CN113079006A - Information processing method for key, electronic device and storage medium - Google Patents


Info

Publication number
CN113079006A
Authority
CN
China
Prior art keywords
user
authorization
key
node
identity information
Prior art date
Legal status
Granted
Application number
CN202110333586.3A
Other languages
Chinese (zh)
Other versions
CN113079006B (en)
Inventor
孙吉平
刘思宇
Current Assignee
Shanghai Weibai Technology Co ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Senseshield Technology Co Ltd
Priority to CN202110333586.3A
Publication of CN113079006A
Application granted
Publication of CN113079006B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution using key encryption key
    • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Verification of identity, authority or credentials involving a third party or a trusted authority
    • H04L9/3213 Verification of identity, authority or credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements using hash chains, e.g. blockchains or hash trees

Abstract

The application discloses an information processing method for a key, an electronic device and a storage medium. The method comprises the following steps: obtaining license information of the key and identity information of the user, and generating an authorization credential that authorizes the user to use the key based on the license information and the identity information; calling a first linked list to which a plurality of sequentially arranged nodes can be added, and adding the authorization credential to the first linked list to form a node, so that the user obtains the qualification to use the authorization credential at that node and at the downstream nodes. Because the authorization credential that authorizes a user to use a key is added to the first linked list as a node, and the nodes in the first linked list are arranged in sequence, the user obtains the qualification to use the authorization credential at the node and the credentials at the downstream nodes, so that efficient, accurate and safe authorized use of the key can be realized for multi-level users.

Description

Information processing method for key, electronic device and storage medium
Technical Field
The present application relates to the field of key authorization technologies, and in particular, to an information processing method for a key, an electronic device, and a storage medium.
Background
A key is generated information used to perform operations such as encryption, decryption, signing or signature verification. After a key is generated, the corresponding client must be authorized before it can use the key to perform the corresponding operation. Typically, after the key is generated, authorization information is generated separately for the clients of different users, so that each client can use the key based on its own authorization information. However, for a multi-level customer group such as a company, an organization or a group, how to realize efficient, accurate and safe authorized use of a key is a technical problem that urgently needs to be solved.
Disclosure of Invention
In view of the foregoing problems in the prior art, the present application provides an information processing method, an electronic device, and a storage medium for a key, and an embodiment of the present application adopts the following technical solutions:
an information processing method for a key, comprising:
obtaining license information of a secret key and identity information of a user, and generating an authorization certificate for authorizing the user to use the secret key based on the license information and the identity information;
calling a first linked list to which a plurality of sequentially arranged nodes can be added, and adding the authorization certificate to the first linked list to form a node, so that the user obtains the qualification to use the authorization certificate at that node and at the downstream nodes.
In some embodiments, the method further comprises:
receiving an operation request of the user;
obtaining the authorization voucher corresponding to the operation request from the first linked list;
and calling a corresponding key based on the acquired authorization certificate, and executing the operation requested to be executed by the operation request based on the called key.
In some embodiments, the operation request includes identity information of the user, and an identification capable of identifying a key requested for use; the obtaining the authorization credential corresponding to the operation request from the first linked list includes:
acquiring the authorization certificate authorized to be used by the user and the authorization certificate at a downstream node from the first linked list based on the identity information;
and searching the authorization certificate of the key corresponding to the identification from the obtained authorization certificate authorized to be used by the user and the authorization certificate at the downstream node.
In some embodiments, the obtaining license information of a key and identity information of a user, and generating authorization credentials for authorizing the user to use the key based on the license information and the identity information, includes:
acquiring first license information of a first key and a first tag for identifying a first user group;
generating a first authorization credential for authorizing the first user group to use the first key based on the first permission information and the first tag to authorize the first user to use the first authorization credential if first identity information of the first user is added to the first user group.
In some embodiments, adding the authorization credential to the first linked list to form a node, so that the user obtains the qualification to use the authorization credential at the node and at a downstream node, comprises:
adding the first authorization certificate to the first linked list to form a first node, so that a first user in the first user group obtains the qualification to use the first authorization certificate and the authorization certificates at nodes downstream of the first node.
In some embodiments, the obtaining license information of a key and identity information of a user, and generating authorization credentials for authorizing the user to use the key based on the license information and the identity information, further includes:
acquiring second license information of a second key and a second tag for identifying a second user group; wherein the second group of users is located within the first group of users;
generating a second authorization credential for authorizing the second user group to use the second key based on the second permission information and the second tag, to authorize the second user to use the second authorization credential if second identity information of the second user is added to the second user group;
correspondingly, adding the authorization credential to the first linked list to form a node, so that the user obtains the qualification to use the authorization credential at the node and at a downstream node, further comprises:
adding the second authorization credential to the first linked list to form a second node downstream of the first node, so that the first user obtains the qualification to use the first and second authorization credentials and the second user obtains the qualification to use the second authorization credential.
In some embodiments, the method further comprises:
receiving a first operation request of the first user, wherein the first operation request comprises first identity information of the first user and identification capable of identifying a key requested to be used;
obtaining the first tag for identifying the first user group based on the first identity information;
based on the first label, obtaining the first authorization certificate and an authorization certificate at a downstream node of the first node from the first linked list;
searching the authorization voucher corresponding to the identification from the first authorization voucher and the authorization voucher of the downstream node of the first node;
and calling the requested key based on the authorization certificate corresponding to the identification, and executing the operation corresponding to the first operation request.
In some embodiments, the obtaining license information of a key and identity information of a user, and generating authorization credentials for authorizing the user to use the key based on the license information and the identity information, includes:
and acquiring license information of the secret key, a secret key token of the secret key and identity information of the user, and generating the authorization certificate for authorizing the user to use the secret key based on the license information, the secret key token and the identity information.
An electronic device comprising at least a memory having a program stored thereon and a processor implementing the method as described above when executing the program on the memory.
A computer-readable storage medium having stored therein computer-executable instructions that, when executed, implement a method as described above.
According to the information processing method for the key, the authorization certificate that authorizes a user to use the key is added to the first linked list to form one node in the first linked list, and the nodes in the first linked list are arranged in sequence, so that the user obtains the qualification to use the authorization certificate at the node and the authorization certificates at the downstream nodes, and efficient, accurate and safe authorized use of the key can be realized for multi-level users.
Drawings
Fig. 1 is a flowchart of a first embodiment of an information processing method for a key according to an embodiment of the present application;
fig. 2 is a flowchart of a second embodiment of an information processing method for a key according to an embodiment of the present application;
fig. 3 is a flowchart of a third embodiment of an information processing method for a key according to an embodiment of the present application;
fig. 4 is a flowchart of a fourth embodiment of an information processing method for a key according to an embodiment of the present application;
fig. 5 is a flowchart of a fifth embodiment of an information processing method for a key according to an embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of alternative forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It is also to be understood that although the present application has been described with reference to some specific examples, those skilled in the art are able to ascertain many other equivalents to the practice of the present application.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail to avoid obscuring the application with unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
Fig. 1 is a flowchart of a first embodiment of an information processing method for a key according to an embodiment of the present application. Referring to fig. 1, the information processing method for a key according to the embodiment of the present application specifically includes the following steps in the key authorization phase:
and S1, obtaining the license information of the key and the identity information of the user, and generating an authorization certificate for authorizing the user to use the key based on the license information and the identity information.
In particular implementations, generating the authorization credential may be performed in response to an authorization instruction, for example from a system administrator user. The authorization instruction may include the license information for the key and the identity information of the user, i.e., the license information and identity information may be obtained from, for example, a system administrator user. Of course, the license information for the key and the identity information of the user may also be obtained locally from the server, e.g., the license information of the indicated key and the identity information of the indicated user may be retrieved locally from the server in response to receiving the authorization instruction. Here, the system administrator user may be a user dedicated to system management, or a general user who has system management authority.
Wherein the license information may be configuration information for a key usage attribute. The license information may specifically include a start time, an end time, and a license period of the license use for the key, may also include the number of times of license use for the key and a parent license of the license, and may also include a license use policy, such as permission to inherit, permission to perform a decryption operation, permission to perform an encryption operation, permission to perform a printing operation, or permission to perform an export operation. The license information may be generated at the time of key creation or may be generated by configuration by, for example, a system administrator user after the key is created and before the authorization credential is generated. The identity information of the user is used to uniquely identify a user within a certain range, and may include, for example, a user name, a user number, a user job title, address information, and the like, where the user refers to a user who needs to perform a corresponding operation using the key.
Under the condition that the license information of the key and the identity information of the user are obtained, an authorization certificate for authorizing the user to use the key can be generated, and the authorization certificate serves as a proof that the user has corresponding key use permission, so that the user can call the key to execute corresponding operation based on the authorization certificate. Specifically, for example, an encryption operation, a decryption operation, a signature verification operation, or the like may be performed based on the key.
It should be noted that after a key is created, an owner of the key, such as a system administrator, may authorize the key for one or more users. The licensing information configured by the system administrator may be the same or different for different users, but the authorization credentials generated are necessarily different entities. The authorization credential generated in this step is the authorization credential generated for the specific user identified by the identity information of the user.
Illustratively, the authorization credential, as a kind of data credential, may include a key identifier, an issuer identifier, a user identifier, and license information. The key identifier is used to uniquely identify a specific key within a certain range. The issuer identification is used to indicate the owner of the particular key. The user identification is used to indicate a particular user or organization, i.e., the owner of a particular key allows the principal to use that particular key. The license information is used to indicate the rights to use a particular key that the particular user is entitled to by the owner of the particular key.
In actual application, the server may include a calling unit, an organization management unit, an authorization management unit, and a key management unit. The key may be created by a key management unit. The calling unit is used as an interface between the server and the user and also used as an interface connected with the underlying database, and the license information and the identity information can be acquired from a system administrator user by the calling unit or can be acquired from the database by the calling unit. The authorization management unit may be operable to generate an authorization credential for authorizing the user to use the key based on the license information and the identity information.
In an alternative embodiment, authorization credentials for authorizing the user to use the key may be generated based on the license information, the key token for the key, and the identity information of the user.
The key token may be generated by, for example, a key management unit at the time of key creation. The key token may comprise, for example, a key number of a key, an authorization credential pointing to the key number may be generated based on the key number, and a corresponding key may be searched for based on the key number included in the authorization credential when in use, which is beneficial to improve response speed.
The key token may also include an authentication code for the key, and an authorization certificate generated based on the authentication code may include that authentication code.
S2, a first linked list to which a plurality of sequentially arranged nodes can be added is called, and the authorization voucher is added to the first linked list to form a node, so that the user obtains the qualification to use the authorization voucher at that node and at the downstream nodes.
The first linked list serves as a data storage structure for storing authorization credentials, and can be created by an authorization management unit, such as a server, based on instructions of a system administrator user, for example. A plurality of authorization certificates can be added into the first linked list, each authorization certificate can form a node, and the nodes are sequentially arranged. The sequential arrangement here may be implemented by storing the authorization credentials sequentially in the first linked list, or may be implemented logically by, for example, pointers.
The authorization management unit may add the authorization credential to the first linked list to form a node when the authorization credential is created. Specifically, under the condition that the existing node does not exist in the first linked list, the authorization management unit can directly add the authorization certificate into the first linked list; in the case that there are existing nodes in the first linked list, the authorization management unit may add an authorization credential to the first linked list based on, for example, an indication of a system administrator user, and configure a location relationship of the authorization credential and the existing nodes in the first linked list to configure a user qualification for the authorization credential.
For example, in a company or an organization, information at the highest confidentiality level is usually processed by a higher-level key such as a first-level key, information at the next level by a middle-level key such as a second-level key, information at the level below that by a lower-level key such as a third-level key, and general information by a common key such as a fourth-level key, to ensure data security and integrity. The method grants use of the first-level key to first-level users, such as senior leaders of the company or organization, to generate a first-level authorization certificate; grants use of the second-level key to second-level users, such as department leaders, to generate a second-level authorization certificate; grants use of the third-level key to third-level users, such as group leaders, to generate a third-level authorization certificate; grants use of the fourth-level key to ordinary employees or members to generate a fourth-level authorization certificate; and adds the first-level, second-level, third-level and fourth-level authorization certificates to the first linked list in that order. Therefore a first-level user, by being authorized only for the first-level key, obtains the qualification to use the first-level authorization certificate together with the second-level, third-level and fourth-level authorization certificates at the downstream nodes, without repeated authorization. By analogy, a second-level user obtains the qualification to use the second-level, third-level and fourth-level authorization certificates, and a fourth-level user obtains only the qualification to use the fourth-level authorization certificate.
In the key authorization phase, the authorization certificate that authorizes a user to use the key is added to the first linked list to form a node in the first linked list, and the nodes in the first linked list are arranged in sequence, so that the user obtains the qualification to use the authorization certificate at the node and the authorization certificates at the downstream nodes, and efficient, accurate and safe authorized use of the key can be realized for multi-level users.
Referring to fig. 2, in some embodiments, the step S1 of obtaining license information of the key and identity information of the user, and generating authorization credentials for authorizing the user to use the key based on the license information and the identity information includes:
s11, obtaining the permission information of the key and the label for identifying the user group;
s12, based on the permission information and the label, generating an authorization voucher for authorizing the user group to use the key, so as to authorize the user to use the authorization voucher under the condition that the identity information of the user is added to the user group;
accordingly, in step S2, adding the authorization certificate to the first linked list to form a node, so that the user obtains the qualification to use the authorization certificate at the node and at the downstream nodes, includes:
S21, adding the authorization certificate to the first linked list to form a node, so that the users in the user group obtain the qualification to use the authorization certificate at that node and at the downstream nodes.
Aiming at users at the same level in a company or an organization, a user group can be created through the organization management unit, the identity information of the users at the level is added into the user group, then an authorization voucher aiming at the user group is generated through the authorization management unit, the authorization voucher aiming at the user group is added into the first linked list, and the users at the level can all obtain the use qualification of the authorization voucher only through one-time authorization, so that the authorization use operation is further simplified, and the management efficiency of the system is improved.
In a specific implementation, as shown in fig. 3, the server may receive an instruction from the system administrator user through the invoking unit and pass it to the authorization management unit, which creates the first linked list and feeds back a linked list token for the first linked list to the system administrator user through the invoking unit. The linked list token may include a linked list number that identifies the first linked list. The server may also receive another instruction from the system administrator user, in response to which the organization management unit creates one or more user groups and generates a label identifying each user group. The label may include information such as a user group number and a user group name. The key management unit creates a key for each user group and generates the corresponding key tokens. The authorization management unit then generates an authorization voucher that authorizes the user group to use its key, based on the permission information and the label, so that the user group obtains the right to use the key; adds the authorization voucher for the user group to the first linked list to form a node, so that the whole user group obtains the qualification to use the authorization voucher at that node and at the downstream nodes; and finally feeds back information to the user stating that the user group was created successfully, that the key and the authorization voucher for the user group were also created successfully, and that the authorization voucher has been added to the first linked list.
When the server receives a further instruction from the system administrator user through the invoking unit, the organization management unit may, in response, add the identity information of the user indicated by that instruction to the corresponding user group, so that the user obtains the qualification to use all authorization credentials acquired by the user group, and then feed back information to the system administrator user stating that the operation of adding the identity information to the user group is complete. At this point, key authorization for the users in the user group is complete, and a user added to the user group can invoke the corresponding key through the authorization credential obtained by the user group to execute the corresponding operation. It should be noted that the order of the above steps may be adjusted based on actual requirements, as long as key authorization for the users in the user group is achieved.
In a specific embodiment, obtaining license information of a key and identity information of a user, and generating an authorization credential that authorizes the user to use the key based on the license information and the identity information, includes:
acquiring first license information of a first key and a first tag identifying a first user group;
generating, based on the first license information and the first tag, a first authorization credential that authorizes the first user group to use the first key, so that a first user is authorized to use the first authorization credential once the first identity information of the first user has been added to the first user group;
acquiring second license information of a second key and a second tag identifying a second user group, where the second user group is located within the first user group;
generating, based on the second license information and the second tag, a second authorization credential that authorizes the second user group to use the second key, so that a second user is authorized to use the second authorization credential once the second identity information of the second user has been added to the second user group.
Correspondingly, adding the authorization credential to the first linked list to form a node, so that the user obtains the right to use the credential at that node and at downstream nodes, includes:
adding the first authorization credential to the first linked list to form a first node, and adding the second authorization credential to the first linked list to form a second node downstream of the first node, so that the first user obtains the right to use both the first and the second authorization credential, while the second user obtains the right to use only the second authorization credential.
The first user may be a more senior member of a company or organization and the second user a more junior one. Building the second user group inside the first, or adding the second group to the first so that the first group contains the second, yields a data structure that mirrors the organization chart. Managing identity information and authorizing key use can then follow that structure, which gives a better user experience.
As shown in fig. 4, in some embodiments the key using step includes:
S3: receiving an operation request of the user;
S4: obtaining the authorization credential corresponding to the operation request from the first linked list;
S5: invoking the corresponding key based on the obtained authorization credential, and executing the operation requested by the operation request based on the invoked key.
When the user needs a key to perform an operation, the user sends an operation request. After the server receives the request through the invoking unit, the authorization management unit searches the first linked list, based on the request, for the corresponding authorization credential, that is, the credential of the key requested for use. The key management unit then retrieves the key based on the credential found and performs the requested operation with it. The operation may be, for example, encryption, decryption, signing or signature verification. Once the operation completes, its result is returned to the user; for example, after a target file has been decrypted, the decrypted file is returned.
In some embodiments the operation request includes the identity information of the user and an identifier capable of identifying the key requested for use, and obtaining the authorization credential corresponding to the operation request from the first linked list includes:
S41: obtaining, from the first linked list and based on the identity information, the authorization credential the user is authorized to use and the authorization credentials at the downstream nodes;
S42: searching, among the credential the user is authorized to use and the credentials at the downstream nodes, for the authorization credential of the key corresponding to the identifier.
In the scenario of authorization for a single user, the identity information in the operation request can be matched directly against the first linked list to obtain the credential the user is authorized to use together with the credentials at the downstream nodes, that is, every credential the user is qualified to use. The credential of the key corresponding to the identifier, namely the credential of the key requested for use, is then searched for among those credentials. The identifier may be, for example, the key number of the key, or the security level of the information to be handled, the security level being associated with a key. The corresponding key is then invoked based on the credential found, and the requested operation can be executed. In this way the user can not only invoke the key covered by the credential authorized to the user directly, but also invoke other keys through the credentials at the downstream nodes. For example, the primary user can not only invoke the primary key using the primary authorization credential, but also invoke the corresponding keys based on the secondary, tertiary and quaternary authorization credentials.
In some embodiments, the method further comprises:
receiving a first operation request of the first user, the first operation request including the first identity information of the first user and an identifier capable of identifying the key requested for use;
obtaining the first tag identifying the first user group based on the first identity information;
obtaining, from the first linked list and based on the first tag, the first authorization credential and the authorization credentials at the nodes downstream of the first node;
searching, among the first authorization credential and the credentials at the nodes downstream of the first node, for the credential corresponding to the identifier;
and invoking the requested key based on the credential corresponding to the identifier, and executing the operation corresponding to the first operation request.
In the scenario of authorizing a user group, as shown in fig. 5, the organization management unit may first verify, based on the first identity information in the request, whether the first user belongs to a user group; once it determines that the first user is in the first user group, it obtains the first tag identifying that group. Based on the first tag, the authorization management unit obtains the first authorization credential and the credentials at the nodes downstream of the first node from the first linked list; if the only downstream node holds the second authorization credential, for example, it obtains the first and the second credential. The credential corresponding to the identifier in the request is then searched for among these; here the identifier may also be information associated with the user group. When the first operation request asks for an operation with the first key, which corresponds to the first authorization credential, that credential is used to locate the first key, and the key management unit performs the operation with it. The result is then returned to the user.
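The credential list with downstream inheritance, the nested user groups and the request path of steps S3 to S5 and S41 to S42, as one added example that is not part of the patent and not code of the applicant. It assumes, for illustration, that license information is a set of permitted operations, that the key operation is an HMAC-SHA256 tag (sign/verify) so that the example runs with the Python standard library only, that a security level may stand in for a key number as the identifier, and that the identity in a request has already been authenticated, which the patent text does not cover. All class and function names are the example's own.

```python
"""Added example (not the patentee's code): a minimal model of the
authorization linked list of CN113079006A.  Each node holds one
authorization credential; a subject placed at node i may use the
credential at node i and at every downstream node (i+1, ...)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Credential:
    """Authorization credential: which key, which subject (user-group tag or
    single-user identity) and which operations the license information
    permits (assumed format)."""
    key_id: str
    subject: str
    allowed_ops: frozenset


class AuthList:
    """The 'first linked list': credential nodes in insertion order."""

    def __init__(self) -> None:
        self.nodes: List[Credential] = []

    def add_node(self, cred: Credential) -> int:
        self.nodes.append(cred)
        return len(self.nodes) - 1          # node number = list index

    def reachable(self, subject: str) -> List[Credential]:
        """Credentials at the subject's own node and every downstream node."""
        for i, cred in enumerate(self.nodes):
            if cred.subject == subject:
                return self.nodes[i:]
        return []


class KeyServer:
    """Toy server combining the organization, key and authorization units."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}       # key management unit
        self.members: Dict[str, str] = {}      # identity -> user-group tag
        self.levels: Dict[str, str] = {}       # security level -> key id (assumed)
        self.auth_list = AuthList()            # authorization management unit

    def create_group(self, tag: str, allowed_ops, level: Optional[str] = None) -> str:
        """Create the group's key and credential and append the node."""
        key_id = f"key-{tag}"
        self.keys[key_id] = secrets.token_bytes(32)
        if level:
            self.levels[level] = key_id
        self.auth_list.add_node(Credential(key_id, tag, frozenset(allowed_ops)))
        return key_id

    def add_user(self, identity: str, tag: str) -> None:
        """Add the user's identity information to a user group."""
        self.members[identity] = tag

    def handle(self, identity: str, key_ref: str, op: str, data: bytes,
               mac: bytes = b"") -> Union[bytes, bool]:
        """S3-S5 / S41-S42: request -> reachable credentials -> match -> key.
        `identity` is assumed to be authenticated before this is called."""
        tag = self.members.get(identity)
        if tag is None:
            raise PermissionError(f"{identity}: not in any user group")
        key_id = self.levels.get(key_ref, key_ref)   # identifier may be a level
        cred = next((c for c in self.auth_list.reachable(tag)
                     if c.key_id == key_id), None)
        if cred is None:
            # key unknown, or its node lies upstream of the user's node
            raise PermissionError(f"{identity}: no credential for {key_ref}")
        if op not in cred.allowed_ops:
            raise PermissionError(f"{identity}: {op} not licensed for {key_id}")
        key = self.keys[cred.key_id]
        tag_bytes = hmac.new(key, data, hashlib.sha256).digest()
        if op == "sign":
            return tag_bytes
        if op == "verify":
            return hmac.compare_digest(tag_bytes, mac)
        raise ValueError(f"unsupported operation {op}")


def build_demo() -> KeyServer:
    """Constructed scenario: group g2 is nested inside g1, so g2's node is
    appended downstream of g1's node."""
    srv = KeyServer()
    srv.create_group("g1", {"sign", "verify"}, level="secret")
    srv.create_group("g2", {"sign", "verify"}, level="internal")
    srv.add_user("alice", "g1")   # first user, first user group
    srv.add_user("bob", "g2")     # second user, second (nested) user group
    return srv
```

Two points a practitioner would check in such a design: the head of the list is the most privileged position, since a subject at node i reaches every node after it, so the order in which credentials are appended is the privilege order and a node appended in the wrong place silently grants its key to every upstream group; and the lookup only decides authorization, so the server must authenticate the identity in the request before calling `handle`, otherwise any caller can name an upstream user and obtain that user's keys.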
Embodiments of the present application further provide an electronic device that includes at least a memory and a processor, the memory storing a program and the processor implementing the method of any of the above embodiments when it executes that program. The electronic device may be, for example, a server, a cloud server or a distributed processing system.
Embodiments of the present application further provide a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method of any of the above embodiments.
It will be apparent to one skilled in the art that embodiments of the present application may be provided as methods, electronic devices, computer-readable storage media, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied in the medium. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. A general-purpose processor may be a microprocessor or any conventional processor.
The memory may include volatile memory, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory, in a computer-readable medium. The memory is one example of a computer-readable medium.
The readable storage medium may be a magnetic disk, an optical disk, a DVD, a USB device, a ROM, a RAM, or the like; the specific form of the storage medium is not limited in this application.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.

Claims (10)

1. An information processing method for a key, comprising:
obtaining license information of a key and identity information of a user, and generating an authorization credential that authorizes the user to use the key based on the license information and the identity information;
invoking a first linked list to which a plurality of sequentially arranged nodes can be added, and adding the authorization credential to the first linked list to form a node, so that the user obtains the right to use the authorization credential at that node and at any downstream node.
2. The method of claim 1, further comprising:
receiving an operation request of the user;
obtaining the authorization credential corresponding to the operation request from the first linked list;
and invoking the corresponding key based on the obtained authorization credential, and executing the operation requested by the operation request based on the invoked key.
3. The method of claim 2, wherein the operation request includes identity information of the user and an identifier capable of identifying the key requested for use; and obtaining the authorization credential corresponding to the operation request from the first linked list comprises:
obtaining, from the first linked list and based on the identity information, the authorization credential the user is authorized to use and the authorization credentials at downstream nodes;
and searching, among the obtained authorization credentials, for the authorization credential of the key corresponding to the identifier.
4. The method of claim 1, wherein obtaining license information of a key and identity information of a user, and generating an authorization credential that authorizes the user to use the key based on the license information and the identity information, comprises:
acquiring first license information of a first key and a first tag identifying a first user group;
generating, based on the first license information and the first tag, a first authorization credential that authorizes the first user group to use the first key, so that a first user is authorized to use the first authorization credential once first identity information of the first user has been added to the first user group.
5. The method of claim 4, wherein adding the authorization credential to the first linked list to form a node, so that the user obtains the right to use the authorization credential at that node and at downstream nodes, comprises:
adding the first authorization credential to the first linked list to form a first node, so that a first user in the first user group obtains the right to use the first authorization credential and the authorization credentials at nodes downstream of the first node.
6. The method of claim 5, wherein obtaining license information of a key and identity information of a user, and generating an authorization credential that authorizes the user to use the key based on the license information and the identity information, further comprises:
acquiring second license information of a second key and a second tag identifying a second user group, wherein the second user group is located within the first user group;
generating, based on the second license information and the second tag, a second authorization credential that authorizes the second user group to use the second key, so that a second user is authorized to use the second authorization credential once second identity information of the second user has been added to the second user group;
and correspondingly, adding the authorization credential to the first linked list to form a node, so that the user obtains the right to use the authorization credential at that node and at downstream nodes, further comprises:
adding the second authorization credential to the first linked list to form a second node downstream of the first node, so that the first user obtains the right to use the first and the second authorization credential and the second user obtains the right to use the second authorization credential.
7. The method of claim 5, further comprising:
receiving a first operation request of the first user, the first operation request including first identity information of the first user and an identifier capable of identifying a key requested for use;
obtaining the first tag identifying the first user group based on the first identity information;
obtaining, from the first linked list and based on the first tag, the first authorization credential and the authorization credentials at nodes downstream of the first node;
searching, among the first authorization credential and the authorization credentials at nodes downstream of the first node, for the authorization credential corresponding to the identifier;
and invoking the requested key based on the authorization credential corresponding to the identifier, and executing the operation corresponding to the first operation request.
8. The method of claim 1, wherein obtaining license information of a key and identity information of a user, and generating an authorization credential that authorizes the user to use the key based on the license information and the identity information, comprises:
obtaining the license information of the key, a key token of the key and the identity information of the user, and generating the authorization credential that authorizes the user to use the key based on the license information, the key token and the identity information.
9. An electronic device comprising at least a memory and a processor, the memory having a program stored thereon, wherein the processor, when executing the program on the memory, implements the method of any of claims 1-8.
10. A computer-readable storage medium having computer-executable instructions stored therein, wherein the method of any one of claims 1-8 is implemented when the computer-executable instructions in the computer-readable storage medium are executed.
CN202110333586.3A 2021-03-29 2021-03-29 Information processing method for key, electronic device and storage medium Active CN113079006B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110333586.3A CN113079006B (en) 2021-03-29 2021-03-29 Information processing method for key, electronic device and storage medium

Publications (2)

Publication Number Publication Date
CN113079006A true CN113079006A (en) 2021-07-06
CN113079006B CN113079006B (en) 2021-11-30

Family

ID=76611097

Country Status (1)

Country Link
CN (1) CN113079006B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150244707A1 (en) * 2014-02-25 2015-08-27 Amazon Technologies, Inc. Provisioning digital certificates in a network environment
US20150256347A1 (en) * 2014-03-05 2015-09-10 Industrial Technology Research Institute Apparatuses and methods for certificate generation, certificate revocation and certificate verification
US9332002B1 (en) * 2013-03-14 2016-05-03 Amazon Technologies, Inc. Authenticating and authorizing a user by way of a digital certificate
CN106301788A (en) * 2016-08-12 2017-01-04 武汉大学 A kind of group key management method supporting authenticating user identification
CN108229962A (en) * 2018-01-04 2018-06-29 众安信息技术服务有限公司 Right management method and system based on block chain
CN108616539A (en) * 2018-05-03 2018-10-02 东莞市翔实信息科技有限公司 A kind of method and system that block chain transaction record accesses
CN110581860A (en) * 2019-09-19 2019-12-17 腾讯科技(深圳)有限公司 identity authentication method, device, storage medium and equipment based on block chain
CN110619236A (en) * 2019-08-15 2019-12-27 中国人民银行数字货币研究所 File authorization access method, device and system based on file credential information
CN110636043A (en) * 2019-08-16 2019-12-31 中国人民银行数字货币研究所 File authorization access method, device and system based on block chain
CN111064708A (en) * 2019-11-25 2020-04-24 精硕科技(北京)股份有限公司 Authorization authentication configuration method, authorization authentication device and electronic equipment
EP3681101A1 (en) * 2017-09-07 2020-07-15 China Iwncomm Co., Ltd. Digital credential management method and device


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhou Sufang: "Attribute-based key authorization signature" (基于属性的密钥授权签名), Application Research of Computers (计算机应用研究) *

Also Published As

Publication number Publication date
CN113079006B (en) 2021-11-30


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TA01 Transfer of patent application right
Effective date of registration: 20211117
Address after: 201203 room 906, floor 9, building 1, No. 169 shengxia road and No. 1658 Zhangdong Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai
Applicant after: Shanghai Weibai Technology Co.,Ltd.
Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing
Applicant before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.
CP02 Change in the address of a patent holder
Address after: 201203 room 906, floor 9, building 1, No. 169 shengxia road and No. 1658 Zhangdong Road, pilot Free Trade Zone, Pudong New Area, Shanghai
Patentee after: Shanghai Weibai Technology Co.,Ltd.
Address before: 201203 room 906, floor 9, building 1, No. 169 shengxia road and No. 1658 Zhangdong Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai
Patentee before: Shanghai Weibai Technology Co.,Ltd.
CP02 Change in the address of a patent holder
Address after: 201203 room 912, 9 / F, building 1, No. 169 shengxia road and No. 1658 Zhangdong Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai
Patentee after: Shanghai Weibai Technology Co.,Ltd.
Address before: 201203 room 906, floor 9, building 1, No. 169 shengxia road and No. 1658 Zhangdong Road, pilot Free Trade Zone, Pudong New Area, Shanghai
Patentee before: Shanghai Weibai Technology Co.,Ltd.