CN104717223A - Data access method and device - Google Patents

Publication number
CN104717223A
Authority
CN
China
Prior art keywords
terminal equipment
access request
data
data access
certification
Legal status
Granted
Application number
CN201510138114.7A
Other languages
Chinese (zh)
Other versions
CN104717223B (en)
Inventor
尹智宇
尹家进
郑志光
Current Assignee
Beijing Xiaomi Technology Co Ltd
Xiaomi Inc
Original Assignee
Xiaomi Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a data access method and device for improving the level of protection applied to data access. In the method, when a data access request is received from a terminal device, the user ID corresponding to the data access request is authenticated; after the user ID passes authentication, the network location of the terminal device is authenticated; after the network location of the terminal device passes authentication, the device identifier of the terminal device is authenticated, and if the device identifier passes authentication, the terminal device is allowed to access the data corresponding to the data access request. The method and device can effectively prevent an attacker from accessing data with sensitive attributes and greatly improve the level of protection applied to data access.

Description

Data access method and device
Technical field
The present disclosure relates to the field of Internet technology, and in particular to a data access method and device.
Background
As competition in the Internet industry intensifies, information security problems become more severe. The sensitive data held by each enterprise (for example, a company's financial statements and management strategies) has also become a target for attackers. Sensitive data needs to be provided to specific people in the company and needs special protection so that attackers cannot obtain it. In the related art, when an attacker obtains a username and password that carry permission to access sensitive data, the attacker can identify a device with a proxy service inside the internal LAN of the company that owns the sensitive data. When accessing the sensitive data from outside, the attacker can send the access request to that device, which then sends the request for the sensitive data on to the server that stores it. In that case, the server considers the access request to come from the internal LAN and allows the attacker to access the sensitive data, so the attack on the sensitive data succeeds.
Summary of the invention
To overcome the problems in the related art, embodiments of the present disclosure provide a data access method and device to improve the level of protection when data is accessed.
According to a first aspect of the embodiments of the present disclosure, a data access method applied on a server is provided, comprising:
When a data access request is received from a terminal device, authenticating the user ID corresponding to the data access request;
After the user ID passes authentication, authenticating the network location of the terminal device;
After the network location of the terminal device passes authentication, authenticating the device identifier of the terminal device, and if the device identifier passes authentication, allowing the terminal device to access the data corresponding to the data access request.
In one embodiment, authenticating the user ID of the data access request may comprise:
Determining a user permission list according to the data access request, the user permission list comprising multiple user IDs and the different access permissions corresponding to those user IDs;
Determining whether the user ID is present among the multiple user IDs;
If the user ID is present, determining whether the user ID has permission to access the data corresponding to the data access request;
If the user ID is not present, raising a security alert for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, authenticating the network location of the terminal device may comprise:
Determining the network IP address of the terminal device;
Determining whether the network IP address is an IP address in the LAN where the server is located;
If it is an IP address in the LAN, determining that the terminal device passes location authentication;
If it is not an IP address in the LAN, raising a security alert for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, authenticating the device identifier of the terminal device may comprise:
Determining whether the device identifier of the terminal device is in a device registry;
If the device identifier is in the device registry, determining that the device identifier of the terminal device passes authentication;
If the device identifier is not in the device registry, raising a security alert for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, determining whether the device identifier of the terminal device is in the device registry may comprise:
Determining the identifier type of the device identifier of the terminal device;
If the identifier type is a Media Access Control (MAC) address, determining whether the MAC address is present in a first list in the device registry;
If the identifier type is an International Mobile Equipment Identity (IMEI), determining whether the IMEI is present in a second list in the device registry.
In one embodiment, the method may further comprise:
When the terminal device joins the LAN where the server is located, allocating a LAN address to the terminal device;
Binding the LAN address to the device identifier of the terminal device.
In one embodiment, the method may further comprise:
Identifying the data that the data access request accesses, and when the data accessed by the data access request is determined to be sensitive data, performing the step of authenticating the user ID corresponding to the data access request.
According to a second aspect of the embodiments of the present disclosure, a data access device applied on a server is provided, comprising:
A first authentication module, configured to authenticate the user ID corresponding to a data access request when the data access request is received from a terminal device;
A second authentication module, configured to authenticate the network location of the terminal device after the first authentication module has authenticated the user ID successfully;
A third authentication module, configured to authenticate the device identifier of the terminal device after the second authentication module has authenticated the network location of the terminal device successfully, and, if the device identifier passes authentication, to allow the terminal device to access the data corresponding to the data access request.
In one embodiment, the first authentication module may comprise:
A first determination submodule, configured to determine a user permission list according to the data access request, the user permission list comprising multiple user IDs and the different access permissions corresponding to those user IDs;
A second determination submodule, configured to determine whether the user ID is present among the multiple user IDs determined by the first determination submodule;
A third determination submodule, configured to determine, if the second determination submodule determines that the user ID is present, that the user ID has permission to access the data corresponding to the data access request;
A first alert submodule, configured to raise a security alert for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the second determination submodule determines that the user ID is not present.
In one embodiment, the second authentication module may comprise:
A fourth determination submodule, configured to determine the network IP address of the terminal device;
A fifth determination submodule, configured to determine whether the network IP address determined by the fourth determination submodule is an IP address in the LAN where the server is located;
A sixth determination submodule, configured to determine that the terminal device passes location authentication if the fifth determination submodule determines that the network IP address is an IP address in the LAN;
A second alert submodule, configured to raise a security alert for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the fifth determination submodule determines that the network IP address is not an IP address in the LAN.
In one embodiment, the third authentication module may comprise:
A seventh determination submodule, configured to determine whether the device identifier of the terminal device is in a device registry;
An eighth determination submodule, configured to determine that the device identifier of the terminal device passes authentication if the seventh determination submodule determines that the device identifier is in the device registry;
A third alert submodule, configured to raise a security alert for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the seventh determination submodule determines that the device identifier is not in the device registry.
In one embodiment, the seventh determination submodule may comprise:
A ninth determination submodule, configured to determine the identifier type of the device identifier of the terminal device;
A tenth determination submodule, configured to determine whether the MAC address is present in a first list in the device registry if the ninth determination submodule determines that the identifier type is a Media Access Control (MAC) address;
An eleventh determination submodule, configured to determine whether the IMEI is present in a second list in the device registry if the ninth determination submodule determines that the identifier type is an International Mobile Equipment Identity (IMEI).
In one embodiment, the device may further comprise:
An address allocation module, configured to allocate a LAN address to the terminal device when the terminal device joins the LAN where the server is located;
An address binding module, configured to bind the LAN address to the device identifier of the terminal device.
In one embodiment, the device may further comprise:
A data identification module, configured to identify the data that the data access request accesses; when the data accessed by the data access request is determined to be sensitive data, the first authentication module performs the step of authenticating the user ID corresponding to the data access request.
According to a third aspect of the embodiments of the present disclosure, a data access device is provided, comprising:
A processor;
A memory for storing instructions executable by the processor;
Wherein the processor is configured to:
When a data access request is received from a terminal device, authenticate the user ID corresponding to the data access request;
After the user ID passes authentication, authenticate the network location of the terminal device;
After the network location of the terminal device passes authentication, authenticate the device identifier of the terminal device, and if the device identifier passes authentication, allow the terminal device to access the data corresponding to the data access request.
The technical solution provided by the embodiments of the present disclosure can have the following beneficial effects: the user ID of the data access request from the terminal device, the network location of the terminal device and the device identifier of the terminal device are each authenticated, and only after all three authentications pass is the terminal device allowed to access the data corresponding to the data access request. This can effectively stop an attacker from accessing the data corresponding to the data access request and greatly improves the level of protection when data is accessed.
It should be understood that the general description above and the detailed description below are only exemplary and explanatory and do not limit the present disclosure.
Brief description of the drawings
The accompanying drawings are incorporated into and form part of this specification, show embodiments consistent with the invention, and together with the specification serve to explain the principles of the invention.
Fig. 1 is a flow chart of the data access method according to an exemplary embodiment.
Fig. 2 is a flow chart of the data access method according to exemplary embodiment one.
Fig. 3A is a flow chart of the data access method according to exemplary embodiment two.
Fig. 3B is a flow chart of step S304 according to exemplary embodiment two.
Fig. 4 is a flow chart of the data access method according to exemplary embodiment three.
Fig. 5 is a block diagram of a data access device according to an exemplary embodiment.
Fig. 6A is a block diagram of another data access device according to an exemplary embodiment.
Fig. 6B is a block diagram of the seventh determination submodule according to an exemplary embodiment.
Fig. 7 is a block diagram of yet another data access device according to an exemplary embodiment.
Fig. 8 is a block diagram of a device suitable for data access according to an exemplary embodiment.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the invention. Rather, they are merely examples of devices and methods consistent with some aspects of the invention as detailed in the appended claims.
Fig. 1 is a flow chart of the data access method according to an exemplary embodiment. The data access method can be applied on a server and, as shown in Fig. 1, comprises the following steps S101-S103:
In step S101, when a data access request is received from a terminal device, the user ID corresponding to the data access request is authenticated.
In one embodiment, the data stored on the server can be given different access permissions for different users. For example, the enterprise's finance staff can access the financial statements on the server, the enterprise's sales staff can access the sales data on the server, and the enterprise's senior executives can access both the financial statements and the sales data on the server. That is, data access requests can differ according to the user ID. In one embodiment, different user permissions can be represented by the user ID, and authenticating the user ID makes it possible to further determine whether this user ID can access the data requested by the data access request. Those skilled in the art will appreciate that the data stored on the server for which access permissions are set can be called sensitive data.
In step S102, after the user ID passes authentication, the network location of the terminal device is authenticated.
In one embodiment, the network location of the terminal device can be parsed from the data access request. In one embodiment, the network location can be the network IP address of the terminal device, and the network location of the terminal device is determined by checking whether this network IP address is an IP address in the LAN where the server is located.
In step S103, after the network location of the terminal device passes authentication, the device identifier of the terminal device is authenticated, and if the device identifier passes authentication, the terminal device is allowed to access the data corresponding to the data access request.
In one embodiment, the device identifiers of terminal devices can be recorded in a device registry. In one embodiment, the device registry can contain both a list of Media Access Control (MAC) addresses and a list of International Mobile Equipment Identity (IMEI) numbers. Those skilled in the art will appreciate that the MAC address and IMEI are only examples of a terminal device's device identifier; the present disclosure does not limit the specific name of the device identifier, as long as the device identifier can distinguish the identity of the terminal device. Correspondingly, the terminal device can be either a PC device or a mobile device.
In this embodiment, the user ID of the data access request from the terminal device, the network location of the terminal device and the device identifier of the terminal device are each authenticated, and only after all three authentications pass is the terminal device allowed to access the data corresponding to the data access request. This covers three situations: the attacker has stolen a user ID and password that carry permission to access sensitive data; the attacker has stolen such a user ID and password and uses a device in the server's LAN to set up a proxy service in an attempt to access the sensitive data; or the attacker has stolen not only such a user ID and password but also a terminal device with access permission. In these three situations the attacker can be effectively stopped from accessing the data corresponding to the data access request, which greatly improves the level of protection when data is accessed.
In one embodiment, authenticating the user ID of the data access request may comprise:
Determining a user permission list according to the data access request, the user permission list comprising multiple user IDs and the different access permissions corresponding to those user IDs;
Determining whether the user ID is present among the multiple user IDs;
If the user ID is present, determining that the user ID has permission to access the data corresponding to this data access request;
If the user ID is not present, raising a security alert for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, authenticating the network location of the terminal device may comprise:
Determining the network IP address of the terminal device;
Determining whether the network IP address is an IP address in the LAN where the server is located;
If it is an IP address in the LAN, determining that the terminal device passes location authentication;
If it is not an IP address in the LAN, raising a security alert for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, authenticating the device identifier of the terminal device may comprise:
Determining whether the device identifier of the terminal device is in the device registry;
If the device identifier is in the device registry, determining that the device identifier of the terminal device passes authentication;
If the device identifier is not in the device registry, raising a security alert for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, determining whether the device identifier of the terminal device is in the device registry may comprise:
Determining the identifier type of the device identifier of the terminal device;
If the identifier type is a Media Access Control (MAC) address, determining whether the MAC address is present in the first list in the device registry;
If the identifier type is an International Mobile Equipment Identity (IMEI), determining whether the IMEI is present in the second list in the device registry.
In one embodiment, the method may further comprise:
When the terminal device joins the LAN where the server is located, allocating a LAN address to the terminal device;
Binding the LAN address to the device identifier of the terminal device.
In one embodiment, the method may further comprise:
Identifying the data that the data access request accesses, and when the data accessed by the data access request is determined to be sensitive data, performing the step of authenticating the user ID corresponding to the data access request.
For how data is specifically protected when it is accessed, refer to the subsequent embodiments.
Thus, the above method provided by the embodiments of the present disclosure can effectively stop an attacker from accessing data with sensitive attributes and greatly improves the level of protection when data is accessed.
The technical solution provided by the embodiments of the present disclosure is described below with specific embodiments.
Fig. 2 is a flow chart of the data access method according to exemplary embodiment one. This embodiment uses the above method provided by the embodiments of the present disclosure and illustrates how the user ID and the network location of the terminal device are authenticated. As shown in Fig. 2, it comprises the following steps:
In step S201, when a data access request is received from a terminal device, a user permission list is determined according to the data access request; the user permission list comprises multiple user IDs and the different access permissions corresponding to those user IDs.
In one embodiment, the user permission list records the access permissions of different user IDs. For example, in the user permission list, user Boby may access the sales data on the server, user Tony may access the financial statements on the server, and user Simon may access both the sales data and the financial statements on the server.
In step S202, it is determined whether the user ID is present among the multiple user IDs. If the user ID is present, step S203 is performed; if the user ID is not present, step S209 is performed.
For example, if user Sunny sends a data access request for the sales data to the server through a terminal device, a query of the user permission list determines that user Sunny is not in the user permission list. If user Boby sends a data access request for the financial statements to the server through a terminal device, a query of the user permission list determines that user Boby is in the user permission list.
In step S203, if the user ID is present, it is determined whether the user ID has permission to access the data corresponding to this data access request. If it has permission to access that data, step S204 is performed; if it does not, step S209 is performed.
For example, although user Boby is in the user permission list, Boby only has permission to access the sales data and therefore does not have permission to access the financial statements.
In step S204, the network IP address of the terminal device is determined.
In one embodiment, when the terminal device joins the LAN where the server is located, an IP address in the LAN can be allocated to the terminal device, and the terminal device and the IP address allocated to it can be recorded.
In step S205, it is determined whether the network IP address is an IP address in the LAN where the server is located. If it is an IP address in the LAN, step S206 is performed; if it is not, step S209 is performed.
In step S206, if it is an IP address in the LAN, it is determined that the terminal device passes location authentication.
In step S207, after the network location of the terminal device passes authentication, it is determined whether the device identifier of the terminal device passes authentication. If the device identifier passes authentication, step S208 is performed; if it does not, step S209 is performed.
In one embodiment, if the terminal device is a PC, portable computer or tablet computer, the device identifier can be a MAC address. In another embodiment, if the terminal device is a mobile device, the device identifier can be an IMEI.
In step S208, the terminal device is allowed to access the data corresponding to the data access request, and the flow ends.
In step S209, a security alert is raised for the data access request, and the terminal device is forbidden from accessing the data corresponding to the data access request.
In one embodiment, when at least one of the user ID, device location and device identifier authentications fails, an alert can be raised with the relevant information for this data access request, such as the associated user ID, the network address where the terminal device is currently located and the device identifier of the terminal device. For example, this information is sent to the responsible organization so that the anomaly can be monitored.
In this embodiment, the user permission list is used to determine that the user ID has permission to access the data corresponding to this data access request, the network IP address is determined to be an IP address in the LAN where the server is located, and the device identifier of the terminal device is determined to have access permission. This guarantees that data access requires the following conditions: the user of the terminal device has access permission, the terminal device is connected to the LAN where the server is located, and the terminal device itself also has permission to access the data. In this case the attacker is fully prevented from accessing the data corresponding to the data access request, which greatly improves the level of protection when data is accessed.
Fig. 3 A is the flow chart of the data access method according to an exemplary embodiment two, and Fig. 3 B is the flow chart of the step S304 according to an exemplary embodiment two; The said method that the present embodiment utilizes disclosure embodiment to provide, carries out exemplary illustration how to carry out certification to the device identification of terminal equipment, as shown in Figure 3A, comprises the steps:
In step S301, when a data access request is received from a terminal device, the data accessed by the data access request is identified.
In one embodiment, the data stored on the server can be divided into non-sensitive data and sensitive data, and the sensitive data is marked. When a user attempts to access data on the server, if the data being accessed is marked as sensitive, the user ID, the network location and the device identifier must be authenticated according to the present disclosure.
In step S302, when the data accessed by the data access request is determined to be sensitive data, the user permission of the user ID corresponding to the data access request is authenticated.
For the description of step S302, refer to the description of step S101 above; it is not repeated here.
In step S303, after the user ID authentication passes, the network location of the terminal device is authenticated.
For the description of step S303, refer to the description of step S102 above; it is not repeated here.
In step S304, it is determined whether the device identifier of the terminal device is in the device registry; if it is in the device registry, step S305 is performed, and if it is not in the device registry, step S306 is performed.
For the description of step S304, refer to the description of the embodiment shown in Fig. 3B below; it is not detailed here.
In step S305, if the device identifier is in the device registry, the device identifier authentication of the terminal device is determined to have passed, and the terminal device is allowed to access the data corresponding to the data access request.
In step S306, if the device identifier is not in the device registry, a security prompt is issued for the data access request, and the terminal device is forbidden from accessing the data corresponding to the data access request.
For the description of step S306, refer to the description of step S208 above; it is not repeated here.
Fig. 3B is a flowchart of step S304 in one embodiment. As shown in Fig. 3B, the step comprises the following steps:
In step S311, the identifier type of the device identifier of the terminal device is determined; if the identifier type is a MAC address, step S312 is performed, and if the identifier type is an IMEI, step S313 is performed.
In step S312, if the identifier type is a MAC address, it is determined whether the MAC address exists in the first list in the device registry.
In step S313, if the identifier type is an IMEI, it is determined whether the IMEI exists in the second list in the device registry.
In one embodiment, the first list can record the MAC addresses of the PC devices registered in the LAN where the server is located, and the second list can record the IMEIs of the mobile devices registered in the LAN where the server is located. If the MAC address of a terminal device is deleted from the first list, that terminal device is forbidden from accessing the data on the server.
Those skilled in the art will understand that the first list and the second list serve only to distinguish the device identifiers of different types of terminal devices; the ordinals "first" and "second" do not limit the present disclosure. In addition, the MAC address and the IMEI described above are only examples of the device identifier of a terminal device and do not limit the present disclosure; any address information that can represent the device identifier of a terminal device is covered by the embodiments of the present disclosure.
In this embodiment, determining the identifier type of the device identifier of the terminal device makes it possible to authenticate the device identifiers of various different types of terminal devices. This both allows more types of terminal devices to access the data on the server and effectively prevents an attacker from accessing the data corresponding to the data access request, greatly improving the level of protection when data is accessed.
Fig. 4 is a flowchart of the data access method according to exemplary embodiment three. This embodiment uses the above method provided by the embodiments of the present disclosure to illustrate how the network IP address is bound to the device identifier of the terminal device. As shown in Fig. 4, the method comprises the following steps:
In step S401, when the terminal device joins the LAN where the server is located, a LAN address is allocated to the terminal device.
In step S402, the LAN address is bound to the device identifier of the terminal device.
Taking a MAC address as the device identifier as an example, the LAN where the server is located can use the Dynamic Host Configuration Protocol (DHCP) to allocate a LAN address (for example, an IP address in the LAN) to each terminal device that joins the network, and record which terminal device each IP address in the LAN has been allocated to, so that a binding relationship exists between the IP address in the LAN and the MAC address of the terminal device. Once the user has passed location authentication, the IP address in the LAN can be used to determine whether the MAC address of the terminal device exists.
In this embodiment, the LAN address is bound to the device identifier of the terminal device. When an attacker attempts to access the data on the server from the public Internet, or even when the attacker accesses the data on the server through the company's internal network, the attacker still has no right to access the sensitive data on the server if the terminal device the attacker uses is not bound to its IP address, which greatly improves the level of protection when data is accessed.
In summary, the embodiments of the present disclosure can effectively prevent the following attacks on the sensitive data on the server:
First, the attacker has stolen a user ID with access rights and the corresponding password, and attempts to access the sensitive data on the server over the public Internet using that user ID and password. In this case, because the present disclosure requires location authentication of the terminal device the attacker uses, and that terminal device is not in the LAN where the server is located, the attacker cannot access the sensitive data on the server;
Second, the attacker has stolen a user ID with access rights and the corresponding password, sets up a proxy service through a device in the LAN where the server is located, and attempts to access the sensitive data on the server. In this case, because the present disclosure requires device identifier authentication of the attacker's terminal device, and the terminal device the attacker uses does not pass the device authentication of the present disclosure, the attacker cannot access the sensitive data on the server, which achieves the goal of protecting the data on the server from theft.
Third, the attacker has stolen not only a user ID with access rights and the corresponding password but also a terminal device whose device identifier has access rights. In this case, if the attacker accesses the sensitive data on the server from the public Internet, the device location authentication of the embodiments of the present disclosure cannot be passed, so the attacker cannot access the sensitive data on the server.
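The following Python example is added here as an illustration and is not taken from the patent. It chains the checks of embodiments two and three (sensitivity label, user permission list, LAN membership, typed device registry, IP-to-identifier binding) and is exercised against the three scenarios above. All names, addresses and identifiers are constructed; serving non-sensitive data without the three checks, and comparing a request-supplied device identifier with the binding, are assumptions about details the text leaves open.

```python
import ipaddress
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
IMEI_RE = re.compile(r"\d{15}")


def classify_identifier(raw):
    """Step S311: return (type, normalized value); type is 'mac', 'imei' or None."""
    value = raw.strip().lower().replace("-", ":")
    if MAC_RE.fullmatch(value):
        return "mac", value
    if IMEI_RE.fullmatch(value):
        return "imei", value
    return None, value


@dataclass
class Request:
    user_id: str
    resource: str
    src_ip: str
    device_id: str


@dataclass
class AccessServer:
    lan: ipaddress.IPv4Network                     # LAN where the server is located
    user_rights: dict                              # user ID -> set of readable resources
    sensitive: set                                 # resources marked as sensitive
    mac_list: set = field(default_factory=set)     # "first list": registered PCs
    imei_list: set = field(default_factory=set)    # "second list": registered mobiles
    bindings: dict = field(default_factory=dict)   # LAN IP -> bound device identifier
    alerts: list = field(default_factory=list)     # security prompts that were raised

    def register(self, device_id):
        """Add a device to the list that matches its identifier type."""
        id_type, dev = classify_identifier(device_id)
        if id_type == "mac":
            self.mac_list.add(dev)
        elif id_type == "imei":
            self.imei_list.add(dev)
        else:
            raise ValueError("unsupported identifier type")
        return id_type

    def bind(self, ip, device_id):
        """Steps S401/S402: record which device a LAN address was allocated to."""
        addr = ipaddress.ip_address(ip)
        if addr not in self.lan:
            raise ValueError("address is outside the server LAN")
        self.bindings[addr] = classify_identifier(device_id)[1]

    def _deny(self, req, stage):
        self.alerts.append((stage, req.user_id, req.src_ip))
        return False, stage

    def authorize(self, req):
        """Return (allowed, stage); stage names the check that decided the outcome."""
        if req.resource not in self.sensitive:      # assumption: no checks needed
            return True, "not-sensitive"
        if req.resource not in self.user_rights.get(req.user_id, set()):
            return self._deny(req, "user")
        try:
            addr = ipaddress.ip_address(req.src_ip)
        except ValueError:
            return self._deny(req, "location")
        if addr not in self.lan:
            return self._deny(req, "location")
        id_type, dev = classify_identifier(req.device_id)
        registry = {"mac": self.mac_list, "imei": self.imei_list}.get(id_type, set())
        if dev not in registry or self.bindings.get(addr) != dev:
            return self._deny(req, "device")
        return True, "granted"


def demo_server():
    """Constructed sample data: one user, one sensitive resource, three LAN hosts."""
    srv = AccessServer(
        lan=ipaddress.ip_network("10.20.0.0/24"),
        user_rights={"alice": {"payroll.db"}},
        sensitive={"payroll.db"},
    )
    srv.register("AA-BB-CC-00-11-22")             # registered PC
    srv.register("490154203237518")               # registered mobile device
    srv.bind("10.20.0.15", "aa:bb:cc:00:11:22")
    srv.bind("10.20.0.31", "490154203237518")
    srv.bind("10.20.0.77", "de:ad:be:ef:00:01")   # on the LAN but not registered
    return srv


if __name__ == "__main__":
    srv = demo_server()
    for ip, dev in [("10.20.0.15", "aa:bb:cc:00:11:22"),
                    ("203.0.113.9", "aa:bb:cc:00:11:22"),
                    ("10.20.0.77", "de:ad:be:ef:00:01")]:
        print(ip, dev, srv.authorize(Request("alice", "payroll.db", ip, dev)))
```

Because the bound identifier is looked up server-side from the source address, a registered identifier presented from an address that was allocated to a different device is rejected at the device stage.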
Fig. 5 is a block diagram of a data access apparatus according to an exemplary embodiment. As shown in Fig. 5, the data access apparatus comprises:
First authentication module 51, configured to authenticate the user permission of the user ID corresponding to a data access request when the data access request is received from a terminal device;
Second authentication module 52, configured to authenticate the network location of the terminal device after the first authentication module 51 has passed the user ID authentication;
Third authentication module 53, configured to authenticate the device identifier of the terminal device after the second authentication module 52 has passed the network location authentication of the terminal device and, if the device identifier authentication passes, to allow the terminal device to access the data corresponding to the data access request.
Fig. 6A is a block diagram of another data access apparatus according to an exemplary embodiment. On the basis of the embodiment shown in Fig. 5 above, the first authentication module 51 may comprise:
First determination submodule 511, configured to determine the user permission list according to the data access request, the user permission list comprising multiple user IDs and multiple different access rights corresponding to the multiple user IDs;
Second determination submodule 512, configured to determine whether the user ID exists among the multiple user IDs determined by the first determination submodule 511;
Third determination submodule 513, configured to determine the access rights corresponding to the user ID if the second determination submodule 512 determines that the user ID exists;
First prompt submodule 514, configured to issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the second determination submodule 512 determines that the user ID does not exist.
In one embodiment, the second authentication module 52 may comprise:
Fourth determination submodule 521, configured to determine the network IP address of the terminal device;
Fifth determination submodule 522, configured to determine whether the network IP address determined by the fourth determination submodule 521 is an IP address in the LAN where the server is located;
Sixth determination submodule 523, configured to determine that the location authentication of the terminal device has passed if the fifth determination submodule 522 determines that the network IP address is an IP address in the LAN;
Second prompt submodule 524, configured to issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the fifth determination submodule 522 determines that the network IP address is not an IP address in the LAN.
In one embodiment, the third authentication module 53 may comprise:
Seventh determination submodule 531, configured to determine whether the device identifier of the terminal device is in the device registry;
Eighth determination submodule 532, configured to determine that the device identifier authentication of the terminal device has passed if the seventh determination submodule 531 determines that the device identifier is in the device registry;
Third prompt submodule 533, configured to issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the seventh determination submodule 531 determines that the device identifier is not in the device registry.
As shown in Fig. 6B, in one embodiment, the seventh determination submodule 531 may comprise:
Ninth determination submodule 5311, configured to determine the identifier type of the device identifier of the terminal device;
Tenth determination submodule 5312, configured to determine whether the MAC address exists in the first list in the device registry if the ninth determination submodule 5311 determines that the identifier type is a media access control (MAC) address;
Eleventh determination submodule 5313, configured to determine whether the IMEI exists in the second list in the device registry if the ninth determination submodule 5311 determines that the identifier type is an International Mobile Equipment Identity (IMEI).
Fig. 7 is a block diagram of yet another data access apparatus according to an exemplary embodiment. On the basis of the embodiments shown in Fig. 5 or Fig. 6 above, the apparatus may further comprise:
Address assignment module 54, configured to allocate a LAN address to the terminal device when the terminal device joins the LAN where the server is located;
Address binding module 55, configured to bind the LAN address allocated by the address assignment module 54 to the device identifier of the terminal device.
In one embodiment, the apparatus may further comprise:
Data identification module 56, configured to identify the data accessed by the data access request; when the data accessed by the data access request is determined to be sensitive data, the first authentication module 51 performs the step taken on receiving the data access request from the terminal device.
Regarding the apparatus in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method and is not elaborated here.
Fig. 8 is a block diagram of a device suitable for controlling an indicator light arranged on a smart device, according to an exemplary embodiment. For example, device 800 may be provided as a smartphone or tablet computer. Referring to Fig. 8, device 800 comprises a processing component 822, which further comprises one or more processors, and memory resources represented by memory 832 for storing instructions executable by the processing component 822, such as application programs. The application programs stored in memory 832 may include one or more modules, each corresponding to a set of instructions. In addition, the processing component 822 is configured to execute the instructions so as to perform the data access method described above.
Device 800 may also comprise a power supply component 828 configured to perform power management of device 800, a wired or wireless network interface 850 configured to connect device 800 to a network, and an input/output (I/O) interface 858. Device 800 can operate based on an operating system stored in memory 832, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
Other embodiments of the present disclosure will readily occur to those skilled in the art after considering the specification and practicing the disclosure herein. This application is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed herein. The specification and embodiments are to be regarded as exemplary only, and the true scope and spirit of the present disclosure are indicated by the claims below.
It should be understood that the present disclosure is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes can be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.

Claims (15)

1. A data access method, applied on a server, characterized in that the method comprises:
When a data access request is received from a terminal device, authenticating the user ID corresponding to the data access request;
After the user ID authentication passes, authenticating the network location of the terminal device;
After the network location authentication of the terminal device passes, authenticating the device identifier of the terminal device and, if the device identifier authentication passes, allowing the terminal device to access the data corresponding to the data access request.
2. The method according to claim 1, characterized in that authenticating the user ID of the data access request comprises:
Determining a user permission list according to the data access request, the user permission list comprising multiple user IDs and multiple different access rights corresponding to the multiple user IDs;
Determining whether the user ID exists among the multiple user IDs;
If the user ID exists, determining that the user ID has permission to access the data corresponding to the data access request;
If the user ID does not exist, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
3. The method according to claim 1, characterized in that authenticating the network location of the terminal device comprises:
Determining the network IP address of the terminal device;
Determining whether the network IP address is an IP address in the LAN where the server is located;
If it is an IP address in the LAN, determining that the terminal device passes location authentication;
If it is not an IP address in the LAN, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
4. The method according to claim 1, characterized in that authenticating the device identifier of the terminal device comprises:
Determining whether the device identifier of the terminal device is in a device registry;
If the device identifier is in the device registry, determining that the device identifier authentication of the terminal device passes;
If the device identifier is not in the device registry, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
5. The method according to claim 4, characterized in that determining whether the device identifier of the terminal device is in the device registry comprises:
Determining the identifier type of the device identifier of the terminal device;
If the identifier type is a media access control (MAC) address, determining whether the MAC address exists in the first list in the device registry;
If the identifier type is an International Mobile Equipment Identity (IMEI), determining whether the IMEI exists in the second list in the device registry.
6. The method according to claim 1, characterized in that the method further comprises:
When the terminal device joins the LAN where the server is located, allocating a LAN address to the terminal device;
Binding the LAN address to the device identifier of the terminal device.
7. The method according to claim 1, characterized in that the method further comprises:
Identifying the data that the data access request asks to access and, when the data accessed by the data access request is determined to be sensitive data, performing the step of authenticating the user ID corresponding to the data access request.
8. A data access apparatus, applied on a server, characterized in that the apparatus comprises:
A first authentication module, configured to authenticate the user ID corresponding to a data access request when the data access request is received from a terminal device;
A second authentication module, configured to authenticate the network location of the terminal device after the first authentication module has passed the user ID authentication;
A third authentication module, configured to authenticate the device identifier of the terminal device after the second authentication module has passed the network location authentication of the terminal device and, if the device identifier authentication passes, to allow the terminal device to access the data corresponding to the data access request.
9. The apparatus according to claim 8, characterized in that the first authentication module comprises:
A first determination submodule, configured to determine a user permission list according to the data access request, the user permission list comprising multiple user IDs and multiple different access rights corresponding to the multiple user IDs;
A second determination submodule, configured to determine whether the user ID exists among the multiple user IDs determined by the first determination submodule;
A third determination submodule, configured to determine that the user ID has permission to access the data corresponding to the data access request if the second determination submodule determines that the user ID exists;
A first prompt submodule, configured to issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the second determination submodule determines that the user ID does not exist.
10. The apparatus according to claim 8, characterized in that the second authentication module comprises:
A fourth determination submodule, configured to determine the network IP address of the terminal device;
A fifth determination submodule, configured to determine whether the network IP address determined by the fourth determination submodule is an IP address in the LAN where the server is located;
A sixth determination submodule, configured to determine that the location authentication of the terminal device has passed if the fifth determination submodule determines that the network IP address is an IP address in the LAN;
A second prompt submodule, configured to issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the fifth determination submodule determines that the network IP address is not an IP address in the LAN.
11. The apparatus according to claim 8, characterized in that the third authentication module comprises:
A seventh determination submodule, configured to determine whether the device identifier of the terminal device is in a device registry;
An eighth determination submodule, configured to determine that the device identifier authentication of the terminal device has passed if the seventh determination submodule determines that the device identifier is in the device registry;
A third prompt submodule, configured to issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request if the seventh determination submodule determines that the device identifier is not in the device registry.
12. The apparatus according to claim 11, characterized in that the seventh determination submodule comprises:
A ninth determination submodule, configured to determine the identifier type of the device identifier of the terminal device;
A tenth determination submodule, configured to determine whether the MAC address exists in the first list in the device registry if the ninth determination submodule determines that the identifier type is a media access control (MAC) address;
An eleventh determination submodule, configured to determine whether the IMEI exists in the second list in the device registry if the ninth determination submodule determines that the identifier type is an International Mobile Equipment Identity (IMEI).
13. The apparatus according to claim 8, characterized in that the apparatus further comprises:
An address assignment module, configured to allocate a LAN address to the terminal device when the terminal device joins the LAN where the server is located;
An address binding module, configured to bind the LAN address to the device identifier of the terminal device.
14. The apparatus according to claim 8, characterized in that the apparatus further comprises:
A data identification module, configured to identify the data accessed by the data access request; when the data accessed by the data access request is determined to be sensitive data, the first authentication module performs the step of authenticating the user ID corresponding to the data access request.
15. A data access apparatus, characterized in that the apparatus comprises:
A processor;
A memory for storing processor-executable instructions;
Wherein the processor is configured to:
When a data access request is received from a terminal device, authenticate the user ID corresponding to the data access request;
After the user ID authentication passes, authenticate the network location of the terminal device;
After the network location authentication of the terminal device passes, authenticate the device identifier of the terminal device and, if the device identifier authentication passes, allow the terminal device to access the data corresponding to the data access request.
CN201510138114.7A 2015-03-26 2015-03-26 Data access method and device Active CN104717223B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510138114.7A CN104717223B (en) 2015-03-26 2015-03-26 Data access method and device

Publications (2)

Publication Number Publication Date
CN104717223A true CN104717223A (en) 2015-06-17
CN104717223B CN104717223B (en) 2018-05-08

Family

ID=53416184

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510138114.7A Active CN104717223B (en) 2015-03-26 2015-03-26 Data access method and device

Country Status (1)

Country Link
CN (1) CN104717223B (en)

CN104683336B (en) A kind of Android private data guard method and system based on security domain
Lee et al. An empirical study of wireless carrier authentication for SIM swaps
US11856015B2 (en) Anomalous action security assessor
US10028147B1 (en) Dynamic defenses to secure a proximity-based communication system of linked wireless-enabled devices
US11824850B2 (en) Systems and methods for securing login access
Chung et al. 2TAC: Distributed access control architecture for "Bring Your Own Device" security
JP2014527767A (en) Network identifier location determination system and method
US20130047210A1 (en) Systems and Methods for Providing Security When Accessing a User Account of a Browser-Based Communications Application
CN105162763A (en) Method and device for processing communication data
KR20110002947A (en) Network access control system using install information of mandatory program and method thereof
Kobezak et al. Host inventory controls and systems survey: evaluating the cis critical security control one in higher education networks
KR101467228B1 (en) Method for preventing outflow file and device thereof
US20140096211A1 (en) Secure identification of intranet network
HARRIS et al. Mobile Device Security Issues Within the US Disadvantaged Business Enterprise Program.
US20130055393A1 (en) Method and apparatus for enhancing privacy of contact information in profile
Kao et al. Managing bring your own device services in campus wireless networks
KR101314822B1 (en) System and method for mobile office and recording medium
Yevseyeva et al. Addressing consumerization of IT risks with nudging
Mooney et al. Mobile Risks Demand C‐Suite Action!
Mansoor Intranet Security
Neira Securing Corporate Resources Using Identity Governance
Bolun et al. The infosecurity polygon concept
Brown et al. Analysis of the NIST Mobile Device Security Practice Guide’s Applicability to Australia

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant