CN111538973A - Personal authorization access control system based on state cryptographic algorithm - Google Patents


Info

Publication number: CN111538973A
Authority: CN (China)
Prior art keywords: client, user, token, access control, information
Legal status: Pending
Application number: CN202010222288.2A
Other languages: Chinese (zh)
Inventors: 莫翼, 丁建, 曾祥发
Current assignee: Chengdu Yunchao Zhilian Technology Co ltd
Original assignee: Chengdu Yunchao Zhilian Technology Co ltd
Priority date: 2020-03-26
Filing date: 2020-03-26
Publication date: 2020-08-14
Application filed by Chengdu Yunchao Zhilian Technology Co ltd; priority to CN202010222288.2A; publication of CN111538973A.

Abstract

The invention provides a personal authorization access control system based on the national cryptographic algorithms. The system controls user resource authority with policy-based access control (PBAC), which offers more flexible control than traditional role-based access control (RBAC) and realizes authority control at different granularities. Compared with the international general-purpose algorithms RSA, SHA and DES, the national SM2, SM3 and SM4 algorithms have lower resource consumption, higher security and higher performance.

Description

Personal authorization access control system based on state cryptographic algorithm
Technical Field
The invention particularly relates to a personal authorization access control system based on a national cryptographic algorithm.
Background
With the continuous development of IT technology, the micro-service architecture has been adopted more and more widely and has become a technology architecture commonly used by internet and enterprise-level projects. A project is divided into a number of relatively independent subsystems, each provided as an independent service according to its business domain. When a complex business requires frequent calls among several micro-services, authentication cannot be omitted from any service call, so ensuring that frequent authentication does not become a bottleneck for the whole system under a large number of concurrent users is the primary problem faced by a micro-service security architecture. Similarly, the demand for information interconnection between enterprises is increasing day by day; how to open information inside an enterprise to a trusted external enterprise while guaranteeing security is also a problem a security architecture must solve first.
Currently common solutions include:
Shared session: the authenticated user and authorization information is stored in shared storage, and each micro-service that needs authentication reads this data to judge authority. This approach solves authentication between services within an enterprise, but an enterprise is unlikely to open such important shared storage to external enterprises, so it clearly does not meet the need for secure data sharing between enterprises.
Client token: the client requests the identity authentication server to generate a token, the identity authentication server signs the token with the RSA algorithm, and the client attaches the token when subsequently accessing other services.
Therefore, a personal authorization access control system based on a cryptographic algorithm is provided for the above problems.
Disclosure of Invention
The present invention aims to provide a personal authorization access control system based on a national cryptographic algorithm, which can solve the above problems well.
In order to meet the requirements, the technical scheme adopted by the invention is as follows: the personal authorization access control system based on the national cryptographic algorithm comprises the following modules:
the user management module is used for managing a user name, a password and user attribute information which can log in the system and ensuring that a registered user can log in the system;
the authorization policy management module is used for managing resource authorization policy information of a user on all servers after the user logs in the system;
the client management module is used for ensuring that only the client registered in the system can call the user login and authority judgment service of the system;
the user authentication module is used for generating a token representing the identity of a user after the user logs in through a client authorized by the system, signing the token, encrypting and protecting the token with the public key of the client, and returning the token to the client;
and the authority judging module is used for judging the resource information, the resource owner information, the logged-in resource visitor information, the access destination and the operation information executed on the resource according to the authority, and judging results comprise permission access, non-permission access and incapability of judging.
The personal authorization access control system based on the cryptographic algorithm has the following advantages:
(1) The user resource authority is controlled with policy-based access control (PBAC), which offers more flexible control than traditional role-based access control (RBAC) and realizes authority control at different granularities.
(2) Compared with the international general-purpose algorithms RSA, SHA and DES, the national SM2, SM3 and SM4 algorithms have lower resource consumption, higher security and higher performance.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 schematically shows a system block diagram of a personal authorization access control system based on a cryptographic algorithm according to an embodiment of the present application.
Fig. 2 schematically shows a data security transmission flow chart of a personal authorization access control system based on a cryptographic algorithm according to an embodiment of the application.
Fig. 3 schematically shows a user authentication flow diagram of a personal authorization access control system based on a cryptographic algorithm according to an embodiment of the present application.
Fig. 4 schematically shows a flowchart of authority determination of the personal authorization access control system based on the cryptographic algorithm according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail with reference to the accompanying drawings and specific embodiments.
In the following description, references to "one embodiment," "an embodiment," "one example," "an example," etc., indicate that the embodiment or example so described may include a particular feature, structure, characteristic, property, element, or limitation, but every embodiment or example does not necessarily include the particular feature, structure, characteristic, property, element, or limitation. Moreover, repeated use of the phrase "in accordance with an embodiment of the present application" although it may possibly refer to the same embodiment, does not necessarily refer to the same embodiment.
Certain features that are well known to those skilled in the art have been omitted from the following description for the sake of simplicity.
According to an embodiment of the present application, a personal authorization access control system based on a cryptographic algorithm is provided, as shown in fig. 1, which includes five major parts, namely a user management module, a client management module, an authorization policy management module, a user authentication module, and an authority determination module, and specifically includes the following functions:
User management: manages the user names, passwords, user attributes and other information of the users who can log in to the system; only registered users can log in.
Authorization policy management: after a user logs in, the user can manage the resource authorization policy information for that user on all servers. An authorization policy comprises the protected resource, the subject accessing the resource, the operation on the resource, other environment variable information needed for authority judgment, whether the access operation is permitted after the policy matches, and so on.
Client management: only a client registered in the system can call the user login and authority judgment services of the system. When registering a client, the public key of the client's SM2 key pair must be uploaded; the system uses this public key to verify signatures and identify the client. Meanwhile, the client downloads the SM2 public key of the system and uses it to verify the system's signatures, so that high-security bidirectional trust between the client and the system is established. In the data interaction between the client and the system, an SM3 digest is computed over part of the fields of the request message, the digest is SM2-encrypted with the public key of the opposite party to form a symmetric encryption key, and finally the message body is SM4-encrypted with that symmetric key, so that the data cannot be stolen in transit and transmission security is ensured.
User authentication: the system provides a user authentication function. A user can log in through a client authorized by the system; after a successful login the system generates a token representing the identity of the user, signs it, encrypts and protects it with the public key of the client, and returns it to the client. When a client holding an access token accesses the resources of other services, it must add the token to the request; the other services perform authority detection, and access is directly refused for illegal or expired tokens. For a valid token, the user identity is extracted from the token and an authority judgment request is sent to the system, which decides according to the authorization policy of the resource owner whether the user's operation may continue.
Authority judgment: the system judges according to the resource information, the resource owner information, the logged-in resource visitor information, the access purpose, the operation executed on the resource and the other information in the authority judgment request; the judgment result is one of permitted access, non-permitted access and cannot be judged.
According to one embodiment of the present application, as shown in fig. 2, the main workflow of the personal authorization access control system based on the cryptographic algorithm is as follows:
(1) the client prepares original service data X according to service requirements;
(2) the client calculates summary information DX for the original service data X by using a cryptographic SM3 algorithm;
(3) the client encrypts the summary information DX by using a private key CSK of SM2 of the client to calculate a signature value SX;
(4) the client generates a random symmetric encryption key EK;
(5) the client side uses the SM2 public key of the server side to perform asymmetric encryption protection on the encryption key EK to obtain an encrypted symmetric encryption key EEK;
(6) the client uses the symmetric encryption key EK to SM4-encrypt the original service data X, the digest DX and the signature value SX together, obtaining the encrypted data EX;
(7) the client submits to the server the encrypted data EX, the asymmetrically protected encryption key EEK, the server SM2 public key SPK used to protect EEK, and the public key CPK corresponding to the client SM2 signing private key CSK;
(8) after receiving the data submitted by the client, the server checks whether the server public key SPK is its own SM2 public key; if so, it decrypts EEK with the SM2 private key SSK corresponding to SPK to obtain the original encryption key EK;
(9) the server decrypts the encrypted data EX with EK using the SM4 algorithm to obtain the original data X, the digest DX and the signature value SX;
(10) the server decrypts the signature value SX with the client public key CPK to obtain the decrypted digest DX', and compares DX with DX'; if they differ, DX was not signed by the client and the signature value SX may have been tampered with in transmission, so the message is not credible, cannot be processed further, and processing ends abnormally;
(11) if DX and DX' are the same, processing continues: the digest DX'' of the original data X is computed with the SM3 algorithm and compared with DX'; if DX'' differs from DX', the original message X may have been modified in transmission, the message is not credible, cannot be processed further, and processing ends abnormally;
(12) if DX'' is the same as DX', the service data is processed according to the service requirements.
In this process, the client and the server represent the two interacting parties, and either end in the figure may be the server or the client. The secure transmission of data returned from the server to the client follows the same flow and is not described again; this flow is what the patent seeks to protect.
According to an embodiment of the present application, as shown in fig. 3, the process of user authentication of the personal authorization access control system based on the cryptographic algorithm is as follows:
(1) the client collects the user's input and prepares the user data for requesting a client token;
(2) the client processes the prepared user data according to the data security transmission flow and submits it to the user authorization access control system based on the national cryptographic algorithm;
(3) the user authorization access control system based on the national cryptographic algorithm receives the encrypted data submitted by the client and processes it according to the data security transmission flow to obtain the original data;
(4) the user authorization access control system based on the national cryptographic algorithm verifies the user account information; on failure, for example when the user name does not exist or the password is wrong, the process terminates directly and no client token is returned to the client;
(5) if verification passes, the system issues a client token, processes it according to the data security transmission flow and returns the processed token to the client;
(6) the client receives the encrypted data, processes it according to the data security transmission flow and obtains the client token, which is encrypted and signed by the user authorization access control system based on the national cryptographic algorithm;
(7) the client stores the original token and can use it to access other services until it expires, which avoids repeatedly calling the system to obtain a token; after the token expires, the system is called again according to this flow to generate a new token.
According to an embodiment of the present application, as shown in fig. 4, the process of determining the authority of the personal authorization access control system based on the cryptographic algorithm is as follows:
(1) the client firstly checks whether a client token exists or whether the client token is expired, and for the condition that no client token exists or the client token is expired, the client applies the client token to a user authorization access control system based on a cryptographic algorithm and stores the client token in the client, and the process refers to a user authentication process and is not repeated herein;
(2) the client prepares to call the original service data of the service A and combines the original service data and the client token to form original request data;
(3) the client processes the original request data according to the flow of data safe transmission and submits the processed original request data to the service A;
(4) the service A receives the encrypted data sent by the client, processes it according to the data security transmission flow, and obtains the original service data and the client token;
(5) the service A generates an authority judgment request by using original service data and a client token and submits the authority judgment request to a user authorization access control system based on a state cryptographic algorithm;
(6) after receiving the request, the user authorization access control system based on the state cryptographic algorithm loads all authorization strategies related to the request, executes authority judgment and returns an authority judgment result;
(7) the service A receives the authority judgment result; if the result is non-permitted access or cannot be judged, it directly refuses the client's access and the process ends;
(8) if the judgment result is permitted access, the service A executes the relevant operation according to its business logic and then ends the flow;
(9) in this flow, service A represents any business service; the same applies when the client accesses other business services.
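As an added example that is not part of the patent, the following Python sketch implements the authority judgment described in the authorization policy management passage and in the flow above: each policy carries the protected resource, the subject, the covered operations, required environment attributes and an effect, and evaluating the resource owner's policies against a request yields one of the three results (permitted, not permitted, cannot be judged). Glob matching on resource names, deny-overrides combination, and treating a policy that needs an environment attribute the request does not carry as "cannot be judged" are my assumptions; the patent does not specify them.

```python
"""Policy-based (PBAC) authority judgment with a three-valued result (added example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PERMIT, DENY, UNDETERMINED = "permit", "deny", "undetermined"   # the three results
_MATCH, _NO_MATCH, _INDETERMINATE = range(3)                     # per-policy outcome


@dataclass
class Policy:
    """One authorization policy of a resource owner (fields follow the page's list)."""
    resource: str                  # protected resource, glob pattern such as "doc/*"
    subject: str                   # resource visitor it applies to; "*" means any user
    operations: frozenset          # operations on the resource it covers
    effect: str                    # PERMIT or DENY once the policy matches
    env: dict = field(default_factory=dict)   # environment attributes that must hold


@dataclass
class Request:
    """Authority judgment request a service builds from the data and the client token."""
    resource: str
    owner: str
    visitor: str                   # user identity extracted from the valid token
    operation: str
    env: dict = field(default_factory=dict)


def _match(policy: Policy, req: Request) -> int:
    if not fnmatchcase(req.resource, policy.resource):
        return _NO_MATCH
    if policy.subject != "*" and policy.subject != req.visitor:
        return _NO_MATCH
    if req.operation not in policy.operations:
        return _NO_MATCH
    for key, wanted in policy.env.items():
        if key not in req.env:
            return _INDETERMINATE  # policy needs an attribute the request lacks
        if req.env[key] != wanted:
            return _NO_MATCH
    return _MATCH


def judge(policies_by_owner: dict, req: Request) -> str:
    """Load the owner's policies and combine them: deny overrides, an unevaluable
    policy makes the result undetermined, and no applicable policy is undetermined."""
    outcomes = [(_match(p, req), p.effect)
                for p in policies_by_owner.get(req.owner, ())]
    if any(o == _MATCH and e == DENY for o, e in outcomes):
        return DENY
    if any(o == _INDETERMINATE for o, _ in outcomes):
        return UNDETERMINED
    if any(o == _MATCH and e == PERMIT for o, e in outcomes):
        return PERMIT
    return UNDETERMINED


# Constructed sample policies of resource owner "alice" (not from the patent).
SAMPLE_POLICIES = {
    "alice": [
        Policy("doc/report-2020", "bob", frozenset({"read"}), PERMIT),
        Policy("doc/*", "*", frozenset({"delete"}), DENY),
        Policy("doc/*", "carol", frozenset({"read", "write"}), PERMIT,
               {"network": "intranet"}),
    ]
}

if __name__ == "__main__":
    print(judge(SAMPLE_POLICIES, Request("doc/report-2020", "alice", "bob", "read")))
```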
The above-mentioned embodiments only show some embodiments of the present invention, and the description thereof is more specific and detailed, but should not be construed as limiting the scope of the present invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present invention should be subject to the claims.

Claims (5)

Priority application: CN202010222288.2A, priority date 2020-03-26, filing date 2020-03-26, title "Personal authorization access control system based on state cryptographic algorithm", status pending.

Publication: CN111538973A (en), published 2020-08-14.

Family ID: 71975148

Country status: CN (1) CN111538973A (en)

Legal Events

Code: Title / Description
PB01: Publication
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication

Application publication date: 20200814

