CN103944881A - Cloud resource authorizing method under cloud computing environment - Google Patents
Publication number: CN103944881A (application CN201410100954.XA)
Authority: CN (China)
Prior art keywords: cloud, resource, cloud resource, authorization, module
Legal status: Pending (as listed by Google Patents; the status is an assumption and not a legal conclusion, and Google has not performed a legal analysis)
Abstract
The invention discloses a method of authorizing cloud resources in a cloud computing environment. When a new cloud resource is to be added, an authorization step is performed: an authorization licence generation module uses a cryptographic algorithm to generate a key pair and a serial number from the unique identification information of the cloud resource that is input. When the new cloud resource is to be used, a verification step is performed: a cloud resource authorization verification module automatically checks its verification file and, if that check passes, decrypts the serial number of the cloud resource and compares the decrypted information with the resource's real, current information. With this method, a cloud platform operator can use the authorization mechanism to verify the legitimacy of the cloud resources used by different tenants on its platform and ensure that those resources are isolated from one another, and a cloud platform software and hardware vendor can verify that the products it has sold are being used legitimately, which prevents a cloud computing service provider from arbitrarily changing the scope of use of those products and protects the vendor's legitimate interests.
Description
Technical field
The present invention relates to the field of cloud computing security, and in particular to a method of authorizing cloud resources in a cloud computing environment.
Background technology
Cloud computing is a dynamic, easily scalable, virtualization-based model of computing over pooled resources. It is normally delivered over the Internet, and the user does not need to understand the details inside the cloud. Cloud computing services comprise three layers: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). IaaS manages basic resources such as network, hosts and storage; it is the foundation of a cloud computing system and the first step in realizing cloud computing. PaaS manages middleware and databases. SaaS manages the user's applications.
In a cloud computing environment, a cloud computing resource management platform mainly handles management at the IaaS level: it virtualizes infrastructure such as servers, storage and network, builds a flexible resource pool and automates control of those resources. In general, the cloud computing resource management platform is built by a cloud computing platform software and hardware vendor and handed over to a cloud computing service provider to operate.
At present, common cloud resources mainly comprise physical device resources (mainly servers, storage and network) and logical resources (compute, storage, network and application). Host server resources include Microsoft Hyper-V, VMware ESXi, Citrix Xen, IBM PowerVM, OpenStack Nova Compute (OpenStack is an open-source cloud computing project initiated by NASA and Rackspace, with more than 200 participating vendors, released under the Apache licence) and the open-source server virtualization software KVM, among others.
A common shortcoming of current cloud resource management platforms is the lack of a legitimacy authorization mechanism for deciding which resources, physical or logical, may legitimately join the cloud computing platform and provide service externally. Two parties need such a mechanism: the cloud platform operator and the software and hardware vendor that builds the cloud platform. The operator needs it to guarantee to its tenants (the users of the platform's resources) that "the logical or physical resources used by this tenant are used exclusively by it and cannot be used by other tenants"; the vendor needs it to prevent its own software and hardware products from being abused at will, and so to protect its legitimate rights and interests.
Summary of the invention
The invention provides a method of authorizing cloud resources in a cloud computing environment. A cloud resource is abstracted into unique identification information, and the cloud resource is authorized through a serial-number licensing mechanism. All use of cloud resources within the cloud platform is based on this unique identification; a cloud resource without an identifier, or with an incorrect one, cannot join the cloud platform and cannot be used by users. This guarantees the uniqueness and legitimacy of cloud resources.
To achieve the above object, the invention provides a method of authorizing cloud resources in a cloud computing environment. The method comprises an authorization step and a verification step. The authorization step is performed by an authorization licence generation module installed on the cloud resource platform, and the verification step is performed by a cloud resource authorization verification module installed on the cloud resource platform.
When a new cloud resource is to be added, the authorization step is performed. It comprises the following steps:
Step 1.1: the party adding the resource inputs the unique identification information of the cloud resource to be added to the cloud resource platform into the authorization licence generation module;
Step 1.2: the authorization licence generation module uses a cryptographic algorithm to generate a key pair and a serial number from the unique identification information of the cloud resource that was input.
When the new cloud resource is to be used, the verification step is performed. It comprises the following steps:
Step 2.1: the serial number of the cloud resource is input into the authorization verification module on the cloud resource platform;
Step 2.2: the cloud resource authorization verification module checks the validity of the serial number that was input; if the input is valid, proceed to step 2.3, otherwise return an "input invalid" status and require the serial number to be entered again;
Step 2.3: the cloud resource authorization verification module decrypts the serial number of the cloud resource and compares the decrypted information with the cloud resource information that was submitted when the serial number was applied for. If the information is consistent, verification passes: the module returns the verification result to the platform and authorizes the cloud resource to the user of the cloud resource platform. If the information is inconsistent, verification fails: the module returns the verification result to the platform, and the user does not obtain authorization, cannot operate further, and cannot access or use the resource.
In step 1.1, in the scenario where the cloud platform operator interacts with the cloud platform software and hardware vendor, the party adding the resource is the cloud platform operator; in the scenario where a cloud platform tenant interacts with the cloud platform operator, the party adding the resource is the cloud platform tenant.
The unique identification information of a hardware cloud resource is its hardware ID; the unique identification information of a software cloud resource is a unique software identifier.
Step 1.2 comprises the following steps:
Step 1.2.1: the authorization licence generation module generates a key pair from the unique identification information of the cloud resource that was input; the key pair comprises a public key and a private key uniquely corresponding to that cloud resource;
Step 1.2.2: the private key is kept in the authorization licence generation module; the public key is used to generate a verification file, and the public key and the verification file are kept in the cloud resource authorization verification module;
Step 1.2.3: the authorization licence generation module uses the private key and the unique identification information of the cloud resource that was input to generate the serial number.
In step 1.2.3,
in the scenario where the cloud platform operator interacts with the cloud platform software and hardware vendor, the serial number is sent to the cloud platform operator, and at the same time the vendor registers the newly added cloud resource and records its serial number;
in the scenario where a cloud platform tenant interacts with the cloud platform operator, the serial number is sent to the cloud platform tenant, and at the same time the operator registers the newly added cloud resource and records its serial number.
In step 1.2.3, when the cloud platform software and hardware vendor registers the newly added cloud resource, it also records the user identifier, the virtual machine identifier and a resource path that is unlikely to change.
In step 2.2, the validity check uses the cryptographic algorithm that was used for authorization to check whether the length and character composition of the serial number make it a valid input.
In the scenario of the cloud platform operator and the cloud platform software and hardware vendor, the authorization licence generation module is deployed at a third party or at the vendor, and the cloud resource authorization verification module is deployed at a third party, at the vendor or at the cloud platform operator; in the scenario of a cloud platform tenant and the cloud platform operator, both modules are deployed at the cloud platform operator or at a third party.
The invention also provides a device for implementing the method of cloud resource authorization in a cloud computing environment. The device comprises an authorization licence generation module and a cloud resource authorization verification module installed on the cloud resource platform.
The authorization licence generation module comprises:
an input module, for inputting the unique identification information of the cloud resource;
a key generation module, for generating the key pair;
a key management module, connected to the input module and the key generation module, for keeping the private key;
a verification file generation module, connected to the key management module, for generating the verification file from the public key;
an authorization licence output module, connected to the key management module, for generating the serial number from the private key and the unique identification information of the cloud resource that was input.
The cloud resource authorization verification module comprises:
a verification file management module, for keeping the public key and the verification file;
a self-test module, connected to the verification file management module, for checking the verification file;
a verification module, connected to the self-test module, for decrypting the serial number of the cloud resource and comparing the decrypted information with the real information of the cloud resource;
a resource management module, connected to the verification module, for keeping the details of cloud resources that have passed verification;
a control module, connected to the resource management module, for the unified scheduling and management of cloud resources that have passed verification.
The invention provides a legitimacy authorization mechanism for cloud resources in a cloud platform. With it, a cloud platform operator can verify the legitimacy of the cloud resources used by different tenants on its platform and ensure that they are isolated from one another, and a cloud platform software and hardware vendor can verify that the products it sells are used legitimately, preventing a cloud computing service provider from arbitrarily changing the scope of use of those products and protecting the vendor's legitimate interests from loss.
Description of the drawings
Fig. 1 is a flow chart of the authorization step of the invention;
Fig. 2 is a flow chart of the verification step of the invention;
Fig. 3 is a schematic diagram of the authorization licence generation module of the invention;
Fig. 4 is a schematic diagram of the cloud resource authorization verification module of the invention.
Detailed description
Preferred embodiments of the invention are described below with reference to Fig. 1 to Fig. 4.
The invention provides a method of authorizing cloud resources in a cloud computing environment, comprising an authorization step and a verification step. The authorization step is performed by the authorization licence generation module installed on the cloud resource platform, and the verification step by the cloud resource authorization verification module installed on the cloud resource platform.
Embodiment 1: the scenario in which the cloud platform operator interacts with the cloud platform software and hardware vendor.
The authorization licence generation module is deployed at the cloud platform software and hardware vendor, and the cloud resource authorization verification module is deployed at the vendor or at the cloud platform operator.
As shown in Fig. 1, when a new cloud resource is to be added, the authorization step is performed by the authorization licence generation module installed on the cloud resource platform. It comprises the following steps:
Step 1: the party adding the resource inputs the unique identification information of the cloud resource to be added to the cloud resource platform into the authorization licence generation module;
here the party adding the resource is the cloud platform operator;
the resource being added is a hardware cloud resource, and its unique identification information is its hardware ID (a hardware product from a reputable manufacturer normally carries a unique product identifier, called the hardware ID, which is hard to alter by hand);
for example, when the cloud platform operator needs to add a new hardware resource, such as an x86 server, it submits the hardware ID to the cloud platform software and hardware vendor;
in practice, because products from some manufacturers do not necessarily carry a unique identifier, other man-made identification information can also be used as the input for key generation, such as a user identifier, a virtual machine identifier or a resource path (URL) that is unlikely to change;
Step 2: the authorization licence generation module uses a cryptographic algorithm to generate a key pair and a serial number from the unique identification information of the cloud resource that was input.
Step 2 comprises the following steps:
Step 2.1: the authorization licence generation module generates a key pair from the unique identification information of the cloud resource that was input; the key pair comprises a public key and a private key uniquely corresponding to that cloud resource;
Step 2.2: the private key is kept in the authorization licence generation module; the public key is used to generate a verification file, and the public key and the verification file are kept in the cloud resource authorization verification module;
Step 2.3: the authorization licence generation module uses the private key and the unique identification information of the cloud resource that was input to generate the serial number. The serial number is sent to the cloud platform operator, and at the same time the cloud platform software and hardware vendor registers the newly added cloud resource, recording its serial number and other resource information such as the user identifier, the virtual machine identifier and a resource path (URL) that is unlikely to change.
The serial number generation algorithm can be implemented with any existing public cryptographic algorithm or with an algorithm of one's own, although a publicly analysed algorithm is the safer choice.
As shown in Fig. 2, when the new cloud resource is to be used, the verification step is performed by the cloud resource authorization verification module installed on the cloud resource platform. It comprises the following steps:
Step 1: the serial number of the cloud resource is input into the authorization verification module on the cloud resource platform;
this input can be submitted to the authorization verification module automatically by a program, or entered manually;
Step 2: the cloud resource authorization verification module checks the validity of the serial number that was input: according to the cryptographic algorithm used for authorization, it checks the serial number's length, character composition and so on to decide whether it is a valid input; if so, proceed to step 3, otherwise return an "input invalid" status and require re-entry;
Step 3: the cloud resource authorization verification module uses its key to decrypt the serial number of the cloud resource. When an asymmetric algorithm is used, the key held by the verification module is the public key of the resource, the private key having remained in the authorization licence generation module (step 2.2 of the authorization step); decrypting the serial number with the public key thus also confirms that it was produced with the matching private key. The recovered information is compared with the cloud resource information submitted when the serial number was applied for. This information must be stored in a file or database at the time the serial number is obtained (the file or database may be part of the authorization verification module, may be deployed independently on a server, or may be provided by a third party as a network service). If the information is consistent, verification passes: the module returns the verification result to the platform and authorizes the cloud resource to the user of the cloud resource platform. If the information is inconsistent, verification fails: the module returns the verification result to the platform, and the user does not obtain authorization, cannot operate further, and cannot access or use the resource.
Embodiment 2: the scenario in which a cloud platform tenant interacts with the cloud platform operator.
The authorization licence generation module and the cloud resource authorization verification module are both deployed at the cloud platform operator.
As shown in Fig. 1, when a new cloud resource is to be added, the authorization step is performed by the authorization licence generation module installed on the cloud resource platform. It comprises the following steps:
Step 1: the party adding the resource inputs the unique identification information of the cloud resource to be added to the cloud resource platform into the authorization licence generation module;
here the party adding the resource is the cloud platform tenant;
the resource being added is a software cloud resource, normally a piece of software or a software instance, and its unique identification information is a unique software identifier;
for example, when a cloud platform tenant needs to add a new software resource, such as a virtual machine instance, the authorization can be based on a unique identifier formed by combining the tenant's unique identification information with the unique identification information of the virtual machine instance;
Step 2: the authorization licence generation module uses a cryptographic algorithm to generate a key pair and a serial number from the unique identification information of the cloud resource that was input.
Step 2 comprises the following steps:
Step 2.1: the authorization licence generation module generates a key pair from the unique identification information of the cloud resource that was input; the key pair comprises a public key and a private key uniquely corresponding to that cloud resource;
Step 2.2: the private key is kept in the authorization licence generation module; the public key is used to generate a verification file, and the public key and the verification file are kept in the cloud resource authorization verification module;
Step 2.3: the authorization licence generation module uses the private key and the unique identification information of the cloud resource that was input to generate the serial number. The serial number is sent to the cloud platform tenant, and at the same time the cloud platform operator registers the newly added cloud resource, recording its serial number and other resource information such as the user identifier, the virtual machine identifier and a resource path (URL) that is unlikely to change.
The serial number generation algorithm can be implemented with any existing public cryptographic algorithm or with an algorithm of one's own, although a publicly analysed algorithm is the safer choice.
As shown in Fig. 2, when the new cloud resource is to be used, the verification step is performed by the cloud resource authorization verification module installed on the cloud resource platform. It comprises the following steps:
Step 1: the serial number of the cloud resource is input into the authorization verification module on the cloud resource platform;
this input can be submitted to the authorization verification module automatically by a program, or entered manually;
Step 2: the cloud resource authorization verification module checks the validity of the serial number that was input: according to the cryptographic algorithm used for authorization, it checks the serial number's length, character composition and so on to decide whether it is a valid input; if so, proceed to step 3, otherwise return an "input invalid" status and require re-entry;
Step 3: the cloud resource authorization verification module uses its key to decrypt the serial number of the cloud resource. When an asymmetric algorithm is used, the key held by the verification module is the public key of the resource, the private key having remained in the authorization licence generation module (step 2.2 of the authorization step). The recovered information is compared with the cloud resource information submitted when the serial number was applied for. This information must be stored in a file or database at the time the serial number is obtained (the file or database may be part of the authorization verification module, may be deployed independently on a server, or may be provided by a third party as a network service). If the information is consistent, verification passes: the module returns the verification result to the platform and authorizes the cloud resource to the user of the cloud resource platform. If the information is inconsistent, verification fails: the module returns the verification result to the platform, and the user does not obtain authorization, cannot operate further, and cannot access or use the resource.
In the scenarios described, the interacting entities are not limited to the cloud platform operator and the cloud platform software and hardware vendor; the method also applies between cloud platform users (tenants) and the cloud platform operator. Where the conditions for implementing the mechanism described here are absent or hard to meet, the authorization licence generation module and the cloud resource authorization verification module can also be hosted by a third-party institution.
As shown in Fig. 3, the authorization licence generation module comprises:
an input module 101, for inputting the unique identification information of the cloud resource;
a key generation module 102, for generating the key pair;
a key management module 103, connected to the input module 101 and the key generation module 102, for keeping the private key;
a verification file generation module 104, connected to the key management module 103, for generating the verification file from the public key;
an authorization licence output module 105, connected to the key management module 103, for generating the serial number from the private key and the unique identification information of the cloud resource that was input.
As shown in Fig. 4, the cloud resource authorization verification module comprises:
a verification file management module 201, for keeping the public key and the verification file;
a self-test module 202, connected to the verification file management module 201, for checking the verification file;
a verification module 203, connected to the self-test module 202, for decrypting the serial number of the cloud resource and comparing the decrypted information with the real information of the cloud resource;
a resource management module 204, connected to the verification module 203, for keeping the details of cloud resources that have passed verification;
a control module 205, connected to the resource management module 204, for the unified scheduling and management of cloud resources that have passed verification.
The basic principle of the invention is as follows. Conventional serial-number licensing schemes are based on public key algorithms, and the invention likewise takes an asymmetric cryptographic algorithm known to those skilled in the art as its basis. An asymmetric algorithm involves two keys: a public key and a private key. The basic process of a typical asymmetric algorithm is: party A generates a key pair and publishes one of the keys as the public key; party B, holding the public key, encrypts confidential information with it and sends it to party A; party A decrypts the information with the private key that it alone keeps. Conversely, party A can sign information with its own private key before sending it to party B, and party B verifies the signature with party A's public key. Anything encrypted with a public key can only be decrypted with the corresponding private key. Asymmetric algorithms offer good confidentiality and remove the need for the end users to exchange a shared secret key. Conventional asymmetric algorithms such as RSA and ECC can all serve as concrete implementations of the invention.
In the above scheme, the unique identifier of the cloud resource (or, in practice, other man-made identification information, because the products of some manufacturers do not necessarily carry a unique identifier) is the input to key generation, producing a public key and a private key uniquely corresponding to that cloud resource. The public key is returned to party A; for example, when party A is the cloud platform operator, the public key corresponds to one concrete physical device or one piece of software (or one running instance of it). It is recorded at first authorization, and each time that physical device or software is used a reverse verification is carried out. Because of the nature of asymmetric algorithms, the parameter used to compute the serial number and the parameter used to verify it are kept apart, which makes the scheme hard to crack: the key that generates serial numbers is never given to the verifying side, so an attacker cannot break the licensing scheme by cracking the reverse verification algorithm, and the reliability and security of the scheme are preserved. Normally, providing the reverse verification as a remote service operated by a third party or by party B is the reliable implementation; implementing offline verification in software is also effective.
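The two embodiments and the principle just described, as one added worked example; this is illustrative code written for this page, not the patent's or any vendor's implementation. It models the authorization licence generation module (a per-resource key pair, registration of the resource, and a serial number produced with the private key over the resource's identification information) and the cloud resource authorization verification module (the format check of step 2.2, then the public-key check and the comparison with the registered record and with the resource's live identity of step 2.3), for both a hardware resource identified by a hardware ID and a software resource identified by tenant ID plus virtual machine ID. The serial-number layout `CRS1.<payload>.<signature>`, the function names, the JSON record fields and the sample identifiers are all assumptions; the RSA is a textbook construction at a toy 512-bit size so that the block runs in a moment, and production code would use a vetted library with standard signature padding. The example binds the key pair to the resource through the signed record rather than deriving the key from the identifier, because a private key computed deterministically from a public hardware ID could be recomputed by anyone who knows that ID.

```python
# Added illustration of the licensing flow described above, not the patent's code; layout, names and sample IDs are assumed.
import base64
import hashlib
import json
import secrets

SERIAL_PREFIX = "CRS1"  # assumed layout: CRS1.<base64url payload>.<base64url signature>
MODULUS_BITS = 512      # toy size for speed; real deployments use >= 2048-bit RSA or a curve

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=MODULUS_BITS):
    """Fresh random ((n, e), (n, d)); deliberately not derived from the (public) resource ID."""
    e, primes = 65537, []
    while len(primes) < 2:
        p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(p) and p not in primes and (p - 1) % e:
            primes.append(p)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _canonical(record):
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def authorize(record, private_keys, verification_file):
    """Generation module, steps 1.2.1-1.2.3: private_keys stays here, verification_file goes to the verifier."""
    public, (n, d) = generate_keypair()
    private_keys[record["resource_id"]] = (n, d)
    verification_file[record["resource_id"]] = {"public_key": public, "record": dict(record)}
    payload = _canonical(record)
    digest = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    signature = pow(digest, d, n).to_bytes(MODULUS_BITS // 8, "big")  # serial = signed identification
    return f"{SERIAL_PREFIX}.{_b64(payload)}.{_b64(signature)}"

def is_well_formed(serial):
    """Verification module, step 2.2: prefix, field count, encoding and lengths, before any crypto."""
    parts = serial.split(".")
    if len(parts) != 3 or parts[0] != SERIAL_PREFIX:
        return False
    try:
        payload, signature = _unb64(parts[1]), _unb64(parts[2])
    except ValueError:
        return False
    return 0 < len(payload) <= 1024 and len(signature) == MODULUS_BITS // 8

def verify(serial, live_identity, verification_file):
    """Verification module, step 2.3: public-key check, then compare with registered and live information."""
    if not is_well_formed(serial):
        return False, "input invalid"
    payload, signature = (_unb64(part) for part in serial.split(".")[1:])
    try:
        claimed = json.loads(payload)
        entry = verification_file[claimed["resource_id"]]
    except (ValueError, KeyError, TypeError):
        return False, "malformed or unregistered serial number"
    n, e = entry["public_key"]  # only public material is held on the verifying side
    if pow(int.from_bytes(signature, "big"), e, n) != int.from_bytes(hashlib.sha256(payload).digest(), "big"):
        return False, "signature does not verify"
    if claimed != entry["record"] or claimed.get("identity") != live_identity:
        return False, "information does not match this resource"
    return True, "authorized"

def demo():
    """Embodiment 1 (server by hardware ID), embodiment 2 (VM by tenant ID + VM ID), and the rejections."""
    private_keys, verification_file = {}, {}
    server = {"resource_id": "srv-0001", "identity": {"hw_id": "SN-7F3A91C2"}}  # constructed samples
    vm = {"resource_id": "vm-0042", "identity": {"tenant_id": "tenant-17", "vm_id": "i-9c1e"}}
    serials = {r["resource_id"]: authorize(r, private_keys, verification_file) for r in (server, vm)}
    # forgery attempt: payload edited to claim another tenant, original signature reused
    edited = _canonical({**vm, "identity": {"tenant_id": "tenant-99", "vm_id": "i-9c1e"}})
    forged = ".".join([SERIAL_PREFIX, _b64(edited), serials["vm-0042"].split(".")[2]])
    return {
        "server_ok": verify(serials["srv-0001"], {"hw_id": "SN-7F3A91C2"}, verification_file),
        "vm_ok": verify(serials["vm-0042"], {"tenant_id": "tenant-17", "vm_id": "i-9c1e"}, verification_file),
        "cloned_server": verify(serials["srv-0001"], {"hw_id": "SN-00000000"}, verification_file),
        "forged_vm": verify(forged, {"tenant_id": "tenant-99", "vm_id": "i-9c1e"}, verification_file),
    }
```

Calling `demo()` returns a dict of (passed, reason) pairs: both genuine serials verify; the server's serial presented from a machine reporting a different hardware ID passes the signature check but fails the live comparison, which is the "real-time true information" test of step 2.3; and a serial whose payload was edited to name another tenant fails the signature check even though its signature bytes are genuine, which is what makes the serial number worth more than a copied string.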
The invention combines hardware identification with software identification. This characteristic is especially suited to the "software-defined everything" cloud computing environment: any cloud resource, physical or logical, can be uniquely identified, which prevents duplicate names and forged resources and makes the licensing scheme sound and reliable.
Compared with the prior art, the advantages of the invention are mainly the following:
Based on unique resource identification: the resource ID specific to the hardware, or the software identifier, is used with an asymmetric algorithm to compute a uniquely corresponding pair of public and private keys, and the use of the resource or software is authorized and verified on that basis. Because the identifier is bound to the hardware device, it is hard to tamper with, which improves the effectiveness of the resource authorization mechanism.
The ID of a hardware device is normally injected once by the manufacturer at the factory and is hard for a person to alter (for example, the identification information of a server motherboard); software identification information is supplied by the manufacturer or generated by the system. A key pair generated from such uniquely identifying input has the effect described for the licensing scheme of the invention.
Support for multiple kinds of cloud resource: the invention supports compute, storage, network and application resources.
Resource authorization protection: the invention authorizes cloud resources, allows the cloud resource management platform to verify resources and block an operator's illegitimate cloud resources, and so helps the provider of the cloud resource management platform to classify the scope of the platform's services reasonably and to protect its legitimate rights and interests.
Independent modules: the authorization licence generation module and the cloud resource authorization verification module are independent modules that can be deployed at different places, which eases integration into cloud resource platforms in various scenarios. For example, in the scenario of the cloud platform operator and the cloud platform software and hardware vendor, the generation module is deployed at a third party or at the vendor and the verification module at a third party, at the vendor or at the operator; in the scenario of a cloud platform tenant and the cloud platform operator, both modules are deployed at the operator or at a third party. They need not reside on the same physical device, but network connectivity is required for remote verification. Relatively independent modules allow distributed deployment, with the modules held by different parties, which improves the reliability, security and flexibility of the licensing scheme designed by the invention.
Simple to operate: the invention is simple to operate and can be picked up without special training.
Safe and reliable: the invention is based on internationally recognised public key algorithms whose cryptographic strength has been tested internationally for many years.
Although content of the present invention has been done detailed introduction by above preferred embodiment, will be appreciated that above-mentioned description should not be considered to limitation of the present invention.Those skilled in the art, read after foregoing, for multiple modification of the present invention with to substitute will be all apparent.Therefore, protection scope of the present invention should be limited to the appended claims.
Claims (9)
1. the method for cloud resource authorization under a cloud computing environment, it is characterized in that, the method of this cloud resource authorization comprises authorisation step and verification step, described authorisation step completes by the ticket for authorization generation module being arranged on cloud resource platform, and described verification step completes by the cloud resource authorization authentication module being arranged on cloud resource platform;
When needs add new cloud resource, carry out authorisation step, described authorisation step comprises following steps:
The unique identification information that step 1.1, resource interpolation side need to add the cloud resource of cloud resource platform to is input to ticket for authorization generation module;
Step 1.2, ticket for authorization generation module be according to the unique identification information of the cloud resource of input, use cryptographic algorithm generate key to and sequence number;
When needs are used new cloud resource, carry out verification step, described verification step comprises following steps:
Step 2.1, by the authority checking module on the sequence number input cloud resource platform of cloud resource;
Step 2.2, cloud resource authorization authentication module carry out validity check to this sequence number of input, if input effectively, enter step 3, otherwise return to " it is invalid to input " state, require to re-enter;
Step 2.3, cloud resource authorization authentication module are decrypted the sequence number of cloud resource, the cloud resource information that information after deciphering is submitted to during with patent application serial numbers before compares, if information is consistent, by checking, cloud resource authorization authentication module returns to the result to platform, and by this cloud resource authorization the user to cloud resource platform, if information is inconsistent, not by checking, cloud resource authorization authentication module returns to the result to platform, user can not obtain the authorization and also cannot further operate, and cannot access or use this resource.
2. the method for cloud resource authorization under cloud computing environment as claimed in claim 1, it is characterized in that, in described step 1.1, in the mutual scene of cloud platform operation business and cloud platform software and hardware manufacturer, described resource interpolation side is cloud platform operation business, in cloud platform tenant and the mutual scene of cloud platform operation business, described resource interpolation side is cloud platform tenant.
3. the method for cloud resource authorization under cloud computing environment as claimed in claim 1, is characterized in that, the unique identification information of hardware cloud resource is hardware ID information, and the unique identification information of software fortune resource is the unique beacon information of software.
4. the method for cloud resource authorization under cloud computing environment as claimed in claim 1, is characterized in that, described step 1.2 comprises following steps:
Step 1.2.1, ticket for authorization generation module, according to the unique identification information of the cloud resource of input, generate key pair, and this key is to comprising public-key cryptography and the private cipher key of the described cloud resource of unique correspondence;
Step 1.2.2, described private cipher key is kept in ticket for authorization generation module, utilizes public-key cryptography to generate authentication document, and public-key cryptography and authentication document are kept in cloud resource authorization authentication module;
Step 1.2.3, ticket for authorization generation module utilize the unique identification information of the cloud resource of private cipher key and input, formation sequence number.
5. the method for cloud resource authorization under cloud computing environment as claimed in claim 4, is characterized in that, in described step 1.2.3,
In the mutual scene of cloud platform operation business and cloud platform software and hardware manufacturer, sequence number is sent to cloud platform operation business, cloud platform software and hardware manufacturer also registers the cloud resource of new interpolation simultaneously, records the sequence number of cloud resource;
In cloud platform tenant and the mutual scene of cloud platform operation business, sequence number is sent to cloud platform tenant, cloud platform operation business also registers the cloud resource of new interpolation simultaneously, records the sequence number of cloud resource.
6. the method for cloud resource authorization under cloud computing environment as claimed in claim 5, is characterized in that, in described step 1.2.3, when cloud platform software and hardware manufacturer registers the cloud resource of new interpolation, the sign of recording user also, virtual machine sign, is difficult for reformed resource path.
7. the method for cloud resource authorization under cloud computing environment as claimed in claim 6, it is characterized in that, in described step 2.2, validation verification is the cryptographic algorithm of using when authorizing, whether the length of authentication sequence number, character string form, be an effectively input.
8. as the method for cloud resource authorization under the cloud computing environment as described in any one in claim 1-7, it is characterized in that, in the scene of cloud platform operation business and cloud platform software and hardware manufacturer, ticket for authorization generation module is deployed in third party or cloud platform software and hardware manufacturer place, and cloud resource authorization authentication module is deployed in third party, cloud platform software and hardware manufacturer or cloud platform operation business place; In cloud platform tenant and cloud platform operation business's scene, ticket for authorization generation module and cloud resource authorization authentication module are all deployed in cloud platform operation business or third party place.
9. An apparatus implementing the method of cloud resource authorization in a cloud computing environment as claimed in claim 8, characterized in that the apparatus comprises an authorization licence generation module and a cloud resource authorization verification module installed on the cloud resource platform;
The authorization licence generation module comprises:
an input module (101) for inputting the unique identification information of the cloud resource;
a key generation module (102) for generating the key pair;
a key management module (103), connected to the input module (101) and the key generation module (102), for keeping the private key;
a verification file generation module (104), connected to the key management module (103), for generating the verification file using the public key;
an authorization licence output module (105), connected to the key management module (103), for generating the serial number using the private key and the unique identification information of the input cloud resource;
The cloud resource authorization verification module comprises:
a verification file management module (201) for keeping the public key and the verification file;
a self-test module (202), connected to the verification file management module (201), for verifying the verification file;
a verification module (203), connected to the self-test module (202), for decrypting the serial number of the cloud resource and comparing the decrypted information with the real information of the cloud resource;
a resource management module (204), connected to the verification module (203), for keeping the specific information of cloud resources that have passed verification;
a control module (205), connected to the resource management module (204), for the unified scheduling and management of cloud resources that have passed verification.
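The authorization step of claims 1 and 4 and the verification step of claims 1 and 7, worked through end to end as an added example; this is not code from the patent or its applicant. It uses Ed25519 from Go's standard library as the "international public-key algorithm": the generation module signs the identification information with the private key to form the serial number, and the verification module's signature check with the public key plays the role the claims describe as "decrypting" the serial number, after which the recovered fields are compared with the record made at registration (claims 5 and 6) and with the identity read from the resource at verification time. Two choices are the example's own assumptions rather than the patent's text: the key pair is generated randomly once for the issuer and bound to each resource by signing its identifier, instead of being derived from the identifier (a hardware ID such as a mainboard serial is readable by anyone with access to the host, so a key derived from it could be reproduced by that reader); and the ResourceIdentity field names, the serial-number format and the sample values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ResourceIdentity is the "unique identification information" of claim 1,
// step 1.1. The field set is this example's assumption: a hardware ID or
// software beacon (claim 3) plus the user, VM and path that claim 6 records.
type ResourceIdentity struct {
	Kind string `json:"kind"`            // compute, storage, network or application
	HWID string `json:"hw_id"`           // mainboard serial, or the software's unique beacon
	User string `json:"user"`            // tenant or operator that added the resource
	VMID string `json:"vm_id,omitempty"` // virtual machine identifier, if any
	Path string `json:"path,omitempty"`  // a resource path that is not easily changed
}

// Generator is the authorization licence generation module. It is the only
// party that ever holds the private key (step 1.2.2).
type Generator struct{ priv ed25519.PrivateKey }

// NewGenerator performs step 1.2.1: create the key pair. The public key is
// returned so that it can be installed in the verification module.
func NewGenerator() (*Generator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Generator{priv: priv}, pub, nil
}

// IssueSerial performs step 1.2.3: bind the identity to the private key. The
// serial number is "<base64url(JSON identity)>.<base64url(signature)>", so the
// verifier can recover the identity fields and check the signature over them.
func (g *Generator) IssueSerial(id ResourceIdentity) (string, error) {
	payload, err := json.Marshal(id)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(g.priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verifier is the cloud resource authorization verification module. It holds
// the public key and the registry of serial numbers recorded at registration.
type Verifier struct {
	pub      ed25519.PublicKey
	registry map[string]ResourceIdentity
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, registry: map[string]ResourceIdentity{}}
}

// Register records a newly added resource and its serial number (claims 5 and 6).
func (v *Verifier) Register(serial string, id ResourceIdentity) { v.registry[serial] = id }

// FormatCheck is step 2.2: a cheap syntactic check on length and character set
// before any cryptography runs, so malformed input is refused as "invalid input".
func FormatCheck(serial string) error {
	parts := strings.Split(serial, ".")
	if len(parts) != 2 {
		return errors.New("invalid input: expected <payload>.<signature>")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("invalid input: signature is not a base64url Ed25519 signature")
	}
	if len(parts[0]) == 0 || len(parts[0]) > 4096 {
		return errors.New("invalid input: payload length out of range")
	}
	return nil
}

// Verify is step 2.3. Checking the signature with the public key is the
// practical form of "decrypting the serial number": it proves the identity
// fields were issued by the holder of the private key. The recovered fields
// must then equal both the registered record and the identity observed on the
// resource right now (in production: the hardware ID probed from the host).
func (v *Verifier) Verify(serial string, live ResourceIdentity) (bool, error) {
	if err := FormatCheck(serial); err != nil {
		return false, err
	}
	parts := strings.Split(serial, ".")
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return false, errors.New("invalid input: payload is not base64url")
	}
	sig, _ := enc.DecodeString(parts[1]) // already validated by FormatCheck
	if !ed25519.Verify(v.pub, payload, sig) {
		return false, nil // forged or tampered serial number
	}
	var issued ResourceIdentity
	if err := json.Unmarshal(payload, &issued); err != nil {
		return false, err
	}
	registered, ok := v.registry[serial]
	if !ok {
		return false, nil // never registered: not a resource the platform admitted
	}
	return issued == registered && issued == live, nil
}

func main() {
	gen, pub, err := NewGenerator()
	if err != nil {
		panic(err)
	}
	verifier := NewVerifier(pub)
	// Constructed sample resource, not data taken from the patent.
	host := ResourceIdentity{Kind: "compute", HWID: "MB-7F3A-0192", User: "tenant-a", VMID: "vm-0042", Path: "/srv/tenant-a"}
	serial, _ := gen.IssueSerial(host)
	verifier.Register(serial, host)
	ok, err := verifier.Verify(serial, host)
	fmt.Println("genuine resource:", ok, err)
	moved := host
	moved.HWID = "MB-9C10-7755" // the same serial presented from a different mainboard
	ok, err = verifier.Verify(serial, moved)
	fmt.Println("resource moved to other hardware:", ok, err)
}
```

Running it prints true for the genuine resource and false once the serial is presented from different hardware. A deployed version would keep the public key, the verification file and the registry under the verification module's control as claim 9 requires, read the live identity from the host rather than take it as a parameter, and, if one key pair per resource is wanted as claim 4 states, record each resource's public key at registration alongside its serial number.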
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410100954.XA CN103944881A (en) | 2014-03-19 | 2014-03-19 | Cloud resource authorizing method under cloud computing environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410100954.XA CN103944881A (en) | 2014-03-19 | 2014-03-19 | Cloud resource authorizing method under cloud computing environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103944881A true CN103944881A (en) | 2014-07-23 |
Family
ID=51192365
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410100954.XA Pending CN103944881A (en) | 2014-03-19 | 2014-03-19 | Cloud resource authorizing method under cloud computing environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103944881A (en) |
2014-03-19 CN CN201410100954.XA patent/CN103944881A/en active Pending
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105763518A (en) * | 2014-12-19 | 2016-07-13 | 江苏融成嘉益信息科技有限公司 | B/S architecture-based remote data encryption method |
WO2018076870A1 (en) * | 2016-10-25 | 2018-05-03 | 广东欧珀移动通信有限公司 | Data processing method and apparatus, storage medium, server, and data processing system |
CN108628658A (en) * | 2017-03-17 | 2018-10-09 | 华为技术有限公司 | A kind of licence managing method and device of container |
CN108628658B (en) * | 2017-03-17 | 2022-04-05 | 华为技术有限公司 | License management method and device for container |
CN107483499A (en) * | 2017-09-23 | 2017-12-15 | 张仁平 | A kind of high in the clouds multi-user service management system |
CN107483499B (en) * | 2017-09-23 | 2020-04-21 | 上海臻客信息技术服务有限公司 | Cloud multi-user service management system |
CN109672522A (en) * | 2017-10-13 | 2019-04-23 | ***通信集团公司 | A kind of key querying method and cloud platform |
CN109672522B (en) * | 2017-10-13 | 2021-07-09 | ***通信集团公司 | Key query method and cloud platform |
CN109873711A (en) * | 2017-12-05 | 2019-06-11 | 北京金山云网络技术有限公司 | A kind of cloud platform management method, device, electronic equipment and readable storage medium storing program for executing |
WO2019109943A1 (en) * | 2017-12-05 | 2019-06-13 | 北京金山云网络技术有限公司 | Cloud platform management method and apparatus, electronic device and readable storage medium |
CN111464481A (en) * | 2019-01-18 | 2020-07-28 | 伊姆西Ip控股有限责任公司 | Method, apparatus and computer program product for service security protection |
CN111464481B (en) * | 2019-01-18 | 2023-01-13 | 伊姆西Ip控股有限责任公司 | Method, apparatus and computer readable medium for service security protection |
CN110149338B (en) * | 2019-05-27 | 2021-12-24 | 深圳市天启时代科技有限公司 | Cloud platform encryption authorization method |
CN110149338A (en) * | 2019-05-27 | 2019-08-20 | 深圳市天启时代科技有限公司 | A kind of cloud platform encryption and authorization method |
CN110995480A (en) * | 2019-11-25 | 2020-04-10 | 百度在线网络技术(北京)有限公司 | Block chain network deployment method, device, electronic equipment and medium |
CN111241492A (en) * | 2019-12-27 | 2020-06-05 | 武汉烽火信息集成技术有限公司 | Product multi-tenant secure credit granting method, system and electronic equipment |
CN111143800A (en) * | 2019-12-31 | 2020-05-12 | 北京华胜天成科技股份有限公司 | Cloud computing resource management method, device, equipment and storage medium |
CN111143800B (en) * | 2019-12-31 | 2022-06-28 | 北京华胜天成科技股份有限公司 | Cloud computing resource management method, device, equipment and storage medium |
CN112883400A (en) * | 2021-03-11 | 2021-06-01 | 杭州网易云音乐科技有限公司 | Business resource service method, device, electronic equipment and storage medium |
CN115766294A (en) * | 2023-01-05 | 2023-03-07 | 中国联合网络通信集团有限公司 | Cloud server resource authentication processing method, device, equipment and storage medium |
CN115766294B (en) * | 2023-01-05 | 2023-04-25 | 中国联合网络通信集团有限公司 | Cloud server resource authentication processing method, device, equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103944881A (en) | Cloud resource authorizing method under cloud computing environment | |
CN104639516B (en) | Identity identifying method, equipment and system | |
US20220191012A1 (en) | Methods For Splitting and Recovering Key, Program Product, Storage Medium, and System | |
KR100746030B1 (en) | Method and apparatus for generating rights object with representation by commitment | |
JP6357158B2 (en) | Secure data processing with virtual machines | |
US8997198B1 (en) | Techniques for securing a centralized metadata distributed filesystem | |
CN106687980B (en) | Management program and virtual machine protection | |
CN106105146A (en) | Prove that Energy Resources Service's protection client specifies voucher at password | |
CN110677376B (en) | Authentication method, related device and system and computer readable storage medium | |
CN103390124B (en) | Safety input and the equipment, system and method for processing password | |
US9544137B1 (en) | Encrypted boot volume access in resource-on-demand environments | |
CN106027503A (en) | Cloud storage data encryption method based on TPM | |
CN103440436A (en) | Digital rights management system and methods for accessing content from an intelligent storag | |
CN102760214B (en) | A kind of novel software copyright protecting method and device | |
KR20140099325A (en) | System and method for key management for issuer security domain using global platform specifications | |
CN104980477A (en) | Data access control method and system in cloud storage environment | |
US20180131677A1 (en) | Balancing public and personal security needs | |
WO2012064378A1 (en) | Managing data | |
KR102560295B1 (en) | User-protected license | |
CN111010430B (en) | Cloud computing security data sharing method based on double-chain structure | |
CN104794394A (en) | Virtual machine starting verification method and device | |
US20160335453A1 (en) | Managing Data | |
US10516655B1 (en) | Encrypted boot volume access in resource-on-demand environments | |
JP2024507679A (en) | Allowed Encryption | |
CN113592497A (en) | Financial transaction service security authentication method and device based on block chain |
Legal Events
Date | Code | Title | Description
---|---|---|---
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20140723