the signature with the public key of service S; if the feedback information contains the custom number, the identity of service S is authenticated, so that mutual authentication of both sides is achieved.
This preferred embodiment designs a customized cross-cloud authentication protocol that realizes two-way authentication between the service requester and the service, improving the security of the system and the efficiency of cross-cloud authentication.
Preferably, the access monitoring system 4 represents the access process by a vector X=(a1, a2, a3), where a1 represents whether alarm information has occurred, a2 represents whether the access of the service requester meets the security strategy, and a3 represents the running state of the system. When no alarm information has occurred, a1 takes the value 1, otherwise 0; when the access of the service requester meets the security strategy, a2 takes the value 1, otherwise 0; when the system is running normally, a3 takes the value 1, otherwise 0. Only when X=(1,1,1) does the monitoring system identify the access as successful. While working, the access monitoring system 4 records the time and number of unsuccessful accesses, and when the number of unsuccessful accesses within a set time period reaches a set number, the access monitoring system 4 sends alarm information.
This preferred embodiment realizes monitoring of the access process of the service requester and improves the security of the system.
In this application scenario, the custom password has 8 digits, the authentication speed is improved by 13%, and security is improved by 9%.
Application scenario 5
Referring to Fig. 1 and Fig. 2, the cross-cloud user authentication system for a hybrid (mixed) cloud of one embodiment of this application scenario includes a service request terminal 1, a hybrid cloud management system 2, a cross-cloud authentication management system 3, an access monitoring system 4 and an information storage system 5;
The service request terminal 1 provides an access interface for the service requester to access private cloud services in the hybrid cloud;
The hybrid cloud management system 2 includes a hybrid cloud identity management module 21 and a hybrid cloud classified management module 22. The hybrid cloud identity management module 21 manages the private clouds that join the hybrid cloud on the basis of a certificate authentication mechanism and establishes trust relationships between the private clouds; the hybrid cloud classified management module 22 divides private clouds into open level, secret level and confidential level according to the security classification of each private cloud, and applies different security strategies to the different levels;
The cross-cloud authentication management system 3 includes a cross-cloud authentication module 31 and an alarm module 32. The cross-cloud authentication module 31 obtains the attribute token of the service requester when the service requester performs cross-cloud access and, on the basis of the customized cross-cloud authentication protocol, provides cross-cloud authentication communication service when a service requester of the local private cloud performs cross-cloud access to a service of another private cloud; the alarm module 32 raises an alarm when obtaining the attribute token fails or decryption fails;
The access monitoring system 4 monitors the process of cross-cloud access by the service requester;
The information storage system 5 stores the access information and alarm information of the service requester.
Preferably, obtaining the attribute token of the service requester when the service requester performs cross-cloud access includes:
(1) the service requester sends an access service request to the service S of the other private cloud that is to be accessed across clouds;
(2) after service S responds to the access service request, it sends an attribute request to the service requester;
(3) the service requester enters a custom password, which must have more than 6 digits, and sends the custom password and its identity, together with the attribute request, as one message to the authentication agent of its private cloud after signing and encrypting it. The authentication agent decrypts and verifies the message with its own private key and the public key of the service requester; after verification passes, it extracts the attributes corresponding to the attribute request from the attribute storage module of the service requester, issues an attribute token, generates a session key, and sends the session key together with the attribute token and the custom password to the service requester after signing and encrypting them;
(4) after the service requester receives the message, it decrypts the message using its own private key and the public key certificate of the authentication agent; if the message contains the custom password, the identity of the authentication agent is authenticated and the attribute token is obtained at the same time.
Preferably, raising an alarm when obtaining the attribute token fails or decryption fails includes:
(1) the service requester sends an access service request to the service S of the other private cloud that is to be accessed across clouds;
(2) after service S responds to the access service request, it sends an attribute request to the service requester;
(3) if the service requester enters the custom password incorrectly, obtaining the attribute token fails and the alarm module 32 sends alarm information; if, after the attribute token has been obtained and sent to the service requester, the service requester cannot decrypt the information and therefore cannot complete identity verification, the alarm module 32 likewise raises an alarm.
The above embodiment of the present invention designs the way the attribute token is obtained, improving the security and efficiency of obtaining the attribute token; it constructs a cross-cloud authentication system for a hybrid cloud that meets the demand of service requesters in a hybrid cloud environment, who belong to the authentication domains of different private clouds, for frequent service access, thereby solving the technical problem described above.
Preferably, the hybrid cloud identity management module 21 includes:
(1) a certificate issuance unit 211: issues or revokes a public key certificate for the authentication agent of a private cloud when that private cloud joins or leaves the hybrid cloud, and manages all public key certificates issued in the hybrid cloud centrally;
(2) an inter-cloud authentication agent unit 212: receives the registration of a newly joined private cloud and manages the registration information of the authentication agent of the newly joined private cloud, so as to establish its trust relationships with the other private clouds.
Preferably, the authentication agent of a private cloud supports both an identity authentication mechanism and a certificate authentication mechanism; it manages identity authentication within the private cloud and the issuing of attribute tokens, and, when the cross-cloud authentication module 31 performs cross-cloud authentication, submits the registration information to the hybrid cloud identity management module 21 for management and receives the public key certificate issued by the hybrid cloud identity management module 21. Managing the registration information of the authentication agent of a newly joined private cloud includes: auditing the registration information of the authentication agent of the newly joined private cloud, receiving that registration information, storing it in a secure database, and deleting the registration information of a private cloud when that private cloud leaves the hybrid cloud.
The above two preferred embodiments realize the management of the private clouds in the hybrid cloud; since the authentication agent of a private cloud supports both an identity authentication mechanism and a certificate authentication mechanism, the management of the private clouds in the hybrid cloud is more rigorous and more secure.
Preferably, dividing private clouds into open level, secret level and confidential level according to the security classification of the private cloud includes:
(1) if a private cloud only allows its creator to access it, the private cloud is confidential level;
(2) if a private cloud allows access by service requesters authorized by its creator, the private cloud is secret level;
(3) if a private cloud allows access by all service requesters that have established a trust relationship with it, the private cloud is open level.
Preferably, the security strategy includes:
(1) for a confidential-level private cloud, communication is encrypted with an elliptic curve cryptosystem, and a visitor must pass fingerprint verification before an access request can be sent;
(2) for a secret-level private cloud, communication is encrypted with the RSA algorithm, and a visitor needs an authorized USB key (U-shield) to access it;
(3) for an open-level private cloud, communication is encrypted with the DES algorithm, and a visitor that has established a trust relationship can send an access request directly.
This preferred embodiment assigns security classifications to the different private clouds and designs a corresponding security strategy for each, so that the different private clouds can be accessed while security is ensured.
Preferably, the information storage system 5 stores information using a multi-layer model comprising a storage layer, a management layer and an interface layer. The storage layer is at the bottom of the storage module and is made up of different devices; the management layer sits above the storage layer and manages the storage devices through various software; the interface layer faces the service requester, provides services, and can offer different service interfaces according to customer demand.
This preferred embodiment makes it easy for an administrator to query access information and alarm information, and facilitates subsequent auditing.
Preferably, the customized cross-cloud authentication protocol is:
(1) the service requester randomly selects a custom number as a nonce (fresh number) and forms a message from it, the attribute token it obtained when performing the cross-cloud access, and the random number that service S returned to it; the message is signed and encrypted and then sent to service S;
(2) after service S receives the message, it decrypts it with its own private key and verifies the signature with the public key of the service requester; if the message contains the random number that service S returned to the service requester, the identity of the service requester is authenticated. Service S then generates another random number, signs and encrypts this random number together with the custom number to form feedback information, and sends it to the service requester;
(3) after the service requester receives the feedback information, it decrypts it with its own private key and verifies the signature with the public key of service S; if the feedback information contains the custom number, the identity of service S is authenticated, so that mutual authentication of both sides is achieved.
This preferred embodiment designs a customized cross-cloud authentication protocol that realizes two-way authentication between the service requester and the service, improving the security of the system and the efficiency of cross-cloud authentication.
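The three-step exchange above, and the attribute-token steps (3) and (4) earlier in this scenario (where the echoed custom password plays the role the nonce plays here), rest on one construction: sign the message, encrypt it for the peer, and accept the peer only if it echoes a value you chose. The Go code below is an added example and not part of the patent; it assumes Ed25519 signatures, RSA-OAEP encryption and 16-byte tokens and nonces, none of which the description specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

const tokenLen, nonceLen = 16, 16 // assumed fixed field sizes in bytes

// Party models one side of the exchange. Ed25519 for signatures and RSA-OAEP
// for confidentiality are assumptions; the description only says "private
// key / public key". Peers are passed as *Party for brevity, but each step
// reads only the peer's exported (public) fields.
type Party struct {
	sigPriv ed25519.PrivateKey
	SigPub  ed25519.PublicKey
	encPriv *rsa.PrivateKey
	EncPub  *rsa.PublicKey
}

func NewParty() *Party {
	sp, sk, _ := ed25519.GenerateKey(rand.Reader)
	ek, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{sigPriv: sk, SigPub: sp, encPriv: ek, EncPub: &ek.PublicKey}
}

func nonce() []byte { b := make([]byte, nonceLen); rand.Read(b); return b }

// seal is "sign, then encrypt": OAEP_recv(sig(msg) || msg); both protocol
// messages stay well below the RSA-2048/OAEP plaintext limit.
func (p *Party) seal(recv *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recv, append(ed25519.Sign(p.sigPriv, msg), msg...), nil)
}

// open decrypts with the own private key, then verifies the sender's signature.
func (p *Party) open(sender ed25519.PublicKey, ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, p.encPriv, ct, nil)
	if err != nil || len(pt) < ed25519.SignatureSize {
		return nil, errors.New("decryption failed") // the case the alarm module reports
	}
	sig, msg := pt[:ed25519.SignatureSize], pt[ed25519.SignatureSize:]
	if !ed25519.Verify(sender, msg, sig) {
		return nil, errors.New("signature verification failed")
	}
	return msg, nil
}

// Step 1: requester R picks its custom number Nr and sends token || Ns0 || Nr,
// where Ns0 is the random number S returned to R earlier.
func RequesterStep1(r, s *Party, token, ns0 []byte) (nr, m1 []byte, err error) {
	nr = nonce()
	m1, err = r.seal(s.EncPub, bytes.Join([][]byte{token, ns0, nr}, nil))
	return nr, m1, err
}

// Step 2: S accepts R only if Ns0 is echoed, then answers with Ns1 || Nr.
func ServiceStep2(s, r *Party, ns0, m1 []byte) ([]byte, error) {
	msg, err := s.open(r.SigPub, m1)
	if err != nil {
		return nil, err
	}
	if len(msg) != tokenLen+2*nonceLen || !bytes.Equal(msg[tokenLen:tokenLen+nonceLen], ns0) {
		return nil, errors.New("requester not authenticated: Ns0 not echoed")
	}
	return s.seal(r.EncPub, append(nonce(), msg[tokenLen+nonceLen:]...))
}

// Step 3: R accepts S only if its own Nr is echoed; both sides are then authenticated.
func RequesterStep3(r, s *Party, nr, m2 []byte) error {
	msg, err := r.open(s.SigPub, m2)
	if err != nil {
		return err
	}
	if len(msg) != 2*nonceLen || !bytes.Equal(msg[nonceLen:], nr) {
		return errors.New("service not authenticated: Nr not echoed")
	}
	return nil
}
```

A message that does not echo the challenge, or that was sealed under a key the peer does not trust, is rejected at the step that receives it, which is exactly the point where the alarm module would be triggered.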
Preferably, the access monitoring system 4 represents the access process by a vector X=(a1, a2, a3), where a1 represents whether alarm information has occurred, a2 represents whether the access of the service requester meets the security strategy, and a3 represents the running state of the system. When no alarm information has occurred, a1 takes the value 1, otherwise 0; when the access of the service requester meets the security strategy, a2 takes the value 1, otherwise 0; when the system is running normally, a3 takes the value 1, otherwise 0. Only when X=(1,1,1) does the monitoring system identify the access as successful. While working, the access monitoring system 4 records the time and number of unsuccessful accesses, and when the number of unsuccessful accesses within a set time period reaches a set number, the access monitoring system 4 sends alarm information.
This preferred embodiment realizes monitoring of the access process of the service requester and improves the security of the system.
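The vector rule and the windowed failure counter described above, as an added Go example that is not part of the patent; the window length, the threshold and the reset of the counter after an alarm are assumptions, since the description only speaks of a "set time period" and a "set number".

```go
package main

import "time"

// AccessVector is X = (a1, a2, a3): a1 = 1 when no alarm information occurred,
// a2 = 1 when the service requester's access meets the security strategy,
// a3 = 1 when the system is running normally; each is 0 otherwise.
type AccessVector [3]int

func NewAccessVector(alarmRaised, policySatisfied, systemNormal bool) AccessVector {
	b2i := func(b bool) int {
		if b {
			return 1
		}
		return 0
	}
	return AccessVector{b2i(!alarmRaised), b2i(policySatisfied), b2i(systemNormal)}
}

// Successful is true only for X = (1, 1, 1).
func (x AccessVector) Successful() bool { return x == AccessVector{1, 1, 1} }

// Monitor records the time of every unsuccessful access and raises an alarm
// once Threshold failures fall inside one Window (the "set time period" and
// "set number" of the description; their values are left to the deployment).
type Monitor struct {
	Window    time.Duration
	Threshold int
	failures  []time.Time // unsuccessful accesses, oldest first
}

// Record evaluates one access observed at time now (assumed non-decreasing)
// and returns true when alarm information must be sent.
func (m *Monitor) Record(now time.Time, x AccessVector) bool {
	if x.Successful() {
		return false
	}
	m.failures = append(m.failures, now)
	cutoff := now.Add(-m.Window)
	i := 0
	for i < len(m.failures) && m.failures[i].Before(cutoff) {
		i++ // drop failures older than the window
	}
	m.failures = m.failures[i:]
	if len(m.failures) >= m.Threshold {
		m.failures = nil // start a fresh count after alarming (assumption)
		return true
	}
	return false
}

// FailureCount reports the unsuccessful accesses currently inside the window.
func (m *Monitor) FailureCount() int { return len(m.failures) }
```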
In this application scenario, the custom password has 7 digits, the authentication speed is improved by 14%, and security is improved by 8%.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention and do not limit the scope of protection of the present invention. Although the present invention has been explained with reference to preferred embodiments, one of ordinary skill in the art should understand that the technical solution of the present invention may be modified or equivalently substituted without departing from the essence and scope of the technical solution of the present invention.