CN109587100A - Cloud computing platform user authentication processing method and system (Google Patents)
Publication number: CN109587100A
Application number: CN201710909245.XA
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications (CPC)
- H04L63/10 - Network security: controlling access to devices or network resources
- H04L63/083 - Network security: authentication of entities using passwords
- H04L63/0876 - Network security: authentication of entities based on the identity of the terminal or configuration (e.g. MAC address, hardware or software configuration, device fingerprint)
- H04L67/10 - Protocols in which an application is distributed across nodes in the network
Abstract
Embodiments of the present application disclose a cloud computing platform user authentication processing method and system. The system comprises an authentication server, which receives an identity authentication request and forwards it to a cloud identity management server, and the cloud identity management server, which receives the identity authentication request, parses the user information out of it, performs identity authentication according to that user information, and returns the authentication result to the authentication server. With this scheme, user identity authentication and user identity management are integrated into the cloud platform's existing user identity management system, saving the operation and maintenance (O&M) cost and usage cost of the cloud computing platform.
Description
Technical field
This application relates to the field of information security technology, and in particular to a cloud computing platform user authentication processing method and system.
Background art
Identity authentication is the foundation of information system security. It is the process by which a computer or computer network system confirms a user's identity in order to determine whether that user holds access rights to a given resource. This allows the access policies of the computer and network system to be enforced reliably and efficiently, prevents an attacker from impersonating a legitimate user to obtain access to resources, and protects the security of the system and its data as well as the legitimate interests of authorized users.
Many protocols are currently used for identity authentication; typical examples are Kerberos, EAP-MD5-Challenge, EAP-GTC and EAP-TLS. Among them, Kerberos is widely deployed, for example in Windows systems and on some well-known cloud service platforms. When authenticating with such a protocol, once the client has submitted the user's account identifier (together with a password, or a proof of the password, depending on the protocol) to the authentication server, the authentication server generally needs to obtain the stored user information for that user (such as the user name and the password or password-derived key). The authentication server side therefore generally requires a dedicated identity management system that stores the user data of registered users.
However, many system architectures that integrate an authentication protocol already have an independent identity management system. If one system architecture has to operate and maintain two identity management systems, it generally incurs considerable O&M cost and usage cost. There is therefore a need in the prior art for an identity authentication method and system with low O&M cost.
Summary of the invention
The embodiments of the present application aim to provide a cloud computing platform user authentication processing method and system that integrate user identity authentication and user identity management into the cloud platform's existing user identity management system, saving the O&M cost and usage cost of the cloud computing platform.
The cloud computing platform user authentication processing method and system provided by the embodiments of the present application are implemented as follows:
A cloud computing platform user authentication processing system, comprising:
an authentication server, configured to receive an identity authentication request and to forward the identity authentication request to a cloud identity management server;
the cloud identity management server, configured to receive the identity authentication request, to parse user information out of the identity authentication request, to perform identity authentication according to the user information, and to return the identity authentication result to the authentication server.
A cloud computing platform user authentication processing system, comprising:
a client, configured to obtain user information and to send an identity authentication request containing the user information to a cloud identity management server;
the cloud identity management server, configured to receive the identity authentication request, to parse the user information out of the identity authentication request, to perform identity authentication according to the user information, and to return the identity authentication result to the client.
A server, being a server of a cloud computing platform for managing user account data and user resource access permissions, the server comprising a processor and a memory storing processor-executable instructions which, when executed by the processor, implement:
receiving an identity authentication request;
parsing user information out of the identity authentication request;
performing identity authentication according to the user information and generating an identity authentication result;
returning the identity authentication result.
A cloud computing platform user authentication processing method, comprising:
an authentication server receiving an identity authentication request and forwarding the identity authentication request to a cloud identity management server;
the cloud identity management server receiving the identity authentication request and parsing the user information out of the identity authentication request;
the cloud identity management server performing identity authentication according to the user information and returning the identity authentication result to the authentication server.
The cloud computing platform user authentication processing method and system provided by the present application transfer the user authentication work on the cloud computing platform to the cloud identity management server. Compared with the prior art, in which two identity management systems have to be operated and maintained on the cloud computing platform, the technical solution of the application integrates user identity authentication and user identity management into the cloud platform's existing user identity management system and removes the back-end database that the prior art had to maintain specially to store the user information needed for identity authentication, thereby saving the O&M cost and usage cost of the cloud computing platform. In addition, the cloud identity management server can also control the user's access permissions, so that identity authentication and access permission control are handled together: the user's access permissions are obtained at the moment the user passes authentication, which improves the processing efficiency of data access on the cloud platform.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments recorded in the application; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of identity authentication based on the Kerberos identity authentication protocol in the prior art;
Fig. 2 is a flowchart of the prior-art method by which the authentication server authenticates the client;
Fig. 3 is a schematic diagram of the module structure of one embodiment of the cloud computing platform user authentication processing system provided by the present application;
Fig. 4 is a flowchart of one embodiment of the cloud computing platform user authentication processing system provided by the present application;
Fig. 5 is a schematic diagram of the module structure of another embodiment of the cloud computing platform user authentication processing system provided by the present application;
Fig. 6 is a schematic diagram of the module structure of one embodiment of the server provided by the present application.
Detailed description of the embodiments
To help those skilled in the art better understand the technical solutions of the application, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the application, without creative effort, fall within the scope of protection of the application.
To help those skilled in the art understand the technical solutions provided by the embodiments, the technical background against which they were developed is explained first.
To present clearly the identity authentication methods based on an authentication protocol that the following embodiments describe, the general identity authentication flow is first illustrated, without limitation, using the Kerberos identity authentication protocol as an example. As shown in Fig. 1, Kerberos authentication involves three principals: the client, the Key Distribution Center (KDC) and the service server, where the KDC contains an Authentication Server (AS) and a Ticket Granting Server (TGS). As shown in Fig. 1, a client that wants to connect to the service server generally needs two stages; in the first stage the authentication server authenticates the client. Specifically, the client sends the authentication server a request carrying its identity information (such as the user name) for a Ticket Granting Ticket (TGT), the ticket with which a Service Granting Ticket (SGT) is obtained later. Having received the request, the authentication server looks up the key corresponding to that user name in its back-end database (a long-term key derived from the user's password) and uses it to build the reply. The reply contains two parts. The first part is the ticket granting ticket, which the client must present to the ticket granting server in the second stage and which is encrypted under the ticket granting server's own key. The second part is encrypted under the client's password-derived key and contains the TGS session key. The client cannot decrypt the ticket granting ticket, but it can decrypt the second part with the key derived from the password the user entered. If the decryption succeeds, authentication succeeds and the client obtains the TGS Session Key, which it uses in the second stage to protect its exchange with the ticket granting server; otherwise authentication fails. The user's password itself is never transmitted.
In the second stage of Kerberos authentication, the service server must authenticate the client before the client can access the service normally. Specifically, the client sends an identity authentication request to the ticket granting server carrying the ticket granting ticket together with an authenticator encrypted under the TGS session key. After receiving them, the ticket granting server performs checks, for example that the user name inside the ticket granting ticket matches the user name in the authenticator and that the timestamp is fresh. If the checks pass, the ticket granting server returns a service granting ticket (SGT) to the client, the ticket with which the client accesses the service server.
Likewise, on success the client receives a reply from the ticket granting server whose first part is the service granting ticket, which the client cannot decrypt, and whose second part the client decrypts with the TGS session key to obtain the service session key (SSK). The client uses the service session key to encrypt an authenticator (Authenticator). Then, as shown in Fig. 1, the client sends an authentication request to the service server containing the service granting ticket (which carries the service session key encrypted under the service server's key) and the authenticator. On receiving the request, the service server extracts the service session key from the ticket and uses it to verify the authenticator, thereby authenticating the client. If authentication succeeds, the client can access the service provided by the service server.
From the above Kerberos flow it can be seen that the Kerberos identity authentication protocol offers high performance and, through mutual verification, high security, which is why it is applied on many current platforms, typically Windows systems and some cloud computing platforms. Common open-source Kerberos implementations include MIT Kerberos and Apache Kerby.
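The first Kerberos stage described above, as an added, runnable illustration that is not code from this application, from MIT Kerberos or from Apache Kerby: the AS-REQ carries only the principal name, the AS-REP contains a TGT the client cannot open plus a part the client can open only with its password-derived key, and a wrong password shows up as a failed decryption rather than as a transmitted password being rejected. The realm salt, the user store, the PBKDF2 string-to-key function and the HMAC-based toy cipher standing in for a Kerberos encryption type are all constructed assumptions for the example. Note that the AS needs a pre-provisioned key for every registered user, which is exactly the second identity store the present application seeks to remove.

```python
import hashlib
import hmac
import json
import os

# Added illustration, not code from the patent or from MIT Kerberos / Apache Kerby.
# Models only the first Kerberos stage (AS-REQ / AS-REP). Names, keys and the toy
# cipher are constructed for the example.

REALM_SALT = b"EXAMPLE.COM"   # constructed; real Kerberos salts with realm and principal
TGS_KEY = os.urandom(32)      # long-term key of the ticket granting server


def string_to_key(password: str) -> bytes:
    """Derive the client's long-term key from its password. Kerberos uses an
    encryption-type specific string-to-key function; PBKDF2 stands in for it here
    (assumption for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM_SALT, 10_000, 32)


# The AS's own user store: every registered user must already have a key here.
AS_USER_DB = {"alice": string_to_key("correct horse battery")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream plus HMAC tag) standing in for
    the Kerberos encryption type. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(). Raises ValueError when the key is wrong or the blob was
    tampered with; this is how 'decryption fails' manifests."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("decryption failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def as_exchange(username: str):
    """Authentication server: the AS-REQ carries only the principal name, the
    password never travels. Returns (TGT, enc_part) or None for an unknown user."""
    client_key = AS_USER_DB.get(username)
    if client_key is None:
        return None
    tgs_session_key = os.urandom(32)
    # TGT: opaque to the client, readable only by the TGS.
    tgt = seal(TGS_KEY, json.dumps({"cname": username, "key": tgs_session_key.hex()}).encode())
    # Second part: readable only by whoever knows the user's password.
    enc_part = seal(client_key, json.dumps({"key": tgs_session_key.hex()}).encode())
    return tgt, enc_part


def client_login(username: str, password: str):
    """Client side of stage one. Returns (TGT, TGS session key) on success, or None
    when the user is unknown or the password does not open enc_part."""
    reply = as_exchange(username)
    if reply is None:
        return None
    tgt, enc_part = reply
    try:
        enc = json.loads(unseal(string_to_key(password), enc_part))
    except ValueError:
        return None
    return tgt, bytes.fromhex(enc["key"])


def tgs_session_key_from_tgt(tgt: bytes) -> bytes:
    """What the TGS does in stage two: open the TGT with its own key and read the
    session key it now shares with the client."""
    return bytes.fromhex(json.loads(unseal(TGS_KEY, tgt))["key"])
```

Because the AS never sees the password, it can only authenticate users whose keys it already holds; delegating the lookup to another store, as the application proposes, means that store must be able to answer "does this credential belong to this user" on the AS's behalf.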
The process by which the authentication server authenticates the client is described in detail below with reference to Fig. 2. As shown in Fig. 2, when the client sends the user name to the authentication server, the authentication server needs to obtain the credential record corresponding to that user name. In the prior-art MIT Kerberos system, each user's name and key may be pre-stored in the database built into the system, or in a user directory accessed over the Lightweight Directory Access Protocol (LDAP). What the client does after the authentication server has obtained the record is as described above and is not repeated here. It follows that when a new user is registered in an MIT Kerberos system, its operators must enter that user's information into the database or LDAP directory in advance; the O&M cost is therefore high, especially where the number of users is large. Moreover, in some application environments, such as cloud computing environments, an independent identity management system usually already exists; if the MIT Kerberos system maintains yet another identity management system, the system architecture as a whole inevitably incurs considerable O&M and usage cost.
In view of this technical need, the technical solution of the application combines the identity management system that the system architecture already has with the Kerberos identity authentication system, merging two user identity management systems into one and reducing the O&M and usage cost of the architecture.
Against this background, the application provides a cloud computing platform user authentication processing system. Fig. 3 shows an example system 300 for data authentication based on a cloud computing platform. As shown in Fig. 3, the example system 300 may comprise a client 310, an authentication server 320 and a cloud identity management server 330, where the client 310 is coupled to the authentication server 320 and the authentication server 320 is coupled to the cloud identity management server 330. The example system 300 may comprise one or more clients 310. The authentication server 320 may be deployed on the virtual machines or physical servers that provide the service resources; specifically, the service resources may be deployed on frameworks such as Hadoop, Spark and HBase. The authentication server 320 and the cloud identity management server 330 may each be one or more servers, or may be integrated into a single server. Of course, the system 300 is not limited to cloud computing platforms: in other embodiments it may be applied to any system architecture that requires user identity authentication and already has an identity management system or module. The application places no restriction on the deployment environment of the system 300.
The interaction flow among the principals of the cloud computing platform user authentication processing system is described in detail below with reference to the flowchart of Fig. 4.
First, the authentication server 320 may be based on a user identity authentication protocol such as Kerberos and may be deployed on a service cluster such as Hadoop, which provides service resources, for example data resources, to clients. In some application scenarios an enterprise uses the resources offered by a service provider, such as the data available on a cloud computing platform. Cloud computing platforms that provide cloud services are usually equipped with a resource access control module (such as Identity and Access Management on Amazon Web Services, or RAM on Alibaba Cloud) that offers enterprises centralized access control. The enterprise's administrators manage resources through this module, for example by creating new accounts for employees, each with its own access permissions (administrators and ordinary employees generally do not have the same data access permissions).
Generally, so that the access permissions corresponding to different accounts can be obtained, the cloud computing platform that provides the service is equipped with a cloud identity management server: a server of the cloud computing platform for managing user account data and user resource access permissions. When an enterprise needs to create a user account on the cloud computing platform, the cloud identity management server provides the relevant services (such as creating the user account and setting its access permissions) and stores the created user information (such as the user name and data access permissions).
As shown in Fig. 4, during identity authentication the user enters user information at the client 310. After receiving the entered user information, the client 310 sends an identity authentication request containing that user information to the authentication server 320. In one embodiment, to protect the data in transit, the user information in the identity authentication request is transformed before transmission, for example by applying a hash algorithm to it. (A hash is a one-way transform rather than encryption, and a hashed password sent as-is is itself a reusable credential; in practice such a value is bound to a timestamp or nonce with a keyed construction so that an intercepted copy cannot simply be replayed.) The identity authentication request may also carry other information, such as a timestamp; the application does not restrict this. In another embodiment, the client 310 may obtain from the user information the access key that corresponds to it, the access key consisting of a user name and a password. For example, the user name and password may be an Access Key and an Access Secret: when a user account (including its User ID) is created, the identity management system 330 creates a further user-name/password pair bound to that User ID, the Access Key/Secret, which offers higher security than the account password. Therefore, when the user information contains an Access Key/Secret, the security of the user information is correspondingly higher. In addition, when the Access Key/Secret is transmitted, the Access Secret is encrypted so that it cannot be recovered in transit, improving the transmission security of the user information.
As shown in Fig. 4, after obtaining the identity authentication request, the authentication server 320 forwards it, in response, to the cloud identity management server 330. Specifically, in one embodiment the cloud identity management server 330 exposes an API through which the authentication server 320 transmits data to it. After receiving the identity authentication request, the cloud identity management server 330 parses the data in the request and obtains the user information in it. Specifically, if the user information contains the access key Access Key and Access Secret, with the Access Secret encrypted, the cloud identity management server decodes the encrypted Access Secret with a preset algorithm to obtain the Access Secret, and then obtains the user information (such as the User ID) from the Access Key and Access Secret. It should be noted that, in one embodiment of the application, the API of the cloud identity management server 330 may take request parameters in a preset format. In that case, after receiving the identity authentication request sent by the client 310, the authentication server 320 formats the request, converting it into request parameters of the preset format. For example, the preset request parameters may be {Access Key, encrypted Access Secret, timestamp, target service resource information}; the authentication server 320 then converts the received identity authentication request into request parameters of this preset format and sends them to the cloud identity management server 330 through the API.
Then, on receiving the identity authentication request or the request parameters in the preset format, the cloud identity management server 330 authenticates the user. For example, during identity authentication the cloud identity management server 330 parses the user information out of the identity authentication request or the preset-format request parameters. After obtaining the access key Access Key and the encrypted Access Secret, the cloud identity management server 330 decodes the encrypted Access Secret with a preset algorithm. The preset algorithm may, for example, decode the encrypted Access Secret using the Access Secret stored for that Access Key as the key. If the decoding succeeds, the Access Key and the encrypted Access Secret are determined to match and user identity authentication succeeds; if the decoding fails, they are determined not to match and user identity authentication fails.
After performing identity authentication, the cloud identity management server 330 generates the identity authentication result and returns it to the authentication server 320. Having received the result, the authentication server 320 decides the next step of the workflow according to it. For an authentication server based on the Kerberos identity authentication protocol, for example, if the result is that the user information passed authentication, the credential (such as the ticket granting ticket described above) is returned to the client 310; if authentication failed, the authentication server 320 likewise returns the failure result to the client 310.
In one embodiment, after the user information has passed authentication, the cloud identity management server 330 may also return the access permission information corresponding to that user information to the authentication server 320. For example, if the format of the request parameters that the authentication server 320 submits to the API of the cloud identity management server 330 is {Access Key, encrypted Access Secret, timestamp, target service resource information}, the request parameters contain target service resource information, that is, the target service resource the client 310 needs to access, such as a service resource on a Hadoop, Spark or HBase cluster. The cloud identity management server 330 verifies the requested target service resource: if the verification succeeds, the user information is determined to have permission to access the target service resource; if it fails, the user information is determined not to have that permission.
In this way the authentication server 320 takes an active part in controlling user access permissions. Compared with the prior art, in which user access permissions are controlled entirely by the cloud identity management server, this embodiment transfers part of the permission control to the authentication server 320, which both reduces the load on the cloud identity management server 330 and improves the efficiency of access permission control.
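The Fig. 4 flow end to end, as an added, runnable illustration that is not code from this application or from any provider's RAM/IAM API: the client 310 builds the identity authentication request, the authentication server 320 converts it into the preset request parameters {Access Key, proof of the Access Secret, timestamp, target service resource}, and the cloud identity management server 330 authenticates the credential and then answers whether the user may access the target resource. In place of the "encrypted Access Secret" the example has the client prove possession of the Access Secret with an HMAC over the request parameters (an assumption on my part, and the usual way Access Key credentials are verified without the secret leaving the client); the user store, keys, resource names and clock-skew limit are constructed.

```python
import hashlib
import hmac
import time

# Added illustration, not code from the patent or from any cloud provider.
# Client 310 -> authentication server 320 -> cloud identity management server 330.
# The Access Secret is used as an HMAC key and is never transmitted (assumption).
# All users, keys and resource names below are constructed.

IAM_USERS = {                       # the cloud identity management server's one user store
    "AKIDEXAMPLE01": {
        "user_id": "u-1001",
        "secret": b"constructed-access-secret-do-not-reuse",
        "allow": {"hadoop:/data/sales", "hbase:orders"},
    },
}
MAX_CLOCK_SKEW = 300                # seconds before a request timestamp counts as stale
PRESET_FIELDS = ("access_key", "signature", "timestamp", "resource")


def _string_to_sign(access_key: str, timestamp: int, resource: str) -> bytes:
    # Newline separators stop one field from bleeding into the next.
    return f"{access_key}\n{timestamp}\n{resource}".encode()


def client_sign(access_key: str, secret: bytes, resource: str, now=None) -> dict:
    """Client 310: build the identity authentication request. Signing over the
    target resource binds the proof to this request, and the timestamp bounds replay."""
    ts = int(time.time() if now is None else now)
    sig = hmac.new(secret, _string_to_sign(access_key, ts, resource), hashlib.sha256).hexdigest()
    return {"access_key": access_key, "signature": sig, "timestamp": ts, "resource": resource}


def format_request(auth_request: dict) -> dict:
    """Authentication server 320: convert the request into the API's preset
    parameter format, rejecting requests that lack a required field."""
    missing = [f for f in PRESET_FIELDS if f not in auth_request]
    if missing:
        raise ValueError(f"identity authentication request missing {missing}")
    return {f: auth_request[f] for f in PRESET_FIELDS}


def iam_authenticate(params: dict, now=None) -> dict:
    """Cloud identity management server 330: authenticate the credential, then
    report whether the authenticated user may access the requested resource."""
    now = int(time.time() if now is None else now)
    record = IAM_USERS.get(params["access_key"])
    if record is None:
        return {"authenticated": False, "reason": "unknown access key"}
    ts = int(params["timestamp"])
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return {"authenticated": False, "reason": "stale timestamp"}
    expected = hmac.new(
        record["secret"],
        _string_to_sign(params["access_key"], ts, params["resource"]),
        hashlib.sha256,
    ).hexdigest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, params["signature"]):
        return {"authenticated": False, "reason": "bad signature"}
    return {
        "authenticated": True,
        "user_id": record["user_id"],
        "authorized": params["resource"] in record["allow"],
    }
```

Because the target resource is inside the signed string, the authentication server 320 cannot swap in a different resource after the fact, and the permission answer returned alongside the authentication result refers to exactly the resource the client asked for, which is the "dual control" the embodiment relies on.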
In another embodiment of the application, the client 310 may send the user identity authentication request directly to the cloud identity management server 330 for authentication. Specifically, the example system 500 of this embodiment is shown in Fig. 5 and may comprise a client 310 and a cloud identity management server 330. The client 310 is configured to obtain user information and to send an identity authentication request containing that user information to the cloud identity management server 330; the cloud identity management server 330 is configured to receive the identity authentication request, to parse the user information out of it, to perform identity authentication according to the user information, and to return the identity authentication result to the client 310. Thereafter, as shown in Fig. 5, the client 310 may pass the received identity authentication result on to the authentication server 320. For the authentication server 320 to rely on a result relayed through the client, the result must be verifiable as originating from the cloud identity management server 330, for example by carrying its signature; otherwise the client could present a fabricated success result.
The cloud computing platform user authentication processing method and system provided by the present application can transfer the user authentication work on the cloud computing platform to the cloud identity management server for execution. Compared with the prior art, in which two identity management systems have to be operated and maintained on the cloud computing platform, the technical solution of the present application integrates user identity authentication and user identity management into the cloud computing platform's existing user identity management system, and removes the back-end database that the prior art established specifically to store the user information needed for authentication, which saves the O&M cost and usage cost of the cloud computing platform. In addition, the cloud identity management server can also control the user's access authority, realizing dual control of user identity authentication and access authority management: the user's access authority becomes available at the moment the user passes identity authentication, which improves the processing efficiency of cloud platform data access.
As shown in Fig. 6, in another aspect the present application also provides a server. The server is a server based on the cloud computing platform for managing user account data and user resource access authority, and it includes a processor and a memory for storing processor-executable instructions. When executing the instructions, the processor implements:
receiving an identity authentication request;
parsing user information from the identity authentication request;
performing identity authentication according to the user information and generating an identity authentication result;
returning the identity authentication result.
Optionally, in one embodiment of the present application, after implementing the step of performing identity authentication according to the user information and generating the identity authentication result, the processor further implements:
if the identity authentication result indicates that the user information has passed authentication, obtaining the user access authority corresponding to the user information and returning the user access authority to the authentication server.
Optionally, in one embodiment of the present application, if the user information includes information on a target service resource, the processor, in implementing the step of obtaining the user access authority corresponding to the user information, implements:
verifying the access authority to the target service resource according to the information on the target service resource;
if the verification passes, determining that the user has access authority to the target service resource.
Although the embodiments herein describe data processing such as handling identity authentication requests, data parsing and encryption, the present application is not limited to cases that fully comply with industry programming-language design standards or with the data processing described in the embodiments. Implementations slightly modified on the basis of a particular page-design language or embodiment description can also achieve implementation effects identical, equivalent or close to those of the above embodiments, or the expected effects after modification. Of course, even without using the above data-processing and judgement approaches, as long as the data acquisition and processing description of the above embodiments of the present application is satisfied, the same application can still be implemented, which is not described in detail here.
Although the present application provides method operation steps as described in the embodiments or flowcharts, conventional or non-inventive means may include more or fewer operation steps. The step sequence enumerated in the embodiments is only one of many execution orders and does not represent the unique execution order. When an actual device or client product executes, it may execute in the order shown in the embodiments or drawings, or execute in parallel (for example, in a parallel-processor or multithreaded environment).
It is also known in the art that, besides implementing the controller purely with computer-readable program code, the method steps can be logically programmed so that the controller achieves the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller can therefore be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as structures within the hardware component. Or even, the devices for realizing various functions can be regarded both as software modules implementing the method and as structures within the hardware component.
The present application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, classes and the like that perform specific tasks or implement specific abstract data types. The present application may also be practised in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
From the above description of the embodiments, those skilled in the art can clearly understand that the present application can be implemented by means of software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, mobile terminal, server, network device or the like) to execute the method described in each embodiment of the present application or in certain parts of the embodiments.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. The present application can be used in many general-purpose or special-purpose computing system environments or configurations, such as personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and the like.
Although the present application has been described through embodiments, those skilled in the art will appreciate that many variations and modifications of the present application exist without departing from its spirit, and it is intended that the appended claims cover these variations and modifications that do not depart from the spirit of the present application.
Claims (24)
1. A cloud computing platform user authentication processing system, characterized by comprising:
an authentication server for receiving an identity authentication request and forwarding the identity authentication request to a cloud identity management server;
the cloud identity management server for receiving the identity authentication request, parsing user information from the identity authentication request, performing identity authentication according to the user information, and returning the identity authentication result to the authentication server.
2. The system according to claim 1, characterized in that the system further comprises:
a client for obtaining user information and for sending an identity authentication request, which includes the user information, to the authentication server.
3. The system according to claim 2, characterized in that the client is further used to:
obtain the access key corresponding to the user information according to the user information, the access key including a user name and a password;
encrypt the password, and add the user name and the encrypted password to the identity authentication request;
send the identity authentication request to the authentication server.
4. The system according to claim 3, characterized in that the cloud identity management server specifically parses the user information from the identity authentication request in the following manner:
decoding the encrypted password using a preset algorithm to obtain the password;
obtaining the user information according to the user name and the password.
5. The system according to claim 1, characterized in that the cloud identity management server comprises a server based on the cloud computing platform for managing user account data and user resource access authority.
6. The system according to claim 1, characterized in that the cloud identity management server is further used to:
if the identity authentication result indicates that the user information has passed authentication, obtain the user access authority corresponding to the user information, and return the user access authority to the authentication server.
7. The system according to claim 6, characterized in that, if the user information includes information on a target service resource, the cloud identity management server specifically obtains the user access authority corresponding to the user information in the following manner:
verifying the access authority to the target service resource according to the information on the target service resource;
if the verification passes, determining that the user has access authority to the target service resource.
8. The system according to claim 2, characterized in that the authentication server is further used to:
if the identity authentication result indicates that the user information has passed authentication, send the authenticated credential information to the client.
9. A cloud computing platform user authentication processing system, characterized by comprising:
a client for obtaining user information and for sending an identity authentication request, which includes the user information, to a cloud identity management server;
the cloud identity management server for receiving the identity authentication request, parsing the user information from the identity authentication request, performing identity authentication according to the user information, and returning the identity authentication result to the client.
10. The system according to claim 9, characterized in that the client is further used to:
obtain the access key corresponding to the user information according to the user information, the access key including a user name and a password;
encrypt the password, and add the user name and the encrypted password to the identity authentication request;
send the identity authentication request to the cloud identity management server.
11. The system according to claim 10, characterized in that the cloud identity management server specifically parses the user information from the identity authentication request in the following manner:
decoding the encrypted password using a preset algorithm to obtain the password;
obtaining the user information according to the user name and the password.
12. The system according to claim 9, characterized in that the cloud identity management server comprises a server based on the cloud computing platform for managing user account data and user resource access authority.
13. The system according to claim 9, characterized in that the cloud identity management server is further used to:
if the identity authentication result indicates that the user information has passed authentication, obtain the user access authority corresponding to the user information, and return the user access authority to the client.
14. The system according to claim 13, characterized in that, if the user information includes information on a target service resource, the cloud identity management server specifically obtains the user access authority corresponding to the user information in the following manner:
verifying the access authority to the target service resource according to the information on the target service resource;
if the verification passes, determining that the user has access authority to the target service resource.
15. The system according to claim 9, characterized in that the system further comprises an authentication server, the authentication server being used to obtain the identity authentication result from the client.
16. A server, characterized in that the server comprises a server based on the cloud computing platform for managing user account data and user resource access authority, the server comprising a processor and a memory for storing processor-executable instructions, wherein the processor, when executing the instructions, implements:
receiving an identity authentication request;
parsing user information from the identity authentication request;
performing identity authentication according to the user information and generating an identity authentication result;
returning the identity authentication result.
17. The server according to claim 16, characterized in that, after implementing the step of performing identity authentication according to the user information and generating the identity authentication result, the processor further implements:
if the identity authentication result indicates that the user information has passed authentication, obtaining the user access authority corresponding to the user information, and returning the user access authority to the authentication server.
18. The server according to claim 17, characterized in that, if the user information includes information on a target service resource, the processor, in implementing the step of obtaining the user access authority corresponding to the user information, implements:
verifying the access authority to the target service resource according to the information on the target service resource;
if the verification passes, determining that the user has access authority to the target service resource.
19. A cloud computing platform user authentication processing method, characterized by comprising:
an authentication server receiving an identity authentication request and forwarding the identity authentication request to a cloud identity management server;
the cloud identity management server receiving the identity authentication request and parsing the user information from the identity authentication request;
the cloud identity management server performing identity authentication according to the user information and returning the identity authentication result to the authentication server.
20. The method according to claim 19, characterized in that, before the authentication server receives the identity authentication request, the method further comprises:
a client obtaining user information and generating an identity authentication request according to the user information;
the client sending the identity authentication request to the authentication server.
21. The method according to claim 20, characterized in that, before the client sends the identity authentication request to the authentication server, the method further comprises:
the client obtaining the access key corresponding to the user information according to the user information, the access key including a user name and a password;
encrypting the password, and adding the user name and the encrypted password to the identity authentication request;
sending the identity authentication request to the authentication server.
22. The method according to claim 19, characterized in that the cloud identity management server comprises a server based on the cloud computing platform for managing user account data and user resource access authority.
23. The method according to claim 19, characterized in that, if the identity authentication result indicates that the user information has passed authentication, then after returning the identity authentication result to the authentication server, the method further comprises:
obtaining the user access authority corresponding to the user information, and returning the user access authority to the authentication server.
24. The method according to claim 23, characterized in that, if the user information includes information on a target service resource, obtaining the user access authority corresponding to the user information comprises:
verifying the access authority to the target service resource according to the information on the target service resource;
if the verification passes, determining that the user has access authority to the target service resource.
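The three-party flow of claims 19 to 24 (and the Fig. 5 and Fig. 6 embodiments above), as an added Python illustration that is not part of the patent: client, authentication server and cloud identity management server are plain functions, the account store, shared key and resource names are constructed, and the unnamed "preset algorithm" of claims 4 and 11 is stood in for by a nonce-based keystream. Storing passwords as salted PBKDF2 hashes and comparing them in constant time is this example's assumption, not something the patent specifies.

```python
import base64
import hashlib
import hmac
import os
import secrets

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed account store on the cloud IdM server (claim 5: account data plus
# resource access authority); salted PBKDF2 hashes are this example's assumption.
_SALT = b"constructed-salt"
ACCOUNTS = {
    "alice": {"pw_hash": _hash_pw("s3cret-pass", _SALT), "salt": _SALT,
              "resources": {"oss://bucket-a": "read", "ecs://vm-7": "admin"}},
}
_DUMMY_HASH = _hash_pw("not-a-real-password", _SALT)  # compared against for unknown users

# Stand-in for the unnamed "preset algorithm" of claims 4/11: a nonce-based keystream
# from a shared key. It hides only the password field; TLS still carries the request.
TRANSPORT_KEY = b"constructed-shared-key"

def _keystream(nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(TRANSPORT_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_password(password: str) -> str:
    # Client side (claim 3): encrypt the password before adding it to the request.
    nonce, data = os.urandom(8), password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return base64.b64encode(nonce + ct).decode()

def decrypt_password(blob: str) -> str:
    # Server side (claim 4): decode the encrypted password with the preset algorithm.
    raw = base64.b64decode(blob)
    nonce, ct = raw[:8], raw[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

def client_build_request(username: str, password: str, target_resource=None) -> dict:
    # Client: the access key (user name + password) becomes the identity authentication request.
    request = {"username": username, "password_enc": encrypt_password(password)}
    if target_resource is not None:
        request["target_resource"] = target_resource  # claim 7: target service resource
    return request

def cloud_identity_management_server(request: dict) -> dict:
    # Cloud IdM server: parse the user information, authenticate, attach access authority.
    try:
        password = decrypt_password(request["password_enc"])
    except (KeyError, ValueError):
        return {"authenticated": False, "reason": "malformed request"}
    account = ACCOUNTS.get(request.get("username"))
    # One PBKDF2 computation per request whether or not the user exists, so the
    # response time does not reveal which user names are registered.
    stored = account["pw_hash"] if account else _DUMMY_HASH
    salt = account["salt"] if account else _SALT
    if not hmac.compare_digest(_hash_pw(password, salt), stored) or account is None:
        return {"authenticated": False, "reason": "bad credentials"}
    result = {"authenticated": True, "username": request["username"]}
    target = request.get("target_resource")
    if target is None:
        result["access"] = dict(account["resources"])
    else:  # claims 7/14: verify authority for the named resource; None means no authority
        result["access"] = account["resources"].get(target)
    return result

def authentication_server(request: dict) -> dict:
    # Authentication server (claims 1, 8): forward the request; hand out a credential on success.
    result = cloud_identity_management_server(request)
    if result["authenticated"]:
        result["credential"] = secrets.token_hex(16)  # constructed session credential
    return result

def client_direct_flow(username: str, password: str, target_resource=None) -> dict:
    # Fig. 5 / claims 9-15 variant: the client contacts the cloud IdM server directly.
    return cloud_identity_management_server(client_build_request(username, password, target_resource))
```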
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710909245.XA CN109587100A (en) | 2017-09-29 | 2017-09-29 | A kind of cloud computing platform user authentication process method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN109587100A true CN109587100A (en) | 2019-04-05 |
Family
ID=65918922
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710909245.XA Pending CN109587100A (en) | 2017-09-29 | 2017-09-29 | A kind of cloud computing platform user authentication process method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109587100A (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |
| RJ01 | Rejection of invention patent application after publication | | |
Application publication date: 20190405