CN113572740B - Cloud management platform authentication encryption method based on state password - Google Patents


Publication number: CN113572740B
Authority: CN (China)
Prior art keywords: server, management platform, client, cloud management, encryption
Legal status: Active
Application number: CN202110743370.4A
Other languages: Chinese (zh)
Other versions: CN113572740A
Inventors: 陈都, 唐卓, 马兴旺
Current assignee: Changsha Zhengtong Cloud Calculating Co ltd; Shenzhen Zhengtong Electronics Co Ltd
Original assignee: Changsha Zhengtong Cloud Calculating Co ltd; Shenzhen Zhengtong Electronics Co Ltd
Events: application filed by Changsha Zhengtong Cloud Calculating Co ltd and Shenzhen Zhengtong Electronics Co Ltd; priority to CN202110743370.4A; publication of CN113572740A; application granted; publication of CN113572740B; current legal status active.

Classifications

All classes fall under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/0272 Network security architectures or protocols for separating internal from external traffic (e.g. firewalls): virtual private networks
    • H04L 63/045 Confidential data exchange among entities communicating through data packet networks, where the payload is protected by hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
    • H04L 63/0823 Authentication of entities using certificates
    • H04L 63/0869 Authentication of entities for achieving mutual authentication
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 9/14 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols using a plurality of keys or algorithms


Abstract

The invention discloses a cloud management platform authentication and encryption method based on the Chinese national cryptographic (SM) algorithms, comprising the following steps: step S110, building a multi-node OpenStack cluster; step S120, modifying the algorithm library in the OpenVPN source code and adding the SM2, SM3 and SM4 algorithms to form an SM VPN; step S130, deploying the cloud management platform on a control node of the OpenStack cluster; and step S140, the cloud management platform calling an API (application programming interface) or IaaS (infrastructure as a service) over the SM VPN. By building a multi-node OpenStack cluster and adding the SM2, SM3 and SM4 algorithms to form an SM VPN, the method encrypts data so that it cannot be intercepted in transit, guarantees the security and autonomous controllability of physical machines, virtual machines and services from the source, and achieves secure transmission of cloud management platform data.

Description

Cloud management platform authentication encryption method based on state password
Technical Field
The invention relates to the technical field of network security, and in particular to a cloud management platform authentication and encryption method based on the Chinese national cryptographic (SM) algorithms.
Background
As informatization deepens and the Internet develops rapidly, the way people work, study and live has changed greatly, efficiency has improved substantially, and information resources are shared to the greatest extent. The problem of information security that has grown alongside informatization is increasingly prominent; it is a matter of major concern to countries worldwide and has become the basis of national political security, economic security, social stability and the protection of public interests.
Autonomous controllability is the premise of guaranteeing network and information security, and against the background of frequent international trade frictions in recent years, the need to guarantee the security and controllability of the core information systems of China's government and industries has become especially prominent. High-security, autonomously controllable products developed on a domestic cryptographic system are a focus of the information security industry. A cloud management platform centrally manages physical machines, virtualization platforms, private clouds, public clouds and the cloud platforms of different suppliers, and is tied to the storage of many companies' data and the operation of their services, so access security on the cloud is particularly important. Most users access the cloud platform from the open environment of the Internet, which is complex and cannot be controlled, and once data is compromised the loss is irretrievable.
The cryptographic algorithm is the core of data transmission security, yet at present most cloud management platform service communication in China still relies on foreign cryptosystems such as DES and RSA, which carries a certain risk.
Disclosure of Invention
Based on this, it is necessary to provide a cloud management platform authentication and encryption method based on the SM algorithms, so that the security of physical machines, virtual machines and services is autonomously controllable from the source, the cloud management platform is safer and more reliable, and the information encryption is not easily broken.
In order to solve the technical problems, the invention adopts the following technical scheme:
the invention provides a cloud management platform authentication and encryption method based on the SM algorithms, comprising the following steps:
step S110, building a multi-node OpenStack cluster;
step S120, modifying the algorithm library in the OpenVPN source code and adding the SM2, SM3 and SM4 algorithms to form an SM VPN;
step S130, deploying the cloud management platform on a control node of the OpenStack cluster;
step S140, the cloud management platform calling an API (application programming interface) or IaaS (infrastructure as a service) over the SM VPN, wherein the API is provided by an API compatibility layer and the IaaS by an IaaS infrastructure layer; the cloud management platform is set as the client, and the IaaS infrastructure layer or the API compatibility layer is set as the server.
In one embodiment, in step S140, the cloud management platform calling the API interface or IaaS over the SM VPN specifically comprises:
step S141, the client, on the user's request, sends a Server_hello message to the server, the content of which comprises the SSL version information, a server random number used for key generation, a session number and the selected SM2 encryption algorithm;
step S142, on receipt the server responds to the Server_hello message, returning the SSL protocol version information, the encryption algorithm type, a random number, and an SM2-encrypted public key certificate issued by the CA the server trusts;
step S143, the client verifies whether the server's public key certificate it received is legitimate; if so, go to step S144; if not, terminate the communication;
step S144, the server verifies whether the client's public key certificate issued by the client's CA is legitimate; if so, go to step S145; if not, terminate the communication;
step S145, after the client certificate passes verification, the server generates a random number as the key for SM4 symmetric encryption, and the server obtains the client's public key;
step S146, the client sends the SM4 symmetric encryption algorithm schemes it supports to the server for selection;
step S147, the server selects the encryption scheme with the highest security from the schemes offered by the client, encrypts it with the client's public key it obtained to form the encryption mode, and returns the encryption mode to the client;
step S148, after receiving the encryption mode, the client decrypts it with its private key, generates a random code as the symmetric encryption key, encrypts the random code with the server's public key and sends it to the server;
step S149, the server decrypts with its private key to obtain the SM4 key, and the tunnel is established.
In one embodiment, the SM4 symmetric encryption algorithm scheme in step S146 is formed by modifying the algorithm library in the OpenVPN source code.
In one embodiment, the method further comprises:
step S150, accessing the cloud management platform through a browser based on SM one-way authentication.
In one embodiment, in step S150, accessing the cloud management platform through a browser based on SM one-way authentication specifically comprises:
step S151, the client sends the TLS version information, a server random number used for key generation, a session number and the selected SM2 encryption algorithm to the server;
step S152, the server responds with the SSL information, a random number and the signed SM2 certificate public key;
step S153, the client verifies the server's certificate against the CA trusted by the browser;
step S154, the client sends the SM4 symmetric encryption algorithm schemes required by the server;
step S155, the server selects the scheme with the highest encryption strength from the encryption algorithm schemes and sends it to the client;
step S156, after receiving the SM4 encryption scheme, the client generates a random code as the SM2 asymmetric encryption key, encrypts it with the server's public key and sends the encrypted information to the server;
step S157, the server decrypts the encrypted information with its private key to obtain the SM4 symmetric encryption key;
step S158, the intranet access encryption channel is established and communication begins.
In one embodiment, the method further comprises:
step S160, accessing the cloud management platform on the external network based on SM TLS mutual authentication.
In one embodiment, in step S160, accessing the cloud management platform on the external network based on SM TLS mutual authentication comprises:
step S161, the client sends a Client_hello message to the server;
step S162, on receiving it, the server responds with a Server_hello message and then sends its CA-authenticated SM2 certificate;
step S163, after receiving the SM2 certificate, the client verifies it against the CA authority it trusts;
step S164, after verification passes, the client encrypts its own SM2 certificate with the server's public key and sends it;
step S165, the server decrypts with the server private key to obtain the client certificate and verifies its legitimacy;
step S166, after both parties' certificates have been verified as legitimate, the cipher suite scheme is negotiated; the client adopts the SM4 symmetric encryption algorithm and sends the cipher suite schemes it supports to the server;
step S167, the server decrypts the client-supported cipher suite schemes with the SM4 algorithm, selects the encryption scheme with the highest security among them, and returns it to the client;
step S168, the user's access establishes the encryption channel to the cloud management platform on the external network, and data transmission proceeds.
In one embodiment, the content of the Client_hello message in step S160 includes the TLS protocol information, a random number, a session ID and the supported encryption algorithms.
In one embodiment, the method further comprises:
step S170, accessing a virtual machine from the cloud management platform based on an SM SSH tunnel.
In one embodiment, step S170, accessing a virtual machine from the cloud management platform based on an SM SSH tunnel, comprises:
step S171, creating a virtual machine on the cloud management platform;
step S172, accessing the cloud management platform with an SM-enabled browser, the SM-enabled browser being preset with a signed SM certificate;
step S173, compiling openssh-server on the virtual machine and extending the algorithm library of openssh-server to support the SM2, SM3 and SM4 algorithms;
step S174, installing an openssh-client terminal supporting the SM algorithms.
In conclusion, the cloud management platform authentication and encryption method based on the SM algorithms builds a multi-node OpenStack cluster and adds the SM2, SM3 and SM4 algorithms to form an SM VPN, encrypts data to prevent it being intercepted in transit, guarantees the security, autonomy and controllability of physical machines, virtual machines and services from the source, and achieves secure transmission of cloud management platform data.
Drawings
Fig. 1 is a schematic flowchart of a first cloud management platform authentication and encryption method based on the SM algorithms according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a second cloud management platform authentication and encryption method based on the SM algorithms according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a third cloud management platform authentication and encryption method based on the SM algorithms according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a fourth cloud management platform authentication and encryption method based on the SM algorithms according to an embodiment of the present invention;
fig. 5 is an architecture diagram corresponding to a cloud management platform authentication and encryption method based on the SM algorithms according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art may better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments; it is obvious that the described embodiments are only a part of the embodiments of the present invention and not all of them. All other embodiments obtained by a person skilled in the art without creative effort on the basis of the embodiments in the present invention belong to the protection scope of the present invention.
Fig. 1 is a schematic flowchart of the first cloud management platform authentication and encryption method based on the SM algorithms provided in an embodiment of the present invention; as shown in fig. 1, the method specifically includes the following steps:
step S110, building a multi-node OpenStack cluster; the cloud management platform generally builds a highly available OpenStack cluster whose components are distributed over different nodes, and messages are issued to each component through a control node of the OpenStack cluster.
step S120, modifying the algorithm library in the OpenVPN source code and adding the SM2, SM3 and SM4 algorithms to form an SM VPN, which replaces the message communication among node components in the OpenStack cluster, such as the Nova and Glance components; the key is encrypted with the SM2 algorithm, which is more complex, so that cross-node data transmission is effectively protected from being cracked easily.
The SM VPN can be used with a virtual network card and the SSL (Secure Sockets Layer) protocol. After the SM VPN is installed, the host automatically generates a virtual network card, and the SM VPN provides two kinds of virtual network interface through the universal Tun/Tap driver: through the virtual network interface a layer-3 IP tunnel or a virtual layer-2 Ethernet can be established. The virtual network interface can carry any type of layer-2 Ethernet data, and the transmitted layer-2 Ethernet data is compressed with the LZO algorithm so that it travels more compactly and faster; after the network connection is established, message communication among all node components of the OpenStack cluster is carried through the virtual network card.
step S130, deploying the cloud management platform on the control node of the OpenStack cluster, so that user data and passwords are guaranteed to be encrypted with the SM2 algorithm before being stored in the cloud management platform's backend database.
step S140, the cloud management platform calls an API (application programming interface) or IaaS (infrastructure as a service) over the SM VPN; specifically, the cloud management platform on the external network accesses the API interface or the underlying IaaS on the internal network and transmits data through a bidirectionally encrypted tunnel based on the SM VPN.
Here the API interface is provided by an API compatibility layer and the IaaS by an IaaS infrastructure layer; the cloud management platform is set as the client and the IaaS infrastructure layer or the API compatibility layer as the server, and the IaaS infrastructure layer uses a domestic, autonomously controllable server or operating system, such as a Huawei TaiShan server or the Kylin operating system, so as to isolate the intranet.
In step S140, the cloud management platform calling the API interface or IaaS over the SM VPN proceeds as follows:
step S141, the client, on the user's request, sends a Server_hello message to the server, the content of which comprises the SSL version information, a server random number used for key generation, a session number and the selected SM2 encryption algorithm;
step S142, on receipt the server responds to the Server_hello message, returning the SSL protocol version information, the encryption algorithm type, a random number, and an SM2-encrypted public key certificate issued by the CA the server trusts;
step S143, the client verifies whether the public key certificate it received from the server is legitimate, for example whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the returned public key can verify the digital signature in the returned certificate, and whether the domain names match; if so, go to step S144; if not, terminate the communication;
step S144, the server verifies whether the client's public key certificate issued by the client's CA is legitimate; if so, go to step S145; if not, terminate the communication. Unlike one-way authentication, this prevents impersonation by an attacker and improves the reliability and security of transmission for both client and server: the client sends its own certificate to the server, and the server verifies the client's certificate against the CA (certificate authority) it trusts;
step S145, after the client certificate passes verification, the server generates a random number as the key for SM4 symmetric encryption, and the server obtains the client's public key;
step S146, the client sends the SM4 symmetric encryption algorithm schemes it supports to the server for selection; the SM4 symmetric encryption algorithm scheme is formed by modifying the algorithm library in the OpenVPN source code;
step S147, the server selects the encryption scheme with the highest security from the schemes offered by the client, encrypts it with the client's public key it obtained to form the encryption mode, and returns the encryption mode to the client; the encryption mode is thus the highest-security encryption scheme encrypted with the client's public key;
step S148, after receiving the encryption mode, the client decrypts it with its private key, generates a random code as the symmetric encryption key, encrypts the random code with the server's public key and sends the encrypted random code to the server;
step S149, the server decrypts with its private key to obtain the SM4 key, and the tunnel is established; subsequent communication between client and server is encrypted with the SM4 key, guaranteeing the security of information exchanged between them.
In this embodiment, for the security of data transmission when a cloud management platform on the external network calls the underlying OpenStack, bidirectional SM VPN encryption is used: not only is the virtual network card used for transport when the underlying API interface is called to transmit data, but when the cloud management platform as client and the underlying API interface as server establish a connection to transmit data, bidirectional encryption with the SM algorithms is used and the parties mutually authenticate each other's public key certificates, so that the connection is established and data transmitted only between authenticated parties.
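The S141-S149 exchange as a runnable decision flow, added here as an example and not part of the patent or of any implementation by the applicants. It carries out the four checks step S143 names (expiry, trusted issuing CA, signature verification, domain-name match) and the terminate-on-failure rule of S143 and S144; with `mutual=False` it reduces to the one-way flow of S151-S158, in which only the client checks a certificate. Every certificate field, CA name and key below is constructed for the demo, and because the Python standard library has no SM2, the CA signature is stood in by HMAC-SHA256 (so the trust store holds the CA's verification key rather than a public key); the SM4 key transport of S145-S149 is not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed trust anchors for the demo. The patent's scheme uses SM2 certificates
# signed by a CA; here the CA "signs" with HMAC-SHA256 (stand-in, not asymmetric),
# so a trust store maps CA name -> the key needed to check that CA's signatures.
CA_KEYS = {"PlatformCA": b"platform-ca-demo-key", "ClientCA": b"client-ca-demo-key"}


@dataclass(frozen=True)
class Cert:
    subject: str       # domain name (server) or identity (client)
    issuer: str        # name of the issuing CA
    not_after: int     # expiry as a Unix timestamp
    public_key: bytes  # stand-in for the SM2 public key
    signature: bytes   # CA signature over the to-be-signed fields


def _tbs(subject: str, issuer: str, not_after: int, public_key: bytes) -> bytes:
    """Canonical encoding of the fields the CA signs."""
    return b"|".join([subject.encode(), issuer.encode(), str(not_after).encode(), public_key])


def issue_cert(issuer: str, ca_key: bytes, subject: str, not_after: int, public_key: bytes) -> Cert:
    """Constructed CA: signs the TBS fields (HMAC-SHA256 stands in for an SM2 signature)."""
    sig = hmac.new(ca_key, _tbs(subject, issuer, not_after, public_key), hashlib.sha256).digest()
    return Cert(subject, issuer, not_after, public_key, sig)


def verify_cert(cert: Cert, trust_store: dict, now: int, expected_name: str = None):
    """The four checks named in step S143: not expired, issuing CA trusted,
    signature verifies, domain name matches. Returns (ok, reason)."""
    if now > cert.not_after:
        return False, "certificate expired"
    ca_key = trust_store.get(cert.issuer)
    if ca_key is None:
        return False, "issuing CA not trusted"
    expected = hmac.new(ca_key, _tbs(cert.subject, cert.issuer, cert.not_after, cert.public_key),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.signature):
        return False, "signature does not verify"
    if expected_name is not None and cert.subject != expected_name:
        return False, "domain name mismatch"
    return True, "ok"


def handshake(server_cert, client_cert, client_trust, server_trust, server_name, now, mutual=True):
    """Steps S141-S149 as a decision flow. Returns (log, sm4_key); sm4_key is None
    when either side terminates the communication. mutual=False skips S144, giving
    the one-way flow of steps S151-S158."""
    log = [("S141", "client sends hello with client random")]
    log.append(("S142", "server returns hello, random and its certificate"))
    ok, why = verify_cert(server_cert, client_trust, now, expected_name=server_name)  # S143
    log.append(("S143", why))
    if not ok:
        return log, None
    if mutual:
        ok, why = verify_cert(client_cert, server_trust, now)  # S144
        log.append(("S144", why))
        if not ok:
            return log, None
    # S145-S149: a fresh 128-bit SM4 session key is produced only after both checks
    # pass; its transport under the peer's public key is not modelled here.
    sm4_key = secrets.token_bytes(16)
    log.append(("S149", "tunnel established"))
    return log, sm4_key


def run_scenarios(now: int = 1_700_000_000):
    """Three constructed runs: a valid handshake, an expired server certificate,
    and a client certificate from a CA the server does not trust."""
    good_server = issue_cert("PlatformCA", CA_KEYS["PlatformCA"], "api.cloud.internal", now + 86400, b"srv-pub")
    expired_server = issue_cert("PlatformCA", CA_KEYS["PlatformCA"], "api.cloud.internal", now - 1, b"srv-pub")
    good_client = issue_cert("ClientCA", CA_KEYS["ClientCA"], "cmp-console", now + 86400, b"cli-pub")
    rogue_client = issue_cert("RogueCA", b"rogue-demo-key", "cmp-console", now + 86400, b"cli-pub")
    client_trust = {"PlatformCA": CA_KEYS["PlatformCA"]}
    server_trust = {"ClientCA": CA_KEYS["ClientCA"]}
    results = {}
    for name, s_cert, c_cert in [("valid", good_server, good_client),
                                 ("expired_server", expired_server, good_client),
                                 ("untrusted_client", good_server, rogue_client)]:
        log, key = handshake(s_cert, c_cert, client_trust, server_trust, "api.cloud.internal", now)
        results[name] = (log[-1], key is not None)
    return results


if __name__ == "__main__":
    for name, (last, established) in run_scenarios().items():
        print(f"{name:17s} last step {last[0]}: {last[1]} -> tunnel={'yes' if established else 'no'}")
```

Running the file prints the three scenarios. The point to take from it is that no key material exists until every check on both sides has passed; that ordering, rather than the choice of cipher, is what the mutual-authentication step relies on to stop an impersonating peer.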
As shown in fig. 2, in one embodiment, the cloud management platform authentication and encryption method based on the SM algorithms further includes:
step S150, accessing the cloud management platform through a browser based on SM one-way authentication; platform administrators and operations staff access the cloud management platform through SM one-way authentication, generally from a browser on the company intranet, which is a controllable environment, so SM HTTPS one-way authentication that checks only the server's security is sufficient.
Step S150, accessing the cloud management platform through a browser based on SM one-way authentication, specifically includes:
step S151, the client sends the TLS version information, a server random number used for key generation, a session number and the selected SM2 encryption algorithm to the server;
step S152, the server responds with the SSL information, a random number and the signed SM2 certificate public key;
step S153, the client verifies the server's certificate against the CA trusted by the browser;
step S154, the client sends the SM4 symmetric encryption algorithm schemes required by the server;
step S155, the server selects the scheme with the highest encryption strength from the encryption algorithm schemes and sends it to the client;
step S156, after receiving the SM4 encryption scheme, the client generates a random code as the SM2 asymmetric encryption key, encrypts it with the server's public key and sends the encrypted information to the server;
step S157, the server decrypts the encrypted information with its private key to obtain the SM4 symmetric encryption key;
step S158, the intranet access encryption channel is established and communication begins.
In this embodiment, for the security of data access when the operations staff and administrators of the cloud management platform access cloud services in the controllable environment of the company intranet, the SM TLS protocol is adopted in place of the SSL protocol and an SM one-way authentication mechanism is added. Compared with SSL, TLS improves security considerably: a keyed algorithm is used for message authentication, TLS adopting the keyed-hash message authentication code (HMAC) so that records cannot be altered during transmission; the enhanced pseudo-random function (PRF) uses two hash algorithms to guarantee the security of the construction, so that even if one algorithm is compromised the other still protects the data; certificate handling is consistent, TLS specifying the certificate type when server and client certificates are exchanged; and alert messages are specific, the alerts provided by TLS recording problems detected at either endpoint during communication.
As shown in fig. 3, in one embodiment, the cloud management platform authentication and encryption method based on the SM algorithms further includes:
step S160, accessing the cloud management platform on the external network based on SM TLS mutual authentication; specifically, in step S160, accessing the cloud management platform on the external network based on SM TLS mutual authentication includes:
step S161, the client sends a Client_hello message to the server, the content of which comprises the TLS protocol information, a random number, a session ID, the supported encryption algorithms and so on;
step S162, on receiving it, the server responds with a Server_hello message and then sends its CA-authenticated SM2 certificate;
step S163, after receiving the SM2 certificate, the client verifies it against the CA authority it trusts;
step S164, after verification passes, the client encrypts its own SM2 certificate with the server's public key and sends it;
step S165, the server decrypts with the server private key to obtain the client certificate and verifies its legitimacy;
step S166, after both parties' certificates have been verified as legitimate, the cipher suite scheme is negotiated; the client adopts the SM4 symmetric encryption algorithm and sends the cipher suite schemes it supports to the server;
step S167, the server decrypts the client-supported cipher suite schemes with the SM4 algorithm, selects the encryption scheme with the highest security among them, and returns it to the client;
step S168, the user's access establishes the encryption channel to the cloud management platform on the external network, and data transmission proceeds.
In this embodiment, for the security of a user accessing the cloud management platform in the uncontrollable Internet environment, TLS mutual authentication based on the SM algorithms is adopted: both client and server use the SM2-SM3-SM4 algorithms to encrypt transmitted data and verify the other party's public key certificate, preventing tampering by a man-in-the-middle.
As shown in fig. 4, in one embodiment, the cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms further includes:
step S170, accessing the virtual machine from the cloud management platform through an SSH tunnel based on the SM algorithms. Conventional login to a virtual machine generally uses OpenSSL to issue a certificate and configure a key for password-free login, or uses plaintext password access. OpenSSL uses the RSA asymmetric encryption algorithm, whose keys are long (generally 1024 bits) and hard to remember. GmSSL is therefore used in place of OpenSSL: on top of OpenSSL, GmSSL adds support for the SM2/SM3/SM4 cryptographic algorithms and for the ECIES, CPK and ZUC algorithms, can replace the OpenSSL components in an application, and thereby gives the application cryptographic-key-based security capability automatically. The user accesses the virtual machine with a certificate issued by GmSSL using the SM2 asymmetric algorithm; the SM3 hash algorithm verifies the digital signature to ensure that the key has not been tampered with; finally, the SM4 algorithm encrypts the data the user transmits to the virtual machine, securing the link over which the user accesses the virtual machine.
The step S170, accessing the virtual machine from the cloud management platform through the SM-based SSH tunnel, specifically includes the following operations:
step S171, creating virtual machines on the cloud management platform;
step S172, accessing the cloud management platform with an SM-capable browser, the browser having a signed SM certificate preinstalled;
step S173, compiling openssh-server on the virtual machine and extending its algorithm library to support the SM2, SM3 and SM4 cryptographic algorithms, the virtual machine having GmSSL installed;
step S174, installing an openssh-client terminal that supports the SM algorithms, so that the user can access the virtual machine through the cloud management platform more safely and reliably.
In this embodiment, to secure the data transmission when a cloud management platform user directly accesses an underlying virtual machine, transmission encryption over an SM-based SSH tunnel is adopted: SM2-SM3-SM4 algorithm support is added to the OpenSSH client and server, SM2 encryption is used during key algorithm negotiation, and SM3 verifies the integrity of the data; after the connection is established, data is encrypted with the faster SM4 algorithm and digitally signed with the SM3 algorithm. The method uses safe and reliable SM algorithms and logs in to the virtual machine with a key, which is also more convenient and faster than plaintext account-password access.
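As an added example for the SM3 integrity check named above (written for this page, not code from the patent, GmSSL or OpenSSH), the following pure-Python SM3 implementation is checked against the two example digests of GB/T 32905-2016 and is then used as HMAC-SM3 to tag and verify a record; the session key and the record are constructed samples. A bare SM3 digest only detects accidental corruption, because whoever can change the data can recompute it; keying the hash (HMAC) is what lets the receiver reject a modified record, which is the property the embodiment wants from "SM3 verifies the integrity of the data".

```python
# Added example (not from the patent, GmSSL or OpenSSH): SM3 hash per
# GB/T 32905-2016 and HMAC-SM3 for checking record integrity.
import hmac

SM3_IV = (0x7380166f, 0x4914b2b9, 0x172442d7, 0xda8a0600,
          0xa96f30bc, 0x163138aa, 0xe38dee4d, 0xb0fb0e4e)
MASK = 0xFFFFFFFF


def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def _ff(x, y, z, j):  # boolean function FF_j
    return x ^ y ^ z if j < 16 else (x & y) | (x & z) | (y & z)


def _gg(x, y, z, j):  # boolean function GG_j
    return x ^ y ^ z if j < 16 else (x & y) | (~x & z & MASK)


def _p0(x):
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)


def _p1(x):
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)


def _compress(v, block):
    """Compression function CF: one 512-bit block into the 256-bit state."""
    w = [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(16)]
    for j in range(16, 68):  # message expansion W_16..W_67
        w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                 ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]  # W'_0..W'_63
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        t = 0x79cc4519 if j < 16 else 0x7a879d8a
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        tt1 = (_ff(a, b, c, j) + d + ss2 + w1[j]) & MASK
        tt2 = (_gg(e, f, g, j) + h + ss1 + w[j]) & MASK
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
    return tuple(x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h)))


def sm3(msg: bytes) -> bytes:
    """SM3 digest: pad to a multiple of 64 bytes with 0x80, zeros and the 64-bit length."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + bit_len.to_bytes(8, "big")
    v = SM3_IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return b"".join(x.to_bytes(4, "big") for x in v)


def hmac_sm3(key: bytes, msg: bytes) -> bytes:
    """Standard HMAC construction (RFC 2104) over SM3; the block size is 64 bytes."""
    if len(key) > 64:
        key = sm3(key)
    key = key.ljust(64, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5c for k in key)
    return sm3(opad + sm3(ipad + msg))


def verify_record(key: bytes, record: bytes, tag: bytes) -> bool:
    # constant-time comparison so the check itself leaks nothing about the tag
    return hmac.compare_digest(hmac_sm3(key, record), tag)


def demo_integrity_check():
    """Constructed sample: a tagged record is accepted, a modified one is rejected."""
    session_key = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed
    record = b"vm-0042: state=running"  # constructed sample payload
    tag = hmac_sm3(session_key, record)
    intact = verify_record(session_key, record, tag)
    altered = verify_record(session_key, record.replace(b"running", b"stopped"), tag)
    return intact, altered  # (True, False)
```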
As shown in fig. 5, to make the technical solution of the present invention clearer, a preferred embodiment is described below.
step S110, building a multi-node Openstack cluster;
step S120, modifying the algorithm library in the OpenVPN source code and adding the SM2, SM3 and SM4 cryptographic algorithms to form an SM VPN;
step S130, deploying the cloud management platform on a control node of the Openstack cluster;
step S140, calling the API (application programming interface) or the IaaS (infrastructure as a service) interface from the cloud management platform based on the SM VPN;
step S150, accessing the cloud management platform through a browser based on SM one-way authentication;
step S160, accessing the cloud management platform on the external network based on SM TLS bidirectional authentication;
step S170, accessing the virtual machine from the cloud management platform through an SM-based SSH tunnel.
In summary, the cloud management platform authentication encryption method based on the SM algorithms builds a multi-node Openstack cluster, adds the SM2, SM3 and SM4 algorithms to form an SM VPN, and encrypts data so that it cannot be stolen in transit; this secures the physical machines, virtual machines and services at the source, keeps them independent and controllable, and achieves secure transmission of cloud management platform data.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described generally in terms of their function in the foregoing description for the purpose of clearly illustrating the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. For example, the system embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
The above examples are merely illustrative of several embodiments of the present invention, and the description thereof is more specific and detailed, but not to be construed as limiting the scope of the invention. It should be noted that various changes and modifications can be made by those skilled in the art without departing from the spirit of the invention, and these changes and modifications are all within the scope of the invention. Therefore, the protection scope of the present invention should be subject to the appended claims.

Claims (9)

1. A cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms, characterized by comprising the following steps:
step S110, building a multi-node Openstack cluster;
step S120, modifying the algorithm library in the OpenVPN source code and adding the SM2, SM3 and SM4 cryptographic algorithms to form an SM VPN;
step S130, deploying a cloud management platform on a control node of the Openstack cluster;
step S140, calling an API (application programming interface) or an IaaS (infrastructure as a service) interface from the cloud management platform based on the SM VPN, wherein the API is provided by an API compatibility layer and the IaaS interface is provided by an IaaS infrastructure layer; the cloud management platform is set as the client, and the IaaS infrastructure layer or the API compatibility layer is set as the server;
wherein in step S140, the cloud management platform based on the SM VPN calling the API or IaaS interface specifically includes the following operations:
step S141, the client sends a Server_hello message to the server based on the user's request, the content of the Server_hello message including SSL version information, a server random number used for generating a key, a session number and the selected SM2 encryption algorithm;
step S142, on receipt, the server responds to the Server_hello message, returning SSL protocol version information, the encryption algorithm type, a random number and a public key certificate encrypted with the SM2 algorithm and issued by a CA trusted by the server;
step S143, the client verifies whether the received server public key certificate is legitimate; if so, go to step S144; if not, terminate the communication;
step S144, the server verifies whether the client's CA-issued public key certificate is legitimate; if so, go to step S145; if not, terminate the communication;
step S145, after the client certificate passes verification, the server generates a random number as the key for SM4 symmetric encryption, and the server obtains the client's public key;
step S146, the client sends the SM4 symmetric encryption algorithm schemes it supports to the server for selection;
step S147, the server selects the encryption scheme with the highest security from the encryption algorithm schemes offered by the client, encrypts it with the obtained client public key to form an encryption mode, and returns the encryption mode to the client;
step S148, after receiving the encryption mode, the client decrypts the encrypted data with its private key, generates a random code to serve as the symmetric encryption key, encrypts the random code with the server's public key and sends it to the server;
step S149, the server decrypts with its private key to obtain the SM4 key, and the tunnel is established.
2. The cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms of claim 1, wherein the SM4 symmetric encryption algorithm scheme in step S146 is formed by modifying the algorithm library in the OpenVPN source code.
3. The cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms of claim 1, further comprising:
step S150, accessing the cloud management platform through a browser based on SM one-way authentication.
4. The cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms of claim 3, wherein the step S150 of accessing the cloud management platform through the browser based on SM one-way authentication specifically comprises:
step S151, the client sends TLS version information, a server random number used for generating the key, a session number and the selected SM2 encryption algorithm to the server;
step S152, the server responds with SSL information, a random number and a signed SM2 certificate public key;
step S153, the client verifies the server's certificate against the CA trusted by the browser;
step S154, the client sends the SM4 symmetric encryption algorithm schemes required by the server;
step S155, the server selects the scheme with the highest encryption strength from the encryption algorithm schemes and sends it to the client;
step S156, after receiving the SM4 encryption scheme, the client generates a random code as the SM2 asymmetric encryption key, encrypts it with the server's public key, and sends the encrypted information to the server;
step S157, the server decrypts the encrypted information with its private key to obtain the SM4 symmetric encryption key;
step S158, an intranet access encryption channel is established and communication begins.
5. The cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms of claim 1, further comprising:
step S160, accessing the cloud management platform on the external network based on SM TLS bidirectional authentication.
6. The cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms of claim 5, wherein the step S160 of accessing the cloud management platform on the external network based on SM TLS bidirectional authentication includes the following specific operations:
step S161, the client sends a Client_hello message to the server;
step S162, after receiving it, the server responds with a Server_hello message and then sends its CA-certified SM2 certificate;
step S163, after receiving the SM2 certificate, the client verifies it against the CA organization trusted by the client;
step S164, after the verification passes, the client encrypts its own SM2 certificate with the server's public key and sends it;
step S165, the server decrypts with the server private key to obtain the client certificate and verifies the legitimacy of the certificate;
step S166, after both parties' certificates have been verified as legitimate, the cipher suite scheme negotiation is carried out: the client adopts the SM4 symmetric encryption algorithm and sends the cipher suite schemes it supports to the server;
step S167, the server decrypts the cipher suite list supported by the client using the SM4 algorithm, selects the encryption scheme with the highest security from that list, and returns the selected scheme to the client;
step S168, the encrypted channel between the user and the cloud management platform on the external network is established, and data transmission proceeds over it.
7. The cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms of claim 6, wherein the content of the Client_hello message in step S160 includes TLS protocol information, a random number, a session ID and the supported encryption algorithms.
8. The cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms of claim 1, further comprising:
step S170, accessing the virtual machine from the cloud management platform through an SM-based SSH tunnel.
9. The cloud management platform authentication encryption method based on the national cryptographic (SM) algorithms of claim 8, wherein the step S170 of accessing the virtual machine from the cloud management platform through the SM-based SSH tunnel includes:
step S171, creating virtual machines on the cloud management platform;
step S172, accessing the cloud management platform with an SM-capable browser, the browser having a signed SM certificate preinstalled;
step S173, compiling openssh-server on the virtual machine and extending its algorithm library to support the SM2, SM3 and SM4 cryptographic algorithms;
step S174, installing an openssh-client terminal that supports the SM algorithms.
CN202110743370.4A 2021-06-30 2021-06-30 Cloud management platform authentication encryption method based on state password Active CN113572740B (en)

Publications (2)

Publication Number Publication Date
CN113572740A CN113572740A (en) 2021-10-29
CN113572740B true CN113572740B (en) 2023-04-18

Family

ID=78163401

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553957B (en) * 2022-01-10 2024-05-24 网宿科技股份有限公司 Service system and method compatible with national cipher and international HTTPS transmission
CN114978576A (en) * 2022-04-06 2022-08-30 黄子琦 Communication method and system for coexistence of national password/IPSec VPN
CN114499897B (en) * 2022-04-14 2022-08-02 成都边界元科技有限公司 Self-adaptive verification method and verification system for SM2 security certificate
CN114979105B (en) * 2022-05-31 2023-06-27 杭州迪普科技股份有限公司 Method and device for automatically identifying national cipher and commercial cipher business through SSL load balancing equipment
CN115567211A (en) * 2022-10-10 2023-01-03 广州大学 Encryption communication method for multi-robot PLC control system
CN115378578B (en) * 2022-10-25 2023-02-03 国网信息通信产业集团有限公司 SD-WAN (secure digital-to-Wide area network) implementation method and system based on SM4 cryptographic key

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107959588A (en) * 2017-12-07 2018-04-24 郑州云海信息技术有限公司 Cloud resource management method, cloud resource management platform and the management system of data center
CN109743205A (en) * 2018-12-29 2019-05-10 浪潮电子信息产业股份有限公司 A kind of cloud platform OS network management, device and server
CN110677499A (en) * 2019-10-30 2020-01-10 北京普瑞华夏国际教育科技有限公司 Cloud resource management application system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10515562B2 (en) * 2015-11-04 2019-12-24 EDUCATION4SIGHT GmbH Systems and methods for instrumentation of education processes

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
An OpenStack block storage acceleration scheme based on Yunxin-1 (云芯一号); Wang Jiebing et al.; Software Guide (软件导刊), issue 12; full text *
Research and design of security functions for security middleware based on national cryptographic algorithms; Liu Di et al.; Network Security Technology & Application (网络安全技术与应用); 2017-04-15, issue 4; page 2 of the main text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant