
CN116132026A - Method for realizing remote Web access enhanced security authentication in BMC system - Google Patents


Info

Publication number: CN116132026A
Application number: CN202211473916.XA
Authority: CN (China)
Prior art keywords: user, key, server, decryption, salt
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 张欢
Current assignee: Die Micro Technology Shanghai Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Die Micro Technology Shanghai Co ltd
Events: application filed by Die Micro Technology Shanghai Co ltd; priority to CN202211473916.XA; publication of CN116132026A; current legal status Withdrawn (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Classifications

    • H04L 9/0825: Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates (under H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L 9/0816 Key establishment, i.e. cryptographic processes or protocols whereby a shared secret becomes available to two or more parties; H04L 9/0819 Key transport or distribution, i.e. one party creates or otherwise obtains a secret value and securely transfers it to the other(s))
    • H04L 9/3213: Means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos (under H04L 9/32 Entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials; H04L 9/321 involving a third party or a trusted authority)
    • H04L 9/3247: Means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (under H04L 9/32)
    • H04L 9/3297: Means for verifying the identity or authority of a user of the system or for message authentication, involving time stamps, e.g. generation of time stamps (under H04L 9/32)
    All four codes sit under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for enhanced security authentication of remote Web access in a BMC system. An asymmetric-cryptography algorithm generates a unique public/private key pair for each user; the private key is stored in an encryption/decryption chip on the server side of the BMC system, the system itself does not store the private key, and the public key is kept by the user. The user's browser encrypts specific data with the public key and uses the resulting ciphertext as the authentication token; the server sends the ciphertext to the encryption/decryption chip, which decrypts it and returns the plaintext. The user thus holds the public key instead of the private key and cannot recover the private key by inverting the public key, while the server side holds the private key instead of the public key, keeps it inside the encryption/decryption chip and, whenever a computation is needed, sends the data to the chip and receives the result once the chip has finished, so the server never comes into contact with the private key. This further raises the security level of the BMC system as a whole.

Description

A method for realizing enhanced security authentication for remote Web access in a BMC system

Technical field

The invention belongs to the field of modern Internet information technology and in particular relates to a method for realizing enhanced security authentication for remote Web access in a BMC system.

Background art

With the development of big data and cloud computing, more and more data storage and computing tasks have moved to the cloud, that is, they are processed in data centers. Because data centers consume large amounts of power and generate a great deal of heat, most of them are located in areas with low energy prices and good cooling conditions; in China, for example, many data centers are built inside karst caves in Guizhou. These data centers are remote and noisy, so their operators usually monitor and maintain them remotely. Such remote management is usually carried out through a BMC system (a remote management system consisting of a management chip soldered onto the computer motherboard and the firmware that runs on it).

A BMC (Baseboard Management Controller) system is a management system that monitors servers or switches and provides a remote control interface. It communicates with the other hardware and software inside the host through interfaces such as LPC or USB, and provides query and control functions to remote operators through remote transport interfaces such as the network, allowing administrators to connect to the host remotely to send commands or perform various tasks.

As BMC functionality has expanded, more and more operations can be completed remotely, including but not limited to powering the system on and off, monitoring system status, installing an operating system and upgrading the motherboard BIOS firmware. These operations bear on system security and stability; if they are attacked or carried out by unauthorized users, the likely result is a system crash or a data leak.

In a traditional BMC system, account-based access control is usually used to give different administrators access to resources of different levels. Each administrator has an account and a corresponding password, logs in with them and then performs operations. This approach carries many security risks: the system ships with a factory-default password that users often forget to change at deployment; for convenience, users often set weak passwords that attackers can crack easily; when the system has several administrators they often share one account and password, so the system cannot tell which administrator issued a given command; and passwords have no validity period, so staff who have left or changed roles can still log in and operate the system.

Patent application CN202111296468.6 reduces the security risk of password leakage, makes it harder for a malicious attacker to mount an attack and raises the overall security level of the BMC system. It still has weak points, however: the client holds the private key and can compute from it the public key stored on the server side; and the server side stores the public key in the system database, so a compromise of the server may leak the key.

Summary of the invention

To address the shortcomings of patent application CN202111296468.6, the present invention strengthens security by embedding a hardened encryption/decryption chip on the server side. The main improvements are:

1. An asymmetric-cryptography algorithm generates a unique public/private key pair for each user. The private key is stored in the encryption/decryption chip on the BMC server side; the BMC system itself does not keep the private key. The public key is kept by the user.

2. The user's browser encrypts specific data with the public key and uses the resulting ciphertext as the authentication token.

3. The server side sends the ciphertext to the encryption/decryption chip, which decrypts it and returns the plaintext.

The method of the present invention for realizing enhanced security authentication for remote Web access in a BMC system adopts a technical scheme comprising the following steps:

Step one, generation and distribution of the asymmetric keys, comprising the following specific steps:

① An asymmetric-cryptography algorithm generates a unique public/private key pair for each user; the user's private key KeyPri is stored in the encryption/decryption chip on the BMC server side, and the user's public key KeyPub is kept by the user;

② The server side assembles the user id, the user's public key KeyPub, the key validity period and the random salt data Salt into the combined data TextA;

③ The user id, key validity period and salt data Salt are stored on the BMC server side; the server calls the cryptographic function of the encryption/decryption chip so that the user's private key KeyPri stored inside the chip signs the above information, producing SignA; TextA and SignA are handed to the user for safekeeping;

After key distribution, each user holds the user id, the user's public key KeyPub and the signature SignA; the BMC server side stores the user id, the key validity period and the salt data Salt, and the encryption/decryption chip on the BMC server side stores the user's private key KeyPri;

Step two, the user initiates authentication, comprising the following specific steps:

① The user sends a request to the BMC server side to obtain the session id of the current session;

② The user's browser uses the public key KeyPub and the signature SignA to verify the validity of TextA, that is, of the user id, the key validity period and the salt data Salt;

③ The user's browser assembles the user id, the key validity period, the session id and the path of the resource to be accessed into the combined data TextB;

④ The user's browser computes a digest of TextB with a digest algorithm, obtaining HashB;

⑤ The user's browser encrypts HashB with the user's public key KeyPub, obtaining CipherB;

⑥ The user's browser generates a timestamp Timestamp from the local time;

⑦ The user's browser combines the salt data Salt and the timestamp Timestamp to generate the transport key KeyTransfer;

⑧ The user's browser encrypts the data group consisting of TextB and CipherB with the transport key KeyTransfer, obtaining InfoB;

⑨ When the user's browser accesses a server-side resource, it sends the timestamp Timestamp and the ciphertext InfoB to the server side as the authentication token, either as request parameters or as header key/value pairs;

Step three, the server side authenticates the user, comprising the following specific steps:

① The user's browser sends the server side a resource access request carrying the requested resource path, the timestamp Timestamp and InfoB;

② On receiving the user's access request, the server side first looks up whether a key validity period and salt data Salt exist for that user;

③ If that information does not exist, or the key validity period has expired, the authentication flow stops and an error denying service is returned to the user;

④ If the key validity period has not expired, the server side concatenates the user's salt data Salt with the timestamp Timestamp sent by the browser to obtain the transport key KeyTransfer', and uses KeyTransfer' to decrypt the InfoB sent by the user;

⑤ If decryption succeeds, it yields the data group TextB', consisting of the user id, the key validity period, the session id and the access resource path, together with the encrypted information CipherB'; if decryption fails, an error is returned to the browser and service stops;

⑥ The server side computes the digest of TextB' with the digest algorithm, obtaining HashB', and calls the decryption function of the encryption/decryption chip so that the private key KeyPri stored inside the chip decrypts CipherB', obtaining HashB''; if HashB' and HashB'' are not equal, verification fails, an error is returned and service stops;

⑦ If the verification passes, the server side evaluates each of the following conditions; if any one of them is triggered, the server side returns an error to the user and stops service:

a) the user id obtained by decryption differs from the user id that initiated the request;

b) the key validity period obtained by decryption differs from the key validity period stored on the server side;

c) the session id obtained by decryption does not exist on the server side or has expired;

d) the access resource path obtained by decryption differs from the resource path of the user's current Web request;

⑧ If none of the above conditions is triggered, authentication passes and the server side returns the requested resource to the user.

The principle of the technical scheme of the present invention is further explained as follows:

First, generation and distribution of the asymmetric keys, in the following sub-steps:

1. An asymmetric-cryptography algorithm generates a unique public/private key pair for each user. The private key is stored in the cryptographic chip on the BMC server side and cannot be read from outside; the public key is kept by the user. Below, the user's public key is called KeyPub and the user's private key KeyPri.

2. The server side assembles the following data into the combined data TextA:

① user id;

② user public key;

③ key validity period;

④ random salt data, referred to below as Salt.

3. The user id, key validity period and salt data Salt are stored on the BMC server side. The server calls the cryptographic function of the chip so that the private key KeyPri stored inside the chip signs the above information, producing SignA, and hands TextA and SignA to the user for safekeeping.

After key distribution, each user holds: user id, user public key KeyPub and signature SignA.

The BMC server side stores: user id, key validity period, salt data Salt, and the user's private key KeyPri (held inside the encryption/decryption chip, where the BMC server cannot read it).

Second, the user initiates authentication, in the following sub-steps:

1. The user sends a request to the BMC server side to obtain the session id of the current session. In the exchange between browser and server, the session represents the unique communication channel established between this server and this browser.

2. The user's browser uses the public key KeyPub and the signature SignA to verify the validity of TextA, that is, of the user id, the key validity period and the salt data Salt.

3. The user's browser assembles the following data into the combined data TextB:

① user id;

② key validity period;

③ session id;

④ path of the resource to be accessed.

4. The user's browser computes a digest of TextB with the digest algorithm, obtaining HashB.

5. The user's browser encrypts HashB with the public key KeyPub, obtaining CipherB.

6. The user's browser generates a timestamp Timestamp from the local time.

7. The user's browser combines the salt data Salt and the timestamp Timestamp to generate the transport key KeyTransfer.

8. The user's browser encrypts the data group consisting of TextB and CipherB with the transport key KeyTransfer, obtaining InfoB.

9. When the user's browser accesses a server-side resource, it sends the timestamp Timestamp and the ciphertext InfoB to the server side as the authentication token, either as request parameters or as header key/value pairs.

Third, the steps by which the server side authenticates the user:

1. The user's browser sends the server side a resource access request carrying the requested resource address, the timestamp Timestamp and InfoB.

2. On receiving the user's access request, the server side first looks up whether a key validity period and salt data Salt exist for that user.

3. If that information does not exist, or the key has expired, the authentication flow stops and an error denying service is returned to the user.

4. If the key has not expired, the server side concatenates the user's salt data Salt with the timestamp sent by the browser to obtain the transport key KeyTransfer', and uses KeyTransfer' to decrypt the InfoB sent by the user.

5. If decryption succeeds, it yields the data group TextB', consisting of the user id, the key validity period, the session id and the access resource path, together with the encrypted information CipherB'; if decryption fails, an error is returned to the browser and service stops.

6. The server side computes the digest of TextB' with the digest algorithm, obtaining HashB', and calls the encryption/decryption chip so that the private key KeyPri stored inside the chip decrypts CipherB', obtaining HashB''. If HashB' and HashB'' are not equal, verification fails, an error is returned and service stops.

7. If the verification passes, the server side evaluates the following conditions; if any one of them is met, the server side returns an error to the user and stops service:

① the user id obtained by decryption differs from the user id that initiated the request;

② the key validity period obtained by decryption differs from the key validity period stored on the server side;

③ the session id obtained by decryption does not exist on the server side or has expired;

④ the access resource path obtained by decryption differs from the resource path of the user's current Web request.

8. If none of the above conditions is triggered, authentication passes and the server side returns the requested resource to the user.

The beneficial effects achieved by the present invention are as follows:

1. The user holds the public key instead of the private key; the private key cannot be derived from the public key by inverting it, which increases security.

2. The server side holds the private key instead of the public key, and the private key is stored inside the encryption/decryption chip: when a computation is needed, the data is sent to the chip, which returns the result once the computation is done, so the server side never has access to the private key value.

The invention therefore reduces the security risk of password leakage, makes it harder for a malicious attacker to mount an attack and further raises the overall security level of the BMC system.

Description of the drawings

Fig. 1 is a block diagram of the generation and distribution of the asymmetric keys in the present invention.

Fig. 2 is block diagram 1 of the user-initiated authentication and server-side user authentication flow of the present invention.

Fig. 3 is block diagram 2 of the user-initiated authentication and server-side user authentication flow of the present invention.

Note: the steps in Fig. 2 of assembling the data group TextB, generating the digest HashB of TextB with the digest algorithm and encrypting HashB with the public key KeyPub to produce CipherB, and the steps in Fig. 3 of extracting the digest of TextB' with the digest algorithm to obtain HashB' and sending the received CipherB' to the encryption/decryption chip, are all improvements over patent application CN202111296468.6.

Detailed description of the embodiments

The present invention improves on patent application CN202111296468.6. Its main flow has three stages: generation and distribution of keys; the user initiates authentication; the server authenticates the user. The three stages are described in detail below:

First, key generation and distribution. This is the process of generating keys and distributing them to the user and the server side. In the present invention the keys are generated by the encryption/decryption chip using an asymmetric-cryptography algorithm. After the key pair is generated, the private key stays inside the chip and cannot be obtained from outside, and the public key is distributed to the user. The specific steps are:

1. The root administrator initiates a key generation request in the key generation and distribution system (hereinafter the key system);

2. The key system has the encryption/decryption chip generate the public key KeyPub and the private key KeyPri. The private key KeyPri is stored inside the chip, which returns only the public key KeyPub.

3. The key system generates a piece of salt data Salt with a random number algorithm; its length may be 64, 128 or 256 bits;

4. The key system sets the expiration time ExpireTime of this key pair according to the configured rules. To avoid problems caused by differing time zones between the user and the server, this time is converted to UTC before it is stored.

5. The key system concatenates the above data and the public key KeyPub itself into one complete string TextA: {user id, ExpireTime, Salt, KeyPub}, and computes its digest HashA with the digest algorithm.

6. The system sends HashA to the encryption/decryption chip, which signs HashA with the user's private key KeyPri and returns SignA. Only HashA is sent to the chip; the system never touches the private key used for the signature.

7. The system sends TextA and the signature SignA to the user, and stores the user id, the expiration time ExpireTime and the salt data Salt in the server-side database.

8. On receiving TextA, the user verifies SignA with the user public key contained in TextA. If it verifies, the user stores TextA (which carries the public key) and the signature SignA locally and sends a success message to the server side; otherwise the user sends a failure message to the server side;

9. When the server side receives the success message, key distribution is complete; when it receives a failure message, it instructs the encryption/decryption chip to delete the private key, and key distribution has failed.

Second, the user initiates authentication. When a user needs to request a server-side resource, the request must carry information the server can authenticate, so that the sender's identity can be confirmed as legitimate. Taking a request for the resource Url as an example, the procedure is as follows:

1. The user first sends a request to the server to obtain the session id (Session id) of the current session.

2. The user's browser assembles the following data into the combined data TextB: {user id, ExpireTime, Session id, Url}.

3. The user's browser computes a digest of TextB with the digest algorithm, obtaining HashB.

4. The user's browser encrypts HashB with the public key KeyPub it holds, obtaining CipherB.

5. The user's browser concatenates the salt Salt with the timestamp Timestamp of the current time to generate the transfer key KeyTransfer.

6. The user's browser encrypts the data group consisting of TextB and CipherB with KeyTransfer, obtaining InfoB. The encryption algorithm is a symmetric algorithm, for example AES or SM4.

7. When the user's browser issues the request for the resource Url, it sends the timestamp Timestamp and InfoB to the server as the token, either as request parameters or as header (Header) key-value pairs.

Third, the server authenticates the user. When the server receives the user's access to the resource Url, it must use the InfoB carried by the request to authenticate the sender. The procedure is as follows:

1. The server receives the resource access request issued by the user's browser, containing the requested resource address Url, the timestamp Timestamp and the ciphertext InfoB.

2. The server queries its local database by user id and obtains that user's key validity period and salt data Salt.

3. If this information does not exist or the key has expired, the server stops the authentication procedure and returns an error message refusing service to the user.

4. If the key has not expired, the server concatenates the salt data Salt with the timestamp to form the transfer key KeyTransfer.

5. The server decrypts the InfoB sent by the user with the transfer key KeyTransfer, using the decryption algorithm that matches the client's encryption algorithm, and obtains TextB': {user id', ExpireTime', Session id', Url'} together with the ciphertext CipherB'. If decryption fails, an error message refusing service is returned.

6. The server computes a digest of TextB' with the same digest algorithm as the client, obtaining HashB', and sends CipherB' to the encryption/decryption chip, which decrypts it with the user's private key; the server cannot access the user's private key during decryption. The decryption result is HashB''. If HashB' and HashB'' are not equal, an error message is returned and service is stopped.

7. If the signature check passes, the server evaluates the following conditions; if any one of them holds, the server returns an error message to the user and stops service:

① the user id' obtained by decryption does not match the user id that issued the request;

② the key validity period ExpireTime' obtained by decryption does not match the key validity period stored on the server;

③ the Session id' obtained by decryption does not exist on the server or has expired;

④ the requested resource path Url' obtained by decryption is not equal to the resource path Url of the user's current Web request.

8. If none of the above conditions is triggered, authentication passes and the server returns the requested resource to the user.

9. The server records the details of this request as an audit record.
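The user-side and server-side authentication procedures above (the second and third parts), as one added example in Go that is not code from the patent. `ClientToken` produces the Timestamp/InfoB token from what the user holds after distribution (KeyPub, Salt, ExpireTime), and `Authenticate` performs the server's checks in the order the text gives them, with the private key reachable only through `chipDecrypt`, which stands in for the encryption/decryption chip. Assumptions not in the text: RSA-OAEP with SHA-256 for CipherB (the scheme needs an asymmetric algorithm that can encrypt under the public key and decrypt under the private key), AES-256-GCM as the symmetric algorithm, a SHA-256 hash of Salt||Timestamp as the fixed-length KeyTransfer (the text only concatenates the two), a '|'-separated TextB, and the constructed user id "admin", session id "sess-1" and resource path "/api/sensors".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// UserRecord is one server database row left by key distribution plus that user's live
// sessions; priv stands in for KeyPri held inside the encryption/decryption chip (an
// assumption of this example) and is used only by chipDecrypt.
type UserRecord struct {
	ExpireTime time.Time
	Salt       []byte
	Sessions   map[string]bool
	priv       *rsa.PrivateKey
}

// Server is the user database, keyed by user id.
type Server map[string]*UserRecord

// Provision plays the distribution phase for one user (key pair, 256-bit Salt, ExpireTime
// in UTC) and returns what the user side keeps: KeyPub, Salt and ExpireTime.
func (s Server) Provision(userID string, lifetime time.Duration) (*rsa.PublicKey, []byte, time.Time) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	salt := make([]byte, 32)
	if _, err2 := rand.Read(salt); err != nil || err2 != nil {
		panic("key or salt generation failed")
	}
	expire := time.Now().UTC().Add(lifetime)
	s[userID] = &UserRecord{expire, salt, map[string]bool{}, priv}
	return &priv.PublicKey, salt, expire
}

// chipDecrypt is the only path to KeyPri: CipherB' in, HashB'' out.
func chipDecrypt(rec *UserRecord, cipherB []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, rec.priv, cipherB, nil)
}

// BuildTextB serialises {user id, ExpireTime, Session id, Url} identically on both sides.
func BuildTextB(userID string, expire time.Time, session, url string) string {
	return strings.Join([]string{userID, expire.UTC().Format(time.RFC3339), session, url}, "|")
}

// TransferKey derives KeyTransfer: the text concatenates Salt and Timestamp; hashing that
// concatenation (an assumption here) gives a fixed 32-byte AES-256 key, used in GCM mode.
func TransferKey(salt []byte, ts int64) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, salt...), fmt.Sprint(ts)...))
	block, _ := aes.NewCipher(k[:]) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ClientToken runs the browser-side steps: TextB, HashB, CipherB, KeyTransfer, InfoB.
func ClientToken(pub *rsa.PublicKey, salt []byte, userID string, expire time.Time, session, url string, ts int64) ([]byte, error) {
	textB := []byte(BuildTextB(userID, expire, session, url))
	hashB := sha256.Sum256(textB)
	cipherB, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, hashB[:], nil)
	nonce := make([]byte, 12) // standard GCM nonce size
	if _, err2 := rand.Read(nonce); err != nil || err2 != nil {
		return nil, errors.New("public-key encryption or nonce generation failed")
	}
	// Data group = TextB || CipherB (CipherB is always pub.Size() bytes); InfoB = nonce || ciphertext.
	return TransferKey(salt, ts).Seal(nonce, nonce, append(textB, cipherB...), nil), nil
}

// Authenticate runs the server-side steps 1-8; nil means the request is accepted.
func (s Server) Authenticate(userID, url string, ts int64, infoB []byte) error {
	rec := s[userID] // steps 2-3: the record must exist and the key must be unexpired
	if rec == nil || !time.Now().Before(rec.ExpireTime) {
		return errors.New("unknown user or key expired")
	}
	if len(infoB) < 12 { // steps 4-5: rebuild KeyTransfer and decrypt InfoB
		return errors.New("malformed token")
	}
	group, err := TransferKey(rec.Salt, ts).Open(nil, infoB[:12], infoB[12:], nil)
	if err != nil || len(group) < rec.priv.Size() {
		return errors.New("decryption failed")
	}
	cut := len(group) - rec.priv.Size()
	hashB1 := sha256.Sum256(group[:cut]) // step 6: HashB' must equal HashB'' from the chip
	hashB2, err := chipDecrypt(rec, group[cut:])
	if err != nil || string(hashB1[:]) != string(hashB2) {
		return errors.New("hash mismatch")
	}
	// Step 7: user id, ExpireTime, Session id and Url must all match the server's view.
	f := strings.SplitN(string(group[:cut]), "|", 4)
	if len(f) != 4 || f[0] != userID || f[1] != rec.ExpireTime.UTC().Format(time.RFC3339) || !rec.Sessions[f[2]] || f[3] != url {
		return errors.New("field check failed")
	}
	return nil // step 8: authenticated
}

func main() {
	srv := Server{}
	pub, salt, expire := srv.Provision("admin", time.Hour) // "admin" and "sess-1" are constructed
	srv["admin"].Sessions["sess-1"] = true                  // step 1 of the user's procedure
	ts := time.Now().Unix()
	infoB, _ := ClientToken(pub, salt, "admin", expire, "sess-1", "/api/sensors", ts)
	fmt.Println("accepted:", srv.Authenticate("admin", "/api/sensors", ts, infoB) == nil)
}
```

Because KeyTransfer is derived from Salt plus the Timestamp that travels in the clear, the server can rebuild it for any request without storing per-request state, and the AEAD tag makes the step 5 "decryption failed" outcome a reliable signal rather than a guess from garbled plaintext; a token replayed under a different Url, a different Timestamp or a session the server no longer holds fails at step 5 or step 7.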

Claims (1)

1. A method for implementing enhanced security authentication for remote Web access in a BMC system, characterised in that it comprises the following steps:

Step one, generation and distribution of asymmetric keys, comprising the following specific steps:

① Use an asymmetric cryptosystem algorithm to generate a unique public/private key pair for each user; the user private key KeyPri is stored in the encryption/decryption chip on the server side of the BMC system, and the user public key KeyPub is kept by the user;

② The server assembles the user id, the user public key KeyPub, the key validity period and the random salt data Salt into the combined data TextA;

③ Store the user id, the key validity period and the salt data Salt on the server side of the BMC system, call the encryption function of the encryption/decryption chip, sign the above information with the user private key KeyPri stored in the chip to generate SignA, and hand TextA and SignA to the user for safekeeping;

After key distribution is complete, each user holds the user id, the user public key KeyPub and the signature SignA; the BMC server stores the user id, the key validity period and the salt data Salt, and the encryption/decryption chip of the BMC server stores the user private key KeyPri;

Step two, the user initiates authentication, comprising the following specific steps:

① The user sends a request to the BMC server to obtain the session id of the current session;

② The user's browser uses the user public key KeyPub and the signature SignA to verify the validity of TextA, that is, of the user id, the key validity period and the salt data Salt;

③ The user's browser assembles the user id, the key validity period, the session id and the path of the requested resource into the combined data TextB;

④ The user's browser computes a digest of the above data TextB with a digest algorithm, obtaining the digest HashB;

⑤ The user's browser encrypts HashB with the user public key KeyPub, obtaining CipherB;

⑥ The user's browser generates a timestamp Timestamp from the local time;

⑦ The user's browser combines the salt data Salt and the timestamp Timestamp to generate the transfer key KeyTransfer;

⑧ The user's browser encrypts the data group consisting of TextB and CipherB with the transfer key KeyTransfer, obtaining InfoB;

⑨ When the user's browser accesses a server-side resource, it sends the timestamp Timestamp and the ciphertext InfoB to the server as the authentication token, either as parameters or as header (Header) key-value pairs;

Step three, the server authenticates the user, comprising the following specific steps:

① The user's browser issues a resource access request to the server, sending the requested resource path, the timestamp Timestamp and InfoB;

② After receiving the user's access request, the server first checks whether the key validity period and the salt data Salt corresponding to that user exist;

③ If this information does not exist or the key validity period has expired, the authentication procedure is stopped and an error message refusing service is returned to the user;

④ If the key validity period has not expired, the server concatenates the user's salt data Salt with the timestamp Timestamp sent by the browser to obtain the transfer key KeyTransfer', and decrypts the InfoB sent by the user with KeyTransfer';

⑤ If decryption succeeds, the data group TextB', consisting of the user id, the key validity period, the session id and the requested resource path, and the encrypted information CipherB' are obtained; if decryption fails, an error message is returned to the browser and service is stopped;

⑥ The server applies the digest algorithm to TextB' to obtain the digest HashB', calls the decryption function of the encryption/decryption chip, and decrypts CipherB' with the user private key KeyPri stored inside the chip to obtain HashB''; if HashB' and HashB'' are not equal, verification fails, an error message is returned and service is stopped;

⑦ If the signature check passes, the server evaluates each of the following conditions; if any one of them is triggered, the server returns an error message to the user and stops service:

a) the user id obtained by decryption does not match the user id that issued the request;

b) the key validity period obtained by decryption does not match the key validity period stored on the server;

c) the session id obtained by decryption does not exist on the server or has expired;

d) the requested resource path obtained by decryption is not equal to the resource path of the user's current Web request;

⑧ If none of the above conditions is triggered, authentication passes and the server returns the requested resource to the user.
CN202211473916.XA 2022-11-22 2022-11-22 Method for realizing remote Web access enhanced security authentication in BMC system Withdrawn CN116132026A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211473916.XA CN116132026A (en) 2022-11-22 2022-11-22 Method for realizing remote Web access enhanced security authentication in BMC system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211473916.XA CN116132026A (en) 2022-11-22 2022-11-22 Method for realizing remote Web access enhanced security authentication in BMC system

Publications (1)

Publication Number Publication Date
CN116132026A true CN116132026A (en) 2023-05-16

Family

ID=86299810

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211473916.XA Withdrawn CN116132026A (en) 2022-11-22 2022-11-22 Method for realizing remote Web access enhanced security authentication in BMC system

Country Status (1)

Country Link
CN (1) CN116132026A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572076A (en) * 2016-09-27 2017-04-19 山东浪潮商用系统有限公司 Web service access method, client side and server side
CN110247762A (en) * 2019-06-20 2019-09-17 江西金格科技股份有限公司 A kind of reliable website building method based on SM9 algorithm
CN113872992A (en) * 2021-11-03 2021-12-31 管芯微技术(上海)有限公司 Method for realizing strong security authentication of remote Web access in BMC system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20230516)