CN117176457A - Transaction request processing method and device and computer equipment - Google Patents

Transaction request processing method and device and computer equipment Download PDF

Info

Publication number
CN117176457A
CN117176457A CN202311244718.0A CN202311244718A CN117176457A CN 117176457 A CN117176457 A CN 117176457A CN 202311244718 A CN202311244718 A CN 202311244718A CN 117176457 A CN117176457 A CN 117176457A
Authority
CN
China
Prior art keywords
domain name
channel
transaction
client
access domain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311244718.0A
Other languages
Chinese (zh)
Inventor
赵文波
李华宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Construction Bank Corp, CCB Finetech Co Ltd filed Critical China Construction Bank Corp
Priority to CN202311244718.0A priority Critical patent/CN117176457A/en
Publication of CN117176457A publication Critical patent/CN117176457A/en
Pending legal-status Critical Current

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to the technical field of financial science and technology, and in particular, to a transaction request processing method, apparatus and computer device. The transaction request processing method comprises the following steps: distributing an access domain name for the client, wherein the access domain name is used for accessing the external equipment; a first transaction request sent by a client can be received, wherein the first transaction request comprises an access domain name and transaction parameters; matching the access domain name in a channel identifier set to obtain target channel identifiers, wherein the channel identifier set comprises at least one channel identifier, each channel identifier corresponds to the access domain name, and the target channel identifier is used for identifying a target access channel; constructing a second transaction request according to the transaction parameters; a second transaction request may be sent to a channel host corresponding to the target access channel. Thus, each channel host of the financial institution can process the transaction requests from the specific access channels, and can distinguish and isolate the transaction requests of different access channels, thereby improving the security.

Description

Transaction request processing method and device and computer equipment
Technical Field
The present disclosure relates to the technical field of financial science and technology, and in particular, to a transaction request processing method, apparatus and computer device.
Background
There is a need for access by a large number of outsourced units by financial institutions. The offal system of the financial institution needs to receive the transaction requests sent by the offal units in a unified manner. In the prior art, after receiving a transaction request, an external connection system can verify an external connection unit to which the transaction request belongs, and after verification is passed, the transaction request can be provided to an internal service processing device for processing.
But the channels of the external connection unit access financial institutions can be multiple. Different access channels may have different characteristics. In the prior art, the transaction requests from different access channels cannot be distinguished and isolated, so that potential safety hazards exist.
Disclosure of Invention
The embodiment of the specification provides a transaction request processing method, a transaction request processing device and computer equipment, which are used for distinguishing and isolating transaction requests of different access channels and realizing transaction access control at the level of the access channels, so that the security is improved.
The embodiment of the specification provides a transaction request processing method, which comprises the following steps:
distributing an access domain name for the client, wherein the access domain name is used for accessing the external equipment;
receiving a first transaction request sent by a client, wherein the first transaction request comprises an access domain name and transaction parameters;
matching the access domain name in a channel identifier set to obtain target channel identifiers, wherein the channel identifier set comprises at least one channel identifier, each channel identifier corresponds to the access domain name, and the target channel identifier is used for identifying a target access channel;
constructing a second transaction request according to the transaction parameters;
and sending a second transaction request to the channel host corresponding to the target access channel.
The embodiment of the specification also provides a transaction request processing device, which comprises:
the distribution unit is used for distributing an access domain name for the client, wherein the access domain name is used for accessing the external equipment;
the receiving unit is used for receiving a first transaction request sent by the client, wherein the first transaction request comprises an access domain name and a transaction parameter;
the matching unit is used for matching the access domain name in a channel identifier set to obtain target channel identifiers, the channel identifier set comprises at least one channel identifier, each channel identifier corresponds to the access domain name, and the target channel identifier is used for identifying a target access channel;
the construction unit is used for constructing a second transaction request according to the transaction parameters;
and the sending unit is used for sending a second transaction request to the channel host corresponding to the target access channel.
The embodiment of the specification also provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the transaction request processing method when executing the computer program.
The transaction request processing method of the embodiment of the specification can allocate an access domain name for the client, wherein the access domain name is used for accessing the external equipment; a first transaction request sent by a client can be received, wherein the first transaction request comprises an access domain name and transaction parameters; the access domain name can be matched in a channel identifier set to obtain a target channel identifier, the channel identifier set comprises at least one channel identifier, each channel identifier corresponds to the access domain name, and the target channel identifier is used for identifying a target access channel; the second transaction request may be constructed from the transaction parameters; a second transaction request may be sent to a channel host corresponding to the target access channel. Thus, the external client can request the channel host to process the transaction without knowing the communication address of the channel host, and the processing result of the transaction is obtained. Therefore, the communication address of the channel host can be hidden at the external client, the leakage of the communication address of the channel host is avoided, and the data security of the financial institution is improved. In addition, by distributing the access domain name for the client, and further utilizing the corresponding relation between the access domain name and the channel identifier, the target access channel corresponding to the transaction request of the client can be determined, and thus the second transaction request is sent to the channel host corresponding to the target access channel. Each channel host of the financial institution can process the transaction requests from the specific access channels, and can distinguish and isolate the transaction requests of different access channels, so that the transaction access control of the access channel level is realized, and the data security of the financial institution is improved.
Drawings
In order to more clearly illustrate the embodiments of the present description or the solutions in the prior art, the drawings that are required for the embodiments or the description of the prior art will be briefly described, the drawings in the following description are only some embodiments described in the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic functional diagram of a transaction request processing system according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of a transaction request processing method according to an embodiment of the present disclosure;
fig. 3 is a schematic flow chart of bidirectional authentication between a client and an external device in the embodiment of the present disclosure;
fig. 4 is a functional schematic diagram of a transaction request processing device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions of the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is apparent that the described embodiments are only some embodiments of the present specification, not all embodiments. The specific embodiments described herein are to be considered in an illustrative rather than a restrictive sense. All other embodiments derived by a person of ordinary skill in the art based on the described embodiments of the present disclosure fall within the scope of the present disclosure. In addition, relational terms such as "first" and "second", and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
For example, different access channels have different security conditions. Transaction requests from different access channels may also vary in security. For example, the risk hidden trouble of the transaction request from the PC end is different from the transaction request from the mobile banking end. In the prior art, the transaction requests from different access channels cannot be distinguished and isolated, and potential safety hazards exist.
Please refer to fig. 1. Embodiments of the present disclosure provide a transaction request processing system.
The transaction request processing system may include an external device and an internal device.
