CN113055160B - Intelligent education safety protection method and system based on Kerberos identity authentication protocol - Google Patents

Info

Publication number: CN113055160B
Authority: CN (China)
Application number: CN202110253070.8A
Other languages: Chinese (zh)
Other versions: CN113055160A (en)
Inventors: 卢启伟, 陈铿帆
Current and original assignee: Shenzhen Yingshuo Intelligent Technology Co ltd
Legal status: Active
Prior art keywords: user, service, information, kerberos, server

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The invention provides an intelligent education safety protection method and system based on the Kerberos identity authentication protocol. The safety protection method comprises the following steps: the user authenticates to the Kerberos server with a password, and the validity of that authentication is kept locally on the user side for a preset reserved time period; according to the user's application, the Kerberos server, together with the background server corresponding to the service the user requires, verifies the authenticity of the user, and the verification result determines whether the background server establishes a service connection for the user; and the service requirement of a user verified as real is sent to a blockchain network, which processes the user requirement accordingly. The system comprises modules corresponding to the method steps.

Description

Intelligent education safety protection method and system based on Kerberos identity authentication protocol
Technical Field
The invention provides a method and a system for intelligent education safety protection based on a Kerberos identity authentication protocol, and belongs to the technical field of intelligent education.
Background
At present, mainstream big data platforms are mostly built on Hadoop ecosystem components. The Hadoop ecosystem was not designed with a security mechanism, a security model or an overall security plan at the outset, and as application scenarios kept growing, malicious behaviour such as unauthorized job submission, modification of job trace state and data tampering appeared later on. Security measures such as Kerberos authentication, file ACL access control and network-layer encryption were therefore added; these security functions solve part of the security problems but still have limitations. For identity management and access control, the platform can rely on the identity and permission management mechanism of Linux, but that identity management only supports users and user groups, not roles. Moreover, the Hadoop ecosystem has many components in many versions, so performing security control operations for each version of each component is difficult. A fine-grained permission management mechanism is therefore needed to grant access to each component securely and to ensure the safe use of the underlying big data components.
Disclosure of Invention
The invention provides an intelligent education safety protection method based on the Kerberos identity authentication protocol, which is used to solve the problem that the safe use of the underlying big data components cannot be ensured:
A safety protection method for intelligent education based on the Kerberos identity authentication protocol comprises the following steps:
the user authenticates to the Kerberos server with a password, and the validity of that authentication is kept locally on the user side for a preset reserved time period;
according to the user's application, the Kerberos server, together with the background server corresponding to the service the user requires, verifies the authenticity of the user, and the verification result determines whether the background server establishes a service connection for the user;
and the service requirement of a user verified as real is sent to a blockchain network, which processes the user requirement accordingly.
Further, the preset reserved time period is determined by the following formula:
[formula image Figure BDA0002959474460000011, not reproduced in the text]
where T_y is the preset reserved time period; F_i is the user access frequency in the i-th hour of operation of the intelligent education system; n is the number of hours the intelligent education system has been operating; F_max is the maximum hourly user access frequency after the system has operated for the current duration; F_min is the minimum hourly user access frequency after the system has operated for the current duration; C is the amount of authentication-validity data stored locally on the user side after authentication; C_max is the threshold on the amount of authentication-validity data the user side is allowed to store locally; and T_0 is the initial value of the reserved time period.
Further, verifying the authenticity of the user by the Kerberos server together with the background server corresponding to the service the user requires, according to the user's application, and determining from the verification result whether the background server establishes a service connection for the user, includes:
the user applies to the Kerberos server for a service key corresponding to a specific service; on receiving the application, the Kerberos server encrypts the service information required for the service the user wants to connect to, together with the user's own information, to obtain the corresponding service key, and returns that service key to the user;
the user forwards the corresponding service key to the specific background server corresponding to the required service;
on receiving the service key sent by the user, the background server decrypts it with its own key to obtain the user information authenticated by the Kerberos server;
the background server compares the Kerberos-authenticated user information decrypted from the service key with the user who sent it and judges whether the two are consistent; if they are consistent, the identity of the user is determined to be real and the background server is allowed to establish the corresponding service connection for the user; if they are not consistent, the user information is determined to be unsafe and no service connection is made for the user.
Further, the user's own information is encrypted with the key of the background service corresponding to the service connection the user requires.
Further, sending the service requirement of the real user to the blockchain network, where the blockchain network processes the user requirement accordingly, includes:
when a blockchain node processes data for the user's corresponding service and the data of one node in the blockchain changes, that node sends a data change docking request to the shared node that has a shared data link relation with it;
when the shared node receives the data change docking request from the blockchain node, it requests from the blockchain node the corresponding service key provided by the user, and at the same time decrypts and obtains the user information of the corresponding service from the Kerberos server;
on receiving the service key provision request sent by the shared node, the blockchain node sends the user information obtained by the background server to the shared node;
and the shared node compares the user information of the corresponding service decrypted from the Kerberos server with the user information provided by the blockchain node; if they are consistent, the shared node performs the corresponding data change, and if they are inconsistent, a security warning is sent to the background server.
Further, the safety protection method further comprises: if the same user performs identity authentication multiple times after the reserved time period, adjusting the reserved time period for that user, including:
monitoring the user's identity authentication in real time, and when the same user begins authenticating again after the reserved time period, recording the number of identity authentications of that user within a preset specified monitoring duration;
and when the number of authentications exceeds the authentication count threshold, adjusting the reserved time period for that user with a reserved time adjustment model.
Further, the reserved time adjustment model is as follows:
[formula image Figure BDA0002959474460000031, not reproduced in the text]
where T_1 is the adjusted local reserved time period of the authentication validity for that user; T_z is the preset specified monitoring duration; t_max is the maximum time interval between the user's multiple identity authentications within the preset monitoring duration; t_min is the minimum time interval between the user's multiple identity authentications within the preset monitoring duration; k is the number of time intervals occurring between the user's multiple identity authentications within the preset monitoring duration; t_i is the i-th time interval between the user's identity authentications within the preset monitoring duration; m is the total number of identity authentications performed by the user within the preset monitoring duration; and m_0 is the authentication count threshold.
An intelligent education safety protection system based on the Kerberos identity authentication protocol, the safety protection system comprising:
an identity authentication module, used for the user to authenticate to the Kerberos server with a password, the validity of that authentication being kept locally on the user side for a preset reserved time period;
a connection judging module, used for verifying the authenticity of the user by the Kerberos server together with the background server corresponding to the service the user requires, according to the user's application, and determining from the verification result whether the background server establishes a service connection for the user;
a processing module, used for sending the service requirement of the real user to a blockchain network, which processes the user requirement accordingly;
a reserved time period adjusting module, configured to adjust the reserved time period for the user if the same user performs identity authentication multiple times after the reserved time period;
wherein the reserved time period adjusting module comprises:
a real-time monitoring module, used for monitoring the user's identity authentication in real time and, when the same user begins authenticating again after the reserved time period, recording the number of identity authentications of that user within the preset specified monitoring duration;
and an adjusting module, used for adjusting the reserved time period for the user through the reserved time adjustment model when the number of authentications exceeds the authentication count threshold.
Further, the connection judging module includes:
an encryption module, used for the user to apply to the Kerberos server for a service key corresponding to a specific service; on receiving the application, the Kerberos server encrypts the service information required for the service the user wants to connect to, together with the user's own information, to obtain the corresponding service key, and returns that service key to the user;
a forwarding module, used for forwarding the corresponding service key to the specific background server corresponding to the required service;
a decryption module, used for the background server, on receiving the service key sent by the user, to decrypt it with its own key and obtain the user information authenticated by the Kerberos server;
and a comparison module, used for the background server to compare the Kerberos-authenticated user information decrypted from the service key with the user who sent it and judge whether the two are consistent; if they are consistent, the identity of the user is determined to be real and the background server is allowed to establish the corresponding service connection for the user; if they are not consistent, the user information is determined to be unsafe and no service connection is made for the user.
Further, the processing module comprises:
a data change request module, used for sending a data change docking request to the shared node that has a shared data link relation with a blockchain node when that node's data changes while it is processing data for the user's corresponding service;
a service key obtaining module, configured to, when the shared node receives the data change docking request from the blockchain node, request from the blockchain node the corresponding service key provided by the user, and decrypt and obtain the user information of the corresponding service from the Kerberos server;
a sending module, used for the blockchain node, on receiving the service key provision request sent by the shared node, to send the user information obtained by the background server to the shared node;
and a comparison and judgment module, used for the shared node to compare the user information of the corresponding service decrypted from the Kerberos server with the user information provided by the blockchain node; if they are consistent, the shared node performs the corresponding data change, and if they are inconsistent, the shared node sends a security warning to the background server.
The beneficial effects of the invention are as follows:
The intelligent education safety protection method and system based on the Kerberos identity authentication protocol can effectively meet the identity authentication and fine-grained authority management requirements of big data components. The system meets new security requirements such as role-based identity management and fine-grained access control, and, even though the Hadoop ecosystem has many components in many versions, effective security management and control operations can be performed for each version of each component.
Drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a system block diagram of the system of the invention.
Detailed Description
The preferred embodiments of the invention are described below in conjunction with the accompanying drawings; it will be understood that they are described for the purpose of illustration and explanation and not of limitation.
An embodiment of the invention provides an intelligent education safety protection method based on the Kerberos identity authentication protocol, comprising the following steps:
S1, the user authenticates to the Kerberos server with a password, and the validity of that authentication is kept locally on the user side for a preset reserved time period;
S2, according to the user's application, the Kerberos server, together with the background server corresponding to the service the user requires, verifies the authenticity of the user, and the verification result determines whether the background server establishes a service connection for the user;
and S3, the service requirement of the user verified as real is sent to a blockchain network, which processes the user requirement accordingly.
Wherein the preset reserved time period is determined by the following formula:
[formula image Figure BDA0002959474460000051, not reproduced in the text]
where T_y is the preset reserved time period; F_i is the user access frequency in the i-th hour of operation of the intelligent education system; n is the number of hours the intelligent education system has been operating; F_max is the maximum hourly user access frequency after the system has operated for the current duration; F_min is the minimum hourly user access frequency after the system has operated for the current duration; C is the amount of authentication-validity data stored locally on the user side after identity verification; C_max is the threshold on the amount of authentication-validity data the user side is allowed to store locally; and T_0 is the initial value of the reserved time period.
The working principle of this technical scheme is as follows: the Kerberos protocol is mainly used for authentication in computer networks. Its characteristic is that a user only needs to enter authentication information once and can then access multiple services through the ticket (ticket-granting ticket) obtained by that authentication, that is, single sign-on (SSO). The protocol has considerable security because a shared secret key is established between each client and service.
The core of Kerberos is a centralized identity authentication server: the various background services do not authenticate the user's identity directly but rely on the Kerberos third-party service to do so. The identity and secret (password) information of users is managed uniformly within the Kerberos service framework, so background services need not manage and authenticate this information themselves, and users need not register their identity and password on multiple systems.
The user's identity is first verified to the Kerberos server through the password; the validity of that verification can be kept locally by the user for a period of time, so the user does not have to enter the password each time it connects to a background service. The user then applies to Kerberos for the service key of a specific service; Kerberos encrypts the information required to connect to that service together with the user's information and returns it to the user. The user's information is additionally encrypted with the key of the corresponding background service, so the user, not knowing the background service's key, cannot disguise or tamper with it. The user then forwards this information to the specific background server; on receiving it, the background server decrypts it with its own key to obtain the user information authenticated by the Kerberos service, and compares it with the user who sent the information. If they are consistent, the user's identity can be considered real and the user can be served.
The effects of this technical scheme are as follows: it can effectively meet the identity authentication and fine-grained authority management requirements of big data components. The system meets new security requirements such as role-based identity management and fine-grained access control, and, even though the Hadoop ecosystem has many components in many versions, effective security management and control operations can be performed for each version of each component. In addition, the reserved time period obtained from the calculation formula can be set reasonably by effectively combining the user access situation of the intelligent education system with the retention situation of authentication validity; the reserved time period is set at an interval of once every 3 hours. Through this setting, when users log in more or less often, the stored reserved time is adjusted to match the user access volume, so that the storage device or system that locally stores authentication validity always keeps an effective storage space. This prevents user authentication errors caused by the authentication information of intelligent education system users not being retainable because of insufficient storage space, and effectively improves the reliability of user authentication. At the same time, the specific setting of the reserved time period calculated by the formula matches the frequency of resetting the reserved time once every three hours, so that the storage of user identity validity in the intelligent education system is monitored effectively and in time, the timeliness of the reserved time setting is improved, and saturation of the storage space is avoided entirely.
In an embodiment of the invention, verifying the authenticity of the user by the Kerberos server together with the background server corresponding to the service the user requires, according to the user's application, and determining from the verification result whether the background server establishes a service connection for the user, includes:
S201, the user applies to the Kerberos server for a service key corresponding to a specific service; on receiving the application, the Kerberos server encrypts the service information required for the service the user wants to connect to, together with the user's own information, to obtain the corresponding service key, and returns that service key to the user; the user's own information is encrypted with the key of the background service corresponding to the service connection the user requires.
S202, the user forwards the corresponding service key to the specific background server corresponding to the required service;
S203, on receiving the service key sent by the user, the background server decrypts it with its own key to obtain the user information authenticated by the Kerberos server;
S204, the background server compares the Kerberos-authenticated user information decrypted from the service key with the user who sent it and judges whether the two are consistent; if they are consistent, the identity of the user is determined to be real and the background server is allowed to establish the corresponding service connection for the user; if they are not consistent, the user information is determined to be unsafe and no service connection is made for the user.
The working principle of this technical scheme is as follows: first, the user applies to the Kerberos server for a service key corresponding to a specific service; on receiving the application, the Kerberos server encrypts the service information required for the service the user wants to connect to, together with the user's own information, to obtain the corresponding service key, and returns that service key to the user; the user's own information is encrypted with the key of the background service corresponding to the service connection the user requires. Then the user forwards the corresponding service key to the specific background server corresponding to the required service. Next, on receiving the service key sent by the user, the background server decrypts it with its own key to obtain the user information authenticated by the Kerberos server. Finally, the background server compares the Kerberos-authenticated user information decrypted from the service key with the user who sent it and judges whether the two are consistent; if they are consistent, the identity of the user is determined to be real and the background server is allowed to establish the corresponding service connection for the user; if they are not consistent, the user information is determined to be unsafe and no service connection is made for the user.
The effects of this technical scheme are as follows: this verification method improves the efficiency of identity verification for each user's access and avoids repeated identity verification of users, while effectively improving the system security of the intelligent education system and avoiding illegal access by malicious third parties; it can effectively meet the identity authentication and fine-grained authority management requirements of big data components. The system meets new security requirements such as role-based identity management and fine-grained access control, and, even though the Hadoop ecosystem has many components in many versions, effective security management and control operations can be performed for each version of each component.
In an embodiment of the present invention, sending a service requirement required by a real user to a blockchain network, where the blockchain network performs corresponding processing on the user requirement, includes:
s301, when the block chain nodes process data of corresponding services of a user and when one node in a block chain is changed, sending a data change docking request to a shared node with a shared data link relation between the nodes;
s302, when receiving a data change docking request of the block chain node, the sharing node requests the block chain node to acquire a corresponding service key provided by a user, and simultaneously decrypts the data change docking request from a Kerberos server to acquire user information of the corresponding service;
s303, after receiving a corresponding service key providing request sent by the sharing node, the block chain node sends the user information acquired by the background server to the sharing node;
s304, the sharing node compares the user information of the corresponding service obtained by decryption from the Kerberos server with the user information provided by the block link point, if the user information is consistent, the sharing node changes the corresponding data, and if the user information is inconsistent, the sharing node sends a safety warning to the background server.
The working principle of the technical scheme is as follows: firstly, when the block chain node processes data of corresponding service of a user, and when data change occurs to one node in a block chain, a data change docking request is sent to a shared node with a shared data link relation between the nodes; then, when receiving a data change docking request of the block chain node, the sharing node requests the block chain node to acquire a corresponding service key provided by a user, and simultaneously decrypts the data change docking request from a Kerberos server to acquire user information of the corresponding service; subsequently, after receiving a corresponding service key providing request sent by the sharing node, the blockchain node sends the user information acquired by the background server to the sharing node; and finally, the sharing node compares the user information of the corresponding service obtained by decryption from the Kerberos server with the user information provided by the block link point, if the user information is consistent, the sharing node changes the corresponding data, and if the user information is inconsistent, a safety warning is sent to the background server.
The effect of the above technical scheme is as follows: through this data change verification mode of the block chain network at the back end of the intelligent education system, subsequent data changes in the block chain network are closely tied to the front-end user's Kerberos identity verification; the safety of data updating in the back-end block chain network is effectively improved, malicious third parties are prevented from attacking the block chain network through illegal data updates, and the safety protection performance of the intelligent education system is further improved.
In an embodiment of the present invention, the safety protection method further includes: if the same user performs multiple identity authentications after the reserved time period, adjusting the reserved time period for the user, including:
monitoring the specific condition of user identity authentication in real time, and recording the number of times of identity authentication of the user within a preset specified monitoring time length when the same user starts to perform identity authentication again after the reserved time period;
and when the authentication times exceed the authentication times threshold, adjusting the reserved time period for the user through a reserved time adjustment model.
Wherein the reserved time adjustment model is as follows:
Figure BDA0002959474460000081
wherein $T_1$ represents the adjusted locally reserved time period of the authentication validity for the user; $T_z$ represents the preset specified monitoring time length; $t_{max}$ represents the maximum time interval between the user's multiple identity authentications within the preset specified monitoring time length; $t_{min}$ represents the minimum time interval between the user's multiple identity authentications within the preset specified monitoring time length; $k$ represents the number of time intervals between the user's multiple identity authentications within the preset specified monitoring time length; $t_i$ represents the $i$-th time interval between the user's multiple identity authentications within the preset specified monitoring time length; $M$ represents the total number of identity authentications of the user within the preset specified monitoring time length; $M_0$ represents the authentication times threshold.
The effect of the above technical scheme is as follows: through the reserved time adjusting mode, targeted convenient service can be effectively provided for users with high-frequency access; the reserved time period of authentication validity for such a user is effectively lengthened, repeated authentication of the user is avoided, and user experience is effectively improved. On the other hand, the reserved time adjusting value obtained at the same time gives a specific reserved time increase that matches the actual access condition of the user, so that the reserved time period corresponds one to one with the user's access characteristics; the validity period of the user's authentication is increased while an effective balance is kept between user convenience and the storage amount of identity validity data. This avoids the problem of the traditional fixed-value increase of reserved time, where the reserved time of all high-frequency access users is uniformly lengthened, uniformly raising storage pressure until the storage space saturates.
The embodiment of the invention provides an intelligent education safety protection system based on a Kerberos identity authentication protocol, as shown in figure 2, the safety protection system comprises:
the identity authentication module is used for carrying out identity authentication on the Kerberos server through a password by a user, and the validity after the identity authentication is locally reserved to a preset reserved time period in the user;
the connection judging module is used for verifying the authenticity of the user by combining a background server corresponding to the service required by the user according to the application of the user by using the Kerberos server and determining whether the background server performs service connection on the user according to a verification result;
the processing module is used for sending the service requirement required by the real user to a block chain network, and the block chain network correspondingly processes the user requirement;
a reserved time period adjusting module, configured to adjust a reserved time period for the user if the same user performs multiple times of identity authentication after the reserved time period;
wherein the reserved time period adjusting module comprises:
the real-time monitoring module is used for monitoring the specific condition of user identity authentication in real time, and recording the number of times of identity authentication of the user within the preset specified monitoring time length when the same user starts to perform identity authentication again after the reserved time period;
and the adjusting module is used for adjusting the reserved time period for the user through the reserved time adjusting model when the authentication times exceed the authentication time threshold.
Wherein, the connection judging module comprises:
the encryption module is used for a user to apply for a service key corresponding to a specific service from the Kerberos server, and for the Kerberos server, after receiving the service key application, to encrypt the service required information corresponding to the service to be connected by the user together with the user's own information to obtain the corresponding service key and return it to the user;
the forwarding module is used for forwarding the corresponding service secret key to a specific background server corresponding to the service required by the user;
the decryption module is used for decrypting by using the self secret key after the background server receives the corresponding service secret key sent by the user to obtain the user information authenticated by the Kerberos server;
the comparison module is used for the background server to compare the user information obtained by decryption from the Kerberos server with the user information obtained by decryption from the corresponding service secret key sent by the user, and to judge whether the two are consistent; if they are consistent, the identity of the user is determined to be real, and the background server is allowed to perform the corresponding service connection for the user; if they are not consistent, the user information is determined to be unsafe information, and no service connection is performed for the user.
The processing module comprises:
the data change request module is used for sending a data change docking request to a shared node with a shared data link relation between nodes when the data change occurs to one node in the block chain when the block chain node processes the data of the service corresponding to the user;
a service key obtaining module, configured to, when the shared node receives a data change docking request of the blockchain node, request the blockchain node to obtain a corresponding service key provided by a user, and decrypt and obtain user information of the corresponding service from a Kerberos server;
the sending module is used for sending the user information acquired by the background server to the sharing node after the block chain node receives the corresponding service key providing request sent by the sharing node;
and the comparison and judgment module is used for the sharing node to compare the user information of the corresponding service obtained by decryption via the Kerberos server with the user information provided by the block chain node; if they are consistent, the sharing node carries out the corresponding data change, and if they are inconsistent, the sharing node sends a safety warning to the background server.
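The connection judging module (encryption, forwarding, decryption and comparison) and the processing module's data change verification (s301 to s304) above, as an added end-to-end example in Python that is not part of the patent: one Kerberos server, one background server, one block chain node and one shared node. The symmetric sealing primitive, the party and user names, the way the shared node obtains user information from the Kerberos server, and the per-user key for the user's own information (claim 3) are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

def _stream(key, nonce, n):
    # Keystream from SHAKE-256: a toy stand-in for the AES cipher real Kerberos uses
    return hashlib.shake_256(key + nonce).digest(n)

def seal(key, record):
    """Encrypt-then-MAC a JSON record under a symmetric key."""
    pt = json.dumps(record, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the record, or None if blob was not sealed under key or was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expect):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KerberosServer:
    def __init__(self):
        self.keys, self.users = {}, {}   # party -> long-term key; user -> authenticated info
    def issue_service_key(self, user, service):
        # Claim 2: user info plus required-service info, encrypted under the service's key
        rec = {"user": user, "service": service, "info": self.users[user]}
        return service, seal(self.keys[service], rec)
    def resolve_for(self, node, service_key):
        # s302 (mechanism assumed here): a shared node hands a service key back and
        # receives the user info inside it, re-sealed under the node's own key
        service, blob = service_key
        rec = unseal(self.keys[service], blob)
        return seal(self.keys[node], {"info": rec["info"] if rec else None})

class BackgroundServer:
    def __init__(self, service, kdc):
        kdc.keys[service] = self.key = secrets.token_bytes(32)
        self.service, self.user_keys, self.verified, self.warnings = service, {}, {}, []
    def connect(self, user, service_key, own_blob):
        """Decryption and comparison modules: connect only if both views agree."""
        service, blob = service_key
        from_kdc = unseal(self.key, blob)                      # from the Kerberos service key
        own = unseal(self.user_keys.get(user, b""), own_blob)  # user's own info (claim 3)
        if (service == self.service and from_kdc and own
                and from_kdc["user"] == user and from_kdc["info"] == own["info"]):
            self.verified[user] = from_kdc["info"]             # identity is real
            return True
        return False                                           # unsafe: no connection

class ChainNode:
    def __init__(self, backend, shared):
        self.backend, self.shared, self.keys = backend, shared, {}
    def process(self, user, service_key, change):
        self.keys[user] = service_key
        # s301: a data change on this node triggers a docking request to the shared node
        return self.shared.on_docking_request(self, {"user": user, "change": change})
    def provide(self, user):
        # s303: hand over the user's service key and the user info obtained from the backend
        return self.keys[user], self.backend.verified.get(user)

class SharedNode:
    def __init__(self, name, kdc, backend):
        kdc.keys[name] = self.key = secrets.token_bytes(32)
        self.name, self.kdc, self.backend, self.data = name, kdc, backend, {}
    def on_docking_request(self, node, req):
        service_key, backend_info = node.provide(req["user"])              # s302 / s303
        kdc_view = unseal(self.key, self.kdc.resolve_for(self.name, service_key))
        if backend_info is not None and kdc_view["info"] == backend_info:  # s304
            self.data[req["user"]] = req["change"]
            return "changed"
        self.backend.warnings.append("user info mismatch for " + req["user"])
        return "warning"

def run_demo():
    # Honest connect and change, then a change after an illegal update of stored info
    kdc = KerberosServer()
    backend = BackgroundServer("gradebook", kdc)
    shared = SharedNode("shared-node-1", kdc, backend)
    node = ChainNode(backend, shared)
    kdc.users["alice"] = info = {"id": "stu-1001", "role": "student"}  # constructed user
    backend.user_keys["alice"] = secrets.token_bytes(32)
    skey = kdc.issue_service_key("alice", "gradebook")
    own = seal(backend.user_keys["alice"], {"info": info})
    connected = backend.connect("alice", skey, own)
    first = node.process("alice", skey, {"grade": "A"})
    backend.verified["alice"]["role"] = "teacher"      # illegal update of the stored info
    second = node.process("alice", skey, {"grade": "A+"})
    forged = seal(backend.user_keys["alice"], {"info": {"id": "stu-1001", "role": "teacher"}})
    return {"connected": connected, "first": first, "second": second,
            "forged_connect": backend.connect("alice", skey, forged),
            "warnings": len(backend.warnings), "data": shared.data["alice"]}
```

run_demo() returns "changed" for the honest change and "warning" once the background server's stored user information has been altered behind the sharing node's back, with exactly one safety warning recorded and the second change not applied.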
The effect of the above technical scheme is: each module of the intelligent education safety protection system based on the Kerberos identity authentication protocol executes the corresponding steps of the method, and the requirements of big data component identity verification and fine-grained authority management can be effectively met. The above intelligent education safety protection system based on the Kerberos identity authentication protocol enables the intelligent education system to satisfy new security demands such as identity management and role-based fine-grained access control; at the same time, given the large number of Hadoop ecosystem components and their many versions, it enables every version of every component to carry out effective safety control operations.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (9)

1. A safety protection method for intelligent education based on Kerberos identity authentication protocol is characterized by comprising the following steps:
the user performs identity authentication on the Kerberos server through a password, and the validity after the identity authentication is locally reserved to a preset reserved time period;
verifying the authenticity of a user by using a Kerberos server in combination with a background server corresponding to a service required by the user according to the application of the user, and determining whether the background server performs service connection on the user according to a verification result;
sending a service requirement required by a real user to a block chain network, wherein the block chain network carries out corresponding processing on the user requirement;
the preset reserved time period is determined by the following formula:
Figure FDA0003750738270000011
wherein $T_y$ represents the preset reserved time period; $F_i$ represents the user access frequency in the $i$-th hour of operation of the intelligent education system; $n$ represents the number of operating hours of the intelligent education system; $F_{max}$ represents the maximum value of the hourly user access frequency after the intelligent education system has operated for the current time length; $F_{min}$ represents the minimum value of the hourly user access frequency after the intelligent education system has operated for the current time length; $C$ represents the amount of authentication validity data of the user stored locally at the user after authentication; $C_{max}$ represents the storage threshold allowed locally for storing the user's authentication validity; $T_0$ represents the initial value of the reserved time period.
2. The security protection method according to claim 1, wherein the verifying the authenticity of the user by using the Kerberos server in combination with a background server corresponding to the service required by the user according to the application of the user, and determining whether the background server performs service connection on the user according to a verification result comprises:
the method comprises the steps that a user applies for a service secret key corresponding to a specific service from a Kerberos server, the Kerberos server encrypts service required information corresponding to a service to be connected by the user and user self information after receiving the application of the service secret key to obtain a corresponding service secret key, and the corresponding service secret key is returned to the user;
the user forwards the corresponding service secret key to a specific background server corresponding to the service required by the user;
after receiving a corresponding service secret key sent by a user, the background server decrypts by using the secret key of the background server to obtain user information authenticated by the Kerberos server;
the background server compares the user information obtained by decryption from the Kerberos server with the user information obtained by decryption from the corresponding service secret key sent by the user, and judges whether the two are consistent; if they are consistent, the identity of the user is determined to be real, and the background server is allowed to perform the corresponding service connection for the user; and if they are not consistent, the user information is determined to be unsafe information, and no service connection is performed for the user.
3. The security protection method according to claim 2, wherein the user's own information is obtained by encrypting with a key of a background service corresponding to the service connection required by the user.
4. The security protection method according to claim 1, wherein the sending the service requirement required by the real user to a blockchain network, and the blockchain network performing corresponding processing on the user requirement includes:
when a block chain node processes data of a service corresponding to a user, and when data change occurs to one node in the block chain, sending a data change docking request to a shared node with a shared data link relation between the nodes;
when the shared node receives a data change docking request of the block chain node, the shared node requests the block chain node to acquire a corresponding service key provided by a user, and simultaneously decrypts the data change docking request from a Kerberos server to acquire user information of the corresponding service;
after receiving a corresponding service key providing request sent by the sharing node, the block chain node sends user information acquired by the background server to the sharing node;
and the sharing node compares the user information of the corresponding service obtained by decryption from the Kerberos server with the user information provided by the block chain nodes, if the user information is consistent, the sharing node changes the corresponding data, and if the user information is inconsistent, the sharing node sends a safety warning to the background server.
5. The security protection method of claim 1, further comprising: if the same user performs multiple identity authentications after the reserved time period, adjusting the reserved time period for the user, including:
monitoring the specific condition of user identity authentication in real time, and recording the number of times of identity authentication of the user within a preset specified monitoring time length when the same user starts to perform identity authentication again after the reserved time period;
and when the authentication times exceed the authentication times threshold, adjusting the reserved time period for the user through a reserved time adjustment model.
6. The security protection method according to claim 5, wherein the reserved time adjustment model is as follows:
Figure FDA0003750738270000021
wherein $T_1$ represents the adjusted locally reserved time period of the authentication validity for the user; $T_z$ represents the preset specified monitoring time length; $t_{max}$ represents the maximum value of the time interval between the user's multiple identity authentications within the preset specified monitoring time length; $t_{min}$ represents the minimum value of the time interval between the user's multiple identity authentications within the preset specified monitoring time length; $k$ represents the number of time intervals between the user's multiple identity authentications within the preset specified monitoring time length; $t_i$ represents the $i$-th time interval between the user's multiple identity authentications within the preset specified monitoring time length; $M$ represents the total number of identity authentications of the user within the preset specified monitoring time length; $M_0$ represents the authentication times threshold.
7. An intelligent education safety protection system based on the Kerberos identity authentication protocol, characterized in that the safety protection system comprises:
the identity authentication module is used for carrying out identity authentication on the Kerberos server through a password by a user, and the validity after the identity authentication is locally reserved to a preset reserved time period in the user;
the connection judging module is used for verifying the authenticity of the user by combining a background server corresponding to the service required by the user according to the application of the user by using the Kerberos server and determining whether the background server performs service connection on the user according to a verification result;
the processing module is used for sending the service requirement required by the real user to a block chain network, and the block chain network correspondingly processes the user requirement;
a reserved time period adjusting module, configured to adjust a reserved time period for the user if the same user performs multiple times of identity authentication after the reserved time period;
the preset reserved time period is determined by the following formula:
Figure FDA0003750738270000031
wherein $T_y$ represents the preset reserved time period; $F_i$ represents the user access frequency in the $i$-th hour of operation of the intelligent education system; $n$ represents the number of operating hours of the intelligent education system; $F_{max}$ represents the maximum value of the hourly user access frequency after the intelligent education system has operated for the current time length; $F_{min}$ represents the minimum value of the hourly user access frequency after the intelligent education system has operated for the current time length; $C$ represents the amount of authentication validity data of the user stored locally at the user after authentication; $C_{max}$ represents the storage threshold allowed locally for storing the user's authentication validity; $T_0$ represents the initial value of the reserved time period.
8. The safety protection system according to claim 7, wherein the connection judging module comprises:
the encryption module is used for a user to apply for a service key corresponding to a specific service from the Kerberos server, and for the Kerberos server, after receiving the service key application, to encrypt the service required information corresponding to the service to be connected by the user together with the user's own information to obtain the corresponding service key and return it to the user;
the forwarding module is used for forwarding the corresponding service secret key to a specific background server corresponding to the service required by the user;
the decryption module is used for decrypting the user information authenticated by the Kerberos server by using the self secret key after the background server receives the corresponding service secret key sent by the user;
the comparison module is used for the background server to compare the user information obtained by decryption from the Kerberos server with the user information obtained by decryption from the corresponding service secret key sent by the user, and to judge whether the two are consistent; if they are consistent, the identity of the user is determined to be real, and the background server is allowed to perform the corresponding service connection for the user; and if they are not consistent, the user information is determined to be unsafe information, and no service connection is performed for the user.
9. The safety protection system according to claim 7, wherein the processing module comprises:
the data change request module is used for sending a data change docking request to a shared node that has a shared data link relation with a node in the block chain when a data change occurs at that node while the block chain node is processing data of the service corresponding to the user;
the service key acquisition module is used for the shared node, when it receives a data change docking request of the block chain node, to request the block chain node to provide the corresponding service key supplied by the user, and at the same time to obtain, by decryption via the Kerberos server, the user information of the corresponding service;
the sending module is used for sending the user information acquired by the background server to the sharing node after the block chain node receives the corresponding service key providing request sent by the sharing node;
and the comparison and judgment module is used for the sharing node to compare the user information of the corresponding service obtained by decryption via the Kerberos server with the user information provided by the block chain node; if they are consistent, the sharing node changes the corresponding data, and if they are inconsistent, the sharing node sends a safety warning to the background server.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110253070.8A CN113055160B (en) 2021-03-03 2021-03-03 Intelligent education safety protection method and system based on Kerberos identity authentication protocol

Publications (2)

Publication Number Publication Date
CN113055160A CN113055160A (en) 2021-06-29
CN113055160B true CN113055160B (en) 2022-11-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 301, building D, Hongwei Industrial Zone, No.6 Liuxian 3rd road, Xingdong community, Xin'an street, Bao'an District, Shenzhen City, Guangdong Province

Applicant after: Shenzhen Yingshuo Intelligent Technology Co.,Ltd.

Address before: Room 301, building D, Hongwei Industrial Zone, No.6 Liuxian 3rd road, Xingdong community, Xin'an street, Bao'an District, Shenzhen City, Guangdong Province

Applicant before: Shenzhen YINGSHUO Education Service Co.,Ltd.

GR01 Patent grant