(11) EP 3 197 121 A1
(12) EUROPEAN PATENT APPLICATION
published in accordance with Art. 153(4) EPC
(54) INFORMATION SECURITY REALIZING METHOD AND SYSTEM BASED ON DIGITAL CERTIFICATE
(57) A digital certificate based information security realization method and system are provided. The method includes: separately issuing a digital certificate for a cloud management host, a physical cloud computing host and a virtual cloud computing machine; and carrying out a compliance authentication according to the corresponding digital certificate when the cloud management host, the physical cloud computing host and the virtual cloud computing machine start up or are in the running process. By drawing on digital certificate trust chain technology and combining it with a cloud management system, the digital certificate based information security realization method and system provided in embodiments of the present invention realize trusted systems for the cloud management system, the physical host and the virtual machine; besides, by putting emphasis on the security protection of the host platform of the system itself, the security of a virtual cloud platform is improved.
Technical Field
Background
Summary
separately issuing a digital certificate for a cloud management host, a physical cloud computing host and a virtual cloud computing machine; and
carrying out a compliance authentication according to a corresponding digital certificate when the cloud management host, the physical cloud computing host and the virtual cloud computing machine start up or are in the running process.
a CA center generates a digital certificate for the cloud management host according to the key attribute information of the cloud management host and makes a card;
the cloud management host acquires the key attribute information of the physical cloud computing host through a certificate proxy deployed on a corresponding physical cloud computing host and sends an application for a digital certificate for the physical cloud computing host to the CA center according to the key attribute information acquired; and
the CA center verifies the digital certificate of the cloud management host and, if the verification is passed, it generates a digital certificate for the physical cloud computing host according to the key attribute information of the physical cloud computing host and makes a card.
after verifying that the physical cloud computing host to which the virtual cloud computing machine belongs is normal, the cloud management host acquires the key attribute information of the virtual cloud computing machine and sends an application for a digital certificate for the virtual cloud computing machine to the CA center according to the key attribute information acquired;
the CA center verifies the digital certificate of the cloud management host and, if the verification is passed, it generates a digital certificate file for the virtual cloud computing machine according to the key attribute information of the virtual cloud computing machine;
the CA center returns an encrypted digital certificate file for the virtual cloud computing machine to the cloud management host; and
the cloud management host returns the encrypted digital certificate file for the virtual cloud computing machine to the physical cloud computing host to which the virtual cloud computing machine belongs; the physical cloud computing host verifies the encrypted digital certificate file for the virtual cloud computing machine through a proxy program deployed thereon, creates an isolated certificate container in a certificate key according to the key attribute information of the virtual cloud computing machine and writes the digital certificate for the virtual cloud computing machine in the certificate container.
a certificate proxy deployed on the cloud management host sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication, and the CA center responds to the request and returns a random number Rb for authentication;
the certificate proxy of the cloud management host reads the digital certificate of the cloud management host from the certificate key according to the key attribute information of the cloud management host, performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication using the digital certificate and sends the result of the signature, the digital certificate of the cloud management host and the random number Ra for the current authentication to the CA center; and the CA center authenticates the information received and, if the authentication is passed, informs the cloud management host to continue to start up the flow.
a certificate proxy deployed on the physical cloud computing host reads the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information of the physical cloud computing host, sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication, and the CA center responds to the request and returns a random number Rb for authentication; and
the certificate proxy of the physical cloud computing host reads the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information of the physical cloud computing host, performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication using the digital certificate and sends the result of the signature, the digital certificate of the physical cloud computing host and the random number Ra for the current authentication to the CA center; and the CA center authenticates the information received and, if the authentication is passed, informs the physical cloud computing host to continue to start up the flow.
a certificate proxy on the physical cloud computing host to which the virtual cloud computing machine belongs reads the digital certificate of the virtual cloud computing machine from a corresponding certificate container in the certificate key according to the key attribute information of the virtual cloud computing machine, sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication, and the CA center responds to the request and returns a random number Rb for authentication; and
the certificate proxy on the physical cloud computing host performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication according to the digital certificate of the virtual cloud computing machine and sends the result of the signature, the digital certificate of the virtual cloud computing machine and the random number Ra for the current authentication to the CA center; and the CA center authenticates the information received and, if the authentication is passed, informs the virtual cloud computing machine to continue to start up the flow.
when the time set by a preset first timer is up, the certificate proxy of the cloud management host acquires the key attribute information of the cloud management host, reads the digital certificate of the cloud management host from the certificate key according to the key attribute information acquired and sends an online or offline authentication request to the CA center; and the cloud management host continues to run if the authentication implemented by the CA center is passed.
when the time set by a preset second timer is up, the certificate proxy of the physical cloud computing host acquires the key attribute information of the physical cloud computing host, reads the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information acquired and sends an online or offline authentication request to the CA center; and the physical cloud computing host continues to run if the authentication implemented by the CA center is passed.
when the time set by a preset third timer is up, the certificate proxy of the physical cloud computing host to which the virtual cloud computing machine belongs acquires the key attribute information of the virtual cloud computing machine, reads the digital certificate of the virtual cloud computing machine from a corresponding certificate container in the certificate key according to the key attribute information acquired and sends an online or offline authentication request to the CA center; and the virtual cloud computing machine continues to run if the authentication implemented by the CA center is passed.
Brief Description of Drawings
Fig. 1 is a flowchart illustrating the issuing of a digital certificate for a cloud management host in an embodiment of the present invention;
Fig. 2 is a flowchart illustrating the issuing of a digital certificate for a physical cloud computing host in an embodiment of the present invention;
Fig. 3 is a flowchart illustrating the issuing of a digital certificate for a virtual cloud computing machine in an embodiment of the present invention;
Fig. 4 is a flowchart illustrating an online authentication carried out by a cloud management host according to a digital certificate in an embodiment of the present invention;
Fig. 5 is a flowchart illustrating an online authentication carried out by a physical cloud computing host according to a digital certificate in an embodiment of the present invention;
Fig. 6 is a flowchart illustrating an online authentication carried out by a virtual cloud computing machine according to a digital certificate when the virtual cloud computing machine is manually started in an embodiment of the present invention; and
Fig. 7 is a flowchart illustrating an online authentication carried out by a virtual cloud computing machine according to a digital certificate when the virtual cloud computing machine is started automatically in an embodiment of the present invention.
Preferred Embodiments of the Present Invention
separately issuing a digital certificate for a cloud management host, a physical cloud computing host and a virtual cloud computing machine, and carrying out a compliance authentication according to a corresponding digital certificate when these network elements start up or are in the running process.
S101: the CA center generates a certificate by taking a unique string, generated using a hash algorithm from the key attribute information of the cloud management host (the cloud management node), as the input for the generation of the certificate for the cloud management host, and writes the generated certificate into the certificate key to complete the making of a card. In the present embodiment, the key attribute information of the cloud management host includes, but is not limited to, the MAC address and the CPU number of the cloud management host.
S102: the attribute information of a specified physical cloud computing host (a cloud computing node) is collected so as to apply for a device certificate for the specified cloud computing node. Specifically, the cloud management host acquires the key attribute information (e.g. the MAC address, the CPU number and other key information) of the physical cloud computing host through a certificate proxy deployed on the corresponding physical cloud computing host and sends an application for a digital certificate for the physical cloud computing host to the CA center according to the key attribute information acquired.
S103: the CA center authenticates the cloud management node, generates a digital certificate for the specified cloud computing node and makes a card. Specifically, the CA center authenticates the digital certificate of the cloud management host and, if the authentication is passed, generates a digital certificate for the physical cloud computing host according to the key attribute information of the physical cloud computing host and makes a card.
S104: the cloud management host first selects a resource pool and creates a virtual cloud computing machine of the physical cloud computing host, acquires, after verifying that the physical cloud computing host to which the virtual cloud computing machine belongs is normal, the key attribute information of the virtual cloud computing machine and sends an application for a digital certificate for the virtual cloud computing machine to the CA center according to the key attribute information acquired;
S105: the CA center verifies the digital certificate of the cloud management host and, if the verification is passed, generates a digital certificate file for the virtual cloud computing machine according to the key attribute information of the virtual cloud computing machine;
S106: the CA center returns an encrypted digital certificate file for the virtual cloud computing machine to the cloud management host; and
S107: the cloud management host returns the encrypted digital certificate file for the virtual cloud computing machine to the physical cloud computing host to which the virtual cloud computing machine belongs; the physical cloud computing host verifies the encrypted digital certificate file for the virtual cloud computing machine through a proxy program deployed thereon, creates an isolated certificate container in the certificate key according to the key attribute information of the virtual cloud computing machine and writes the digital certificate for the virtual cloud computing machine in the certificate container.
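The issuance steps S101 to S107 above, as an added example in Go that is not part of the patent: the CA center hashes a node's key attribute information into the certificate subject, issues X.509 certificates from a self-signed root, refuses an application whose accompanying cloud management host certificate does not chain to that root, and files each certificate in an isolated container of the certificate key addressed by the same hash. The names (KeyAttributes, CACenter, CertificateKey, sign), the choice of SHA-256 and ECDSA P-256, the 24-hour validity and the constructed MAC/CPU values are assumptions of this example; the page specifies none of them, and "making a card" is modeled only as the Store call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// KeyAttributes is the key attribute information the page names for a node
// (MAC address and CPU number); the type and field names are assumptions.
type KeyAttributes struct{ MAC, CPUNumber string }

// UniqueString hashes the key attributes into the string used as the certificate
// subject (S101). SHA-256 is an assumption; the page only says "hash algorithm".
func UniqueString(a KeyAttributes) string {
	sum := sha256.Sum256([]byte(a.MAC + "|" + a.CPUNumber))
	return hex.EncodeToString(sum[:])
}

// CACenter holds the CA center's self-signed root and signing key.
type CACenter struct {
	Root *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// sign builds and signs one certificate; a nil parent produces the self-signed root.
func sign(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // the root may sign certificates and is its own parent
		tmpl.IsCA, tmpl.KeyUsage, parent = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewCACenter() (*CACenter, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	root, err := sign("cloud CA center", &key.PublicKey, nil, key)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &CACenter{Root: root, key: key, pool: pool}, nil
}

// Issue generates a node certificate whose subject is the hashed key attributes. For the
// cloud management host itself (S101) requester is nil; for a physical host or virtual
// machine the application comes from the management host (S102/S104), whose own
// certificate must chain to this CA's root before anything is issued (S103/S105).
func (ca *CACenter) Issue(a KeyAttributes, pub *ecdsa.PublicKey, requester *x509.Certificate) (*x509.Certificate, error) {
	if requester != nil {
		if _, err := requester.Verify(x509.VerifyOptions{Roots: ca.pool}); err != nil {
			return nil, fmt.Errorf("cloud management host certificate rejected: %w", err)
		}
	}
	return sign(UniqueString(a), pub, ca.Root, ca.key)
}

// CertificateKey models the certificate key on a physical host: one isolated
// container per node, addressed by that node's hashed key attributes (S107).
type CertificateKey map[string]*x509.Certificate

// Store files a certificate in the container for a; the subject must match, so a
// certificate cannot be filed under another node's container.
func (k CertificateKey) Store(a KeyAttributes, c *x509.Certificate) error {
	if c.Subject.CommonName != UniqueString(a) {
		return fmt.Errorf("certificate subject does not match the key attributes")
	}
	k[UniqueString(a)] = c
	return nil
}

// Read returns the certificate in the container addressed by a (S209 reads it this way).
func (k CertificateKey) Read(a KeyAttributes) (*x509.Certificate, bool) {
	c, ok := k[UniqueString(a)]
	return c, ok
}
```

The chain check in Issue is what gives the trust chain its teeth: a management host presenting a certificate from any other issuer, or an expired one, cannot obtain certificates for nodes, and the container lookup keyed by the hash keeps one virtual machine's certificate from being served for another's attributes.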
S201: when the cloud management host starts up, a certificate proxy deployed on the cloud management host sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication to request a random number Rb;
S202: the CA center responds to the request and returns the random number Rb for authentication;
S203: the certificate proxy on the cloud management host reads the digital certificate of the cloud management host from the certificate key according to the key attribute information of the cloud management host, performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication using the digital certificate and sends the result of the signature, the digital certificate CerA of the cloud management host and the random number Ra for the current authentication to the CA center;
S204: the CA center authenticates the information received and, if the authentication is passed, informs the cloud management host to continue to start up the flow. Herein the authentication is carried out in a way that is well known to those of ordinary skill in the art and is therefore not described here again.
S205: when the physical cloud computing host starts up, a certificate proxy deployed on the physical cloud computing host reads the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information of the physical cloud computing host, and sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication to apply for a random number Rb;
S206: the CA center responds to the request and returns the random number Rb for authentication;
S207: the certificate proxy on the physical cloud computing host reads the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information of the physical cloud computing host, performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication using the digital certificate and sends the result of the signature, the digital certificate CerA of the physical cloud computing host and the random number Ra for the current authentication to the CA center; and
S208: the CA center authenticates the information received and, if the authentication is passed, informs the physical cloud computing host to continue to start up the flow.
S209: when the virtual cloud computing machine starts up, a certificate proxy on the physical cloud computing host to which the virtual cloud computing machine belongs reads the digital certificate of the virtual cloud computing machine from a corresponding certificate container in the certificate key according to the key attribute information (e.g. the MAC address, the CPU number and so on) of the virtual cloud computing machine, sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication;
S210: the CA center responds to the request and returns the random number Rb for authentication;
S211: the certificate proxy on the physical cloud computing host performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication according to the digital certificate of the virtual cloud computing machine and sends the result of the signature, the digital certificate of the virtual cloud computing machine and the random number Ra for the current authentication to the CA center; and
S212: the CA center authenticates the information received and, if the authentication is passed, informs the virtual cloud computing machine to continue to start up the flow.
S61: a manager manually starts a virtual cloud computing machine in a way known in the prior art of the field.
S62: after the virtual cloud computing machine is started, the physical cloud computing host to which the virtual cloud computing machine belongs reads the digital certificate of the virtual cloud computing machine from a corresponding certificate container in the certificate key according to the key attribute information (e.g. the MAC address, the CPU number and so on) of the virtual cloud computing machine, sends an online or offline authentication request to the CA center, and generates a random number Ra for the current authentication to apply for a random number Rb;
S63: the CA center responds to the request and returns the random number Rb for authentication;
S64: the certificate proxy on the physical cloud computing host performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication according to the digital certificate of the virtual cloud computing machine and sends the result of the signature, the digital certificate CerA of the virtual cloud computing machine and the random number Ra for the current authentication to the CA center; and
S65: the CA center authenticates the information received and, if the authentication is passed, informs the virtual cloud computing machine to continue to start up the flow.
S71: a virtual cloud computing machine restarts automatically according to a preset automatic startup strategy, herein the automatic startup strategy is the prior art of the field;
S72: after the virtual cloud computing machine is started, the physical cloud computing host to which the virtual cloud computing machine belongs reads the digital certificate of the virtual cloud computing machine from a corresponding certificate container in the certificate key according to the key attribute information (e.g. the MAC address, the CPU number and so on) of the virtual cloud computing machine, sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication to apply for a random number Rb;
S73: the CA center responds to the request and returns the random number Rb for authentication;
S74: the certificate proxy on the physical cloud computing host performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication according to the digital certificate of the virtual cloud computing machine and sends the result of the signature, the digital certificate CerA of the virtual cloud computing machine and the random number Ra for the current authentication to the CA center; and
S75: the CA center authenticates the information received and, if the authentication is passed, informs the virtual cloud computing machine to continue to start up the flow.
the certificate proxy of the cloud management host checks the compliance of the certificate cyclically: when the time set by a monitoring timer is up, it acquires the key attribute information of the cloud management host, reads the digital certificate of the cloud management host from the certificate key according to the key attribute information acquired and sends an online or offline authentication request to the CA center; if the authentication implemented by the CA center is passed, the cloud management host continues to run; otherwise, the CA center generates a warning and sends a notification message to inform the manager to take action. Herein, based on the first timer, the compliance authentication is carried out periodically according to the corresponding digital certificate when the cloud management host is in the running process.
the certificate proxy of the physical cloud computing host checks the compliance of the certificate cyclically: when the time set by a monitoring timer is up, it acquires the key attribute information of the physical cloud computing host, reads the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information acquired, and sends an online or offline authentication request to the CA center; if the authentication implemented by the CA center is passed, the physical cloud computing host continues to run; otherwise, the CA center generates a warning and sends a notification message to inform the manager to take action. Herein, based on the second timer, the compliance authentication is carried out periodically according to the corresponding digital certificate when the physical cloud computing host is in the running process.
the certificate proxy of the physical cloud computing host to which the virtual cloud computing machine belongs checks the compliance of the certificate cyclically: when the time set by a monitoring timer is up, it acquires the key attribute information of the virtual cloud computing machine, reads the digital certificate of the virtual cloud computing machine from the corresponding certificate container in the certificate key according to the key attribute information acquired, and sends an online or offline authentication request to the CA center; if the authentication implemented by the CA center is passed, the virtual cloud computing machine continues to run; otherwise, the CA center generates a warning and sends a notification message to inform the manager to take action. Herein, based on the third timer, the compliance authentication is carried out periodically according to the corresponding digital certificate when the virtual cloud computing machine is in the running process.
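The start-up authentication of S201 to S212, its repetitions in S61 to S75 and the timer-driven compliance checks just described all run the same Ra/Rb exchange; here it is as an added example in Go that is not the patent's code, showing both sides: the CA center binds the Rb it returns to the proxy's Ra, consumes the pair on first use so that a replayed or stale response fails, checks that the presented certificate carries its own signature, and verifies the node's signature over Ra||Rb. The certificate in this block is a minimal CA-signed binding of a subject to a public key standing in for the X.509 certificate; the type and function names, the use of ECDSA P-256 and SHA-256, the 32-byte nonces and the constructed subject strings are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Certificate is a minimal CA-signed binding of a subject (the node's hashed key
// attributes) to a public key; it stands in for the X.509 certificate so that this
// block runs on its own. Type and field names are assumptions of this example.
type Certificate struct {
	Subject   string
	PublicKey *ecdsa.PublicKey
	CASig     []byte // CA signature over SHA-256(Subject || 0x00 || DER(PublicKey))
}

func certDigest(c *Certificate) []byte {
	der, _ := x509.MarshalPKIXPublicKey(c.PublicKey) // cannot fail for an ecdsa key
	d := sha256.Sum256(append([]byte(c.Subject+"\x00"), der...))
	return d[:]
}

// transcript is what the node signs and the CA verifies: SHA-256(Ra || Rb).
func transcript(ra, rb []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, ra...), rb...))
	return d[:]
}

// CACenter holds the CA key and the Ra -> Rb pairs of authentications in progress
// (single-threaded here; a real CA center would guard the map with a lock).
type CACenter struct {
	key     *ecdsa.PrivateKey
	pending map[string][]byte // keyed by Ra, removed on first use
}

func NewCACenter() (*CACenter, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CACenter{key: key, pending: map[string][]byte{}}, nil
}

// Issue signs a certificate binding subject to the node's public key.
func (ca *CACenter) Issue(subject string, pub *ecdsa.PublicKey) (*Certificate, error) {
	c := &Certificate{Subject: subject, PublicKey: pub}
	sig, err := ecdsa.SignASN1(rand.Reader, ca.key, certDigest(c))
	c.CASig = sig
	return c, err
}

// Challenge answers the authentication request (S201/S202): record Ra, return a fresh Rb.
func (ca *CACenter) Challenge(ra []byte) []byte {
	rb := make([]byte, 32)
	if _, err := rand.Read(rb); err != nil {
		panic(err) // the system random source is unavailable; nothing sensible remains to do
	}
	ca.pending[string(ra)] = rb
	return rb
}

// Authenticate checks the response (S203/S204): Rb must be the one issued for this
// Ra and is consumed here, so a replayed or stale response fails; the certificate
// must carry this CA's signature; the node's signature over Ra||Rb must verify.
func (ca *CACenter) Authenticate(sig []byte, cert *Certificate, ra []byte) error {
	rb, ok := ca.pending[string(ra)]
	delete(ca.pending, string(ra))
	if !ok {
		return fmt.Errorf("unknown or already used Ra")
	}
	if !ecdsa.VerifyASN1(&ca.key.PublicKey, certDigest(cert), cert.CASig) {
		return fmt.Errorf("certificate was not issued by this CA")
	}
	if !ecdsa.VerifyASN1(cert.PublicKey, transcript(ra, rb), sig) {
		return fmt.Errorf("signature over Ra||Rb does not verify")
	}
	return nil
}

// Proxy is the certificate proxy on a node; it holds that node's key and certificate.
type Proxy struct{ Key *ecdsa.PrivateKey; Cert *Certificate }

// Authenticate is the proxy side of S201-S204: draw Ra, obtain Rb, sign Ra||Rb,
// submit. The running-state compliance check repeats this same call on each timer tick.
func (p *Proxy) Authenticate(ca *CACenter) error {
	ra := make([]byte, 32)
	if _, err := rand.Read(ra); err != nil {
		return err
	}
	rb := ca.Challenge(ra)
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, transcript(ra, rb))
	if err != nil {
		return err
	}
	return ca.Authenticate(sig, p.Cert, ra)
}
```

Signing both nonces matters: Rb proves freshness to the CA center, and Ra lets the proxy refuse to sign an Rb it never asked for. The warning and notification the page describes for a failed periodic check would be raised from the error that CACenter.Authenticate returns when the timer-driven call of Proxy.Authenticate fails.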
the cloud management host is specifically arranged in the following way:
when the cloud management host starts up, a certificate proxy deployed on the cloud management host sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication, and receives a random number Rb for authentication which the CA center returns to the cloud management host as a response to the request; the certificate proxy of the cloud management host reads the digital certificate of the cloud management host from the certificate key according to the key attribute information of the cloud management host, performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication using the digital certificate and sends the result of the signature, the digital certificate of the cloud management host and the random number Ra for the current authentication to the CA center; and the cloud management host receives, from the CA center, a notice of the success of the authentication of the received information and then continues to start up the flow.
when the physical cloud computing host starts up, a certificate proxy deployed on the physical cloud computing host reads the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information of the physical cloud computing host, sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication, and receives a random number Rb for authentication which the CA center returns to the physical cloud computing host as a response to the request; the certificate proxy of the physical cloud computing host reads the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information of the physical cloud computing host, performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication using the digital certificate, and sends the result of the signature, the digital certificate of the physical cloud computing host and the random number Ra for the current authentication to the CA center; and the physical cloud computing host receives, from the CA center, a notice of the success of the authentication of the received information and then continues to start up the flow.
when the virtual cloud computing machine starts up, a certificate proxy deployed on the physical cloud computing host to which the virtual cloud computing machine belongs reads the digital certificate of the virtual cloud computing machine from a corresponding certificate container in the certificate key according to the key attribute information of the virtual cloud computing machine, sends an online or offline authentication request to the CA center and generates a random number Ra for the current authentication, and receives a random number Rb for authentication which the CA center returns to the virtual cloud computing machine as a response to the request; the certificate proxy of the virtual cloud computing machine performs digital signature on the random number Ra for the current authentication and the random number Rb for authentication according to the digital certificate of the virtual cloud computing machine and sends the result of the signature, the digital certificate of the virtual cloud computing machine and the random number Ra for the current authentication to the CA center; and the virtual cloud computing machine receives, from the CA center, a notice of the success of the authentication of the received information and then continues to start up the flow.
the cloud management host is specifically arranged in the following way: when the time preset by the first timer is up, the certificate proxy of the cloud management host acquires the key attribute information of the cloud management host, reads the digital certificate of the cloud management host from the certificate key according to the key attribute information acquired, and sends an online or offline authentication request to the CA center, and the cloud management host continues to run after receiving, from the CA center, a notice on the success of the authentication.
Industrial Applicability
separately issuing a digital certificate for a cloud management host, a physical cloud computing host and a virtual cloud computing machine; and
carrying out a compliance authentication according to a corresponding digital certificate when the cloud management host, the physical cloud computing host and the virtual cloud computing machine start up or are in a running process.
generating, by a Certificate Authority (CA) center, a digital certificate of the cloud management host according to key attribute information of the cloud management host, and making a card by the CA center.
acquiring, by the cloud management host, key attribute information of the physical cloud computing host through a certificate proxy deployed on a corresponding physical cloud computing host; and sending, by the cloud management host, an application for a digital certificate of the physical cloud computing host to a CA center according to the acquired key attribute information; and
verifying, by the CA center, the digital certificate of the cloud management host; and if the verification is passed, generating, by the CA center, the digital certificate of the physical cloud computing host according to the key attribute information of the physical cloud computing host and making a card by the CA center.
after the cloud management host verifies that the physical cloud computing host to which the virtual cloud computing machine belongs is normal, acquiring, by the cloud management host, key attribute information of the virtual cloud computing machine; and sending, by the cloud management host, an application for a digital certificate of the virtual cloud computing machine to a CA center according to the acquired key attribute information;
verifying, by the CA center, the digital certificate of the cloud management host; and if the verification is passed, generating, by the CA center, a digital certificate file for the virtual cloud computing machine according to the key attribute information of the virtual cloud computing machine;
returning, by the CA center, an encrypted digital certificate file for the virtual cloud computing machine to the cloud management host; and
returning, by the cloud management host, the encrypted digital certificate file for the virtual cloud computing machine to the physical cloud computing host to which the virtual cloud computing machine belongs; verifying, by the physical cloud computing host, the encrypted digital certificate file for the virtual cloud computing machine through a proxy program deployed thereon; creating, by the physical cloud computing host, an isolated certificate container in a certificate key according to the key attribute information of the virtual cloud computing machine; and writing, by the physical cloud computing host, the digital certificate of the virtual cloud computing machine into the certificate container.
sending, by a certificate proxy deployed on the cloud management host, an online or offline authentication request to the CA center; and generating, by the certificate proxy, a random number Ra for a current authentication, and returning, by the CA center, a random number Rb for authentication as a response to the request; and
reading, by the certificate proxy of the cloud management host, the digital certificate of the cloud management host from a certificate key according to the key attribute information of the cloud management host; performing, by the certificate proxy, digital signature on the random number Ra for the current authentication and the random number Rb for authentication using the digital certificate; sending, by the certificate proxy, the result of the signature, the digital certificate of the cloud management host and the random number Ra for the current authentication to the CA center; authenticating, by the CA center, the received information; and if the authentication is successful, informing, by the CA center, the cloud management host to continue to start up the flow.
reading, by a certificate proxy deployed on the physical cloud computing host, the digital certificate of the physical cloud computing host from a certificate key according to the key attribute information of the physical cloud computing host; sending, by the certificate proxy, an online or offline authentication request to the CA center; and generating, by the certificate proxy, a random number Ra for a current authentication; and returning, by the CA center, a random number Rb for authentication as a response to the request; and
reading, by the certificate proxy of the physical cloud computing host, the digital certificate of the physical cloud computing host from the certificate key according to the key attribute information of the physical cloud computing host; performing, by the certificate proxy of the physical cloud computing host, digital signature on the random number Ra for a current authentication and the random number Rb for authentication using the digital certificate; sending, by the certificate proxy of the physical cloud computing host, the result of the signature, the digital certificate of the physical cloud computing host and the random number Ra for the current authentication to the CA center; authenticating, by the CA center, the received information; and if the authentication is successful, informing, by the CA center, the physical cloud computing host to continue to start up the flow.
reading, by a certificate proxy on the physical cloud computing host to which the virtual cloud computing machine belongs, the digital certificate of the virtual cloud computing machine from a corresponding certificate container in a certificate key according to the key attribute information of the virtual cloud computing machine; sending, by the certificate proxy, an online or offline authentication request to the CA center; generating, by the certificate proxy, a random number Ra for a current authentication; and returning, by the CA center, a random number Rb for authentication as a response to the request; and
performing, by the certificate proxy on the physical cloud computing host, digital signature on the random number Ra for the current authentication and the random number Rb for authentication according to the digital certificate of the virtual cloud computing machine; sending, by the certificate proxy, the result of the signature, the digital certificate of the virtual cloud computing machine and the random number Ra for the current authentication to the CA center; authenticating, by the CA center, the received information; and if the authentication is successful, informing, by the CA center, the virtual cloud computing machine to continue to start up the flow.
acquiring, by a certificate proxy of the cloud management host, key attribute information of the cloud management host when time preset by a first timer is up; reading, by the certificate proxy, the digital certificate of the cloud management host from a certificate key according to the acquired key attribute information; and sending, by the certificate proxy, an online or offline authentication request to a CA center; the cloud management host continues to run if the authentication implemented by the CA center is passed.
acquiring, by a certificate proxy of the physical cloud computing host, key attribute information of the physical cloud computing host when time preset by a second timer is up; reading, by the certificate proxy, the digital certificate of the physical cloud computing host from a certificate key according to the acquired key attribute information; and sending, by the certificate proxy, an online or offline authentication request to a CA center; the physical cloud computing host continues to run if the authentication implemented by the CA center is passed.
acquiring, by a certificate proxy of the physical cloud computing host to which the virtual cloud computing machine belongs, key attribute information of the virtual cloud computing machine when time preset by a third timer is up; reading, by the certificate proxy, the digital certificate of the virtual cloud computing machine from a corresponding certificate container in a certificate key according to the acquired key attribute information; and sending, by the certificate proxy, an online or offline authentication request to a CA center; the virtual cloud computing machine continues to run if the authentication implemented by the CA center is passed.