The external device may include a client of the tenant. The tenant may comprise an outsourcing unit of a financial institution, which may comprise an enterprise, school, unit, etc. The tenant may access the financial institution through various clients to use financial services provided by the financial institution. The client may include an electronic device such as a smart phone, tablet electronic device, network set top box, portable computer, desktop computer, personal Digital Assistant (PDA), vehicle device, smart wearable device, etc. Of course, the client may also include software running in the electronic device. For example, the client may also include an applet, a web page, an application APP, etc. One or more access channels may be determined based on access needs of the tenant. One client under the tenant may correspond to one access channel. Or, multiple clients under the tenant may also collectively correspond to one access channel. For example, a smart phone and a tablet electronic device may together correspond to one access channel, and a desktop computer may correspond to another access channel. For another example, the applet end and the web page may correspond to one access channel, and the application APP may correspond to another access channel. The manner of determining the access channel in the embodiment of the present specification is not particularly limited. In one example scenario, each client of a tenant may be considered a way to access a financial institution. Multiple paths of tenant access to financial institutions can be divided into one or more access channels according to security conditions of the access paths. In other scenario examples, the access needs of the tenant may also be divided into sub-needs under multiple business domains. Each sub-requirement may correspond to one access channel.
The internal device may be an internal device of a financial institution. The financial institution may include a banking institution, a third party payment institution, or the like. The internal devices may include an extranet device and a channel host. The external device may include a server, a server cluster including a plurality of servers, and the like. The number of channel hosts may be plural. Each of the channel hosts may correspond to a channel identification. The channel identification is used to identify an access channel. Each of the channel hosts may specifically include a routing device and a plurality of service processing devices. Each business device may correspond to a transaction code. The transaction code is used to represent a transaction type.
Please refer to fig. 2. The embodiment of the specification provides a transaction request processing method. The transaction request processing method can be applied to an external connection device. The transaction request processing method may include the following steps.
Step 21: the client is assigned an access domain name.
In some embodiments, the external device is configured to interface with various tenants in a unified manner, so that the tenants can access the financial institution. The tenant may have a variety of clients. The multiple clients may be assigned different access domain names. The access domain name may be used to represent a communication address of the alien device. So that the external device can be accessed according to the access domain name. The access domain name may also be used to identify the client. The access domain names of different clients are different. Can be located to clients based on domain names.
In some embodiments, the client of the tenant may send a domain name assignment request to the external device. The external connection equipment can receive an access domain name allocation request sent by the client; the access domain name can be generated according to the client identifier and the tenant identifier in the domain name allocation request; an access channel of the client can be determined, and the access channel corresponds to a channel identifier; the corresponding relation between the access domain name and the channel identifier can be established; the access domain name may be fed back to the client.
The access domain name allocation request may include a client identifier and a tenant identifier. The client identification is used to identify the client, and may include, for example, the name of the client, the encoding of the client, etc. The tenant identification is used to identify the tenant to which the client belongs, and may include, for example, a name of the tenant, an encoding of the tenant, and the like. The communication address of the external connection equipment can be obtained; the tenant domain name may be generated from the tenant identity and the communication address, the client domain name may be generated from the client identity and the communication address, and the access domain name may be generated from the tenant domain name and the client domain name. The communication address may include an IP address of the external device, a domain name of the external device, etc. Alternatively, a random number may be generated as the communication address of the alien device. The communication address may be encoded according to the tenant identity to obtain a tenant domain name. For example, the communication address may be modulated according to the tenant identity. The modulating may include adding the tenant identity to the communication address. Of course, the modulation may also include other ways of performing mathematical operations on tenant identities and communication addresses. The manner of generating the client domain name is the same as that of generating the tenant domain name, and will not be described here again. The tenant domain name and the client domain name can be spliced, so that an access domain name of the client is obtained. Of course, the access domain name may also be generated in other ways. For example, a tenant domain name may be generated from the tenant identity and the communication address; the access domain name may be generated from the client identification and the tenant domain name. For example, the client identifier and the tenant domain name may be spliced to obtain the access domain name. For another example, a client domain name may be generated based on the client identifier and the communication address; the access domain name may be generated from the tenant identity and the client domain name. For example, the tenant identity and the client domain name may be spliced to obtain the access domain name.
The access channel corresponding to the client can be determined according to the client identified by the client identification; a channel identification for identifying the access channel may be obtained. A correspondence between the access domain name and the channel identifier may be established. It should be noted that each client of the tenant may be regarded as a way to access the financial institution. Therefore, the access channel corresponding to the client can be determined according to the security condition of the access path corresponding to the client. Alternatively, the access requirement of the tenant may be further divided into sub-requirements in multiple service areas, where each sub-requirement may correspond to one access channel. Therefore, the sub-access requirements corresponding to the client can be determined, and the access channel corresponding to the sub-access requirements can be used as the access channel corresponding to the client. It should be further noted that one client may correspond to one access channel, or a plurality of clients may collectively correspond to one access channel. Thus, an access domain name may correspond to a channel identification. Alternatively, multiple access domain names may collectively correspond to a channel identification. By establishing the corresponding relation between the access domain name and the channel identifier, the client can only access one or more specific access channels under the tenant, so that the transaction requests of different access channels are distinguished and isolated, and the security is improved.
In some embodiments, for each access domain name generated, the external device may further obtain a corresponding first digital certificate, so that a correspondence between the access domain name and the first digital certificate may be established. The first digital certificate may be issued to the external device by an authoritative certificate authority (also known as CA authority, certificate Authority). The first digital certificate can be obtained by encrypting the public key and the access domain name of the external device by the private key of the authority certificate authority. For example, the external device may generate matching public and private keys; the public key and the access domain name may be sent to an authoritative certificate authority device. The authority certificate authority equipment can receive the public key and the access domain name of the external equipment, can encrypt the public key and the access domain name of the external equipment by utilizing the private key of the authority certificate authority equipment to obtain a first digital certificate, and can send the first digital certificate to the external equipment. The external device may receive the first digital certificate, and may thereby establish a correspondence between the first digital certificate and the access domain name.
In some embodiments, the client may also obtain a corresponding second digital certificate for the received access domain name. The second digital certificate is issued to the client by an authoritative certificate authority (also known as CA authority, certificate Authority). The second digital certificate can be obtained by encrypting the public key of the client and the access domain name by the private key of the authority certificate authority. For example, the client may generate matching public and private keys; the public key and the access domain name may be sent to an authoritative certificate authority device. The authority certificate authority equipment can receive the public key and the access domain name of the client, can encrypt the public key and the access domain name of the client by utilizing the private key of the authority certificate authority equipment to obtain a second digital certificate, and can send the first digital certificate to the client. The client may receive the second digital certificate and may establish a correspondence between the second digital certificate and the access domain name.
In some embodiments, to improve security, the client may also verify the identity of the external device to verify whether the external device is legitimate, prior to step 22. The external device may also perform authentication on the client to verify whether the client is legitimate. Thereby realizing bidirectional authentication. Please refer to fig. 3. The mutual authentication procedure may include the following steps.
Step 211: and receiving a connection request sent by the client, wherein the connection request comprises an access domain name.
In some embodiments, when the client needs to send a transaction request to the external device, a connection request may be sent to the external device first to initiate a two-way authentication process. The connection request may include an access domain name assigned to itself. Of course, other information may be included in the connection request, such as protocol version, compression algorithm, etc. The external device may receive a connection request.
Step 212: and in response to the connection request, encrypting the random number according to the private key of the user to obtain first ciphertext data.
In some embodiments, the alien device may generate a random number after receiving the connection request. The random number may be used to verify the client identity. The external device can encrypt the random number according to the private key of the external device to obtain first ciphertext data.
Step 213: and sending the first digital certificate and the first ciphertext data to the client.
In some embodiments, the external device may provide a digital certificate set. The set of digital certificates may include at least one first digital certificate. Each of the first digital certificates may correspond to an access domain name. After receiving the connection request, the external device can match in the digital certificate set according to the access domain name in the connection request, so as to obtain a corresponding first digital certificate. The external device may send the first digital certificate and the first ciphertext data to the client.
In some embodiments, the client may receive a first digital certificate and first ciphertext data sent by the external device; the first digital certificate may be decrypted to obtain the public key and the access domain name of the external device contained therein. For example, the client may decrypt the first digital certificate according to the public key of the authority certificate authority to obtain the public key and the access domain name of the external device.
The client can judge whether the access domain name in the first digital certificate is the same as the access domain name in the connection request; if the identity of the external connection equipment and the identity of the external connection equipment are the same, the external connection equipment can be determined to be legal external connection equipment, and the identity of the external connection equipment is verified to pass; if the external connection equipment is different from the external connection equipment, the external connection equipment can be determined to be illegal external connection equipment, the identity verification of the external connection equipment is not passed, and the connection with the external connection equipment can be disconnected. By verifying the identity of the external device, the interaction with false devices can be prevented, and the data security of the client is improved.
When the access domain name in the first digital certificate is the same as the access domain name in the connection request, the client can decrypt the first ciphertext data according to the public key of the external device to obtain the random number; a symmetric key may be generated; encrypting the random number according to the symmetric key to obtain ciphertext data of the random number; the symmetric key and the ciphertext data of the random number can be encrypted according to the public key of the external device to obtain second ciphertext data and third ciphertext data; the second digital certificate, the second ciphertext data, and the third ciphertext data may be transmitted to an external device.
Step 214: and receiving the second digital certificate, the second ciphertext data and the third ciphertext data which are sent by the client.
Step 215: when the access domain name in the second digital certificate is the same as the access domain name in the connection request, decrypting the second ciphertext data and the third ciphertext data according to the private key of the second digital certificate to obtain ciphertext data of the symmetric key and the random number, and decrypting the ciphertext data of the random number according to the symmetric key to judge whether the decryption result is the same as the generated random number;
in some embodiments, the external device may receive the second digital certificate, the second ciphertext data, and the third ciphertext data sent by the client; the second digital certificate may be decrypted to obtain the public key and the access domain name of the client. For example, the client may decrypt the second digital certificate according to the public key of the authority certificate authority to obtain the public key of the client and the access domain name.
The external device can judge whether the access domain name in the second digital certificate is the same as the access domain name in the connection request; if the two ciphertext data are the same, the second ciphertext data and the third ciphertext data can be decrypted according to the private key of the two ciphertext data to obtain ciphertext data of the symmetric key and the random number; the ciphertext data of the random number can be decrypted according to the symmetric key; so that it can be further judged whether the decryption result is identical to the previously generated random number. If the decryption result is the same as the generated random number, the external connection device can determine that the client is a legal client, and the identity of the client passes the authentication; if the client is different, the client can be determined to be an illegal client, the authentication of the client is not passed, and the connection with the client can be disconnected. In this way, the authentication of the client can be determined to pass under the condition that the access domain name in the second digital certificate is the same as the access domain name in the connection request, and the decryption result is the same as the generated random number. Thereby improving the accuracy of the authentication of the client. By verifying the identity of the client, the risk of random attack of the channel host can be effectively reduced, and the safety of a financial institution is improved.
Step 216: and when the decryption result is the same as the generated random number, determining the symmetric key as the service key.
In some embodiments, when the decryption result is the same as the generated random number, it indicates that the authentication of the client is passed, so that the symmetric key may be determined as the service key. The service key is held by the external connection device and the client side together and is used for encrypted communication between the client side and the external connection device. Thus, the security of data transmission between the client and the external connection device can be improved.
