CN111949335A - Method and apparatus for sharing financial data - Google Patents
Method and apparatus for sharing financial data Download PDFInfo
- Publication number
- CN111949335A CN111949335A CN201910406602.XA CN201910406602A CN111949335A CN 111949335 A CN111949335 A CN 111949335A CN 201910406602 A CN201910406602 A CN 201910406602A CN 111949335 A CN111949335 A CN 111949335A
- Authority
- CN
- China
- Prior art keywords
- api
- determining
- security level
- data
- level
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 67
- 239000008186 active pharmaceutical agent Substances 0.000 claims description 41
- 230000004044 response Effects 0.000 claims description 15
- 238000012545 processing Methods 0.000 claims description 14
- 230000002159 abnormal effect Effects 0.000 claims description 6
- 238000010586 diagram Methods 0.000 description 22
- 238000012797 qualification Methods 0.000 description 19
- 230000007246 mechanism Effects 0.000 description 12
- 230000006870 function Effects 0.000 description 10
- 230000005540 biological transmission Effects 0.000 description 9
- 238000004891 communication Methods 0.000 description 9
- 238000004590 computer program Methods 0.000 description 8
- 230000003993 interaction Effects 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 230000035945 sensitivity Effects 0.000 description 6
- 230000009471 action Effects 0.000 description 5
- 238000007726 management method Methods 0.000 description 4
- 238000012795 verification Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000002441 reversible effect Effects 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 238000012790 confirmation Methods 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000001902 propagating effect Effects 0.000 description 2
- RYGMFSIKBFXOCR-UHFFFAOYSA-N Copper Chemical compound [Cu] RYGMFSIKBFXOCR-UHFFFAOYSA-N 0.000 description 1
- 230000002547 anomalous effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 230000006835 compression Effects 0.000 description 1
- 238000007906 compression Methods 0.000 description 1
- 229910052802 copper Inorganic materials 0.000 description 1
- 239000010949 copper Substances 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000003247 decreasing effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 239000003999 initiator Substances 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000002427 irreversible effect Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/448—Execution paradigms, e.g. implementations of programming paradigms
- G06F9/4482—Procedural
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Power Engineering (AREA)
- Physics & Mathematics (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The present disclosure provides a method, apparatus, computer-readable storage medium for sharing of financial data. The method comprises the following steps: receiving an operation request aiming at an API of the API open platform from a requester at the API open platform, wherein the operation request at least comprises operation items; determining a first security level based on the type of the API called by the operation item; determining a second security level based on sensitive data associated with the operational event; and determining the access control mode of the API called by the API open platform for the operation item based on the first security level, the second security level and the access mode of the requester to the API open platform. The method and the system can realize safe financial data sharing based on the API open platform with the complex network environment.
Description
Technical Field
The present disclosure relates to management of an Application Programming Interface (API) open platform, and more particularly, to a method and apparatus for sharing financial data, and a computer-readable storage medium.
Background
An API refers to a predefined function that provides an application and developer the ability to access a set of routines based on certain software or hardware without having to access source code or understand the details of the internal working mechanisms. Generally, an API is a set of collections consisting of definition conventions, procedures, and control protocols. The traditional internet API open platform modularly packages specific services provided by a network and opens a series of data interfaces which are easily identified by a computer, so that a third party can call the interfaces according to parameters, and therefore, data sharing among different application programs can be realized.
Traditional financial services typically employ financial data interaction with the user directly faced by the banking system. The financial service mode is not beneficial to integrating the financial service into the business scene of the third-party business system. And the API is opened, so that the possibility of directly connecting the financial service to a business scene of a third party (such as a partner) is provided. However, the traditional data sharing scheme of the internet API open platform cannot meet the security requirement required in the financial data service process, and meanwhile, the existing financial service security mechanism cannot adapt to the complex and various situations of third-party service scenes and systems.
Therefore, it is necessary to construct a data sharing scheme for financial data in order to implement secure financial data sharing based on an API open platform having a complex network environment.
Disclosure of Invention
The present disclosure provides a method and apparatus for secure sharing of financial data, which can implement secure financial data sharing based on an API open platform having a complex network environment.
According to a first aspect of the present disclosure, a data sharing method for financial data is provided. The method comprises the following steps: receiving an operation request aiming at an API of the API open platform from a requester at the API open platform, wherein the operation request at least comprises operation items; determining a first security level based on the type of the API called by the operation item; determining a second security level based on sensitive data associated with the operational event; and determining an access control mode of the API called by the API open platform for the operation item based on the first security level, the second security level and the access mode of the requester to the API open platform. The method and the system can realize safe financial data sharing based on the API open platform with the complex network environment.
According to a second aspect of the invention, there is also provided an apparatus for sharing of financial data. The apparatus comprises: a memory configured to store one or more programs; a processing unit coupled to the memory and configured to execute the one or more programs to cause the management device to perform the method of the first aspect of the disclosure.
According to a third aspect of the disclosure, a non-transitory computer-readable storage medium is provided. The non-transitory computer readable storage medium has stored thereon machine executable instructions which, when executed, cause a machine to perform the method of the first aspect of the disclosure.
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the disclosure, nor is it intended to be used to limit the scope of the disclosure.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following more particular descriptions of exemplary embodiments of the disclosure as illustrated in the accompanying drawings wherein like reference numbers generally represent like parts throughout the exemplary embodiments of the disclosure.
FIG. 1 shows an architecture diagram of a data sharing system 100 for financial data, in accordance with an embodiment of the present disclosure;
FIG. 2 shows a flow diagram of a method 200 for data sharing of financial data, according to an embodiment of the present disclosure;
FIG. 3 shows a flow diagram of a method 300 for data sharing of financial data, in accordance with an embodiment of the present disclosure;
FIG. 4 illustrates a flow diagram of an access blacklist verification method 400 according to an embodiment of the present disclosure;
FIG. 5 shows a flow diagram of a method 500 for sharing financial data according to an embodiment of the present disclosure; and
FIG. 6 schematically illustrates a block diagram of an electronic device 600 suitable for use in implementing embodiments of the present disclosure.
Like or corresponding reference characters designate like or corresponding parts throughout the several views.
Detailed Description
Preferred embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While the preferred embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The term "include" and variations thereof as used herein is meant to be inclusive in an open-ended manner, i.e., "including but not limited to". Unless specifically stated otherwise, the term "or" means "and/or". The term "based on" means "based at least in part on". The terms "one example embodiment" and "one embodiment" mean "at least one example embodiment". The term "another embodiment" means "at least one additional embodiment". The terms "first," "second," and the like may refer to different or the same object. Other explicit and implicit definitions are also possible below.
As described above, the data shared by the data sharing scheme of the conventional internet API open platform does not need a complex data security mechanism since it does not involve operations on private data such as accounts, passwords, etc., nor the flow of financial capital; the traditional financial security mechanism directly faces the end user, and does not need to deal with third-party changeable service scenes and diversified systems of the API open platform, so that the data security mechanism of the original financial service institution cannot be applied to the complex Internet environment of the API open platform. Thus, the conventional data sharing scheme cannot perform secure financial data sharing based on an API open platform having a complex network environment.
To address, at least in part, one or more of the above problems, as well as other potential problems, example embodiments of the present disclosure propose a data sharing scheme for financial data. In this aspect, the method comprises: receiving an operation request aiming at an associated application of the API open platform from a requester at a management device of the API open platform (application program interface), wherein the operation request at least comprises operation items; determining a first safety level based on the type of the operation item; determining a second security level based on operational data associated with the operational event; and determining an access control mode for the gateway of the API open platform to authenticate the operation item to the requester based on the first security level, the second security and the data interaction mode between the requester and the API open platform.
In the above solution, an access control manner for authenticating the gateway of the API open platform to the requester is determined according to the first security level related to the type of the operation item, the second security level related to the sensitive data related to the operation item, and the data interaction manner between the API open platform, so that the data interaction security mechanism between the requester and the API open platform for the operation item can be configured differently according to the application scenario of the API called by the request item of the requester, the sensitivity of the data related to the API, the API deployment characteristics of the requester, and the like.
Fig. 1 shows an architecture diagram of a data sharing system 100 for financial data according to an embodiment of the present disclosure. As shown in fig. 1, the system 100 includes an API open platform 170, one or more third party application systems 160, and a plurality of user terminals (e.g., including mobile terminal 140, computer 150). The API open platform 170, the third-party application system 160, the mobile terminal 140, and the computer 150 perform data interaction via the network 130.
The API open platform 170 is a platform for providing an open API to the outside. The API open platform 170 is, for example and without limitation, a banking system capable of encapsulating banking services into a plurality of APIs to be provided to the third party application system 160 or the user terminal for calling. The API-open platform 170 includes at least an API gateway 120, a business system 110, and a database (not shown).
The API gateway 120 is configured to uniformly manage multiple APIs that are open outside by the API opening platform 170. Network security protection devices such as IDS/IPS devices are deployed between the API gateway 120 and the Internet boundary firewall to perform network security protection. All third party application systems 160 or user terminals that call the API need to be accessed through the API gateway. The API gateway 120 has functions such as authentication, flow control, service routing, logging, service registration, protocol conversion, authority classification, flow management, and the like. Fig. 1 exemplarily shows the authentication module 122, the traffic control module 123, the service routing module 124, the logging module 125, and the service registration module 126 included in the API gateway 120. In some embodiments, the API gateway 120 supports, for example, SSL encrypted transmission channels, and can ensure confidentiality and integrity of transmitted data. For example, using a relatively high version of the protocol above SSL3.0, disabling support for SSL weak encryption algorithms, using algorithms with key lengths not below 128 bits.
As for the user terminal, it is, for example, but not limited to, a mobile phone, a personal computer. The user can directly send an operation request to the API opening platform 170 via the user terminal (e.g., the computer 150). The user terminal (e.g., the mobile terminal 140) may also send an operation request for the API-associated application of the API-open platform to the API-open platform 170 through the third-party application system 160.
The third party application system 160, such as but not limited to an application server, is used to provide third party application services and can make appropriate calls to the APIs of the open platform 170 according to the collaboration agreement. In some embodiments, the third party application system 160 is configured with a front-end server (not shown) of the DMZ network zone and sends an operation request to the API gateway 120 through the network-isolated service front-end server to access the open resources. In some embodiments, the third party application system 160 may not be configured with a network isolated device, which sends the operation request directly to the API open platform 170; the third party application system 160 may also transmit an operation request to the API opening platform 170 in response to an operation of the user terminal. For example, the third party application system 160 embeds one or more icons for API open business applications on the application interface it provides. The user 150 logs in the application interface, for example, using the mobile terminal 140, and clicks a corresponding icon (for example, an account balance icon or a payment icon), and the third-party application system 160 sends an operation request to the API gateway 120 after obtaining the clicked operation of the icon.
FIG. 2 shows a flow diagram of a method 200 for sharing financial data according to an embodiment of the present disclosure. In fig. 2, the various actions are performed, for example, by a processor of the API opening platform 170 shown in fig. 1. Method 200 may also include additional acts not shown and/or may omit acts shown, as the scope of the disclosure is not limited in this respect.
At block 202, at an API open platform, an operation request is received from a requestor for an API of the API open platform, the operation request including at least an operation entry. The requesting party may be a third-party application system 160 having a cooperative relationship with the API opening platform 170, or may be the mobile terminal 140 or the computer 150. The API open platform 170 is, for example, a banking system. The third party application system 160 is, for example, a provider of an internet application service in a cooperative relationship with a bank. The operation items are, for example, an inquiry of an account balance of the terminal user, a transfer of funds between the account for the terminal and an account of the provider of the application service, and the like.
With respect to the operation request, in some embodiments, it may also indicate the IP address of the requestor. In some embodiments, the operation request further includes authentication information. The authentication information and the operation item are included in the same operation request. The user can be prevented from modifying the identity authentication response message (failure is modified to success, so that an identity authentication mechanism is bypassed), in some embodiments, if authentication information and operation items need to be completed through a multi-step request, a corresponding identifier needs to be allocated to the user after the authentication is passed, the identifier is verified in a subsequent request, the identifier is bound with the user to prevent unauthorized use, an authentication result needs to be recorded after the identifier is verified, and the identifier is immediately reset to prevent the identifier from being reused.
At block 204, the API opening platform 170 determines a first security level based on the type of API called by the operation transaction.
In some embodiments, the API-opening platform 170, in some embodiments, classifies the APIs into several types, for example, according to whether the called API is related to financial security, financial risk. The types of APIs include, for example: the system comprises a non-financial information inquiry API, a general financial information inquiry API, a non-financial information operation API, a user financial information inquiry API and a user financial information operation API. The non-financial information query API relates to, for example, business site query, self-service equipment query, and the like. The general financial information query API mainly relates to query services of non-confidential financial information, and comprises the following steps: bank deposit interest rate inquiry, foreign exchange price inquiry, charge standard inquiry and the like. The non-financial information operations class API relates primarily to non-financial interactions, including, for example: business office business handling is reserved, marketing short messages are sent through client tags, and the like. The user financial information query API mainly relates to query the financial information of a specific user, and includes: account balance inquiry, held financing products, credit limit and the like. The user financial information operation API mainly relates to financial interactive operation, such as change transaction, agreement signing and other operations of user assets including funds, points and the like, such as purchasing financing products, transfer transaction, payment on behalf of others and the like.
The first security level is a risk level associated with the transaction attribute. The API opening platform 170 may first determine the API called by the operation item based on the operation item in the received operation request, and then determine the first security level based on the type of the called API. In some embodiments, the API opening platform 170 divides the API into several types according to whether the called API is related to financial security, financial risk, for example, and corresponds the belonging type of the different API to several type levels that are increased layer by layer in security level, for example, five type levels of a first type level to a fifth type level. The following table one exemplarily shows the type correspondence relationship between the affiliated type of the API according to the embodiment of the present disclosure and five type levels in the first security level. In some embodiments, API opening platform 170 determines the first security level based on the received operational transaction, a locally stored type correspondence.
Watch 1
In some embodiments, the API opening platform 170 determines the first security level as a first type level if it determines that the API called by the operation transaction is a query for any one of non-financial information and general-purpose financial information; if it is determined that the API called by the operation transaction is any one of a query for non-financial information operation and user financial information, the API-opening platform 170 determines that the first security level is a second type level; if it is determined that the API called by the operational event is for a flow operation of funds between multiple accounts associated with the same user, the API opening platform 170 determines that the first security level is a third type level. In some embodiments, API opening platform 170 determines that the first security level is a fourth type level if it determines that the API called by the operational transaction is for a money movement operation between a plurality of accounts associated with different users; if it is determined that the API called by the operation event is for an unlimited flow operation of funds, the API opening platform 170 determines the first security level as a fifth type level. By adopting the means, the financial data sharing scheme disclosed by the embodiment of the disclosure can realize the API application scene of practical and differentiated configuration of the security mechanism.
At block 206, the API opening platform 170 determines a second security level based on sensitive data associated with the operational transaction. The second security level refers to a risk level associated with data value, and/or data sensitivity, involved in the operational issue. In some embodiments, the risk is divided into several data levels with decreasing risk level by level according to the data sensitivity risk associated with the API called by the operation item, for example, four data levels from the first data level to the fourth data level, and in general, a higher data level means a stricter security mechanism configured correspondingly to the API open platform 170. Table two below exemplarily shows data correspondence of the associated data and four data levels in the second security level according to an embodiment of the present disclosure. In some embodiments, API opening platform 170 determines the second security level based on the association data of the received operation transaction, the locally stored data correspondence.
Watch two
In some embodiments, API opening platform 170 may confirm whether data associated with an API called by an operational event includes any one of a predefined set of sensitive data, including at least: any one of identity authentication information, identity document numbers, names, financial account numbers, account balances and contact information; and if it is determined that the data associated with the API called by the operational event does not include any of the predetermined set of sensitive data, the API opening platform 170 may determine that the second security level is a fourth data level. I.e., the data associated with the API called by the operation transaction relates only to data other than sensitive data. In some embodiments, API opening platform 170 determines the second security level to be the first data level if it is confirmed that sensitive data associated with the API called by the operation transaction includes authentication information; determining the second security level as a second data level if the confirmation sensitive data comprises any one of an identity document number, a name, a financial account number and an account balance; and if the confirmation sensitive data includes a telephone number, determining the second security level to be a third data level.
In some embodiments, sensitive data requires encrypted storage or access protection rights. The method for encrypting the storage comprises two methods of password encryption and compression encryption. Computing devices that store sensitive data need to perform strict login authentication and access control. For highly sensitive data such as identity authentication information, irreversible cryptographic algorithm is used for encryption storage, and if reversible cryptographic algorithm is used, reverse operation is only performed in the security encryption equipment.
In some embodiments, the API-open platform 170 confirms whether the transmission data in the network communication message relates to sensitive data, and if the transmission data in the message does not relate to sensitive data, symmetrically encrypts the entire message. If the data part of the message relates to sensitive data (such as card number, identification card number, password, amount of money and the like), the key words related to the sensitive data can be encrypted, and then the mixed message containing plaintext and ciphertext can be encrypted once by the full message so as to realize double-layer security protection.
In some embodiments, the API open platform 170 checks the integrity of the network communication message by using a digital signature to prevent the message data from being tampered. For important service sensitive data transmitted between the API open platform and the external application system, except for adopting security protection mechanisms such as network transmission channel encryption, data message encryption and the like. The integrity protection of the service sensitive data is carried out by adopting the following encryption technology: the sender uses the Client _ Secret hash value issued by the API open platform to the API user or the Secret key uploaded by the API user, calculates the digital signature by the asymmetric encryption algorithm, sends the digital signature to the receiver along with other communication data, and the receiver recalculates the digital signature and checks the accuracy, thereby checking whether the integrity of the communication data is damaged. In some embodiments, the API opening platform 170 should employ a digital signature (based on public key infrastructure PKI) appended with a timestamp in an API application scenario involving a fund transaction, a sign-up, a reconciliation, a clearing, a fund transfer, etc., and a transaction initiator appends a digital signature and timestamp information in submitted transaction data to ensure that it cannot deny the transaction under any circumstances and guarantee information anti-repudiation. Meanwhile, the API open platform adds a replay-preventing technology of adding a timestamp and random number verification into the HTTP request, and replay attack of message information is prevented.
At block 208, the API opening platform 170 determines an access control manner for the API called by the API opening platform for the operation transaction based on the first security level, the second security level, and the manner in which the requestor accesses the API opening platform. The access control manner may include, for example: control of the authentication mode, data transmission mode, and/or output data storage mode of the requester. In some embodiments, API-opening platform 170 makes the output data of the API called by the operation transaction non-storable if it determines that the second security level is the first data level. In some embodiments, the access control means comprises at least one of: based on the digital signature, performing identity authentication on the API of the access reservation set of the requester; performing access white list authority control on a requesting party; performing access blacklist check on the requesting party; and making the API called by the operation transaction inaccessible to the requestor.
The access mode of the requester to the API open platform is generally determined by the system deployment architecture of the requester. In the process of calling the API, the system deployment architecture of different requesters (i.e., API users) has a difference in access modes to the API open platform, and accordingly, the risk brought by the API open platform 170 and its related data is also different. In some embodiments, the access mode comprises any one of: the user terminal of the requester directly sends an operation request to the API open platform 170; the application server of the requester directly sends an operation request to the API open platform 170; and the application server of the requestor sends the operation request to the API opening platform 170 (e.g., to the API gateway 120) through the network-isolated front-end server. In some embodiments, the API opening platform 170 may determine which of the three access manners the requester has access to the API opening platform 170 based on the IP address indicated by the received operation request or based on configuration information stored locally in the opening platform 170 when the requester registers.
In some embodiments, when the API opening platform 170 determines that the access manner is that the user terminal of the requester directly sends the operation request to the API gateway 120 of the opening platform 170, the API that matches the access manner is determined to be, for example, an API type corresponding to the first type class and the second type class. Such as a non-financial information query type API, a general financial information query type API, or a non-financial information operation type API, a user financial information query type API. If the API-opening platform 170 determines that the API called by the operation transaction of the requester belongs to the third data class, if the API called by the operation transaction relates to the third type class (for example, relates to a money flow operation between a plurality of accounts associated with the same user) in the access mode in which the user terminal directly transmits the operation request, the API gateway 120 makes the API called by the operation transaction inaccessible to the requester. This is because, in the access mode in which the user terminal directly transmits the operation request, the number scale of the user terminals may be very large, and the security hierarchy level of the user terminal is low and the security protection capability is relatively weak. The API opening platform 170 cannot allocate an application identification (APPID) and an application key (APPKEY) to the user terminal, and thus it is API applications corresponding to the first type class and the second type class that match this access pattern. If the API-opening platform 170 determines that the access manner is that the application server directly sends the operation request to the API gateway 120, since there is no network isolation from the application server in such an access manner, API applications corresponding to the first type class, the second type class, and the third type class are matched thereto. If the API open platform 170 determines that the access manner is that the application server sends an operation request to the API gateway 120 through the front-end server isolated by the network, the API applications corresponding to all security levels, such as the first type level to the fourth type level, are matched to the access manner.
In the above-described scheme, the access control manner of the API opening platform 170 for the API called by the requester is determined by a first security level associated with the type to which the called API belongs, a second security level associated with the data sensitivity involved in the operation transaction, and the access manner. The access security mechanism of the API open platform can be configured in a differentiated mode according to the associated transaction attribute and the associated data of the called API and the system deployment characteristics of the API user, and therefore safe financial data sharing of the API open platform with the complex network environment is achieved.
In some embodiments, the API-opening platform 170 also determines a third security level based on the first security level and the second security level; and determining the access control mode of the API called by the API gateway of the API open platform for the operation items based on the matching degree of the third security level and the access mode. The third security level is a composite risk level associated with the transaction attributes to which the API called by the transaction, and the sensitivity of the data to which the transaction relates. For example, table three below exemplarily shows the association of the first security level, the second security level, and the third security level according to the embodiment of the present disclosure. In some embodiments, according to the comprehensive risk related to the transaction attribute and the data sensitivity, for example, the third security level is divided into several levels with increasing risk level by level, for example, four levels from the first level to the fourth level, and in general, a higher level means that the security mechanism configured correspondingly to the API open platform 170 is more strict.
Watch III
In some embodiments, if it is determined that the third security level is any one of the third predetermined value and the fourth predetermined value (e.g., the third level in table three, or the fourth level), the API-opening platform 170 authenticates the requestor access API based on the authentication information, the identity information, and the contact information. In some embodiments, the information on which the identity authentication is based includes, for example, authentication information (passwords, stamps, digital signatures, etc.), identity information (identification number, passport number, financial account number, etc.), contact information (cell phone number, mailbox address, etc.). If the third security level is determined to be a second predetermined value (e.g., the second level in table three), the API opening platform 170 may authenticate the requestor access API based on the identity information.
In some embodiments, the method 200 further comprises: the API open platform 170 acquires input data associated with the operation item, and determines whether the format and length of the input data meet predetermined conditions; if the format and length of the input data meet the predetermined conditions, it is further confirmed whether the input data includes illegal characters. By the means, the validity of the key data input through the man-machine interface or the communication interface can be verified. For example, the input data regarding the transaction amount cannot include illegal characters such as special characters and negative numbers.
In some embodiments, the method 200 further comprises: the API gateway of the API opening platform 170 records log information associated with the API call. For example, at least one of the following information is recorded with the API called by the requestor: the method comprises the steps of recording successful access or failed access of an API open platform, deleting a user, changing the authority, downloading operation of scheduled data and executing scheduled operation items. The predetermined data is generally important data, such as business reports, user information, reconciliation files, and the like. The appointment transaction is typically an important business transaction, such as a loan approval, a transaction execution, and the like. The log information recorded includes, for each event, a date and time of the event, an IP address, a visitor identification, an event type, an event result, and a change item, for example. The log information is protected and can be accessed by an authorized party only.
Fig. 3 illustrates a flow diagram of a whitelist entitlement control method 300 in accordance with an embodiment of the present disclosure. In fig. 3, the various actions are performed, for example, by a processor of the API opening platform 170 shown in fig. 1. Method 300 may also include additional acts not shown and/or may omit acts shown, as the scope of the disclosure is not limited in this respect.
At block 302, the API opening platform 170 determines a first set of APIs associated with the attribute information based on the attribute information of the requestor; at block 304, it is determined whether the API called by the operation transaction is included in a first set of APIs; at block 306, the called API of the operation transaction is included in the first set of APIs in response to determining that the operation transaction is accessible to the requestor. In some embodiments, the first set of APIs are, for example, APIs that include a plurality of callable APIs that match the attribute information of the requestor. The API open platform is, for example, a banking system with an API open function, and relates to a plurality of main bodies such as API users and end users, and weak links exist in data protection of any party, which may increase the risk of leakage of transaction data, thereby compromising the security of the transaction data. It is therefore necessary to avoid design defects or improper setting of access rights of the service interface to prevent the transaction data from being improperly utilized. Through the access white list authority control means, the matched API access white list authority control can be set according to the attribute information of the requesting party, and the transaction data is prevented from being improperly utilized.
FIG. 4 illustrates a flow diagram of an access blacklist verification method 400 according to an embodiment of the present disclosure. In fig. 4, the various actions are performed, for example, by a processor of the API opening platform 170 shown in fig. 1. Method 400 may also include additional acts not shown and/or may omit acts shown, as the scope of the disclosure is not limited in this respect.
In some embodiments, at block 402, the API opening platform 170 determines whether any of the following conditions are satisfied: the IP address of the requester belongs to a first set, and the IP address is obtained based on the operation request; the account associated with the operation request belongs to an abnormal account set; and the operation request relates to an exception access. At block 404, the operation request from the requestor is intercepted in response to determining that any of the above conditions are satisfied. The first set is, for example, a set of IP address blacklists. The set of anomalous accounts includes, for example: a set of accounts for the risky users and accounts for the risky regions. In some embodiments, the API open platform 170 determines whether the operation request relates to an abnormal access based on at least one of: a time of receiving the operation request; the amount of funds involved in the operation; and the concentration of the requesters. For example, if the time at which the operation request is received is an abnormal time, and/or the amount of money involved in the operation event is abnormally large, and/or an excessively high proportion of requesters are the same user, it may be determined that the operation request involves abnormal access, for example. In some embodiments, by the access blacklist verification means, spam operation requests and malicious attacks can be effectively filtered.
In some embodiments, the method 200 further includes a method 500 for data sharing of financial data associated with attribute information of a requestor.
FIG. 5 shows a flow diagram of a method 500 for sharing financial data according to an embodiment of the present disclosure. In fig. 5, the various actions are performed, for example, by a processor of the API opening platform 170 shown in fig. 1. Method 500 may also include additional acts not shown and/or may omit acts shown, as the scope of the disclosure is not limited in this respect.
At block 502, the API opening platform 170 determines attribute information of the requestor. The attribute information indicates, for example, the type of requestor, such as a person, bank, insurance, dealer, trust, third party payment platform, and the like. In some embodiments, attribute information of the requestor may be determined based on the received operation request, or based on information stored locally on the open platform 170 by the requestor at the time of registration.
At block 504, the API-opening platform 170 determines a third security level based on the first security level, the second security level. The manner of determining the third security level in the method 500 is similar to that in the method 200, and is not described in detail herein.
At block 506, the API-opening platform 170 determines an access control manner based on the degree of matching between the third security level and the attribute information.
In some embodiments, if the API open platform 170 determines that the third security level is any one of the third predetermined value and the fourth predetermined value (e.g., the third level in table three, or the fourth level), the API open platform 170 may further determine whether qualification data associated with the requestor belongs to a predetermined set of qualification data, the qualification data being included in the operation request or stored at the API open platform 170, for example; in response to determining that the qualification data associated with the requestor does not belong to the predetermined set of qualification data, making the associated application for which the operation request is directed inaccessible to the requestor. The predetermined qualification data set includes, for example, but is not limited to, at least one of the following data: bank qualification data, insurance qualification data, security dealer qualification data, trust qualification data, third party payment qualification data, fund sales payment qualification data, futures qualification data, financing lease qualification data, financial lease qualification data, small loan company qualification data, consumption financial qualification data, and the like. The qualification data may be a digital certificate of the license plate.
In some embodiments, if the API-opening platform 170 determines that the third security level is any one of the third predetermined value and the fourth predetermined value (e.g., the third level in table three, or the fourth level), the API-opening platform 170 may determine whether further validation of the qualification data associated with the requestor is required according to the property or application scenario of the API called by the operation request.
In some embodiments, the method 500 further comprises: if it is determined that the data associated with the operational event relates to cryptographic information, the input interface is set in the manner of a randomly arranged soft keyboard. In some embodiments, the API gateway may perform SSL one-way or two-way authentication, possibly in conjunction with a third security level required or determined by the API user. If bidirectional SSL authentication is performed, a carrier bearing a certificate, such as a security chip, a USBKey and the like, needs to be issued by a safe and reliable means.
In some embodiments, the method 500 further comprises: the API opening platform 170 confirms whether the operation transaction relates to the end user 150, and if the operation transaction relates to the end user 150, determines an authentication manner for the end user 150 to which the called API relates, based on the third security level. The authentication method for the end user 150 involved in the called API includes, for example: anonymous authentication, delegated authentication, and platform authentication. Anonymous authentication refers to an authentication matter in which the API open platform 170 does not participate in authentication information of the end user 150. Authentication of the authentication information of end user 150 may be performed by an API user (e.g., third party application system 160). The delegated authentication means that the API open platform 170 does not participate in the authentication of the authentication information of the end user 150, but stores the authentication credentials of the API user for the end user 150. Platform authentication refers to the API open platform 170 participating in the entire authentication process of the end user 150. In some embodiments, if the third security level is determined to be either of the third predetermined value and the fourth predetermined value (e.g., the third level in table three, or the fourth level), API opening platform 170 is caused to authenticate the requestor and end user 150 associated with the operational transaction. If the third security level is determined to be a second predetermined value (e.g., the second level in table three), API opening platform 170 is caused to authenticate the requestor for end user 150 and store the requestor's authentication credentials for end user 150 in association with the operational transaction.
FIG. 6 schematically illustrates a block diagram of an electronic device 600 suitable for use in implementing embodiments of the present disclosure. The device 600 may be used to implement one or more hosts in the user authentication data management system 100 of fig. 1 and 3. As shown, device 600 includes a Central Processing Unit (CPU)601 that may perform various appropriate actions and processes in accordance with computer program instructions stored in a Read Only Memory (ROM)602 or loaded from a storage unit 608 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data required for the operation of the device 600 can also be stored. The CPU 601, ROM602, and RAM603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
A number of components in the device 600 are connected to the I/O interface 605, including: an input unit 606 such as a keyboard, a mouse, or the like; an output unit 607 such as various types of displays, speakers, and the like; a storage unit 608, such as a magnetic disk, optical disk, or the like; and a communication unit 609 such as a network card, modem, wireless communication transceiver, etc. The communication unit 609 allows the device 600 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processing unit 601 performs the various methods and processes described above, e.g., performs the methods 200, 300, 400, 500. For example, in some embodiments, the methods 200, 300, 400, 500 may be implemented as a computer software program stored on a machine-readable medium, such as the storage unit 608. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 600 via the ROM602 and/or the communication unit 609. When the computer program is loaded into RAM603 and executed by CPU 601, one or more of the operations of methods 200, 300, 400, 500 described above may be performed. Alternatively, in other embodiments, the CPU 601 may be configured by any other suitable means (e.g., by way of firmware) to perform one or more acts of the methods 200, 300, 400, 500.
The present disclosure may be methods, apparatus, systems, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for carrying out various aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present disclosure may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, the electronic circuitry that can execute the computer-readable program instructions implements aspects of the present disclosure by utilizing the state information of the computer-readable program instructions to personalize the electronic circuitry, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA).
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
The above are merely alternative embodiments of the present disclosure and are not intended to limit the present disclosure, which may be modified and varied by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.
Claims (15)
1. A method for sharing financial data, comprising:
receiving, at an (application program interface) API open platform, an operation request from a requestor for an API of the API open platform, the operation request including at least an operation transaction;
determining a first security level based on the type of the API called by the operation item;
determining a second security level based on sensitive data associated with the operational event; and
and determining the access control mode of the API called by the API open platform for the operation item based on the first security level, the second security level and the access mode of the requester to the API open platform.
2. The method of claim 1, wherein the access mode comprises any one of:
the operation request is directly sent to the API open platform by the user terminal of the requester;
the operation request is directly sent to the API open platform by an application server of the requester; and
and the operation request is sent to the API open platform by the application server of the requester through a front server isolated by a network.
3. The method of claim 1, wherein the access control manner comprises at least one of:
authenticating an identity of the requestor to access an API of a subscription set based on the digital signature;
performing access white list authority control on the requesting party;
performing access blacklist check on the requesting party; and
making the API called by the operational transaction inaccessible to the requestor.
4. The method of claim 3, wherein controlling access to whitelist permissions for the requestor comprises:
determining a first set of APIs associated with the attribute information based on the attribute information of the requestor;
determining whether the API called by the operational transaction is included in the first set of APIs; and
in response to determining that the API called by the operation transaction is included in the first set of APIs, making the API called by the operation transaction accessible to the requestor.
5. The method of claim 3, wherein performing an access blacklist check on the requestor comprises:
determining whether any of the following conditions are satisfied:
the IP address of the requester belongs to a first set, and the IP address is obtained based on the operation request;
the account associated with the operation request belongs to an abnormal account set; and
the operation request relates to an exception access;
in response to determining that either of the conditions is satisfied, intercepting the operation request from the requestor.
6. The method of claim 5, further comprising:
determining whether the operation request relates to an abnormal access based on at least one of:
receiving the time of the operation request;
the amount of funds to which the operational transaction relates; and
the concentration of the requesting parties.
7. The method of claim 1, wherein determining the access control manner comprises:
determining a third security level based on the first security level and the second security level; and
and determining the access control mode of the API called by the API gateway of the API open platform for the operation item based on the matching degree of the third security level and the access mode, wherein the access mode is determined based on the operation request, and the API open platform is a bank system.
8. The method of claim 1, wherein determining the first security level comprises:
determining that the first security level is a first type level in response to determining that the API called by the operational transaction is a query for any of non-financial information and general-purpose financial information;
determining that the first security level is a second type level in response to determining that the API called by the operational transaction is for any of a non-financial information operation and a query of a user's financial information; and
determining that the first security level is a third type level in response to determining that the API called by the operational transaction is for a money movement operation between a plurality of accounts associated with the same user.
9. The method of claim 8, wherein determining the first security level comprises:
determining that the first security level is a fourth type level in response to determining that the API called by the operational transaction is for a flow operation of funds between a plurality of accounts associated with different users; and
determining that the first security level is a fifth type level in response to determining that the API called by the operational event is for a funds unrestricted flow operation.
10. The method of claim 1, wherein determining the second security level comprises:
responsive to confirming that the sensitive data includes authentication information, determining that the second security level is the first data level;
responsive to confirming that the sensitive data includes any of an identity document number, a name, a financial account number, and an account balance, determining the second security level to be a second data level; and
in response to confirming that the sensitive data includes contact information, determining that the second security level is a third data level.
11. The method of claim 10, wherein determining the access control manner comprises:
in response to determining that the second security level is the first data level, making output data of the API called by the operational transaction non-storable.
12. The method of claim 1, further comprising:
determining attribute information of the requester;
determining a third security level based on the first security level and the second security level; and
and determining the access control mode based on the matching degree between the third security level and the attribute information.
13. The method of claim 1, further comprising:
determining whether data associated with an API called by the operational issue includes any sensitive data in a predefined set of sensitive data, the predefined set of sensitive data including at least: any one of identity authentication information, identity document numbers, names, financial account numbers, account balances and contact information; and
determining the second security level to be a fourth data level in response to determining that data associated with the API called by the operational event does not include any of the predetermined set of sensitive data.
14. An apparatus for sharing of financial data, the apparatus comprising:
a memory configured to store one or more programs;
a processing unit coupled to the memory and configured to execute the one or more programs to cause the apparatus to perform the method of any of claims 1-13.
15. A non-transitory computer readable storage medium having stored thereon machine executable instructions which, when executed, cause a machine to perform the steps of the method of any of claims 1-13.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910406602.XA CN111949335A (en) | 2019-05-15 | 2019-05-15 | Method and apparatus for sharing financial data |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910406602.XA CN111949335A (en) | 2019-05-15 | 2019-05-15 | Method and apparatus for sharing financial data |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111949335A true CN111949335A (en) | 2020-11-17 |
Family
ID=73335490
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910406602.XA Pending CN111949335A (en) | 2019-05-15 | 2019-05-15 | Method and apparatus for sharing financial data |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111949335A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112785424A (en) * | 2021-02-07 | 2021-05-11 | 中国工商银行股份有限公司 | Processing method, device, computing equipment and medium for financial data |
| CN113536319A (en) * | 2021-07-07 | 2021-10-22 | 上海浦东发展银行股份有限公司 | Interface risk prediction method and device, computer equipment and storage medium |
| CN114006754A (en) * | 2021-10-29 | 2022-02-01 | 重庆长安汽车股份有限公司 | Method for protecting API (application programming interface) interface configuration security policy data and method and system for calling open platform service based on gateway |
| CN114666113A (en) * | 2022-03-14 | 2022-06-24 | 北京计算机技术及应用研究所 | Dynamic response data desensitization method based on API gateway |
| CN115665246A (en) * | 2022-09-01 | 2023-01-31 | 浪潮通信信息系统有限公司 | Registration request processing method, device, equipment and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120030354A1 (en) * | 2010-08-02 | 2012-02-02 | Ebay, Inc. | Application platform with flexible permissioning |
| CN105306534A (en) * | 2015-09-21 | 2016-02-03 | 拉扎斯网络科技(上海)有限公司 | Information verification method based on open platform and open platform |
| CN105704154A (en) * | 2016-04-01 | 2016-06-22 | 金蝶软件(中国)有限公司 | RESTful-based service processing method, device and system |
| CN106651586A (en) * | 2016-12-30 | 2017-05-10 | 上海富聪金融信息服务有限公司 | Multi-distributor oriented financial product marketing open service platform |
| CN109493038A (en) * | 2018-09-25 | 2019-03-19 | 法信公证云(厦门)科技有限公司 | A kind of front-end system and method for applying to financial industry and having pressure notarization function |
-
2019
- 2019-05-15 CN CN201910406602.XA patent/CN111949335A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120030354A1 (en) * | 2010-08-02 | 2012-02-02 | Ebay, Inc. | Application platform with flexible permissioning |
| CN105306534A (en) * | 2015-09-21 | 2016-02-03 | 拉扎斯网络科技(上海)有限公司 | Information verification method based on open platform and open platform |
| CN105704154A (en) * | 2016-04-01 | 2016-06-22 | 金蝶软件(中国)有限公司 | RESTful-based service processing method, device and system |
| CN106651586A (en) * | 2016-12-30 | 2017-05-10 | 上海富聪金融信息服务有限公司 | Multi-distributor oriented financial product marketing open service platform |
| CN109493038A (en) * | 2018-09-25 | 2019-03-19 | 法信公证云(厦门)科技有限公司 | A kind of front-end system and method for applying to financial industry and having pressure notarization function |
Non-Patent Citations (1)
| Title |
|---|
| 宋赢硕: "基于分级访问控制的政府数据开放平台及安全设计", 《中国优秀博硕士学位论文全文数据库(硕士) 社会科学Ⅰ辑》 * |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112785424A (en) * | 2021-02-07 | 2021-05-11 | 中国工商银行股份有限公司 | Processing method, device, computing equipment and medium for financial data |
| CN113536319A (en) * | 2021-07-07 | 2021-10-22 | 上海浦东发展银行股份有限公司 | Interface risk prediction method and device, computer equipment and storage medium |
| CN113536319B (en) * | 2021-07-07 | 2022-12-13 | 上海浦东发展银行股份有限公司 | Interface risk prediction method and device, computer equipment and storage medium |
| CN114006754A (en) * | 2021-10-29 | 2022-02-01 | 重庆长安汽车股份有限公司 | Method for protecting API (application programming interface) interface configuration security policy data and method and system for calling open platform service based on gateway |
| CN114666113A (en) * | 2022-03-14 | 2022-06-24 | 北京计算机技术及应用研究所 | Dynamic response data desensitization method based on API gateway |
| CN115665246A (en) * | 2022-09-01 | 2023-01-31 | 浪潮通信信息系统有限公司 | Registration request processing method, device, equipment and storage medium |
| CN115665246B (en) * | 2022-09-01 | 2024-03-08 | 浪潮通信信息系统有限公司 | Registration request processing method, device, equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20220277307A1 (en) | Systems and methods for personal identification and verification | |
| US11727400B2 (en) | Telecommunication system and method for settling session transactions | |
| CN111316278B (en) | Secure identity and profile management system | |
| US20230291571A1 (en) | Dynamic management and implementation of consent and permissioning protocols using container-based applications | |
| US10038726B2 (en) | Data sensitivity based authentication and authorization | |
| US20180295121A1 (en) | Secure element authentication | |
| US11095646B2 (en) | Method and system for data security within independent computer systems and digital networks | |
| CN113015989A (en) | Block chain supervision | |
| US9852276B2 (en) | System and methods for validating and managing user identities | |
| CN111949335A (en) | Method and apparatus for sharing financial data | |
| WO2021169107A1 (en) | Internet identity protection method and apparatus, electronic device, and storage medium | |
| US20220303258A1 (en) | Computer-implemented system and method | |
| EP3867849B1 (en) | Secure digital wallet processing system | |
| US11507945B2 (en) | Method and system for usage of cryptocurrency, preventing financial crime | |
| US20220391859A1 (en) | Secure cryptocurrency transaction with identification information | |
| KR102211033B1 (en) | Agency service system for accredited certification procedures | |
| KR102199486B1 (en) | Authorized authentication agency for content providers | |
| US20140143147A1 (en) | Transaction fee negotiation for currency remittance | |
| US20190095923A1 (en) | System and method for enforcing granular privacy controls during transaction fraud screening by a third party | |
| TWI790985B (en) | Data read authority control system based on block chain and zero-knowledge proof mechanism, and related data service system | |
| KR102347642B1 (en) | System and method of agent service for subscription of financial instrument and computer program for the same | |
| CN114826616B (en) | Data processing method, device, electronic equipment and medium | |
| Wilusz et al. | Secure protocols for smart contract based insurance services | |
| US20240086905A1 (en) | Mitigation of cryptographic asset attacks | |
| CA3236147A1 (en) | Systems and methods for managing tokens and filtering data to control data access |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20201117 |
|
| RJ01 | Rejection of invention patent application after publication |