WO2017080381A1 - Method for processing cross-domain data, first server and second server - Google Patents

Method for processing cross-domain data, first server and second server


Publication number
WO2017080381A1
WO2017080381A1 PCT/CN2016/104053 CN2016104053W WO2017080381A1 WO 2017080381 A1 WO2017080381 A1 WO 2017080381A1 CN 2016104053 W CN2016104053 W CN 2016104053W WO 2017080381 A1 WO2017080381 A1 WO 2017080381A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
user
digital object
identifier
data operation
Application number
PCT/CN2016/104053
Other languages
English (en)
Chinese (zh)
Inventor
何健飞
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2017080381A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40 Support for services or applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method for processing cross-domain data, a first server, and a second server.
  • Information that users obtain through the Internet, or data that they publish, is private data that other users cannot obtain.
  • Users can share data through some service providers that provide information distribution.
  • the data generated by the user is controlled by the service provider that is capable of data sharing.
  • The service provider uses its control of the data or information published by users to form the autonomous domain of the service provider. Mutual access is prohibited between the autonomous domains of different service providers; that is, users belonging to a first service provider cannot access the data of other users in the autonomous domain of a second service provider.
  • the present invention provides a method for processing cross-domain data, a first server, and a second server, which are capable of processing data between users belonging to different service providers.
  • A first aspect provides a method for processing cross-domain data, the method comprising: receiving, by a first server, a first data operation request sent by a user, where the first server is configured to provide an access service to the user, the first data operation request is used to request processing of a digital object, and the first data operation request includes a token of the user and an identifier of the digital object; determining, by the first server according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of a second server; deleting, by the first server, the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object; and sending, by the first server, the second data operation request to the second server.
  • the first data operation request further includes an identifier of the user
  • The method further includes: the first server determining, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the first server; the first server determining, according to a correspondence, the token of the user, and the identifier of the user, that the user has passed authentication, where the correspondence includes the token of the user and the identifier of the user; the first server obtaining a digital object operation authority according to the identifier of the user, where the digital object operation authority is an operation authority of the first server over a digital object related to the user; and the first server processing the digital object according to the digital object operation authority and the identifier of the digital object.
  • The method further includes: the first server receiving an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; the first server determining, according to the identifier of the user, that the user belongs to an autonomous domain of the first server; the first server authenticating the user; and the first server, after determining that the user passes the authentication, sending to the user the token of the user corresponding to the identifier of the user.
  • the first server authenticates the user, and the authentication method can be, but is not limited to, decrypting the user's digital signature through the user's public key to complete the authentication.
  • The method further includes: the first server receiving an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; the first server determining, according to the identifier of the user, that the user does not belong to an autonomous domain of the first server; the first server requesting a third server to authenticate the user; and the first server, after determining that the user is authenticated by the third server, sending to the user the token of the user corresponding to the identifier of the user.
  • The digital object is a virtual digital object stored in a fourth server, and the first server processing the digital object according to the digital object operation authority and the identifier of the digital object comprises: the first server acquiring a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; the first server acquiring the digital object from the fourth server according to the location pointer; and the first server processing the digital object according to the digital object operation authority.
  • the digital object can be a virtual digital object stored on the fourth server.
  • the virtual digital object has a unique identifier.
  • The content of the virtual digital object is not actually stored in the first server; what is stored is a location pointer that indicates the address from which the first server obtains the content of the virtual digital object.
  • The identifier of the digital object includes a digital object group identifier; the first server processing the digital object according to the digital object operation authority and the identifier of the digital object includes: the first server processing each member in the digital object group identifier according to the digital object operation authority and the digital object group identifier.
  • A method for processing cross-domain data, comprising: receiving, by a second server, a data operation request sent by a first server, where the data operation request is used to request processing of a digital object, the data operation request includes an identifier of the digital object and an identifier of the user, and the autonomous domain of the second server is the target domain of the data operation request; requesting, by the second server, a third server to authenticate the user; obtaining, by the second server after determining that the user is authenticated by the third server, a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is an operation authority of the second server over a digital object related to the user; and processing, by the second server, the digital object according to the digital object operation authority and the identifier of the digital object.
  • The third server is a server for authenticating the user; the third server corresponds to the registration domain of the user, that is, the domain in which the user can obtain a user identifier by registering, and the registration domain allocates the user identifier to the user.
  • the second server obtains the registration domain of the user according to the identifier of the user, and obtains the address of the third server corresponding to the registration domain, for example, the IP address of the third server.
  • the second server may request the third server to authenticate the user.
  • The method further includes: the second server, after determining that the user is authenticated by the third server, sending to the user a token of the user corresponding to the identifier of the user.
  • The digital object is a virtual digital object stored in a fourth server, and the second server processing the digital object according to the digital object operation authority and the identifier of the digital object comprises: the second server acquiring a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; the second server acquiring the digital object from the fourth server according to the location pointer; and the second server processing the digital object according to the digital object operation authority.
  • a first server configured to provide an access service to a user
  • The first server includes: a receiving unit, configured to receive a first data operation request sent by a user, where the first data operation request is used to request processing of a digital object and includes a token of the user and an identifier of the digital object; a determining unit, configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of a second server; an execution unit, configured to delete the token of the user included in the first data operation request to obtain a second data operation request, where the second data operation request includes the identifier of the digital object; and a sending unit, configured to send the second data operation request to the second server.
  • the first data operation request further includes an identifier of the user
  • The determining unit is further configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the first server.
  • The first server further includes: an obtaining unit, configured to obtain, after determining according to a correspondence, the token of the user, and the identifier of the user that the user has passed authentication, a digital object operation authority according to the identifier of the user, where the correspondence includes the token of the user and the identifier of the user, and the digital object operation authority is an operation authority of the first server over the digital object related to the user.
  • The execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • The receiving unit is further configured to receive an access request sent by the user, where the access request is used to request a token and includes an identifier of the user, and the determining unit is further configured to determine, according to the identifier of the user, that the user belongs to an autonomous domain of the first server.
  • The execution unit is further configured to authenticate the user, and the sending unit is further configured to send, after the user passes the authentication, the token of the user corresponding to the identifier of the user to the user.
  • The receiving unit is further configured to receive an access request sent by the user, where the access request is used to request a token and includes an identifier of the user, and the determining unit is further configured to determine, according to the identifier of the user, that the user does not belong to an autonomous domain of the first server.
  • The execution unit is further configured to request a third server to authenticate the user, and the sending unit is further configured to send, after it is determined that the user is authenticated by the third server, the token of the user corresponding to the identifier of the user to the user.
  • The digital object is a virtual digital object stored in the fourth server; the execution unit is specifically configured to: acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; acquire the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
  • The identifier of the digital object includes a digital object group identifier; and the execution unit is configured to process each member in the digital object group identifier according to the digital object operation authority and the digital object group identifier.
  • a second server includes: a receiving unit, configured to receive a data operation request sent by the first server, where the data operation request is used to request processing of the digital object,
  • the data operation request includes an identifier of the digital object, and an identifier of the user, the autonomous domain of the second server is a target domain of the data operation request, and an execution unit is configured to request the third server to authenticate the user;
  • an obtaining unit, configured to obtain, after determining that the user is authenticated by the third server, a digital object operation authority according to the identifier of the user in the data operation request, where the digital object operation authority is an operation authority of the second server over the digital object related to the user;
  • the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • The second server further includes: a sending unit, configured to send, after it is determined that the user is authenticated by the third server, a token of the user corresponding to the identifier of the user to the user.
  • the digital object is a virtual digital object stored in a fourth server
  • The execution unit is specifically configured to: acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; acquire the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
  • a fifth aspect provides a first server, where the first server is configured to provide an access service to a user, where the first server includes: an interface, a processor, and a memory storing the program code.
  • the processor reads the instruction corresponding to the program code from the memory, and performs the following operations according to the read instruction:
  • the processor is further configured to:
  • the digital object operation authority is an operation authority of the first server to a digital object related to the user
  • the digital object is processed according to the digital object operation authority and the identifier of the digital object.
  • the processor is further configured to:
  • receive an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; determine, according to the identifier of the user, that the user belongs to an autonomous domain of the first server; authenticate the user; and after determining that the user passes the authentication, send the token of the user corresponding to the identifier of the user to the user through the interface.
  • the processor is further configured to:
  • the token of the user corresponding to the identifier of the user is sent to the user through the interface.
  • The digital object is a virtual digital object stored in the fourth server;
  • The processor is configured to: acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; acquire the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
  • The identifier of the digital object includes a digital object group identifier; the processor is specifically configured to process each member in the digital object group identifier according to the digital object operation authority and the digital object group identifier.
  • a second server includes an interface, a processor, and a memory storing the program code, and the processor reads an instruction corresponding to the program code from the memory, and performs the following operations:
  • the digital object is processed according to the digital object operation authority and the identifier of the digital object.
  • The processor is further configured to send, after determining that the user is authenticated by the third server, a token of the user corresponding to the identifier of the user to the user.
  • The digital object is a virtual digital object stored in a fourth server, and the processor is specifically configured to: acquire a location pointer according to the identifier of the digital object, where the location pointer indicates the address at which the fourth server stores the digital object; acquire the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
  • the first server receives the first data operation request sent by the user, and determines that the target domain of the first data operation request is the autonomous domain of the second server according to the identifier of the digital object included in the first data operation request.
  • The first server deletes the token of the user included in the first data operation request to obtain a second data operation request, and sends the second data operation request to the second server.
  • After determining that the data processing requested by the user does not belong to the autonomous domain of the first server, the first server sends the operation request to the second server corresponding to the target domain, and the second server processes the user's operation request, so that data can be processed between users belonging to different service providers.
  • FIG. 1 is a flowchart of a method for processing cross-domain data according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic structural diagram of a digital object according to Embodiment 1 of the present invention.
  • FIG. 3 is a flowchart of a method for processing cross-domain data according to Embodiment 1 of the present invention.
  • FIG. 4 is a flowchart of a method for processing cross-domain data according to Embodiment 2 of the present invention.
  • FIG. 5 is a schematic diagram of a first server according to Embodiment 3 of the present invention.
  • FIG. 6 is a schematic diagram of a second server according to Embodiment 3 of the present invention.
  • FIG. 7 is a schematic diagram of a first server according to Embodiment 3 of the present invention.
  • FIG. 8 is a schematic diagram of a second server according to Embodiment 3 of the present invention.
  • The technical solution proposed by the present invention is as follows: the first server receives the first data operation request sent by the user and determines, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the second server; the first server deletes the token of the user included in the first data operation request to obtain a second data operation request; and the first server sends the second data operation request to the second server.
  • After determining that the data processing requested by the user does not belong to the autonomous domain of the first server, the first server sends the operation request to the second server corresponding to the target domain, and the second server processes the user's operation request, so that data can be processed between users belonging to different service providers.
  • Domains are classified into different types, including an access domain, a registration domain, a target domain, and a forwarding domain.
  • the access domain is the first domain connected when the user accesses the digital object. If the user does not have roaming access, the access domain and the registration domain of the user are the same domain. If the roaming access occurs, the roaming access can be obtained through the obtained access domain.
  • the registration domain is the domain in which the user can obtain the user ID by registering, that is, the registration domain assigns the user ID to the user.
  • The process of creating and exiting a user in a domain is determined by the implementation of each domain; for example, a user may be created or may exit through a web portal of a different service provider, or through a client program of the domain or the like.
  • A digital object corresponding to the user is generated in the domain, and the digital object may include some information used for authenticating the user, for example, including but not limited to a public key.
  • the target domain refers to the target involved in an operation, that is, the domain in which the digital object to be operated is located, for example, a server that stores the digital object to be operated.
  • A forwarding domain is a domain that, when an operation request is received, is neither the access domain nor the target domain. It is only used to send the received data operation request to the target domain, or to forward the received access request to the registration domain.
  • the data operation request may be any operation for requesting creation, deletion, modification, and reading of the digital object, which is not exemplified herein.
  • the various types of domains described above are logical classifications that are distinguished from a single operational perspective of a single user.
  • the functions of the various types of domains described above are implemented simultaneously to implement various operations on different digital objects for different users.
  • a first embodiment of the present invention provides a method for processing cross-domain data. As shown in FIG. 1 , the specific processing flow of the method is as follows:
  • the user sends a first data operation request.
  • the first data operation request is used to request processing of the digital object, and the first data operation request includes the token of the user and the identifier of the digital object.
  • the processing of digital objects can be, but is not limited to, including operations such as creating, deleting, and reading digital objects.
  • FIG. 2 is a schematic diagram of the composition of a digital object according to an embodiment of the present invention.
  • the digital object includes an identifier of the digital object, and an attribute of the digital object corresponding to the identifier of the digital object.
  • the identification of the digital object uniquely identifies the digital object.
  • Each digital object can have one or more attributes, and the attributes of the digital object can be constructed by a key-value pair.
  • The functional type of a key can represent various permissions of the digital object, or can represent the size of the digital object.
  • The permission may be an access right, a processing right, or the like.
  • Each data operation request for a digital object corresponds to a permission.
  • the value may be a user identifier that identifies the user's authority to perform a corresponding operation on the digital object.
  • For example, if the identifier of the digital object is AAAA and the key-value pair corresponding to AAAA is access right-user A, the user whose user identifier is user A can access the digital object.
  • the value can also be an operation right, such as reading, deleting, or modifying permissions.
  • the attribute corresponding to the identifier of the digital object may also be the size of the digital object corresponding to the identifier of the digital object, and the size of the digital object may be identified by a key. For example, if a key is a size and the corresponding value is 1024 (the default is byte), the size of the digital object corresponding to the identifier of the digital object is 1024 bytes.
  • the value of the key in the attribute corresponding to the identifier of the digital object may also be the identifier of another digital object.
  • the identifier of the digital object is AAAA, and its corresponding value is BBBB.
  • some of the keys corresponding to the identifiers of the digital objects may be set to be unique, so as to avoid the problem of misunderstanding when interworking between different service domains.
  • Some of the keys can be set to be generic, and some of the keys can be set to be defined by a specific application. This key- and value-based approach defines the properties of the digital object, providing flexibility and extensibility.
  • The identifier of the digital object can be represented by a domain name, and the domain to which the digital object belongs can be determined from the domain name. For example, if the identifier of the digital object is: URI: AAAAA.com/pic1, it can be determined that the registration domain of the digital object pic1 is AAAAA.com.
  • As an example, the first data operation request is used by the user to delete the digital object. This example will continue to be used later.
  • The user sends a first data operation request to the first server, where the first data operation request is used to request deletion of the digital object whose identifier is AAAA.
  • the first server receives the first data operation request sent by the user.
  • the first server is configured to provide an access service to the user, and the first server corresponds to the access domain.
  • The first server determines, according to the identifier of the digital object included in the first data operation request, whether the target domain of the first data operation request is an autonomous domain of the first server; if the determination result is no, 14 is executed, and if the determination result is yes, 17 is executed.
  • the first server obtains an identifier of the digital object in the first data operation request, and determines, according to the identifier of the digital object, whether the target domain of the first data operation request is an autonomous domain of the first server.
  • the first server obtains the identifier of the digital object as AAAA, and determines, according to the AAAA, whether the target domain of the first data operation request is an autonomous domain of the first server.
  • The first server determines, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the second server: the first server obtains the identifier of the digital object in the first data operation request, determines according to that identifier that the target domain of the received first data operation request is an autonomous domain of the second server, and executes 15.
  • the first server determines that the digital object AAAA is stored in the autonomous domain of the second server based on the identifier AAAA of the digital object.
  • the first server deletes the token of the user included in the first data operation request, and obtains a second data operation request.
  • the second data manipulation request includes an identification of the digital object.
  • the second data operation request includes AAAA.
  • By deleting the token of the user included in the first data operation request, the first server can better protect private data between users, thereby improving the security of data access.
  • the second data operation request may further include an identifier of the user, where the identifier of the user corresponds to the token of the user.
  • the second data operation request includes AAAA-BBB.
  • the first server sends a second data operation request to the second server.
  • When the first server receives the first data operation request and sends the second data operation request to the second server, it may, based on the session ID defined in the handle system protocol, maintain the correspondence between the upstream (i.e., the first server) session ID and the downstream (i.e., the second server) session ID. After a response message is received from downstream, it can be forwarded to the corresponding upstream until it is returned to the user who sent the first data operation request.
  • The first server determines, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the first server, and the first server determines, according to the correspondence, the token of the user, and the identifier of the user, that the user has passed the authentication.
  • the correspondence includes the token of the authenticated user and the identity of the authenticated user.
  • the first server determines that the correspondence includes the user's token and the user's identity, and determines that the user has passed the authentication.
  • When the user first registers, the user is provided with a registration server, for example the first server, which corresponds to the registration domain. The first server allocates the identifier of the authenticated user and the user's token to the registered user and, correspondingly, stores the correspondence between the identifier of the authenticated user and the user's token in the registration domain.
  • When determining whether the user has passed authentication, the first server compares the pair formed by the user's identifier and the user's token obtained from the first data operation request with the correspondence it maintains between the identifier of the authenticated user and that user's token. If they are consistent, the user is determined to have passed authentication; otherwise, the user is determined not to have passed authentication.
  • the first server obtains the operation authority of the digital object according to the identifier of the user.
  • the digital object operation authority is the operation authority of the first server to the digital object related to the user.
  • the first server processes the digital object according to the digital object operation authority and the identifier of the digital object.
  • the target domain of the first data operation request is an autonomous domain of the first server, and the first server acquires the token in the received first data operation request, according to the stored token and the user identifier.
  • the first server processes the digital object according to the first data operation request.
  • the first server refuses to process the digital object according to the first data operation request.
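The first server's two paths described above (token check for its own autonomous domain, token deletion and session mapping for the second server's domain) can be sketched as follows. This is an added example, not code from the patent; the routing table, domain names, field names and the `FirstServer` class are assumptions made for illustration.

```python
import hmac
import secrets

LOCAL_DOMAIN = "domain-1"   # constructed name: autonomous domain of the first server
# Constructed lookup: digital object identifier -> autonomous domain that stores it.
OBJECT_DOMAIN = {"AAAA": "domain-2", "DDDD": "domain-1"}
# Only these fields are ever copied into the second data operation request.
FORWARDED_FIELDS = ("object_id", "user_id", "operation")


class FirstServer:
    def __init__(self):
        self.correspondence = {}   # user identifier -> token of the authenticated user
        self.sessions = {}         # downstream session ID -> upstream session ID
        self.outbox = []           # (target domain, downstream session ID, second request)

    def issue_token(self, user_id):
        """Run after the user passed authentication: bind a fixed-length random token."""
        token = secrets.token_hex(16)
        self.correspondence[user_id] = token
        return token

    def token_matches(self, user_id, token):
        stored = self.correspondence.get(user_id)
        # Constant-time comparison; an unknown user never matches.
        return stored is not None and hmac.compare_digest(
            stored.encode(), str(token).encode())

    def handle(self, request, upstream_session):
        target = OBJECT_DOMAIN.get(request.get("object_id"))
        if target is None:
            return {"status": "refused", "reason": "unknown digital object"}
        if target == LOCAL_DOMAIN:
            # Local target: the token and the user identifier must match the correspondence.
            if not self.token_matches(request.get("user_id"), request.get("token", "")):
                return {"status": "refused", "reason": "token does not match user"}
            return {"status": "processed", "object_id": request["object_id"]}
        # Cross-domain target: build the second request from an allow-list, so the
        # token (or any other field added later) cannot leave this domain by accident.
        second = {k: request[k] for k in FORWARDED_FIELDS if k in request}
        downstream_session = secrets.randbits(32)
        while downstream_session in self.sessions:
            downstream_session = secrets.randbits(32)
        self.sessions[downstream_session] = upstream_session
        self.outbox.append((target, downstream_session, second))
        return {"status": "forwarded", "downstream_session": downstream_session}

    def relay_response(self, downstream_session, response):
        """Map a response from the second server back to the upstream session, once."""
        upstream_session = self.sessions.pop(downstream_session, None)
        if upstream_session is None:
            raise LookupError("response for a session this server never opened")
        return upstream_session, response
```

The forwarded user identifier carries no proof of identity by itself; in the second embodiment the second server has the third server authenticate the user before any authority is looked up.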
  • the digital object may also be a virtual digital object stored at the fourth server.
  • the virtual digital object has a unique identifier.
  • the content of the virtual digital object is not actually stored in the first server, but is a location pointer indicating where the first server can obtain the content of the virtual digital object.
  • the virtual digital object may be the address of any one of the servers, and the address of the server may be an IP address, a MAC address, or the like.
  • the first server processes the digital object according to the digital object operation authority and the identifier of the digital object, including:
  • the first server acquires a location pointer according to the identifier of the digital object, and the first server acquires the digital object from the fourth server according to the location pointer, and the first server processes the digital object according to the operation authority of the digital object.
  • the location pointer is used to indicate that the fourth server stores the address of the digital object.
  • the method may further include:
  • the user sends an access request.
  • the user can send an access request through a web portal or a client program, and the access request is used to request to obtain a token, and the access request includes the identifier of the user.
  • The access request is described using a login request as an example, and the term login request continues to be used below.
  • the login request contains the ID of the user.
  • the ID of the user is exemplified by the user ID.
  • the first server receives an access request sent by the user.
  • the first server determines, according to the identifier of the user, whether the user belongs to the autonomous domain of the first server. If the determination result is yes, execute 33, and if the determination result is negative, perform 35.
  • The first server determines, according to the user ID, whether the user belongs to the autonomous domain of the first server. For example, when user IDs in the autonomous domain of the first server are represented by a domain name, as in the URI AAAAA.com/jeffrey, the domain of the user jeffrey is determined to be AAAAA.com.
  • the first server determines, according to the identifier of the user, that the user belongs to an autonomous domain of the first server, and the first server authenticates the user.
  • the first server authenticates the user, and the authentication method can be, but is not limited to, decrypting the user's digital signature through the user's public key to complete the authentication.
  • the user can be authenticated using the procedure defined in RFC3651.
  • The processing flow is as follows: the first server sends a challenge to the user; the user receives the challenge; the client program or other access program on the user side encrypts the challenge with the user's private key to form a digital signature and returns it to the first server.
  • the first server receives the digital signature sent by the user side.
  • The first server decrypts the received digital signature by using the user's public key and compares the decrypted challenge with the challenge it sent. If they are consistent, the user is considered authenticated; otherwise, the user does not pass authentication.
  • After determining that the user has passed authentication, the first server sends the user a token corresponding to the identifier of the user.
  • the first server sends a token bound to the user to the user, and the message sent by the user carrying the token will be trusted by the first server as a message from the user.
  • A specific embodiment extends the handle system protocol with a new response code (ResponseCode), RC_Login, and carries a token (Token) in the body of the message; the token can be a fixed-length random string.
  • the first server determines, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server, and the first server requests the third server to authenticate the user.
  • the third server receives the authentication request sent by the first server.
  • the third server authenticates the user.
  • the third server is a server for authenticating the user, and the third server corresponds to the registration domain of the user, and is a domain in which the user can obtain the user identifier by registering, that is, the registration domain allocates the user identifier to the user.
  • The first server determines, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server; the first server then obtains the registration domain of the user according to the user ID and obtains the address of the third server corresponding to the registration domain, for example, the IP address of the third server.
  • the first server requests the third server to authenticate the user, wherein an embodiment of the third server authenticating the user may be an extension implementation based on the RFC3652 handle protocol.
  • The specific processing flow is as follows: the third server sends a challenge to the user, and the user receives the challenge.
  • The client program or other access program on the user side encrypts the challenge using the user's private key to form a digital signature and returns it to the third server.
  • The extended handle system protocol is based on the challenge-response verification-request and challenge-response verification-response processes defined in Section 3.5.3 of RFC3652.
  • A message operator, OC_Code: challenge-response auth-request, is added; its message body also carries the user ID, which is sent to the third server through the handle protocol.
  • the third server receives the digital signature sent by the user side.
  • The third server decrypts the received digital signature by using the user's public key and compares the decrypted challenge with the challenge it sent. If they are consistent, the user is considered authenticated; otherwise, the user does not pass authentication.
  • the third server sends the authentication result to the first server.
  • the third server carries the authentication result to the first server by using the newly added message operator OC_Code: challenge-response auth-response.
  • the first server receives the authentication result sent by the third server.
  • After determining that the user has been authenticated by the third server, the first server sends the user a token corresponding to the identifier of the user.
  • The first server sends the user a token bound to the user; subsequent messages sent by the user carry the token, and the first server may use the token and the identifier of the user in a message carrying the token to authenticate the user.
  • the digital object may be a single digital object or a group digital object.
  • the digital object group has a unique ID
  • the digital object group includes a member list, which may be specific data in the member list, or may be an identifier of another one or more digital objects.
  • the operations on the digital object include various operations on the content of the digital object itself and the attributes of the digital object, which may include, but are not limited to, operations of creating, deleting, and reading digital objects.
  • Row operations include the user performing operations on the records in the digital object, such as adding, deleting, modifying, and viewing.
  • When the first server processes the digital object according to the digital object operation authority and the identifier of the digital object and the user involved is a user group, the first server identifies the identifier of the user in each received first data operation request. If it is the identifier of a user group, the first server obtains the IDs of all member users in the user group and the corresponding information, such as the members' communication addresses, and sends an authentication message to each member user.
  • When the first server processes the digital object according to the digital object operation authority and the identifier of the digital object and the digital object involved is a digital object group, all operations on the digital object group are applied to the members of the digital object group. For example, if a digital object group is being read, the first server reads each member of the digital object group.
  • the identity of the user group is BBB
  • the members of the user group include B1, B2, and B3.
  • The first server processes the digital object according to the digital object operation authority and the identifier of the digital object. If the user involved is a user group, the first server needs to authenticate the members B1, B2, and B3 of the user group separately, sending authentication messages to B1, B2, and B3 respectively. It is assumed that B1 and B2 are authenticated and B3 is not authenticated.
  • Because the user group contains the member B3, which fails authentication, the user group corresponding to the identifier BBB is not authenticated. Otherwise, all members of the user group B1.
  • the identity of the digital object group is CCCC and the members of the digital object group include C1, C2, and C3.
  • The first server processes the digital object according to the digital object operation authority and the identifier of the digital object. If the digital object involved is the digital object group CCCC, all operations on the digital object group are applied to the members of the digital object group. For example, if CCCC is read, the first server reads C1, C2, and C3 respectively.
  • the second embodiment of the present invention provides a method for processing cross-domain data.
  • the server distinguishes, as shown in FIG. 4, the processing flow is as follows:
  • the first server sends a data operation request.
  • the second server receives a data operation request sent by the first server.
  • the data operation request is for requesting processing of the digital object, and the data operation request includes the identifier of the digital object and the identifier of the user.
  • the autonomous domain of the second server is the target domain of the data operation request.
  • the second server obtains the identity of the user in the data operation request.
  • the second server requests the third server to authenticate the user.
  • the third server receives a request sent by the second server to authenticate the user.
  • the third server authenticates the user.
  • the third server is a server for authenticating the user, and the third server corresponds to the registration domain of the user, and is a domain in which the user can obtain the user identifier by registering, that is, the registration domain allocates the user identifier to the user.
  • The second server receives the data operation request and uses the user ID in the data operation request to obtain the registration domain to which the user's identifier belongs, thereby obtaining the information of the third server, such as the IP address of the third server.
  • the second server uses the handle system protocol to complete the following process: the second server returns a challenge to the user.
  • the user side encrypts the challenge using the user's private key to form a digital signature, and sends the constructed digital signature to the second server.
  • the second server receives the digital signature.
  • the second server sends the received digital signature to the third server.
  • The extended handle system protocol, based on the challenge-response verification-request and challenge-response verification-response processes defined by RFC3652, adds the message operator OC_Code: challenge-response auth-request; in addition to the current challenge-response verification- in the message body, the user ID and the App ID are passed through the handle protocol.
  • the third server receives the digital signature.
  • the third server decrypts the received digital signature with the public key of the user, and checks with the challenge.
  • the third server sends the authentication result to the second server.
  • the third server carries the authentication result by the newly added message operator OC_Code: challenge-response auth-response and sends it to the second server.
  • the second server receives the authentication result sent by the third server.
  • The second server may obtain the user's public key by querying the identifier of the user and keep it for the next use; however, if a digital signature decrypted with that public key is invalid, the user's key may have changed, and the second server still needs to authenticate the user through the third server.
  • After determining that the user has been authenticated by the third server, the second server obtains the digital object operation authority according to the identifier of the user.
  • the digital object operation authority is an operation authority of the second server to the digital object related to the user.
  • the second server processes the digital object according to the digital object operation authority and the identifier of the digital object.
  • the digital object includes an identifier of the digital object, and an attribute of the digital object corresponding to the identifier of the digital object.
  • the identification of the digital object uniquely identifies the digital object.
  • Each digital object can have one or more attributes, and the attributes of the digital object can be constructed by a key-value pair.
  • the extended field may also be used to represent the approved user, and the value in the extended field may be the identifier of one or more approved users.
  • the identifier of the approval user is used to indicate that when the digital object needs to be operated, the approval user permission corresponding to the identifier of the approval user is required.
  • The second server obtains the digital object operation authority, that is, it checks the permission control attribute of the digital object to determine whether the user has the authority to perform the operation; if the second server obtains the digital object operation authority, the user has the authority to perform the operation.
  • Before operating on the digital object, the second server sends an approval application message that carries the corresponding operation request information, for example, the identifier of the user who applied for the operation. The approval application message may be sent to the approval user corresponding to the identifier of the approval user in the extension field of the digital object.
  • After the second server obtains the approval consent message sent by the approval user, the second server processes the digital object according to the digital object operation authority and the identifier of the digital object. If the user does not have permission to perform the operation, or does not get the consent of the approval user, the second server refuses to operate on the digital object.
  • the identifier of the first user is UE1
  • the identifier of the second user is UE2
  • the identifier of the digital object is AAAA.
  • the UE2 is included, and UE1 sends a data operation request to modify the digital object AAAA.
  • When UE1 passes authentication, the second server determines that UE1 can modify the digital object AAAA, but the precondition for modifying the digital object AAAA is the approval of UE2; that is, the digital object AAAA can be modified only after the permission of UE2 is obtained.
  • the second server sends an approval application message for requesting the approval of the UE2.
  • The approval application message may include the identifier UE1 of the first user. When the second user receives the approval application message and allows the first user to use the digital object, an approval consent message is returned, and the second server modifies the digital object AAAA on receiving the approval consent message.
  • the method further includes:
  • After determining that the user has been authenticated by the third server, the second server sends the user a token corresponding to the identifier of the user.
  • the digital object may be a virtual digital object stored in the fourth server, and the second server processes the digital object according to the digital object operation authority and the identifier of the digital object, including: the second server acquires the location pointer according to the identifier of the digital object, The second server acquires the digital object from the fourth server according to the location pointer, and the second server processes the digital object according to the digital object operation authority.
  • the location pointer is used to indicate that the fourth server stores the address of the digital object.
  • the digital object may be a single digital object or a group digital object.
  • the digital object group has a unique ID
  • the digital object group has a member list
  • the member list may be specific data or an identifier of another digital object.
  • the operation of the digital object includes various operations on the content of the digital object itself and the attributes of the digital object, and may include, but is not limited to, operations such as creating, deleting, and reading the digital object.
  • operations on the digital object include the user performing operations on the records in the digital object, such as adding, deleting, modifying, and viewing.
  • When the second server processes the digital object according to the digital object operation authority and the identifier of the digital object, the second server identifies the identifier of the user in each data operation request received. If it is the identifier of a user group, the second server obtains the IDs of all member users in the user group and the corresponding information, such as the members' communication addresses, and sends an authentication message to each member user.
  • When the second server processes the digital object according to the digital object operation authority and the identifier of the digital object and the digital object involved is a digital object group, all operations on the digital object group are applied to the members of the digital object group. For example, if a digital object group is being read, the second server reads each member of the digital object group.
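The second server's decision sequence (authentication, permission control attribute, approval user consent, then the operation) together with the user group and digital object group rules can be sketched as below. This is an added example, not code from the patent; the class and function names, the callbacks standing in for third-server authentication and for the approval messages, and the all-or-nothing treatment of object groups are assumptions. The identifiers UE1, UE2, AAAA, BBB, B1 to B3 and CCCC, C1 to C3 are the ones used in the text, and the permission data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DigitalObject:
    object_id: str
    permissions: dict        # permission control attribute: user identifier -> operations
    approvers: tuple = ()    # extension field: identifiers of approval users
    members: tuple = ()      # member identifiers when this is a digital object group


class SecondServer:
    def __init__(self, objects, user_groups, authenticate, request_approval):
        self.objects = {o.object_id: o for o in objects}
        self.user_groups = user_groups            # user group identifier -> member identifiers
        self.authenticate = authenticate          # stand-in for third-server authentication
        self.request_approval = request_approval  # stand-in for approval application/consent
        self.applied = []                         # (operation, object_id) actually carried out

    def authenticated(self, user_id):
        members = self.user_groups.get(user_id)
        if members is None:
            return self.authenticate(user_id)
        # An authentication message goes to every member; one failure fails the group.
        results = [self.authenticate(m) for m in members]
        return bool(results) and all(results)

    def expand(self, object_id, seen=None):
        """Resolve a digital object group to its leaf members, guarding against cycles."""
        seen = set() if seen is None else seen
        if object_id in seen:
            return []
        seen.add(object_id)
        obj = self.objects.get(object_id)
        if obj is None:
            raise LookupError(object_id)
        if not obj.members:
            return [obj]
        leaves = []
        for member_id in obj.members:
            leaves.extend(self.expand(member_id, seen))
        return leaves

    def process(self, user_id, object_id, operation):
        if not self.authenticated(user_id):
            return "refused: authentication failed"
        try:
            targets = self.expand(object_id)
        except LookupError as missing:
            return f"refused: unknown digital object {missing.args[0]}"
        # Assumption: every check must pass for every member before anything is applied.
        for obj in targets:
            if operation not in obj.permissions.get(user_id, ()):
                return f"refused: no {operation} authority on {obj.object_id}"
        for obj in targets:
            for approver in obj.approvers:
                if not self.request_approval(approver, user_id, obj.object_id, operation):
                    return f"refused: {approver} did not consent"
        for obj in targets:
            self.applied.append((operation, obj.object_id))
        return "processed"


def build_demo(consenting=("UE2",), failing_auth=("B3",)):
    """Constructed sample data using the identifiers from the text."""
    grants = {"UE1": {"read", "modify"}, "BBB": {"read"}}
    objects = [DigitalObject("AAAA", grants, approvers=("UE2",)),
               DigitalObject("C1", grants), DigitalObject("C2", grants),
               DigitalObject("C3", grants),
               DigitalObject("CCCC", {}, members=("C1", "C2", "C3"))]
    contacted = []   # records who received an authentication message

    def authenticate(user_id):
        contacted.append(user_id)
        return user_id not in failing_auth

    def request_approval(approver, requester, object_id, operation):
        return approver in consenting

    server = SecondServer(objects, {"BBB": ("B1", "B2", "B3")},
                          authenticate, request_approval)
    return server, contacted
```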
  • The third embodiment of the present invention provides a first server. As shown in FIG. 5, the first server is configured to provide an access service to a user, where the first server includes:
  • the receiving unit 501 is configured to receive a first data operation request sent by the user, where the first data operation request is used to request processing of the digital object and includes the user's token and the identifier of the digital object.
  • the determining unit 502 is configured to determine, according to the identifier of the digital object that is included in the first data operation request, that the target domain of the first data operation request is an autonomous domain of the second server.
  • the executing unit 503 is configured to delete the token of the user included in the first data operation request, and obtain a second data operation request, where the second data operation request includes an identifier of the digital object.
  • the sending unit 504 is configured to send the second data operation request to the second server.
  • The first data operation request further includes an identifier of the user, and the determining unit is further configured to determine, according to the identifier of the digital object included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of the first server.
  • The first server further includes an obtaining unit, configured to obtain the digital object operation authority according to the identifier of the user after determining, according to the correspondence, the token of the user, and the identifier of the user, that the user has passed authentication.
  • The correspondence includes a token of the user and an identifier of the user, and the digital object operation authority is the operation authority of the first server over a digital object related to the user.
  • the execution unit is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • The receiving unit 501 is further configured to receive an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; the determining unit 502 is further configured to determine, according to the identifier of the user, that the user belongs to an autonomous domain of the first server; the executing unit 503 is further configured to authenticate the user; and the sending unit is further configured to send, after determining that the user has passed authentication, the token of the user corresponding to the identifier of the user to the user.
  • The receiving unit 501 is further configured to receive an access request sent by the user, where the access request is used to request a token and includes an identifier of the user; the determining unit 502 is further configured to determine, according to the identifier of the user, that the user does not belong to the autonomous domain of the first server; the executing unit 503 is further configured to request the third server to authenticate the user; and, after it is determined that the user has been authenticated by the third server, a token of the user corresponding to the identifier of the user is sent to the user.
  • The digital object is a virtual digital object stored in the fourth server; the executing unit 503 is specifically configured to acquire a location pointer according to the identifier of the digital object, where the location pointer is used to represent the address at which the fourth server stores the digital object; acquire the digital object from the fourth server according to the location pointer; and process the digital object according to the digital object operation authority.
  • The identifier of the digital object includes a digital object group identifier; the executing unit 503 is specifically configured to process each member of the digital object group according to the digital object operation authority and the digital object group identifier.
  • The unit components included in the first server may be disposed separately in different devices or together in the same device. For the receiving unit, determining unit, executing unit, and sending unit included in the first server, refer to the detailed description of the method for processing cross-domain data in the foregoing Embodiment 1; they are not described again in the third embodiment of the present invention.
  • the third embodiment of the present invention further provides a second server.
  • the second server includes:
  • the receiving unit 601 is configured to receive a data operation request sent by the first server, where the data operation request is used to request processing on the digital object, where the data operation request includes an identifier of the digital object, and an identifier of the user,
  • the autonomous domain of the second server is the target domain of the data operation request.
  • the executing unit 603 is configured to request the third server to authenticate the user.
  • the obtaining unit 602 is configured to obtain, after determining that the user is authenticated by the third server, the digital object operation authority according to the identifier of the user in the operation request, where the digital object operation authority is the operation authority of the second server over the digital object related to the user.
  • the executing unit 603 is further configured to process the digital object according to the digital object operation authority and the identifier of the digital object.
  • the device further includes: a sending unit, configured to: after the user is authenticated by the third server, send a token of the user corresponding to the identifier of the user to the user.
  • the digital object is a virtual digital object stored in a fourth server, and the execution unit is configured to acquire a location pointer according to the identifier of the digital object, where the location pointer is used to indicate that the fourth server stores the An address of the digital object; acquiring the digital object from the fourth server according to the location pointer; processing the digital object according to the digital object operation authority.
  • the units included in the second server may be separately disposed in different devices, or may be collectively disposed in the same device.
  • For the receiving unit, the obtaining unit, the executing unit, and the sending unit, refer to the second embodiment of the present invention; they are not described in detail in the third embodiment of the present invention.
  • the embodiment of the present invention further provides a first server, as shown in FIG. 7, whose structural composition is as follows:
  • the first server includes an interface 701, a memory 702, and a processor 703.
  • the interface 701, the memory 702, and the processor 703 are connected by a bus and transmit data through the bus.
  • the processor 703 reads an instruction from the program stored in the memory 702 and performs the following operations:
  • a first data operation request sent by a user, where the first server is configured to provide an access service to the user, the first data operation request is used to request processing of the digital object, and the first data operation request includes the token of the user and an identifier of the digital object;
  • the second data operation request is sent to the second server through the interface 701.
  • the interface 701 is configured to perform the function of transmitting the first data operation request in 11 and 12 in the first embodiment.
  • the processor 703 is configured to perform all the functions in the above-mentioned 13 to 19. Specifically, the specific implementation principles of the interface 701 and the processor 703 in the first server are described in detail in the foregoing Embodiment 1, and details are not described herein again.
  • the third embodiment of the present invention also proposes a second server, such as the structure shown in FIG.
  • the second server includes an interface 801, a memory 802, and a processor 803.
  • the processor 803 included in the second server can read out an instruction from a program stored in the memory 802, and performs the following operations:
  • a data operation request sent by the first server where the data operation request is used to request processing, the data operation request includes an identifier of the digital object and an identifier of the user,
  • the autonomous domain of the second server is the target domain of the data operation request;
  • After determining that the user is authenticated by the third server, obtaining a digital object operation authority according to the identifier of the user in the operation request, where the digital object operation authority is the operation authority of the second server over the digital object related to the user;
  • the digital object is processed according to the digital object operation authority and the identifier of the digital object.
  • The interface may be one or more of the following: a network interface controller (NIC) providing a wired interface, such as an Ethernet NIC, which can provide a copper wire and/or fiber interface; or a NIC that provides a wireless interface, such as a wireless local area network (WLAN) NIC.
  • The memory may be a volatile memory, such as a random-access memory (RAM); a non-volatile memory, such as a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); or a combination of the above types of memory.
  • the processor can be a central processing unit (CPU) or a combination of a CPU and a hardware chip.
  • The signal processor can also be a network processor (NP), a combination of a CPU and an NP, or a combination of an NP and a hardware chip.
  • The hardware chip may be a combination of one or more of the following: an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), and a complex programmable logic device (CPLD).
  • embodiments of the present invention can be provided as a method, apparatus (device), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, read-only optical disks, optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed are a method for processing cross-domain data, a first server and a second server. The method comprises the following operations: a first server receives a first data operation request sent by a user, and determines, according to a digital object identifier included in the first data operation request, that the target domain of the first data operation request is the autonomous domain of a second server; the first server removes a user token included in the first data operation request to obtain a second data operation request; and the first server sends the second data operation request to the second server. The present invention can achieve data processing between users belonging to different service providers.
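
The exchange in the abstract and in the second-server steps above, as an added Python sketch that is not code from the patent: the first server picks the target domain from the digital object identifier and removes the user token before forwarding, and the second server authorizes on the user identifier once the third server reports the user as authenticated. The `<domain>/<name>` identifier format, the class names and the way the second server consults the third server are assumptions.

```python
# Added illustration, not code from the patent. Class names, the
# "<domain>/<name>" identifier format and the in-memory stores are assumptions.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class DataOpRequest:
    user_id: str
    object_id: str                    # constructed format: "<domain>/<name>"
    operation: str
    user_token: Optional[str] = None  # credential issued in the user's own domain

class ThirdServer:
    """Authentication service both domains trust (assumed interface)."""
    def __init__(self, authenticated=()):
        self.authenticated = set(authenticated)

class SecondServer:
    """Target domain: authorizes on the user identifier, not on a token."""
    def __init__(self, idp, authority, objects):
        self.idp, self.authority, self.objects = idp, authority, objects
        self.received = []            # kept so the forwarded request can be inspected
    def handle(self, req):
        self.received.append(req)
        if req.user_id not in self.idp.authenticated:
            raise PermissionError("user not authenticated by the third server")
        allowed = self.authority.get(req.user_id, {}).get(req.object_id, set())
        if req.operation not in allowed:
            raise PermissionError("operation outside the digital object authority")
        return self.objects[req.object_id]

class FirstServer:
    """User's home domain: routes on the object identifier, strips the token."""
    def __init__(self, peers):
        self.peers = peers            # target domain name -> second server
    def handle(self, first_req):
        domain = first_req.object_id.split("/", 1)[0]
        if domain not in self.peers:
            raise LookupError("no known server for domain " + domain)
        second_req = replace(first_req, user_token=None)  # token stays home
        return self.peers[domain].handle(second_req)

def demo():
    idp = ThirdServer({"alice"})
    second = SecondServer(idp, {"alice": {"domainB/report-7": {"read"}}},
                          {"domainB/report-7": b"constructed sample data"})
    first = FirstServer({"domainB": second})
    req = DataOpRequest("alice", "domainB/report-7", "read", "tok-alice")
    return first, second, first.handle(req)
```

Because the second server never sees the token, its decision rests entirely on the third server's authentication state and its own per-user authority table, so both must be checked on every request.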
PCT/CN2016/104053 2015-11-10 2016-10-31 Method for processing cross-domain data, first server and second server WO2017080381A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510760330.5 2015-11-10
CN201510760330.5A CN106685901B (zh) 2015-11-10 2015-11-10 Method for processing cross-domain data, first server and second server

Publications (1)

Publication Number Publication Date
WO2017080381A1 true WO2017080381A1 (fr) 2017-05-18

Family

ID=58694572

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/104053 WO2017080381A1 (fr) 2015-11-10 2016-10-31 Method for processing cross-domain data, first server and second server

Country Status (2)

Country Link
CN (1) CN106685901B (fr)
WO (1) WO2017080381A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
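CN111431966A (zh) * 2020-02-21 2020-07-17 视联动力信息技术股份有限公司 Service request processing method and apparatus, electronic device and storage medium
CN116150793A (zh) * 2023-03-17 2023-05-23 北京信源电子信息技术有限公司 Data protection method and system based on DOA handle identifier resolution technology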

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935336B (zh) * 2020-08-18 2023-05-30 下一代互联网关键技术和评测北京市工程研究中心有限公司 IPv6-based network governance method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350710A (zh) * 2007-07-16 2009-01-21 华为技术有限公司 Network system, authority issuing server, and method for issuing and executing authority
US20090132713A1 (en) * 2007-11-20 2009-05-21 Microsoft Corporation Single-roundtrip exchange for cross-domain data access
US20090254745A1 (en) * 2008-04-07 2009-10-08 Ravi Ganesan Efficient security for mashups
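CN102195957A (zh) * 2010-03-19 2011-09-21 华为技术有限公司 Resource sharing method, apparatus and system
CN104216907A (zh) * 2013-06-02 2014-12-17 上海贝尔股份有限公司 Method, apparatus and system for providing database access control
CN104410711A (zh) * 2014-12-15 2015-03-11 北京国双科技有限公司 Method and apparatus for a client to request network resources across domains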

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7539191B1 (en) * 2002-12-12 2009-05-26 Packet Design, Inc. System and method for securing route processors against attack
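CN100353713C (zh) * 2005-12-26 2007-12-05 北京航空航天大学 Trusted remote service hot deployment method
CN100493089C (zh) * 2005-12-26 2009-05-27 北京航空航天大学 Service computing system based on separation of services from underlying resources
CN104735055B (zh) * 2015-02-12 2018-09-21 河南理工大学 Trust-degree-based cross-domain security access control method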

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
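CN111431966A (zh) * 2020-02-21 2020-07-17 视联动力信息技术股份有限公司 Service request processing method and apparatus, electronic device and storage medium
CN116150793A (zh) * 2023-03-17 2023-05-23 北京信源电子信息技术有限公司 Data protection method and system based on DOA handle identifier resolution technology
CN116150793B (zh) * 2023-03-17 2023-10-24 北京信源电子信息技术有限公司 Data protection method and system based on DOA handle identifier resolution technology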

Also Published As

Publication number Publication date
CN106685901A (zh) 2017-05-17
CN106685901B (zh) 2020-06-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16863558; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16863558; Country of ref document: EP; Kind code of ref document: A1)