Step 22: a first transaction request sent by a client is received, wherein the first transaction request comprises an access domain name and a transaction parameter.
In some embodiments, the transaction parameters may include a transaction code. The transaction code is used to represent a transaction type. Of course, the transaction parameters may also include other parameters. The other parameters may also be different depending on the type of transaction. For example, the transaction type may be a transfer, and the other parameters may include transfer into account, transfer out of account, transfer finance. For another example, the transaction type may include querying a balance, and the other parameter may include querying an account.
In some embodiments, the user may operate on the client. Responding to the operation of a user, the client can acquire the access domain name allocated to the client by the external connection equipment; transaction parameters may be obtained; the first transaction request may be constructed based on the access domain name and the transaction parameters; the first transaction request may be sent to an external device. The external device may receive a first transaction request.
For example, the client may encapsulate the access domain name and the transaction parameter according to the HTTPS (HyperText Transfer Protocol over Secure Socket Layer) protocol, resulting in the first transaction request. Through the HTTPS protocol, the security of the client for accessing the external device can be improved. Of course, the client may also use other protocols to construct the first transaction request.
In some embodiments, the client may send the first transaction request to the external device after the authentication of the external device passes and the authentication of the client passes. Ciphertext data for accessing a domain name and a transaction parameter may be included in the first transaction request. Ciphertext data of the transaction parameters may be obtained by encrypting the transaction parameters with the service key. Specifically, the user may operate on the client. Responding to the operation of a user, the client can acquire the access domain name allocated to the client by the external connection equipment; transaction parameters may be obtained; encrypting the transaction parameters through the service key to obtain ciphertext data of the transaction parameters; the first transaction request may be constructed from ciphertext data of the access domain name and the transaction parameter; the first transaction request may be sent to an external device. For example, the client may encapsulate ciphertext data of the access domain name and the transaction parameter according to the HTTPS (HyperText Transfer Protocol over Secure Socket Layer) protocol, to obtain the first transaction request.
Alternatively, signature data for accessing the domain name may be included in the first transaction request. The signature data of the access domain name can be obtained by encrypting the access domain name by the private key of the client. Specifically, the user may operate on the client. Responding to the operation of a user, the client can acquire the access domain name allocated to the client by the external connection equipment; the access domain name can be signed through the private key of the self to obtain signature data; transaction parameters may be obtained; encrypting the transaction parameters through the service key to obtain ciphertext data of the transaction parameters; the first transaction request may be constructed from the access domain name, the signature data of the access domain name, and the ciphertext data of the transaction parameter; the first transaction request may be sent to an external device.
Step 23: and determining the target channel identification according to the access domain name.
In some embodiments, the external device may parse the first transaction request to obtain the access domain name. The extrapolating device may provide a set of channel identifications. The set of channel identifications may include at least one channel identification, each channel identification corresponding to at least one access domain name. The external connection device can match the access domain name in the channel identifier set to obtain the target channel identifier.
In some embodiments, signature data for accessing the domain name may also be included in the first transaction request. The external device can obtain signature data of the access domain name by analyzing the first transaction data. The external device can decrypt the signature data of the access domain name according to the public key of the client; if the decryption result is the same as the access domain name in the first transaction request, the access domain name is not tampered, and the access domain name can be matched in the channel identifier set to obtain the target channel identifier.
Step 24: and constructing a second transaction request according to the transaction parameters.
In some embodiments, the external device may obtain the transaction parameters via the first transaction request. Specifically, the first transaction request may directly include a transaction parameter. The external device may parse the first transaction request to obtain a transaction parameter. Alternatively, the first transaction request may include ciphertext data of the transaction parameter. The external device can analyze the first transaction request to obtain ciphertext data of the transaction parameters; the ciphertext data of the transaction parameters can be decrypted according to the service key to obtain the transaction parameters. The external device may identify a protocol type of the first transaction request; whether the protocol type of the first transaction request is the same as the protocol type supported by the channel host or not can be judged; if the transaction parameters are different, the transaction parameters can be packaged according to the protocol types supported by the channel host computer, and a second transaction request is obtained. For example, the protocol type of the first transaction request may be HTTPS, and the protocol type supported by the channel host may be HTTP (Hypertext Transfer Protocol). The external device can analyze the first transaction request according to the HTTPS protocol to obtain transaction parameters; the transaction parameters may be encapsulated according to the HTTP protocol, and a second transaction request may be constructed.
Step 25: and sending a second transaction request to the channel host corresponding to the target access channel.
In some embodiments, the external device may send the second transaction request to the channel host corresponding to the target channel identification so that the channel host corresponding to the target channel identification is able to process the second transaction request. In one aspect, the second transaction request and the first transaction request include the same transaction parameters. Whereby the second transaction request and the first transaction request may request that the same transaction operation be performed. The channel host corresponding to the target channel identifier processes the second transaction request, which is equivalent to processing the first transaction request. Thus, the external client can request the channel host to process data without knowing the communication address (such as IP address, domain name, etc.) of the channel host, and the processing result is obtained. The communication address of the channel host can be hidden to the external client, and leakage of the communication address of the channel host is avoided. On the other hand, the channel host has a corresponding relationship with the channel identifier. Each channel host of the financial institution can process the transaction request from the specific access channel, thereby realizing the transaction access control at the level of the access channel. This improves the data security of the financial institution.
In some embodiments, the financial institution has multiple channel hosts. Each channel host may correspond to a channel identifier and may be configured to process a transaction request from an access channel identified by the channel identifier. Each channel host specifically may include a routing device and a plurality of service processing devices. Each transaction processing device may correspond to one or more transaction codes for processing a second transaction request of a corresponding one or more transaction types. The routing device is used for routing the second transaction request to the corresponding service processing device according to the transaction code in the second transaction request. Through the corresponding relation between the business processing equipment and the transaction codes, transaction requests of different transaction types can be distinguished and isolated, so that the data security of a financial institution is further improved.
The external connection device may select a target channel host corresponding to the target channel identifier from the plurality of channel hosts, and may send a second transaction request to the target channel host. In practical applications, each channel host of the plurality of channel hosts may have a device identification. The device identification is used to identify the channel host, and may include, for example, the name of the channel host, the encoding of the channel host, and the like. The alien device may construct a device identification set. The set of device identifications may include a plurality of device identifications, each device identification may correspond to a channel identification. The external connection equipment can match the target channel identifier in the equipment identifier set to obtain a target equipment identifier; a second transaction request may be sent to the target channel host identified by the target device identification. The target channel host may receive a second transaction request; the second transaction request can be processed to obtain a processing result; the processing results may be sent to an external device. The external connection equipment can receive the processing result; the processing results may be sent to the client. The client may receive the processing results. Or the external equipment can encrypt the processing result through the service key to obtain ciphertext data of the processing result; ciphertext data of the processing result may be sent to the client. The client can receive ciphertext data of the processing result; the ciphertext data of the processing result can be decrypted according to the service key to obtain the processing result. The safety of the processing result in the transmission process is improved.
The out-connection device may specifically send a second transaction request to the routing device in the target channel host. The routing device may receive a second transaction request; the second transaction request can be analyzed to obtain a transaction code; the second transaction request may be routed to a transaction processing device corresponding to the transaction code. The business processing equipment corresponding to the transaction code can receive a second transaction request; the second transaction request can be processed according to the transaction parameters to obtain a transaction processing result; the processing result may be sent to the routing device. The processing results may include account balances queried, transfer results, and the like. The routing device may receive the processing result and may feed back the processing result to the external device. The external device may receive the processing result and may feed back the processing result to the client.
The transaction request processing method of the embodiment of the specification can allocate an access domain name for the client, wherein the access domain name is used for accessing the external equipment; a first transaction request sent by a client can be received, wherein the first transaction request comprises an access domain name and transaction parameters; the access domain name can be matched in a channel identifier set to obtain a target channel identifier, the channel identifier set comprises at least one channel identifier, each channel identifier corresponds to the access domain name, and the target channel identifier is used for identifying a target access channel; the second transaction request may be constructed from the transaction parameters; a second transaction request may be sent to a channel host corresponding to the target access channel. Thus, the external client can request the channel host to process data without knowing the communication address of the channel host, and a processing result is obtained. Therefore, the communication address of the channel host can be hidden at the external client, the leakage of the communication address of the channel host is avoided, and the data security of the financial institution is improved. In addition, by distributing the access domain name for the client, and further utilizing the corresponding relation between the access domain name and the channel identifier, the target access channel corresponding to the transaction request of the client can be determined, and thus the second transaction request is sent to the channel host corresponding to the target access channel. Each channel host of the financial institution can process the transaction requests from the specific access channels, and can distinguish and isolate the transaction requests of different access channels, so that the transaction access control of the access channel level is realized, and the data security of the financial institution is improved.
Please refer to fig. 4. The embodiment of the specification also provides a transaction request processing device, which comprises the following units.
A distribution unit 31, configured to distribute an access domain name for a client, where the access domain name is used to access an external device;
a receiving unit 32, configured to receive a first transaction request sent by a client, where the first transaction request includes an access domain name and a transaction parameter;
a matching unit 33, configured to match the access domain name in a channel identifier set, to obtain a target channel identifier, where the channel identifier set includes at least one channel identifier, each channel identifier corresponds to the access domain name, and the target channel identifier is used to identify a target access channel;
a construction unit 34, configured to construct a second transaction request according to the transaction parameters;
a sending unit 35, configured to send a second transaction request to the channel host corresponding to the target access channel.
The embodiment of the specification also provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the transaction request processing method when executing the computer program.
The embodiments of the present specification also provide a computer-readable storage medium storing a computer program that when executed by a processor implements the transaction request processing method described above.
Embodiments of the present specification also provide a computer program product comprising a computer program which, when executed by a processor, implements the transaction request processing method described above.
Those skilled in the art will appreciate that the present description may be provided as a method, system, or computer program product. The description may thus take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present description is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. The computer may be a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Each functional unit in the embodiments of the present disclosure may be integrated in one processing unit, or each functional unit may exist alone physically, or two or more functional units may be integrated in one processing unit.
Those skilled in the art will appreciate that the descriptions of various embodiments are provided herein with respect to each of the embodiments, and that reference may be made to the relevant descriptions of other embodiments for parts of one embodiment that are not described in detail. In addition, it will be appreciated that those skilled in the art, upon reading the present specification, may conceive of any combination of some or all of the embodiments set forth herein without any inventive effort, and that such combination is within the scope of the disclosure and protection of the present specification.
Although the present specification is depicted by way of example, it will be appreciated by those skilled in the art that the above examples are merely intended to aid in understanding the core ideas of the present specification. Those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover such modifications and variations as fall within the true spirit of this present description.

Claims (10)

1. A transaction request processing method, applied to an external connection device, the method comprising:
distributing an access domain name for the client, wherein the access domain name is used for accessing the external equipment;
receiving a first transaction request sent by a client, wherein the first transaction request comprises an access domain name and transaction parameters;
matching the access domain name in a channel identifier set to obtain target channel identifiers, wherein the channel identifier set comprises at least one channel identifier, each channel identifier corresponds to the access domain name, and the target channel identifier is used for identifying a target access channel;
constructing a second transaction request according to the transaction parameters;
and sending a second transaction request to the channel host corresponding to the target access channel.
2. The method of claim 1, wherein the step of assigning the access domain name comprises:
and distributing access domain names to a plurality of clients of the tenant, wherein the access domain names distributed by different clients are different.
3. The method of claim 1, wherein the step of assigning the access domain name comprises:
receiving an access domain name allocation request sent by a client, wherein the access domain name allocation request comprises a client identifier and a tenant identifier, the client identifier is used for identifying the client, and the tenant identifier is used for identifying the tenant to which the client belongs;
generating an access domain name according to the client identifier and the tenant identifier;
determining an access channel of a client, wherein the access channel corresponds to a channel identifier;
establishing a corresponding relation between the access domain name and the channel identifier;
and feeding back the access domain name to the client.
4. The method of claim 1, wherein the first transaction request includes signature data for accessing a domain name; the step of matching the access domain name in the channel identification set comprises the following steps:
decrypting the signature data of the access domain name according to the public key of the client;
and if the decryption result is the same as the access domain name in the first transaction request, matching the access domain name in the channel identification set.
5. The method according to claim 1, wherein the method further comprises:
receiving a connection request sent by a client, wherein the connection request comprises an access domain name;
in response to a received connection request, encrypting the random number according to a private key of the random number to obtain first ciphertext data;
the method comprises the steps of sending a first digital certificate and first ciphertext data to a client so that when an access domain name in the first digital certificate is the same as an access domain name in a connection request, decrypting the first ciphertext data according to a public key of external equipment in the first digital certificate to obtain a random number, generating a symmetric key, encrypting the random number according to the symmetric key, and encrypting ciphertext data of the symmetric key and the random number according to the public key of the external equipment in the first digital certificate to obtain second ciphertext data and third ciphertext data;
receiving a second digital certificate, second ciphertext data and third ciphertext data sent by a client;
when the access domain name in the second digital certificate is the same as the access domain name in the connection request, decrypting the second ciphertext data and the third ciphertext data according to the private key of the second digital certificate to obtain ciphertext data of the symmetric key and the random number, and decrypting the ciphertext data of the random number according to the symmetric key to judge whether the decryption result is the same as the generated random number;
and when the decryption result is the same as the generated random number, determining the symmetric key as the service key.
6. The method of claim 5, wherein the first transaction request includes ciphertext data for accessing a domain name and a transaction parameter; accordingly, the method further comprises:
and decrypting the ciphertext data of the transaction parameters according to the service key to obtain the transaction parameters.
7. The method of claim 1, wherein the step of constructing the second transaction request comprises:
packaging the transaction parameters according to the protocol type supported by the channel host to obtain a second transaction request;
the second transaction request and the first transaction request are for requesting to perform the same transaction operation.
8. The method of claim 1, wherein the transaction parameters include a transaction code, the transaction code representing a transaction type; the step of sending the second transaction request includes:
selecting a target channel host corresponding to a target channel identifier from a plurality of channel hosts, wherein each channel host corresponds to the channel identifier, and comprises a routing device and a plurality of service processing devices, and each service processing device corresponds to a transaction code;
and sending the second transaction request to the routing device in the target channel host, so that the routing device in the target channel host routes the second transaction request to the service processing device corresponding to the transaction code.
9. A transaction request processing apparatus for use with an external device, the apparatus comprising:
the distribution unit is used for distributing an access domain name for the client, wherein the access domain name is used for accessing the external equipment;
the receiving unit is used for receiving a first transaction request sent by the client, wherein the first transaction request comprises an access domain name and a transaction parameter;
the matching unit is used for matching the access domain name in a channel identifier set to obtain target channel identifiers, the channel identifier set comprises at least one channel identifier, each channel identifier corresponds to the access domain name, and the target channel identifier is used for identifying a target access channel;
the construction unit is used for constructing a second transaction request according to the transaction parameters;
and the sending unit is used for sending a second transaction request to the channel host corresponding to the target access channel.
10. A computer device, comprising:
a processor; a memory for storing processor-executable instructions;
the processor implements the method of any of claims 1-8 by executing the instructions.
CN202311244718.0A 2023-09-25 2023-09-25 Transaction request processing method and device and computer equipment Pending CN117176457A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311244718.0A CN117176457A (en) 2023-09-25 2023-09-25 Transaction request processing method and device and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311244718.0A CN117176457A (en) 2023-09-25 2023-09-25 Transaction request processing method and device and computer equipment

Publications (1)

Publication Number Publication Date
CN117176457A true CN117176457A (en) 2023-12-05

Family

ID=88931778

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311244718.0A Pending CN117176457A (en) 2023-09-25 2023-09-25 Transaction request processing method and device and computer equipment

Country Status (1)

Country Link
CN (1) CN117176457A (en)

Similar Documents

Publication Publication Date Title
CN111429254B (en) Business data processing method and device and readable storage medium
US9736146B2 (en) Embedded extrinsic source for digital certificate validation
Zissis et al. Addressing cloud computing security issues
US9219722B2 (en) Unclonable ID based chip-to-chip communication
CN107181714B (en) Verification method and device based on service code and generation method and device of service code
CN105871786B (en) A kind of verification method of user information, device and system
Patil et al. Data security over cloud
JP2018501567A (en) Device verification method and equipment
RU2676896C2 (en) Method and system related to authentication of users for accessing data networks
CN109981287B (en) Code signing method and storage medium thereof
CN111131336B (en) Resource access method, device, equipment and storage medium under multi-party authorization scene
CN112560072B (en) Key management method, device, medium and equipment based on block chain
CN110708162B (en) Resource acquisition method and device, computer readable medium and electronic equipment
CN111275419A (en) Block chain wallet signature right confirming method, device and system
CN111522809A (en) Data processing method, system and equipment
CN114666168A (en) Decentralized identity certificate verification method and device, and electronic equipment
CN110942382A (en) Electronic contract generating method and device, computer equipment and storage medium
WO2021005474A1 (en) Computer-implemented system and method for facilitating transactions associated with a blockchain using a network identifier for participating entities
CN109670289B (en) Method and system for identifying legality of background server
CN107645474B (en) Method and device for logging in open platform
CN112887087B (en) Data management method and device, electronic equipment and readable storage medium
US20100005311A1 (en) Electronic-data authentication method, Elctronic-data authentication program, and electronic-data, authentication system
CN113129008A (en) Data processing method and device, computer readable medium and electronic equipment
CN110601836B (en) Key acquisition method, device, server and medium
CN110955909B (en) Personal data protection method and block link point

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination