CN107707528A - A kind of method and apparatus of user profile isolation - Google Patents

A kind of method and apparatus of user profile isolation Download PDF

Info

Publication number
CN107707528A
CN107707528A CN201710784930.4A CN201710784930A CN107707528A CN 107707528 A CN107707528 A CN 107707528A CN 201710784930 A CN201710784930 A CN 201710784930A CN 107707528 A CN107707528 A CN 107707528A
Authority
CN
China
Prior art keywords
user
external system
key
built
external
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710784930.4A
Other languages
Chinese (zh)
Other versions
CN107707528B (en
Inventor
高启航
朱雪妍
袁建伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd, Beijing Jingdong Shangke Information Technology Co Ltd filed Critical Beijing Jingdong Century Trading Co Ltd
Priority to CN201710784930.4A priority Critical patent/CN107707528B/en
Publication of CN107707528A publication Critical patent/CN107707528A/en
Application granted granted Critical
Publication of CN107707528B publication Critical patent/CN107707528B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4547Network directories; Name-to-address mapping for personal communications, i.e. using a personal identifier
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of method and apparatus of user profile isolation, it is related to field of computer technology.One embodiment of this method includes:Built-in system determines that the external system in the solicited message identifies corresponding key in the case where receiving the solicited message that external system is sent;Solicited message is used for the outer logo corresponding to the external system that external system obtains the user in built-in system;Specified information is encrypted based on key for built-in system, to generate outer logo of the user in the external system;The outer logo of user is returned to external system by built-in system.The embodiment is by the way that the internal information of user and external information are isolated so that the business side of external system can not be cracked by the external information of user, while effectively user profile is isolated, improve the security reliability of encryption.

Description

A kind of method and apparatus of user profile isolation
Technical field
The present invention relates to field of computer technology, more particularly to the method and apparatus of a pair of user profile isolation.
Background technology
In internet product, each user can have a unique ID to be used for identity, and each ID can have sex, The information such as age, work.Such as the ID of many products is cell-phone number, each ID corresponds to the sex of user, the age, The information such as commodity are bought, if some external business Fang Xiang and some products cooperating use some user data of product, such as A Business side wants the information such as occupation, age of user, and B business sides want sex, the information such as commodity is often bought, in order to protect use The safety and privacy at family, it is impossible to directly the ID of user is opened to external business side, it is necessary to the ID of user be encrypted, by Portion's ID and external user ID are isolated.Simultaneously in order to which external business root can not be made according to ID completion user profile, equally Need to isolating without the ID of business side.
The existing method for being isolated the inside ID of user and exterior I D, mainly there are simple Hash mapping and encryption ID Mode:
1st, simple Hash mapping:The ID of inside is mapped as externally by hash function, such as MD2, MD4, MD5 scheduling algorithm ID, for external callers use;
2nd, ID is encrypted using AES:Internal ID is encrypted first using AES, then supplies outside industry again Business side uses.
In process of the present invention is realized, inventor has found that at least there are the following problems in the prior art:
Although simple Hash mapping realizes that simply confidentiality is too poor, when there are enough data external business side Hash algorithm can easily be cracked so as to obtain the real information of user;Although the ID of user is encrypted to a certain degree by AES On can improve the confidentiality of ID, once but AES leak, it is easy to cause the id information of all users to leak, and In order to isolate different business sides, it is necessary to which ID is encrypted using different algorithms, implementation process is complex, cost It is higher.Therefore, in the prior art when the information to user is isolated, have that encryption is not strong, process is complicated and easily The problem of security reliability difference such as divulge a secret.
The content of the invention
In view of this, the embodiment of the present invention provides a kind of method and apparatus of user profile isolation, can solve the problem that existing skill In art when the information to user is isolated the problem of existing security reliability difference.
To achieve the above object, a kind of one side according to embodiments of the present invention, there is provided side of user profile isolation Method.
A kind of method isolated to user profile of the embodiment of the present invention includes:Built-in system is preserved and multiple outsides The corresponding key of system banner, built-in system determine the request in the case where receiving the solicited message that external system is sent External system in information identifies corresponding key;Solicited message is used for the correspondence that external system obtains the user in built-in system In the outer logo of the external system;Specified information is encrypted based on key for built-in system, outer at this to generate user Outer logo in portion's system;The outer logo of user is returned to external system by built-in system.
Alternatively, user's mark in user internally system is included in the information specified of the embodiment of the present invention.
Alternatively, containment mapping identifier is gone back in the information specified of the embodiment of the present invention;Map in identifier comprising clothes The one or more being engaged in device network address, server processes number and server time stamp;Internally system is by outside user After the step of portion's mark returns to external system, in addition to:Identified according to the external system of external system and determine key, according to The key and being identified corresponding to the outer logo of the external system and the external system for user are decrypted to obtain mapping mark Know symbol.
Alternatively, random string is also included in the mapping identifier of the embodiment of the present invention;And the method for the present invention is also Including:Preserve the mapping table between the user's mark of random string and user internally in system;And solved After close the step of obtaining mapping identifier, in addition to:According to the random string in mapping identifier, in mapping table Inquire user mark of the user internally in system.
Alternatively, specified information is encrypted based on key for the built-in system of the embodiment of the present invention, to generate user The step of outer logo in the external system, includes:Based on key, specified information is entered using DEA DES Row one-time pad encryption, the data then obtained using coded system Base64 to the one-time pad encryption carry out secondary encryption to generate outside Mark.
To achieve the above object, a kind of another aspect according to embodiments of the present invention, there is provided dress of user profile isolation Put.
A kind of device isolated to user profile of the embodiment of the present invention includes:Determining module, for built-in system In the case where receiving the solicited message that external system is sent, determine that the external system mark in the solicited message is corresponding close Key;Solicited message is used for the outer logo corresponding to the external system that external system obtains the user in built-in system;Processing Module, specified information is encrypted based on key for built-in system, to generate outside of the user in the external system Mark;Module is returned, the outer logo of user is returned into external system for built-in system.
Alternatively, user's mark in user internally system is included in the information specified of the embodiment of the present invention.
Alternatively, containment mapping identifier is gone back in the information specified of the embodiment of the present invention;Map in identifier comprising clothes The one or more being engaged in device network address, server processes number and server time stamp;Processing module is additionally operable to:According to External system external system mark determine key, according to the key and the outer logo corresponding to the external system of user with And external system mark is decrypted to obtain mapping identifier.
Alternatively, random string is also included in the mapping identifier of the embodiment of the present invention;And device also includes preserving Module, it is used for:Preserve the mapping table between the user's mark of random string and user internally in system;And handle Module, it is additionally operable to:According to the random string in mapping identifier, user is inquired in mapping table internally in system User mark.
Alternatively, the processing module of the embodiment of the present invention is used for:Based on key, will be specified using DEA DES Information carry out one-time pad encryption, the data then obtained to the one-time pad encryption using coded system Base64 carry out secondary encryption with Generate outer logo.
To achieve the above object, a kind of another further aspect according to embodiments of the present invention, there is provided side of user profile isolation The electronic equipment of method.
The a kind of electronic equipment of the embodiment of the present invention includes:One or more processors;Storage device, for storing one Or multiple programs, when one or more of programs are by one or more of computing devices so that one or more of The method that processor realizes the user profile isolation of the embodiment of the present invention.
To achieve the above object, a kind of another aspect according to embodiments of the present invention, there is provided computer-readable medium.
A kind of computer-readable medium of the embodiment of the present invention, is stored thereon with computer program, and described program is processed Device realizes the user profile isolation of embodiment of the present invention method when performing.
One embodiment in foregoing invention has the following advantages that or beneficial effect:Because use utilizes and outer logo phase Specified information is encrypted the key answered, and then generates the technological means of the outer logo of user, so overcoming The technical problem of existing security reliability difference when isolating to the information of user, and then improve its security reliability Technique effect;By the way that the internal information of user and external information are isolated so that the business side of external system can not pass through The external information of user is cracked, and while effectively user profile is isolated, improves the safe and reliable of encryption Property.
Further effect adds hereinafter in conjunction with embodiment possessed by above-mentioned non-usual optional mode With explanation.
Brief description of the drawings
Accompanying drawing is used to more fully understand the present invention, does not form inappropriate limitation of the present invention.Wherein:
Fig. 1 is a kind of schematic diagram of the main flow of the method for user profile isolation according to embodiments of the present invention;
Fig. 2 is the method schematic diagram isolated according to the user profile of a specific embodiment of the invention;
Fig. 3 is the schematic flow sheet for the method isolated according to the user profile of a specific embodiment of the invention;
Fig. 4 is the schematic flow sheet for the method inquired about according to the user profile of another specific embodiment of the present invention;
Fig. 5 is the schematic diagram of the main modular of the device of user profile isolation according to embodiments of the present invention;
Fig. 6 is that the embodiment of the present invention can apply to exemplary system architecture figure therein;
Fig. 7 is adapted for the structural representation for realizing the terminal device of the embodiment of the present invention or the computer system of server Figure.
Embodiment
The one exemplary embodiment of the present invention is explained below in conjunction with accompanying drawing, including the various of the embodiment of the present invention Details should think them only exemplary to help understanding.Therefore, those of ordinary skill in the art should recognize Arrive, various changes and modifications can be made to the embodiments described herein, without departing from scope and spirit of the present invention.Together Sample, for clarity and conciseness, the description to known function and structure is eliminated in following description.
Fig. 1 is a kind of schematic diagram of the main flow of the method for user profile isolation according to embodiments of the present invention, such as Fig. 1 Shown, a kind of method of user profile isolation of the embodiment of the present invention mainly comprises the following steps:
Step S101:Built-in system determines that the request is believed in the case where receiving the solicited message that external system is sent External system in breath identifies corresponding key;The user's that solicited message is used in external system acquisition built-in system corresponds to The outer logo of the external system.Internally pre-saved in system corresponding with multiple external systems of external system mark Key, therefore, when receiving the solicited message that external system is sent, the solicited message can be determined according to corresponding relation In external system identify corresponding key.Here, the external system can be obtained relative with the external system by the key The outer logo of user in the built-in system answered, so as to reach user, internally system uses internal indicator, and in outside System uses the purpose of outer logo.
Step S102:Specified information is encrypted based on key for built-in system, to generate user in the external system In outer logo.As described in step S101, the user in the built-in system corresponding with the external system is obtained using key Outer logo, be that specified information is encrypted based on key, so as to generate corresponding outer logo.
In some embodiments, user's mark in user internally system is included in the information specified.That is, Based on key, directly user's mark in built-in system can be encrypted, generation user is with outside in external system System identifies corresponding outer logo.
In other embodiments, containment mapping identifier is gone back in the information specified;Map in identifier comprising service One or more in device network address, server processes number and server time stamp.That is, mapping can be marked Know at least one of the server network address included in symbol, server processes number and server time stamp to be encrypted, Then can with generate user in external system with the corresponding outer logo of external system mark.
Furthermore, it is desirable to, it is noted that after the step of internally outer logo of user is returned to external system by system, Also include:Identified according to the external system of external system and determine key, the external system is corresponded to according to the key and user Outer logo and external system mark be decrypted to obtain mapping identifier.So, it is possible to according to key, outside Portion identifies and external system mark completes decryption, and then obtains mapping identifier, it is of course also possible to obtain mapping mark At least one of the server network address, server processes number and the server time stamp that are included in symbol information, Ran Houjin The determination of one step needs the network information handled.
In other embodiments, map in identifier and also include random string;And the method for the present invention is also wrapped Include:Preserve the mapping table between the user's mark of random string and user internally in system;And it is being decrypted After the step of obtaining mapping identifier, in addition to:According to the random string in mapping identifier, looked into mapping table Ask out user mark of the user internally in system.Determine to need the network equipment to be processed it is then possible to be identified according to the user Information.
In certain embodiments of the present invention, specified information is encrypted based on key for built-in system, with generation The step of outer logo of the user in the external system, includes:Based on key, using DEA DES by specified letter Breath carries out one-time pad encryption, and the data then obtained using coded system Base64 to the one-time pad encryption carry out secondary encryption to generate Outer logo.It should be noted that DEA DES of the present invention and coded system Base64 are only a kind of excellent The mode of choosing, and be not limited to mode of the present invention and can also solve the of the invention purpose to be encrypted.
Step S103:The outer logo of user is returned to external system by built-in system.The outer logo of generation is returned To corresponding external system.
Fig. 2 is the method schematic diagram isolated according to the user profile of a specific embodiment of the invention.As shown in Fig. 2 this hair It is bright as follows including external system and built-in system, concrete implementation mode:
External system:The id information of external system internally system request user, external system have different business sides, often Individual business side has a business ID (i.e. said external system banner) to identify.External system obtain is by adding Close open ID (outer logo of i.e. above-mentioned user).
Built-in system:Built-in system is according to the business ID of different business side, and by the ID of inside, (i.e. above-mentioned user exists User's mark in built-in system) it is encrypted to different open ID and returns to external business side.
Fig. 3 is the schematic flow sheet for the method isolated according to the user profile of a specific embodiment of the invention.Such as Fig. 3 institutes Show, the present invention, so as to generate corresponding open ID process, namely the process of encryption, has according to the business ID received Body step is as follows:
1. obtain the business ID carried in business side's solicited message.
2. judging whether the business ID are effective, directly terminate if the business ID are invalid.
3. obtaining secret key (i.e. above-mentioned key) according to business ID, the mode of acquisition is to be internally in advance Blanket insurance has the relation table with the corresponding key of multiple external systems mark, the pass for then identifying and preserving according to external system It is that table determines key.And the secret key are the keys of AES below in the present invention, it is necessary to hold in close confidence, it is impossible to Leak to outside.
4. judge whether internal UID (i.e. above-mentioned user internally user's mark in system) is effective, if user deletes Except UID, UID can be caused to fail, then need to delete UID and mapping ID (the i.e. above-mentioned mapping marks in redis (database) Know symbol) mapping relations.
5. if UID is effective, mapping ID are inquired about from redis caching according to UID.
6. judge that mapping ID whether there is.If mapping ID exist, directly according to mapping ID, Business ID and secret key are according to rule generation open ID;If mapping ID are not present, mapping is generated ID。
7. producing mapping ID according to rule, specific generation mapping ID process is as follows:
Mapping ID=server ips;Server processes number;Server time stabs;Random string
It should be noted that when above-mentioned server ip, server processes number, server can be included in mapping ID Between stamp and at least one of random string, can also all include.
8. UID and mapping ID corresponding relation is write into redis.Corresponding relation includes:When key values are UID, Value values are mapping ID, and the corresponding relation is used for ciphering process;When key values are random string, value values are UID, the corresponding relation are used for decrypting process.
9. obtaining secret key, open ID are generated according to the rule of correspondence after mapping ID, business ID, specifically Generation formula it is as follows:
Open ID=Base64 (DES (secret key, mapping ID+business ID))
Wherein, DES is used for the encryption to mapping ID, and base64 is used for the transmission information on network.Due to not of the same trade or business Business ID and the secret key of business side are not the same, therefore in face of different trafficwises, even identical UID can also obtain different open ID, so as to isolate different business sides, protect the privacy of user;For identical industry It is also very easily, because even business ID, secret key, UID that business side, which wants a set of new open ID of generation, It is identical, because server ip, server processes number and server timestamp also will not be identical, so different time, difference service The mapping ID that device process obtains are also what is differed, and the open ID of generation also will not be identical.
Fig. 4 is the schematic flow sheet for the method inquired about according to the user profile of another specific embodiment of the present invention.Such as Fig. 4 institutes Show, the process of the invention according to query-related information in the business ID received internally system, namely the mistake of decryption Journey, comprise the following steps that:
1. secret key are obtained according to business ID.The external system mark equally preserved according further to built-in system The relation table known and preserved determines key.
2. the source code (source code includes open ID) of pair encryption is decoded to obtain mapping ID, open ID are carried out DeBase64 operates to obtain the character string of former encryption, and then carrying out deDES according to secret key decodes to obtain mapping ID.
3. UID is inquired according to mapping ID.Information in mapping ID inquires about pair preserved in redis It should be related to, so as to obtain UID.
It should be noted that because generation open ID service arrangement is in multiple devices, once divulging a secret and cracking needs Track is that the open ID that server generates are cracked, it is necessary to regenerate open ID.Then further tracking The equipment divulged a secret simultaneously regenerates open ID.It is according to the open being decrypted first during open ID are regenerated ID decodes to obtain mapping ID (process that the process is decrypted as described above), then the server ip in mapping ID and Server time stabs, it may be determined that the mapping ID generated by the server handle precarious position, according to these mapping ID can determine which open ID and UID is cracked, and finally regenerate the mapping ID of the server again, As long as all mapping ID cans generated by the server are deleted during generation in redis, because the clothes of server Be engaged in device IP, and server processes, timestamp difference is different, so can also be generated even if the request of next identical business side new Mapping ID, and generate a set of new open ID.
The method of user profile isolation according to embodiments of the present invention can be seen that because use utilizes and outer logo phase Specified information is encrypted the key answered, and then generates the technological means of the outer logo of user, so overcoming The technical problem of existing security reliability difference when isolating to the information of user, and then improve its security reliability Technique effect;By the way that the internal information of user and external information are isolated so that the business side of external system can not pass through The external information of user is cracked, and while effectively user profile is isolated, improves the safe and reliable of encryption Property.
Fig. 5 is the schematic diagram of the main modular of the device of user profile isolation according to embodiments of the present invention.Such as Fig. 5 institutes Show, the device 500 of the user profile isolation of the embodiment of the present invention mainly includes:Determining module 501, processing module 502 and return Return module 503.Wherein:
Determining module 501, for built-in system in the case where receiving the solicited message that external system is sent, it is determined that should External system in solicited message identifies corresponding key;The user's that solicited message is used in external system acquisition built-in system Corresponding to the outer logo of the external system;Processing module 502, specified information is added based on key for built-in system It is close, to generate outer logo of the user in the external system;Module 503 is returned, marks the outside of user for built-in system Knowledge returns to external system.
Alternatively, user's mark in user internally system is included in the information specified of the embodiment of the present invention.
Alternatively, containment mapping identifier is gone back in the information specified of the embodiment of the present invention;Map in identifier comprising clothes The one or more being engaged in device network address, server processes number and server time stamp;Processing module 502 is additionally operable to:Root Key is determined according to the external system mark of external system, according to the key and the outer logo corresponding to the external system of user And external system mark is decrypted to obtain mapping identifier.
Alternatively, random string is also included in the mapping identifier of the embodiment of the present invention;And device also includes preserving Module (not shown), is used for:The mapping preserved between the user's mark of random string and user internally in system is closed It is table;And processing module, it is additionally operable to:According to the random string in mapping identifier, use is inquired in mapping table Family internally user's mark in system.
Alternatively, the processing module 502 of the embodiment of the present invention is used for:Based on key, will be referred to using DEA DES Fixed information carries out one-time pad encryption, and the data then obtained using coded system Base64 to the one-time pad encryption carry out secondary encryption To generate outer logo.
From the above, it can be seen that specified information is added using key corresponding with outer logo because using It is close, the technological means of the outer logo of user is then generated, is existed so overcoming when the information to user is isolated Security reliability difference technical problem, and then improve the technique effect of its security reliability;By by the inside of user Information and external information are isolated so that and the business side of external system can not be cracked by the external information of user, While effectively user profile is isolated, the security reliability of encryption is improved.
Fig. 6, which is shown, can apply the user profile partition method of the embodiment of the present invention or showing for user profile isolating device Example sexual system framework 600.
As shown in fig. 6, system architecture 600 can include terminal device 601,602,603, network 604 and server 605. Network 604 between terminal device 601,602,603 and server 605 provide communication link medium.Network 604 can be with Including various connection types, such as wired, wireless communication link or fiber optic cables etc..
User can be interacted with using terminal equipment 601,602,603 by network 604 with server 605, to receive or send out Send message etc..Various telecommunication customer end applications, such as the application of shopping class, net can be installed on terminal device 601,602,603 (merely illustrative) such as the application of page browsing device, searching class application, JICQ, mailbox client, social platform softwares.
Terminal device 601,602,603 can have a display screen and a various electronic equipments that supported web page browses, bag Include but be not limited to smart mobile phone, tablet personal computer, pocket computer on knee and desktop computer etc..
Server 605 can be to provide the server of various services, such as utilize terminal device 601,602,603 to user The shopping class website browsed provides the back-stage management server (merely illustrative) supported.Back-stage management server can be to receiving To the data such as information query request analyze etc. processing, and by result (such as target push information, product letter Breath -- merely illustrative) feed back to terminal device.
It should be noted that the user profile partition method that the embodiment of the present invention is provided typically is performed by server 605, Correspondingly, user profile isolating device is generally positioned in server 605.
It should be understood that the number of the terminal device, network and server in Fig. 6 is only schematical.According to realizing need Will, can have any number of terminal device, network and server.
Below with reference to Fig. 7, it illustrates suitable for for realizing the computer system 700 of the terminal device of the embodiment of the present invention Structural representation.Terminal device shown in Fig. 7 is only an example, to the function of the embodiment of the present invention and should not use model Shroud carrys out any restrictions.
As shown in fig. 7, computer system 700 includes CPU (CPU) 701, it can be read-only according to being stored in Program in memory (ROM) 702 or be loaded into program in random access storage device (RAM) 703 from storage part 708 and Perform various appropriate actions and processing.In RAM 703, also it is stored with system 700 and operates required various programs and data. CPU 701, ROM 702 and RAM 703 are connected with each other by bus 704.Input/output (I/O) interface 705 is also connected to always Line 704.
I/O interfaces 705 are connected to lower component:Importation 706 including keyboard, mouse etc.;Penetrated including such as negative electrode The output par, c 707 of spool (CRT), liquid crystal display (LCD) etc. and loudspeaker etc.;Storage part 708 including hard disk etc.; And the communications portion 709 of the NIC including LAN card, modem etc..Communications portion 709 via such as because The network of spy's net performs communication process.Driver 710 is also according to needing to be connected to I/O interfaces 705.Detachable media 711, such as Disk, CD, magneto-optic disk, semiconductor memory etc., it is arranged on as needed on driver 710, in order to read from it Computer program be mounted into as needed storage part 708.
Especially, according to embodiment disclosed by the invention, may be implemented as counting above with reference to the process of flow chart description Calculation machine software program.For example, embodiment disclosed by the invention includes a kind of computer program product, it includes being carried on computer Computer program on computer-readable recording medium, the computer program include the program code for being used for the method shown in execution flow chart. In such embodiment, the computer program can be downloaded and installed by communications portion 709 from network, and/or from can Medium 711 is dismantled to be mounted.When the computer program is performed by CPU (CPU) 701, system of the invention is performed The above-mentioned function of middle restriction.
It should be noted that the computer-readable medium shown in the present invention can be computer-readable signal media or meter Calculation machine readable storage medium storing program for executing either the two any combination.Computer-readable recording medium for example can be --- but not Be limited to --- electricity, magnetic, optical, electromagnetic, system, device or the device of infrared ray or semiconductor, or it is any more than combination.Meter The more specifically example of calculation machine readable storage medium storing program for executing can include but is not limited to:Electrical connection with one or more wires, just Take formula computer disk, hard disk, random access storage device (RAM), read-only storage (ROM), erasable type and may be programmed read-only storage Device (EPROM or flash memory), optical fiber, portable compact disc read-only storage (CD-ROM), light storage device, magnetic memory device, Or above-mentioned any appropriate combination.In the present invention, computer-readable recording medium can any include or store journey The tangible medium of sequence, the program can be commanded the either device use or in connection of execution system, device.And at this In invention, computer-readable signal media can include in a base band or as carrier wave a part propagation data-signal, Wherein carry computer-readable program code.The data-signal of this propagation can take various forms, including but unlimited In electromagnetic signal, optical signal or above-mentioned any appropriate combination.Computer-readable signal media can also be that computer can Any computer-readable medium beyond storage medium is read, the computer-readable medium, which can send, propagates or transmit, to be used for By instruction execution system, device either device use or program in connection.Included on computer-readable medium Program code can be transmitted with any appropriate medium, be included but is not limited to:Wirelessly, electric wire, optical cable, RF etc., or it is above-mentioned Any appropriate combination.
Flow chart and block diagram in accompanying drawing, it is illustrated that according to the system of various embodiments of the invention, method and computer journey Architectural framework in the cards, function and the operation of sequence product.At this point, each square frame in flow chart or block diagram can generation The part of one module of table, program segment or code, a part for above-mentioned module, program segment or code include one or more For realizing the executable instruction of defined logic function.It should also be noted that some as replace realization in, institute in square frame The function of mark can also be with different from the order marked in accompanying drawing generation.For example, two square frames succeedingly represented are actual On can perform substantially in parallel, they can also be performed in the opposite order sometimes, and this is depending on involved function.Also It is noted that the combination of each square frame and block diagram in block diagram or flow chart or the square frame in flow chart, can use and perform rule Fixed function or the special hardware based system of operation are realized, or can use the group of specialized hardware and computer instruction Close to realize.
Being described in module involved in the embodiment of the present invention can be realized by way of software, can also be by hard The mode of part is realized.Described module can also be set within a processor, for example, can be described as:A kind of processor bag Include determining module, processing module and return to module.Wherein, the title of these modules is not formed to the mould under certain conditions The restriction of block in itself.
As on the other hand, present invention also offers a kind of computer-readable medium, the computer-readable medium can be Included in equipment described in above-described embodiment;Can also be individualism, and without be incorporated the equipment in.Above-mentioned calculating Machine computer-readable recording medium carries one or more program, when said one or multiple programs are performed by the equipment, makes Obtaining the equipment includes:Built-in system is determined in the solicited message in the case where receiving the solicited message that external system is sent External system identify corresponding key;The user's that solicited message is used in external system acquisition built-in system is outer corresponding to this The outer logo of portion's system;Specified information is encrypted based on key for built-in system, to generate user in the external system In outer logo;The outer logo of user is returned to external system by built-in system.
Technical scheme according to embodiments of the present invention, because using using key corresponding with outer logo to specified letter Breath is encrypted, and then generates the technological means of the outer logo of user, thus overcome the information of user is carried out every From when the poor technical problem of existing security reliability, and then improve the technique effect of its security reliability;By that will use The internal information and external information at family are isolated so that the business side of external system can not be carried out by the external information of user Crack, while effectively user profile is isolated, improve the security reliability of encryption.
Above-mentioned embodiment, does not form limiting the scope of the invention.Those skilled in the art should be bright It is white, depending on design requirement and other factors, various modifications, combination, sub-portfolio and replacement can occur.It is any Modifications, equivalent substitutions and improvements made within the spirit and principles in the present invention etc., should be included in the scope of the present invention Within.

Claims (12)

  1. A kind of 1. method of user profile isolation, it is characterised in that built-in system is preserved corresponding to multiple external systems mark Key, methods described includes:
    Built-in system determines the external system in the solicited message in the case where receiving the solicited message that external system is sent Identify corresponding key;The user's that the solicited message is used in external system acquisition built-in system corresponds to the external system Outer logo;
    Specified information is encrypted based on the key for built-in system, outer in the external system to generate the user Portion identifies;
    The outer logo of the user is returned to external system by built-in system.
  2. 2. according to the method for claim 1, it is characterised in that be internally comprising the user in the information specified User's mark in system.
  3. 3. according to the method for claim 2, it is characterised in that
    Containment mapping identifier is gone back in the information specified;Server network address, service are included in the mapping identifier One or more in device process number and server time stamp;
    After the step of outer logo of the user is returned to external system by the built-in system, in addition to:Root Key is determined according to the external system mark of external system, according to the key and the outer logo corresponding to the external system of user And external system mark is decrypted to obtain the mapping identifier.
  4. 4. according to the method for claim 3, it is characterised in that
    Random string is also included in the mapping identifier;
    And methods described also includes:Preserve between the user's mark of the random string and the user internally in system Mapping table;
    And after described the step of being decrypted to obtain the mapping identifier, in addition to:According to the mapping identifier In random string, user mark of the user internally in system is inquired in the mapping table.
  5. 5. method according to any one of claim 1 to 4, it is characterised in that the built-in system is based on the key Specified information is encrypted, included with generating the step of outer logo of the user in the external system:
    Based on the key, the information specified is subjected to one-time pad encryption using DEA DES, then utilizes coding The data that mode Base64 obtains to the one-time pad encryption carry out secondary encryption to generate the outer logo.
  6. 6. a kind of device of user profile isolation, it is characterised in that built-in system is preserved corresponding to multiple external systems mark Key, described device includes:
    Determining module, for built-in system in the case where receiving the solicited message that external system is sent, determine that the request is believed External system in breath identifies corresponding key;The solicited message is used for pair that external system obtains the user in built-in system Should be in the outer logo of the external system;
    Processing module, specified information is encrypted based on the key for built-in system, to generate the user at this Outer logo in external system;
    Module is returned, the outer logo of the user is returned into external system for built-in system.
  7. 7. device according to claim 6, it is characterised in that be internally comprising the user in the information specified User's mark in system.
  8. 8. device according to claim 7, it is characterised in that go back containment mapping identifier in the information specified;Institute State in mapping identifier comprising the one or more in server network address, server processes number and server time stamp;
    The processing module is additionally operable to:Identified according to the external system of external system and determine key, according to the key and user It is decrypted to obtain the mapping identifier corresponding to the outer logo of the external system and external system mark.
  9. 9. device according to claim 8, it is characterised in that
    Random string is also included in the mapping identifier;
    And described device also includes preserving module, is used for:The random string and the user are preserved internally in system User mark between mapping table;
    And the processing module, is additionally operable to:According to the random string in the mapping identifier, in the mapping table In inquire user mark of the user internally in system.
  10. 10. according to the device any one of claim 6-9, it is characterised in that the processing module is used for:
    Based on the key, the information specified is subjected to one-time pad encryption using DEA DES, then utilizes coding The data that mode Base64 obtains to the one-time pad encryption carry out secondary encryption to generate the outer logo.
  11. 11. a kind of electronic equipment, it is characterised in that including:
    One or more processors;
    Storage device, for storing one or more programs,
    When one or more of programs are by one or more of computing devices so that one or more of processors are real The now method as described in any in claim 1-5.
  12. 12. a kind of computer-readable medium, is stored thereon with computer program, it is characterised in that described program is held by processor The method as described in any in claim 1-5 is realized during row.
CN201710784930.4A 2017-09-04 2017-09-04 Method and device for isolating user information Active CN107707528B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710784930.4A CN107707528B (en) 2017-09-04 2017-09-04 Method and device for isolating user information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710784930.4A CN107707528B (en) 2017-09-04 2017-09-04 Method and device for isolating user information

Publications (2)

Publication Number Publication Date
CN107707528A true CN107707528A (en) 2018-02-16
CN107707528B CN107707528B (en) 2020-06-30

Family

ID=61171928

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710784930.4A Active CN107707528B (en) 2017-09-04 2017-09-04 Method and device for isolating user information

Country Status (1)

Country Link
CN (1) CN107707528B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109491772A (en) * 2018-09-28 2019-03-19 深圳财富农场互联网金融服务有限公司 Business serial number gencration method, apparatus, computer equipment and storage medium
CN111382409A (en) * 2020-03-19 2020-07-07 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739708A (en) * 2011-04-07 2012-10-17 腾讯科技(深圳)有限公司 System and method for accessing third party application based on cloud platform
US20130024919A1 (en) * 2011-07-21 2013-01-24 Microsoft Corporation Cloud service authentication
CN103297436A (en) * 2013-06-14 2013-09-11 大连三通科技发展有限公司 Electronic authorization method and system
CN105812341A (en) * 2014-12-31 2016-07-27 阿里巴巴集团控股有限公司 User identity identifying method and device
CN106817358A (en) * 2015-12-02 2017-06-09 阿里巴巴集团控股有限公司 The encryption and decryption method and equipment of a kind of user resources

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739708A (en) * 2011-04-07 2012-10-17 腾讯科技(深圳)有限公司 System and method for accessing third party application based on cloud platform
US20130024919A1 (en) * 2011-07-21 2013-01-24 Microsoft Corporation Cloud service authentication
CN103297436A (en) * 2013-06-14 2013-09-11 大连三通科技发展有限公司 Electronic authorization method and system
CN105812341A (en) * 2014-12-31 2016-07-27 阿里巴巴集团控股有限公司 User identity identifying method and device
CN106817358A (en) * 2015-12-02 2017-06-09 阿里巴巴集团控股有限公司 The encryption and decryption method and equipment of a kind of user resources

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109491772A (en) * 2018-09-28 2019-03-19 深圳财富农场互联网金融服务有限公司 Business serial number gencration method, apparatus, computer equipment and storage medium
CN109491772B (en) * 2018-09-28 2020-10-27 深圳财富农场互联网金融服务有限公司 Service sequence number generation method and device, computer equipment and storage medium
CN111382409A (en) * 2020-03-19 2020-07-07 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy

Also Published As

Publication number Publication date
CN107707528B (en) 2020-06-30

Similar Documents

Publication Publication Date Title
US20200092267A1 (en) Secure processing environment for protecting sensitive information
US9355389B2 (en) Purchase transaction system with encrypted payment card data
CN107408135A (en) For carrying out the database server and client of query processing to encryption data
CN111934879A (en) Data transmission encryption method, device, equipment and medium for internal and external network system
KR20190061078A (en) Establish a link between identifiers without disclosing specific identification information
CN113179323B (en) HTTPS request processing method, device and system for load balancing equipment
CN107248984A (en) Data exchange system, method and apparatus
CN108880812A (en) The method and system of data encryption
CN110198248A (en) The method and apparatus for detecting IP address
CN112489742B (en) Prescription circulation processing method and device
JP6557338B2 (en) Concealed similarity search system and similarity concealment search method
CN116383867A (en) Data query method, device, electronic equipment and computer readable medium
CN107707528A (en) A kind of method and apparatus of user profile isolation
CN110363025A (en) A kind of user data privacy management method, apparatus and electronic equipment
US20200145200A1 (en) Attribute-based key management system
CN109995534A (en) The method and apparatus that a kind of pair of application program carries out safety certification
CN110492998A (en) The method of encryption and decryption data
CN111008236A (en) Data query method and system
US20200396055A1 (en) Method and Apparatus for Use in Information Processing
CN110351262A (en) A kind of data interactive method, device, electronic equipment
CN110264205A (en) A kind of electric quotient data cochain method and its equipment applied to block chain
CN110490003B (en) User trusted data generation method, user trusted data acquisition method, device and system
CN108694326A (en) Text encryption method, apparatus and server
CN112118208B (en) Method and device for reporting data
CN116933290A (en) Data query method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant