CN103414567A - Information monitoring method and system - Google Patents

Information monitoring method and system

Publication number: CN103414567A (granted version: CN103414567B)
Application number: CN2013103440475A
Authority: CN (China)
Language: Chinese (zh)
Inventor: 李东声
Original and current assignee: Tendyron Technology Co Ltd
Legal status: granted, active (as listed by Google Patents; an assumption, not a legal conclusion)
Priority application: CN201310344047.5A
Related PCT applications: PCT/CN2014/083343 (WO2015018292A1), PCT/CN2014/083335 (WO2015018291A1)
Keywords: information, packet, policy, strategy, identification information

Abstract

The invention provides an information monitoring method and system. In the method, a security device obtains an operation request and then obtains identification information, locating information, a first authentication code and a first information output policy; according to the first information output policy it applies first processing to a first information packet to obtain first process information, and outputs the first process information together with the first information packet. The first information packet is obtained by applying second processing to first information, which comprises at least the identification information, the locating information and the first authentication code. A background monitoring device receives the first process information and the first information packet and stores them. Because the background monitoring device monitors the request information sent by the security device, the questions of who sent a request and from where it was sent can be answered, which improves the security of information acquisition or of a start-up (opening) operation to a certain degree.

Description

Information monitoring method and system
Technical field
The present invention relates to the field of information security, and in particular to an information monitoring method and system.
Background technology
At present, with the development of networks, obtaining information over the network meets people's demand for information resources well and makes obtaining those resources far more convenient.
However, as obtaining information resources over the network has become widespread, more and more information can be obtained by anyone, anywhere, in any form. This is unsuitable for some sensitive information. Such sensitive information is usually handled as follows: the publisher of the information resource encrypts it, and only persons with the appropriate authority hold the means to decrypt it, so that only they can obtain the sensitive information.
Although this approach makes the acquisition of sensitive information safer, it gives no way of learning who obtained the information, or where. As hackers' techniques become more sophisticated, the means of decryption can easily be intercepted, and it is possible for someone to impersonate an authorized person in order to obtain the sensitive information. There is therefore still no suitable way of monitoring the channel through which sensitive information is obtained so as to improve its security.
In addition, the start-up (opening) of many existing devices is unrestricted: anyone can start the device anywhere, which easily creates the risk that the information in the device, or the device itself, is stolen. For example, once a car is stolen it usually cannot be recovered, causing loss to its owner.
Therefore, there is now a need for a method that can monitor who obtained a sensitive information resource and where, or who started a device and where, so that the acquisition of information or the start-up of a device can be monitored.
Summary of the invention
The present invention aims to solve the problem that existing acquisition operations or start-up operations are not monitored and are therefore insecure.
The main object of the present invention is to provide an information monitoring method;
another object of the present invention is to provide an information monitoring system.
To achieve the above objects, the technical solution of the present invention is as follows.
In one aspect, the present invention provides an information monitoring method comprising: a security device obtains an operation request and, after obtaining the operation request, obtains identification information, locating information, a first authentication code and a first information output policy; according to the first information output policy, the security device applies first processing to a first information packet to obtain first process information, and outputs the first process information and the first information packet, wherein the first information packet is obtained by applying second processing to first information, and the first information comprises at least the identification information, the locating information and the first authentication code; a background monitoring device receives the first process information and the first information packet and stores them.
In addition, the first information output policy is an encrypt-then-output policy, in which case the first processing is encryption; or the first information output policy is a sign-then-output policy, in which case the first processing is signing.
In addition, the first information further comprises the operation request.
In addition, the first authentication code is a random number, a time parameter or a dynamic password value.
In addition, the step in which the background monitoring device receives and stores the first process information and the first information packet comprises: the background monitoring device receives the first process information and the first information packet and obtains a first authentication policy; the background monitoring device verifies the first process information according to the first authentication policy; and, after the first process information passes verification, the background monitoring device stores the first process information and the first information packet.
In addition, the step in which the background monitoring device receives the first process information and the first information packet and obtains the first authentication policy further comprises: after receiving the first process information and the first information packet, the background monitoring device obtains the first information; it obtains preset orientation (location) range information and/or a pre-stored identification information group; it judges whether the locating information lies within the orientation range information and/or whether the identification information is in the identification information group; and if the locating information lies within the orientation range information and/or the identification information is in the identification information group, it obtains the first authentication policy.
In addition, when the first information output policy is an encrypt-then-output policy, the first authentication policy is a decrypt-and-verify policy matching the encrypt-then-output policy, or a re-encrypt-and-verify (recompute and compare) policy matching it; when the first information output policy is a sign-then-output policy, the first authentication policy is a signature verification policy matching the sign-then-output policy.
In one aspect, the present invention also provides another information monitoring method comprising: a security device obtains an operation request and, after obtaining the operation request, obtains identification information and/or locating information; the security device verifies the identification information and/or the locating information and, after verification passes, obtains a first authentication code and a first information output policy; according to the first information output policy, the security device applies first processing to a first information packet to obtain first process information, and outputs the first process information and the first information packet, wherein the first information packet is obtained by applying second processing to first information, and the first information comprises at least the first authentication code and the locating information; a background monitoring device receives the first process information and the first information packet and stores them.
In addition, the step of verifying the identification information and/or the locating information comprises: obtaining pre-stored identification information and verifying whether the identification information is consistent with the pre-stored identification information, the identification information passing verification if it is; and/or obtaining pre-stored orientation range information and verifying whether the locating information lies within the pre-stored orientation range information, the locating information passing verification if it does.
In addition, the step of obtaining the identification information and/or the locating information after obtaining the operation request comprises: the operation request contains second process information and a second information packet; the second process information is obtained by applying third processing to the second information packet, the second information packet is obtained by applying fourth processing to second information, and the second information comprises at least the identification information and/or the locating information; after obtaining the operation request, the security device verifies the second process information against the second information packet and, after verification passes, obtains the identification information and/or the locating information from the second information packet.
In addition, the third processing is encryption or signing.
In addition, the second information further comprises a second authentication code.
In addition, the second authentication code is a random number, a time parameter or a dynamic password value.
In addition, the first information output policy is an encrypt-then-output policy, in which case the first processing is encryption; or the first information output policy is a sign-then-output policy, in which case the first processing is signing.
In addition, the first information further comprises the operation request and/or the identification information.
In addition, the first authentication code is a random number, a time parameter or a dynamic password value.
In addition, the step in which the background monitoring device receives and stores the first process information and the first information packet comprises: the background monitoring device receives the first process information and the first information packet and obtains a first authentication policy; it verifies the first process information according to the first authentication policy; and, after the first process information passes verification, it stores the first process information and the first information packet.
In addition, when the first information output policy is an encrypt-then-output policy, the first authentication policy is a decrypt-and-verify policy matching the encrypt-then-output policy, or a re-encrypt-and-verify policy matching it; when the first information output policy is a sign-then-output policy, the first authentication policy is a signature verification policy matching the sign-then-output policy.
In another aspect, the present invention provides an information monitoring system comprising a security device and a background monitoring device. The security device obtains an operation request and, after obtaining the operation request, obtains identification information, locating information, a first authentication code and a first information output policy; according to the first information output policy it applies first processing to a first information packet to obtain first process information, and outputs the first process information and the first information packet, wherein the first information packet is obtained by applying second processing to first information, and the first information comprises at least the identification information, the locating information and the first authentication code. The background monitoring device receives the first process information and the first information packet and stores them.
In addition, the first information output policy is an encrypt-then-output policy, in which case the first processing is encryption; or the first information output policy is a sign-then-output policy, in which case the first processing is signing.
In addition, the first information further comprises the operation request.
In addition, the first authentication code is a random number, a time parameter or a dynamic password value.
In addition, after receiving the first process information and the first information packet, the background monitoring device further obtains a first authentication policy, verifies the first process information according to the first authentication policy and, after the first process information passes verification, stores the first process information and the first information packet.
In addition, after receiving the first process information and the first information packet, the background monitoring device further obtains the first information, obtains preset orientation range information and/or a pre-stored identification information group, judges whether the locating information lies within the orientation range information and/or whether the identification information is in the identification information group, and obtains the first authentication policy if the locating information lies within the orientation range information and/or the identification information is in the identification information group.
In addition, when the first information output policy is an encrypt-then-output policy, the first authentication policy is a decrypt-and-verify policy matching the encrypt-then-output policy, or a re-encrypt-and-verify policy matching it; when the first information output policy is a sign-then-output policy, the first authentication policy is a signature verification policy matching the sign-then-output policy.
In another aspect, the present invention also provides another information monitoring system comprising a security device and a background monitoring device. The security device obtains an operation request and, after obtaining the operation request, obtains identification information and/or locating information, verifies the identification information and/or the locating information and, after verification passes, obtains a first authentication code and a first information output policy; according to the first information output policy it applies first processing to a first information packet to obtain first process information, and outputs the first process information and the first information packet, wherein the first information packet is obtained by applying second processing to first information, and the first information comprises at least the first authentication code and the locating information. The background monitoring device receives the first process information and the first information packet and stores them.
In addition, the security device further obtains pre-stored identification information and verifies whether the identification information is consistent with the pre-stored identification information, the identification information passing verification if it is; and/or obtains pre-stored orientation range information and verifies whether the locating information lies within the pre-stored orientation range information, the locating information passing verification if it does.
In addition, the operation request contains second process information and a second information packet; the second process information is obtained by applying third processing to the second information packet, the second information packet is obtained by applying fourth processing to second information, and the second information comprises at least the identification information and/or the locating information. After obtaining the operation request, the security device further verifies the second process information against the second information packet and, after verification passes, obtains the identification information and/or the locating information from the second information packet.
In addition, the third processing is encryption or signing.
In addition, the second information further comprises a second authentication code.
In addition, the second authentication code is a random number, a time parameter or a dynamic password value.
In addition, the first information output policy is an encrypt-then-output policy, in which case the first processing is encryption; or the first information output policy is a sign-then-output policy, in which case the first processing is signing.
In addition, the first information further comprises the operation request and/or the identification information.
In addition, the first authentication code is a random number, a time parameter or a dynamic password value.
In addition, after receiving the first process information and the first information packet, the background monitoring device further obtains a first authentication policy, verifies the first process information according to the first authentication policy and, after the first process information passes verification, stores the first process information and the first information packet.
In addition, when the first information output policy is an encrypt-then-output policy, the first authentication policy is a decrypt-and-verify policy matching the encrypt-then-output policy, or a re-encrypt-and-verify policy matching it; when the first information output policy is a sign-then-output policy, the first authentication policy is a signature verification policy matching the sign-then-output policy.
As can be seen from the technical solution provided above, with the information monitoring method and system of the present invention the background monitoring device can monitor the request information sent by the security device, that is, the acquisition operation request or the start-up operation request, and can thereby learn who sent the request and from where, which improves the security of information acquisition or of the start-up operation to a certain extent.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed to describe the embodiments are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the information monitoring method provided by Embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of the information monitoring system provided by Embodiment 1 of the present invention;
Fig. 3 is a flow chart of the information monitoring method provided by Embodiment 2 of the present invention;
Fig. 4 is a schematic structural diagram of the information monitoring system provided by Embodiment 2 of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the present invention.
In the description of the present invention, it should be understood that terms indicating orientation or positional relationships, such as "center", "longitudinal", "lateral", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer", are based on the orientations or positional relationships shown in the drawings; they are used only for convenience and simplicity of description and do not indicate or imply that the referenced device or element must have a particular orientation or be constructed and operated in a particular orientation, so they are not to be construed as limiting the present invention. The terms "first" and "second" are used only for descriptive purposes and are not to be construed as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or internal between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
Fig. 1 shows the flow chart of the information monitoring method of Embodiment 1 of the present invention. Referring to Fig. 1, the information monitoring method of this embodiment comprises:
Step S101: the security device obtains an operation request and, after obtaining the operation request, obtains identification information, locating information, a first authentication code and a first information output policy.
Specifically, the security device can obtain an operation request, which may be a request to obtain sensitive information or a request to start (unlock) a car; indeed, any request that requires secure acquisition or a secure start-up operation can be an operation request of the present invention.
The security device of the present invention can be bound to a controlled device; for example, the security device can be bound to a sensitive-information storage device or to a car. Binding to the controlled device guarantees a unique association between the controlled device and the security device and improves the security of communication between the two.
After obtaining the operation request, the security device can obtain the identification information of the controlled device bound to it. This identification information can be obtained from the bound controlled device or pre-stored in the security device, and can be any information with a unique identifying function, such as a serial number. Obtaining the identification information lets the security device and the background monitoring device retrieve the information related to this controlled device by that identification.
In addition, a positioning module can be provided in the security device, from which the locating information is obtained; alternatively the positioning module is provided in the controlled device and the security device obtains the locating information from the controlled device. The positioning module can be any of GPS, AGPS, BeiDou positioning and the like. Placing the positioning module in the security device speeds up obtaining the locating information; placing it in the controlled device reduces the number of modules in the security device and simplifies its flow, improving its processing speed.
In addition, the security device obtains a first authentication code. This can be a random number generated by a random number generator in the security device; a time parameter generated by a clock in the security device; a dynamic password value generated by a dynamic password generation module in the security device; a preset static password that the user enters on the keypad of the security device (to guarantee that a different parameter is obtained each time, the user can be prompted to reset the static password after each acquisition); or a dynamic password generated by a one-time-password token bound to the security device and entered by the user on the keypad. The first authentication code of the present invention is not limited to these; it can also be any combination of the above parameters, and any parameter that differs on every acquisition can serve as the first authentication code. Obtaining a different first authentication code each time prevents every request from producing identical transmitted information, which improves security. (For a practitioner the corollary is that the freshness only helps if the background monitoring device also remembers the codes, or time parameters, it has already accepted and rejects a repeat; otherwise a captured message can be delivered again unchanged.)
The security device also obtains a first information output policy, which can be an encrypt-then-output policy or a sign-then-output policy. The encrypt-then-output policy guarantees the security and verifiability of the communication; the sign-then-output policy additionally guarantees the non-repudiation of the sent information.
Step S102, the security device performs first processing on the first information data packet according to the first information output strategy to obtain the first processing information, and outputs the first processing information and the first information data packet; wherein the first information data packet is obtained by performing second processing on the first information, and the first information comprises at least: identification information, positioning information and the first authentication code;
Specifically, when the first information output strategy is the encrypt-then-output strategy, the first processing performed on the first information data packet can be: encrypting the first information data packet. This encryption can use a symmetric encryption algorithm or an asymmetric encryption algorithm. For example, it can be computing a MAC value of the first information data packet, or computing a HASH value of the first information data packet; of course, it can also be truncating the computed MAC value or taking part of the HASH value.
When the first information output strategy is the sign-then-output strategy, the first processing performed on the first information data packet can be: signing the first information data packet with the private key of the security device.
The first information data packet is obtained by performing second processing on the first information, and this second processing can be any of the following:
(1) Simply adding a source address and a destination address to the first information, keeping the identification information, positioning information and first authentication code in plaintext; in this case only plaintext is transmitted, which facilitates subsequent verification and simplifies the flow.
(2) Encrypting at least the first authentication code in the first information; after the first authentication code is encrypted with this encryption algorithm, it can be decrypted with the decryption algorithm corresponding to this encryption algorithm. For example: the first authentication code is encrypted and the identification information and positioning information are kept in plaintext, or the positioning information and the first authentication code are encrypted and the identification information is kept in plaintext, or any similar arrangement. In this case, encrypting the first authentication code prevents it from being cracked during transmission and improves transmission security.
In addition, the first information can also comprise the operation request, so that the operation request can also be verified subsequently to ensure its authenticity.
Step S103, the background monitoring device receives the first processing information and the first information data packet, and stores the first processing information and the first information data packet.
Specifically, the background monitoring device can store the first processing information and the first information data packet directly after receiving them, which simplifies the flow of the background monitoring device.
The background monitoring device can also, after receiving the first processing information and the first information data packet, verify the first processing information and store the first processing information and the first information data packet after the verification passes; if the verification fails, it raises an alarm or locks the controlled device bound to the security device. Storing only after the authenticity of the source of the first processing information and the first information data packet has been ensured improves control and monitoring, and also improves the security of obtaining information in the controlled device or the security of unlocking the controlled device.
If the background monitoring device verifies the first processing information, it can do so in the following way:
The background monitoring device receives the first processing information and the first information data packet, obtains the first verification strategy, verifies the first processing information according to the first verification strategy, and stores the first processing information and the first information data packet after the first processing information passes verification.
Of course, this first verification strategy should match the first information output strategy:
When the first information output strategy is the encrypt-then-output strategy: if the first information output strategy uses a symmetric encryption algorithm, the first verification strategy is a decrypt-then-verify strategy matching the encrypt-then-output strategy; if the first information output strategy uses an asymmetric algorithm, the first verification strategy is an encrypt-then-verify strategy matching the encrypt-then-output strategy.
When the first information output strategy is the sign-then-output strategy, the first verification strategy is a signature verification strategy matching the sign-then-output strategy; for example, the signature of the first processing information is verified using the public key of the security device and the first information data packet. Only after the signature verification of the background monitoring device passes does the background monitoring device regard the security device as authenticated, and the storing operation is performed only after the security device has been authenticated, which improves security.
Specifically, when the background monitoring device verifies the first processing information according to the first verification strategy, it can use the first authentication code obtained from the first information to verify the first processing information; it can also negotiate with the security device in advance, pre-store an authentication code identical to the first authentication code sent by the security device, and use this pre-stored authentication code to verify the first processing information; it can also negotiate with the security device in advance to use the same authentication code generation method, generate the authentication code, and use the generated authentication code to verify the first processing information. Whichever verification method is used, as long as the purpose of verifying the first processing information is achieved, it falls within the scope of protection of the present invention.
In addition, when the background monitoring device receives the first processing information and the first information data packet and obtains the first verification strategy, this can also include verifying the positioning information, or verifying the identification information, or verifying both the positioning information and the identification information. For example, the verification can be carried out in one of the following ways:
Mode one: after receiving the first processing information and the first information data packet, the background monitoring device obtains the first information, obtains the preset positioning range information, and judges whether the positioning information is within the positioning range information; if the positioning information is within the positioning range information, it obtains the first verification strategy.
Mode two: after receiving the first processing information and the first information data packet, the background monitoring device obtains the first information, obtains the pre-stored identification information group, and judges whether the identification information is in the identification information group; if the identification information is in the identification information group, it obtains the first verification strategy.
Mode three: after receiving the first processing information and the first information data packet, the background monitoring device obtains the first information, obtains the preset positioning range information and the pre-stored identification information group, judges whether the positioning information is within the positioning range information, and judges whether the identification information is in the identification information group; if the positioning information is within the positioning range information and the identification information is in the identification information group, it obtains the first verification strategy.
Specifically, after the background monitoring device receives the first processing information and the first information data packet output by the security device, it obtains the first information in a manner matching the second processing, depending on which second processing was used:
(1) When the second processing is simply adding a source address and a destination address to the first information and keeping the identification information, positioning information and first authentication code in plaintext, the background monitoring device obtains the first information directly from the received first information data packet, and thus obtains the identification information, positioning information and first authentication code; this simplifies the acquisition flow and improves acquisition speed.
(2) When the second processing is encrypting at least the first authentication code in the first information, the background monitoring device can decrypt the encrypted first authentication code to obtain it; for example, it decrypts the first information to obtain the first authentication code, or decrypts the first information to obtain the positioning information, or decrypts the first information to obtain the identification information, or any similar arrangement. At least the first authentication code is decrypted, so that the first processing information can be verified subsequently.
In addition, the background monitoring device also obtains the preset positioning range information, thereby ensuring that only requests sent from within this positioning range are verified and monitored; the subsequent verification of the first processing information is performed only when the positioning information is within the positioning range information, which simplifies the flow and improves processing efficiency.
The background monitoring device also obtains the pre-stored identification information group, thereby ensuring that only requests sent by controlled devices whose identification information is monitored by the background monitoring device are verified and monitored, which improves security; the subsequent verification of the first processing information is performed only when the identification information is in the identification information group, which simplifies the flow and improves processing efficiency.
It can be seen that, with the information monitoring method of the present invention, the request information sent by the security device can be monitored by the background monitoring device, so that an information acquisition request or an opening operation request is monitored and it can be learned who sent the request and where it was sent from, which improves to a certain extent the security of information acquisition or of the opening operation.
Fig. 2 shows the structural schematic diagram of the information monitoring system of embodiment 1 of the present invention. Only the structure of this information monitoring system is briefly described here; of course, each component of the information monitoring system can be divided into several modules performing different functions, or all functions can be completed by one integrated chip, which is not enumerated here; the present embodiment only divides the information monitoring system in a simple way. Referring to Fig. 2, the information monitoring system of the present embodiment comprises a security device 10 and a background monitoring device 20. The security device 10 performs information output by the method of steps S101 to S102 shown in Fig. 1, and the background monitoring device 20 performs information monitoring by the method of step S103 shown in Fig. 1; these are not repeated here, and only the function of each component is briefly described. Wherein:
The security device 10 obtains an operation request and, after obtaining the operation request, obtains identification information, positioning information, a first authentication code and a first information output strategy; according to the first information output strategy it performs first processing on the first information data packet to obtain first processing information, and outputs the first processing information and the first information data packet; wherein the first information data packet is obtained by performing second processing on the first information, and the first information comprises at least: identification information, positioning information and the first authentication code; wherein the first information can also comprise the operation request, and the first authentication code can be a random number, a time parameter or a dynamic password value.
The background monitoring device 20 receives the first processing information and the first information data packet, and stores the first processing information and the first information data packet.
Of course, the first information output strategy can be the encrypt-then-output strategy, in which case the first processing is encryption; or the first information output strategy can be the sign-then-output strategy, in which case the first processing is signing.
In addition, after receiving the first processing information and the first information data packet, the background monitoring device 20 can also obtain the first verification strategy, verify the first processing information according to the first verification strategy, and store the first processing information and the first information data packet after the first processing information passes verification.
Of course, after receiving the first processing information and the first information data packet, the background monitoring device 20 can also obtain the first information, obtain the preset positioning range information and/or the pre-stored identification information group, judge whether the positioning information is within the positioning range information and/or whether the identification information is in the identification information group, and obtain the first verification strategy if the positioning information is within the positioning range information and/or the identification information is in the identification information group.
In this case, when the first information output strategy is the encrypt-then-output strategy, the first verification strategy is a decrypt-then-verify strategy matching the encrypt-then-output strategy, or an encrypt-then-verify strategy matching the encrypt-then-output strategy; when the first information output strategy is the sign-then-output strategy, the first verification strategy is a signature verification strategy matching the sign-then-output strategy.
It can be seen that, with the information monitoring system of the present invention, the request information sent by the security device can be monitored by the background monitoring device, so that an information acquisition request or an opening operation request is monitored and it can be learned who sent the request and where it was sent from, which improves to a certain extent the security of information acquisition or of the opening operation.
Embodiment 2
Fig. 3 shows the flow chart of the information monitoring method of embodiment 2 of the present invention. Referring to Fig. 3, the information monitoring method of the present embodiment comprises:
Step S301, the security device obtains an operation request and, after obtaining the operation request, obtains identification information and/or positioning information;
Specifically, the security device can obtain an operation request, which can be a request to obtain sensitive information or a request to open a vehicle; of course, any request that involves secure acquisition of information or execution of a secure opening operation can be an operation request of the present invention.
Of course, the security device of the present invention can be bound to a controlled device; for example, the security device can be bound to a sensitive information storage device, or to a vehicle. Binding to the controlled device ensures a unique association between the controlled device and the security device and improves the security of communication between the two.
In addition, after obtaining the operation request, the security device can obtain the identification information of the controlled device bound to it. This identification information can be obtained from the bound controlled device; for example, the operation request carries the identification information, and the security device obtains it from the request. The identification information can be information with a unique identification function, such as the serial number of the controlled device. Obtaining the identification information makes it convenient for the background system server to subsequently know which device needs to be verified by the background system server.
In addition, the security device can also obtain positioning information, which can be carried in the operation request and generated by a positioning module arranged in the controlled device; or the security device can obtain it from a positioning module arranged in the security device. The positioning module can be any of the following: GPS, AGPS or BeiDou positioning, etc. Arranging the positioning module in the security device can improve the speed at which the security device obtains positioning information; arranging it in the controlled device reduces the number of modules in the security device, shortens the flow and improves the processing speed of the security device.
Of course, the security device of the present invention can obtain only identification information, only positioning information, or both identification information and positioning information. Whether a single kind of information or both kinds are obtained, it suffices that the security device can subsequently verify the controlled device.
In addition, in the present invention, this step can also include the security device verifying the legitimacy and authenticity of the controlled device. For example:
The operation request can comprise second processing information and a second information data packet, wherein the second processing information is obtained by performing third processing on the second information data packet, the second information data packet is obtained by performing fourth processing on the second information, and the second information comprises at least: identification information and/or positioning information;
Of course, the third processing can be encryption or signing. When the third processing is encryption, a symmetric encryption algorithm or an asymmetric encryption algorithm can be used; for example, it can be computing a MAC value of the second information data packet, or computing a HASH value of the second information data packet, or, of course, truncating the computed MAC value or taking part of the HASH value. When the third processing is signing, the controlled device can sign the second information data packet with the private key of the controlled device.
The fourth processing can be any of the following:
(1) Simply adding a source address and a destination address to the second information, keeping the identification information and/or positioning information in plaintext; in this case only plaintext is transmitted, which facilitates subsequent verification and simplifies the flow.
(2) Encrypting the identification information and/or positioning information in the second information; after the identification information and/or positioning information is encrypted with this encryption algorithm, it can be decrypted with the decryption algorithm corresponding to this encryption algorithm. In this case, encrypting the identification information and/or positioning information prevents it from being cracked during transmission and improves transmission security.
In this case, after obtaining the operation request, the security device can verify the second processing information according to the second information data packet and, after the verification passes, obtain the identification information and/or positioning information from the second information data packet. When the security device verifies the second processing information: if the third processing is encryption, the security device can decrypt the second processing information to verify it, or encrypt the second information data packet to verify the second processing information; if the third processing is signing, the security device can verify the signature of the second processing information, for example by using the public key of the controlled device and the second information data packet to verify the signature of the second processing information.
In addition, depending on the fourth processing, the security device can obtain the identification information and/or positioning information in the following ways:
(1) When the fourth processing is simply adding a source address and a destination address to the second information and keeping the identification information and/or positioning information in plaintext, the security device obtains the second information directly from the received second information data packet, and thus obtains the identification information and/or positioning information; this simplifies the acquisition flow and improves acquisition speed.
(2) When the fourth processing is encrypting the identification information and/or positioning information in the second information, the security device can decrypt the encrypted information to obtain the identification information and/or positioning information, which ensures the authenticity of the identification information and/or positioning information.
Of course, to ensure that the second information data packet is different each time, the second information can also comprise a second authentication code. The second authentication code can be a random number, a time parameter or a dynamic password value, for example:
The second authentication code can be a random number generated by a random number generator in the controlled device; it can also be a time parameter generated by a clock in the controlled device; it can also be a dynamic password value generated by a dynamic password generation module in the controlled device; it can also be a preset static password that the user enters on the keyboard of the controlled device, whereby the controlled device obtains the second authentication code (of course, to ensure that a different parameter is obtained each time, the user can be prompted to reset the static password after each acquisition); it can also be a dynamic password generated by a dynamic token bound to the controlled device and entered by the user on the keyboard of the controlled device, whereby the second authentication code is obtained. Of course, the second authentication code of the present invention is not limited to the above and can also be any combination of the above parameters; as long as the parameter obtained is different each time, it can be used by the controlled device as the second authentication code. By obtaining a different second authentication code each time, the situation in which every request is identical because the information sent is identical is avoided, which improves security.
Of course, in the present invention, to support subsequent verification using signatures, the private key of the controlled device and the public key of the security device can be stored in the controlled device, the public key of the controlled device and the private key of the security device can be stored in the security device, and the public key of the security device, etc., can be stored in the background monitoring device.
Step S302, the security device verifies the identification information and/or positioning information and, after the verification passes, obtains the first authentication code and the first information output strategy;
After obtaining the identification information and/or positioning information, the security device also needs to verify the identification information and/or positioning information so as to verify the controlled device; only after the security device has verified the controlled device does it output information to the background system server, which ensures the authenticity of the operation request.
In the present invention, the security device can verify the identification information in the following way: obtain the pre-stored identification information; verify whether the identification information is consistent with the pre-stored identification information; if the identification information is consistent with the pre-stored identification information, the identification information passes verification. Only after the identification information passes verification can the security device determine the authenticity of the controlled device and proceed with subsequent operations; otherwise the subsequent opening or acquisition operation is not performed.
The security device can verify the positioning information in the following way: obtain the pre-stored positioning range information; verify whether the positioning information is within the pre-stored positioning range information; if the positioning information is within the pre-stored positioning range information, the positioning information passes verification. Only after the positioning information passes verification can the security device determine that the controlled device is within the permitted positioning range and proceed with subsequent operations; otherwise the subsequent opening or acquisition operation is not performed.
In addition, the security device also obtains the first authentication code. This first authentication code can be a random number generated by a random number generator in the security device; it can also be a time parameter generated by a clock in the security device; it can also be a dynamic password value generated by a dynamic password generation module in the security device; it can also be a preset static password that the user enters on the keyboard of the security device, whereby the security device obtains the first authentication code (of course, to ensure that a different parameter is obtained each time, the user can be prompted to reset the static password after each acquisition); it can also be a dynamic password generated by a dynamic token bound to the security device and entered by the user on the keyboard of the security device, whereby the first authentication code is obtained. Of course, the first authentication code of the present invention is not limited to the above and can also be any combination of the above parameters; as long as the parameter obtained is different each time, it can be used as the first authentication code. By obtaining a different first authentication code each time, the situation in which every request is identical because the information sent is identical is avoided, which improves security.
Of course, the security device also obtains the first information output strategy, which can be a strategy of outputting after encryption or a strategy of outputting after signing. The encrypt-then-output strategy ensures the security and verifiability of the communication; the sign-then-output strategy, in addition to ensuring the security and verifiability of the communication, also ensures the non-repudiation of the information sent.
Step S303, the security device performs first processing on the first information data packet according to the first information output strategy to obtain the first processing information, and outputs the first processing information and the first information data packet; wherein the first information data packet is obtained by performing second processing on the first information, and the first information comprises at least: the first authentication code and the positioning information;
Specifically, when the first information output strategy is the encrypt-then-output strategy, the first processing performed on the first information data packet can be: encrypting the first information data packet. This encryption can use a symmetric encryption algorithm or an asymmetric encryption algorithm. For example, it can be computing a MAC value of the first information data packet, or computing a HASH value of the first information data packet; of course, it can also be truncating the computed MAC value or taking part of the HASH value.
When the first information output strategy is the sign-then-output strategy, the first processing performed on the first information data packet can be: signing the first information data packet with the private key of the security device.
The first information data packet is obtained by performing second processing on the first information, and this second processing can be any of the following:
(1) Simply adding a source address and a destination address to the first information, keeping the first authentication code and positioning information in plaintext; in this case only plaintext is transmitted, which facilitates subsequent verification and simplifies the flow.
(2) Encrypting at least the first authentication code in the first information; after the first authentication code is encrypted with this encryption algorithm, it can be decrypted with the decryption algorithm corresponding to this encryption algorithm. In this case, encrypting the first authentication code prevents it from being cracked during transmission and improves transmission security.
In addition, the first information can also comprise the operation request, so that the operation request can also be verified subsequently to ensure its authenticity. The first information can also comprise the identification information, so that the background system server can subsequently know which device initiated the request. Of course, the first information can comprise any one or any combination of the above information.
Step S304, background monitoring equipment receives the first process information and first information packet, and preserves the first process information and first information packet.
Concrete, background monitoring equipment can directly be stored the first process information and first information packet after receiving the first process information and first information packet, simplify the flow process of background monitoring equipment.
The background monitoring device may also, after receiving the first processing information and the first information packet, verify the first processing information and store the two only after verification passes; if verification fails, it raises an alarm or locks the controlled device bound to the security device. Storing only after the authenticity of the source of the first processing information and the first information packet has been confirmed strengthens control and monitoring, and also improves the security of information acquisition on the controlled device and the security of unlocking the controlled device.
If the background monitoring device verifies the first processing information, it may do so in the following way:
The background monitoring device receives the first processing information and the first information packet, also obtains a first authentication policy, verifies the first processing information according to the first authentication policy and, after the first processing information passes verification, stores the first processing information and the first information packet.
Of course, this first authentication policy should match the first information output policy:
When the first information output policy is the policy of outputting after encryption: if the first information output policy encrypts with a symmetric encryption algorithm, the first authentication policy is the decrypt-and-verify policy matching that policy of outputting after encryption; if the first information output policy encrypts with an asymmetric algorithm, the first authentication policy is the encrypt-and-verify policy matching that policy of outputting after encryption.
When the first information output policy is the policy of outputting after signing, the first authentication policy is the signature-verification policy matching that policy of outputting after signing; for example, the public key of the security device and the first information packet are used to verify the signature on the first processing information. Only after the background monitoring device's signature verification passes does the background monitoring device treat the security device as authenticated, and only after the security device is authenticated is the store operation performed, which improves security.
Specifically, when the background monitoring device verifies the first processing information according to the first authentication policy, it may verify the first processing information using the first authentication code obtained from the first information; it may also negotiate with the security device in advance so that an authentication code identical to the first authentication code sent by the security device is pre-stored, and verify the first processing information using that pre-stored authentication code; or it may negotiate with the security device in advance to use the same authentication-code generation method, generate the authentication code itself, and verify the first processing information using the generated code. Whichever verification mode is adopted, as long as it achieves verification of the first processing information, it falls within the scope of protection of the present invention.
Specifically, after the background monitoring device receives the first processing information and the first information packet output by the security device, it obtains the first information in a manner that matches the second processing, which differs according to which second processing was used:
(1) When the second processing simply adds a source address and a destination address to the first information and keeps the identification information, the location information and the first authentication code in plaintext, the background monitoring device obtains the first information directly from the received first information packet, and so obtains the identification information, the location information and the first authentication code; this simplifies the acquisition flow and speeds up acquisition.
(2) When the second processing encrypts at least the first authentication code in the first information, the background monitoring device decrypts the encrypted first authentication code to obtain it. At least the first authentication code is decrypted so that the first processing information can subsequently be verified.
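A compact model of the output-and-verify flow above, written here as an added example (not code from the patent or its assignee): the security device applies the first information output policy (output after encryption, or output after signing) to a first information packet built as in case (1), and the background monitoring device applies the matching first authentication policy, after the location-range and identification-group gate of claim 6, and stores the pair only when verification passes. Assumptions: a pre-shared key stands in for the secret the two sides negotiate in advance, HMAC-SHA256 stands in for the signature, an HMAC-derived XOR keystream stands in for the symmetric cipher, and names such as `BackgroundMonitor`, `SHARED_KEY` and `MATCHING_POLICY` are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict

# Constructed pre-shared secret standing in for the key/authentication code the two
# sides agree on in advance (assumption: any 32 bytes will do for this demo).
SHARED_KEY = bytes(range(32))
# First authentication policy that matches each first information output policy.
MATCHING_POLICY = {"encrypt": "decrypt-verify", "sign": "signature-verify"}

@dataclass
class FirstInformation:
    identification: str      # identification information
    location: tuple          # location information as (latitude, longitude)
    auth_code: str           # first authentication code (a random number here)
    operation_request: str   # the operation request, optionally carried as well

def second_process(info, src, dst) -> bytes:
    """Second processing, case (1): add source/destination, keep all fields in plaintext."""
    return json.dumps({"src": src, "dst": dst, "info": asdict(info)}, sort_keys=True).encode()

def parse_packet(packet: bytes) -> FirstInformation:
    """Recover the first information from a case (1) first information packet."""
    body = json.loads(packet)["info"]
    body["location"] = tuple(body["location"])
    return FirstInformation(**body)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-derived keystream standing in for a real symmetric cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def first_process(policy: str, packet: bytes, key: bytes) -> bytes:
    """First processing under the first information output policy."""
    if policy == "encrypt":   # policy: output after encryption
        nonce = secrets.token_bytes(16)
        return nonce + bytes(a ^ b for a, b in zip(packet, _keystream(key, nonce, len(packet))))
    if policy == "sign":      # policy: output after signing (HMAC stands in for a signature)
        return hmac.new(key, packet, hashlib.sha256).digest()
    raise ValueError(f"unknown first information output policy: {policy}")

def security_device_output(info, policy, key):
    """Security device 30: build the packet, apply first processing, output both."""
    packet = second_process(info, "security-device-30", "monitor-40")
    return first_process(policy, packet, key), packet

def verify_first_process_info(auth_policy, process_info, packet, key) -> bool:
    """Background side: apply the first authentication policy matching the output policy."""
    if auth_policy == "decrypt-verify":
        nonce, ciphertext = process_info[:16], process_info[16:]
        plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
        # Decrypted content (first authentication code included) must equal the received packet.
        return hmac.compare_digest(plaintext, packet)
    if auth_policy == "signature-verify":
        return hmac.compare_digest(hmac.new(key, packet, hashlib.sha256).digest(), process_info)
    return False

def in_range(info, id_group, lat_range, lon_range) -> bool:
    """Identification in the pre-stored group and location inside the pre-set range."""
    lat, lon = info.location
    return (info.identification in id_group
            and lat_range[0] <= lat <= lat_range[1] and lon_range[0] <= lon <= lon_range[1])

class BackgroundMonitor:
    """Background monitoring device 40: verify first, store only on success."""
    def __init__(self, key, id_group, lat_range, lon_range):
        self.key, self.id_group, self.lat_range, self.lon_range = key, set(id_group), lat_range, lon_range
        self.store = []    # stored (first processing information, first information packet) pairs
        self.alarms = []   # rejected inputs, feeding the alarm/lock step the page describes

    def receive(self, output_policy, process_info, packet) -> bool:
        info = parse_packet(packet)
        # Claim 6 style gate: obtain the authentication policy only when location and
        # identification fall inside the pre-set range and group.
        if not in_range(info, self.id_group, self.lat_range, self.lon_range):
            self.alarms.append(f"out of range: {info.identification} {info.location}")
            return False
        auth_policy = MATCHING_POLICY.get(output_policy)
        if not verify_first_process_info(auth_policy, process_info, packet, self.key):
            self.alarms.append(f"verification failed for {info.identification}")
            return False
        self.store.append((process_info, packet))
        return True

def demo():
    """Constructed run: valid encrypt, valid sign, tampered packet, out-of-range location."""
    mon = BackgroundMonitor(SHARED_KEY, {"device-30"}, (39.0, 41.0), (115.0, 118.0))
    info = FirstInformation("device-30", (39.9, 116.4), secrets.token_hex(8), "activate")
    res = [mon.receive(p, *security_device_output(info, p, SHARED_KEY)) for p in ("encrypt", "sign")]
    pi, pkt = security_device_output(info, "sign", SHARED_KEY)
    res.append(mon.receive("sign", pi, pkt.replace(b"activate", b"unlock!!")))
    far = FirstInformation("device-30", (10.0, 10.0), secrets.token_hex(8), "activate")
    res.append(mon.receive("sign", *security_device_output(far, "sign", SHARED_KEY)))
    return tuple(res), len(mon.store), len(mon.alarms)
```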
It can be seen that, with the information monitoring method of the present invention, the request information sent by the security device can be monitored by the background monitoring device, so that acquisition operation requests or activation operation requests are monitored, and it can be learned who sent the request and from where; this improves to some extent the security of information acquisition or of the activation operation.
Fig. 4 shows a schematic structural diagram of the information monitoring system of embodiment 2 of the present invention. Here the structure of this information monitoring system is described only briefly; of course, each component of the system may be divided into several modules performing different functions, or all functions may be completed by one integrated chip, which are not enumerated here, and the present embodiment divides the system only in a simple way. Referring to Fig. 4, the information monitoring system of the present embodiment comprises a security device 30 and a background monitoring device 40. The security device 30 outputs information using the method of steps S301 to S303 shown in Fig. 3, and the background monitoring device 40 performs information monitoring using the method of step S304 shown in Fig. 3; these are not repeated here, and only the function of each component is briefly described. Specifically:
The security device 30 obtains an operation request and, after obtaining the operation request, obtains identification information and/or location information, verifies the identification information and/or location information, and, after verification passes, obtains a first authentication code and a first information output policy; according to the first information output policy it performs first processing on a first information packet to obtain first processing information, and outputs the first processing information and the first information packet. The first information packet is obtained by performing second processing on first information, and the first information comprises at least the first authentication code and the location information.
The background monitoring device 40 receives the first processing information and the first information packet, and stores the first processing information and the first information packet.
In addition, the security device 30 also obtains pre-stored identification information and verifies whether the identification information is consistent with the pre-stored identification information; if the identification information is consistent with the pre-stored identification information, the identification information passes verification. And/or it obtains pre-stored location range information and verifies whether the location information is included in the pre-stored location range information; if the location information is within the pre-stored location range information, the location information passes verification.
The operation request comprises second processing information and a second information packet; the second processing information is obtained by performing third processing on the second information packet, the second information packet is obtained by performing fourth processing on second information, and the second information comprises at least the identification information and/or the location information. After obtaining the operation request, the security device 30 also verifies the second processing information according to the second information packet and, after verification passes, obtains the identification information and/or the location information from the second information packet.
Here the third processing may be encryption or signing, and the second information may further comprise a second authentication code, which may be a random number, a time parameter or a dynamic password value.
Of course, the first information output policy may be the policy of outputting after encryption, in which case the first processing is encryption; or the first information output policy may be the policy of outputting after signing, in which case the first processing is signing.
In addition, the first information may further comprise the operation request and/or the identification information, and the first authentication code may be a random number, a time parameter or a dynamic password value.
In addition, the background monitoring device 40 also, after receiving the first processing information and the first information packet, obtains a first authentication policy, verifies the first processing information according to the first authentication policy and, after the first processing information passes verification, stores the first processing information and the first information packet.
Of course, when the first information output policy is the policy of outputting after encryption, the first authentication policy is the decrypt-and-verify policy matching that policy of outputting after encryption, or the encrypt-and-verify policy matching that policy of outputting after encryption; when the first information output policy is the policy of outputting after signing, the first authentication policy is the signature-verification policy matching that policy of outputting after signing.
It can be seen that, with the information monitoring system of the present invention, the request information sent by the security device can be monitored by the background monitoring device, so that acquisition operation requests or activation operation requests are monitored, and it can be learned who sent the request and from where; this improves to some extent the security of information acquisition or of the activation operation.
Any process or method described in the flowcharts or otherwise described herein may be understood as representing one or more modules, segments or portions of code of executable instructions for implementing the steps of specific logical functions or of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following techniques known in the art: discrete logic circuits having logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits (ASICs) with suitable combinational logic gate circuits, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), and so on.
Those skilled in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the related hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, may exist physically as separate units, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention without departing from the principles and spirit of the present invention. The scope of the present invention is defined by the claims and their equivalents.

Claims (36)

1. An information monitoring method, characterized in that it comprises:
A security device obtains an operation request and, after obtaining the operation request, obtains identification information, location information, a first authentication code and a first information output policy;
The security device, according to the first information output policy, performs first processing on a first information packet to obtain first processing information, and outputs the first processing information and the first information packet; wherein the first information packet is obtained by performing second processing on first information, and the first information comprises at least: the identification information, the location information and the first authentication code;
A background monitoring device receives the first processing information and the first information packet, and stores the first processing information and the first information packet.
2. The method according to claim 1, characterized in that
the first information output policy is the policy of outputting after encryption, and
the first processing is encryption; or
the first information output policy is the policy of outputting after signing, and
the first processing is signing.
3. The method according to claim 1 or 2, characterized in that the first information further comprises the operation request.
4. The method according to any one of claims 1 to 3, characterized in that the first authentication code is a random number, a time parameter or a dynamic password value.
5. The method according to any one of claims 1 to 4, characterized in that the step in which the background monitoring device receives the first processing information and the first information packet and stores the first processing information and the first information packet comprises:
The background monitoring device receives the first processing information and the first information packet, and obtains a first authentication policy;
The background monitoring device verifies the first processing information according to the first authentication policy;
The background monitoring device, after the first processing information passes verification, stores the first processing information and the first information packet.
6. The method according to claim 5, characterized in that the step in which the background monitoring device receives the first processing information and the first information packet and obtains the first authentication policy further comprises:
The background monitoring device obtains the first information after receiving the first processing information and the first information packet;
The background monitoring device obtains pre-set location range information and/or a pre-stored identification information group;
It judges whether the location information is within the location range information, and/or judges whether the identification information is within the identification information group;
If the location information is included in the location range information, and/or if the identification information is within the identification information group, it obtains the first authentication policy.
7. The method according to claim 5 or 6, characterized in that
when the first information output policy is the policy of outputting after encryption, the first authentication policy is the decrypt-and-verify policy matching the policy of outputting after encryption, or the first authentication policy is the encrypt-and-verify policy matching the policy of outputting after encryption;
when the first information output policy is the policy of outputting after signing, the first authentication policy is the signature-verification policy matching the policy of outputting after signing.
8. An information monitoring method, characterized in that it comprises:
A security device obtains an operation request and, after obtaining the operation request, obtains identification information and/or location information;
The security device verifies the identification information and/or the location information and, after verification passes, obtains a first authentication code and a first information output policy;
The security device, according to the first information output policy, performs first processing on a first information packet to obtain first processing information, and outputs the first processing information and the first information packet; wherein the first information packet is obtained by performing second processing on first information, and the first information comprises at least: the first authentication code and the location information;
A background monitoring device receives the first processing information and the first information packet, and stores the first processing information and the first information packet.
9. The method according to claim 8, characterized in that the step of verifying the identification information and/or the location information comprises:
Obtaining pre-stored identification information;
Verifying whether the identification information is consistent with the pre-stored identification information, and, if the identification information is consistent with the pre-stored identification information, determining that the identification information passes verification; and/or
Obtaining pre-stored location range information;
Verifying whether the location information is included in the pre-stored location range information, and, if the location information is within the pre-stored location range information, determining that the location information passes verification.
10. The method according to claim 8 or 9, characterized in that the step of obtaining identification information and location information after obtaining the operation request comprises:
The operation request comprises second processing information and a second information packet;
The second processing information is obtained by performing third processing on the second information packet, the second information packet is obtained by performing fourth processing on second information, and the second information comprises at least: the identification information and/or the location information;
After obtaining the operation request, verifying the second processing information according to the second information packet and, after verification passes, obtaining the identification information and/or the location information according to the second information packet.
11. The method according to claim 10, characterized in that the third processing is encryption or signing.
12. The method according to claim 10 or 11, characterized in that the second information further comprises a second authentication code.
13. The method according to claim 12, characterized in that the second authentication code is a random number, a time parameter or a dynamic password value.
14. The method according to any one of claims 8 to 13, characterized in that
the first information output policy is the policy of outputting after encryption, and
the first processing is encryption; or
the first information output policy is the policy of outputting after signing, and
the first processing is signing.
15. The method according to any one of claims 8 to 14, characterized in that the first information further comprises the operation request and/or the identification information.
16. The method according to any one of claims 8 to 15, characterized in that the first authentication code is a random number, a time parameter or a dynamic password value.
17. The method according to any one of claims 8 to 16, characterized in that the step in which the background monitoring device receives the first processing information and the first information packet and stores the first processing information and the first information packet comprises:
The background monitoring device receives the first processing information and the first information packet, and obtains a first authentication policy;
The background monitoring device verifies the first processing information according to the first authentication policy;
The background monitoring device, after the first processing information passes verification, stores the first processing information and the first information packet.
18. The method according to claim 17, characterized in that
when the first information output policy is the policy of outputting after encryption, the first authentication policy is the decrypt-and-verify policy matching the policy of outputting after encryption, or the first authentication policy is the encrypt-and-verify policy matching the policy of outputting after encryption;
when the first information output policy is the policy of outputting after signing, the first authentication policy is the signature-verification policy matching the policy of outputting after signing.
19. An information monitoring system, characterized in that it comprises: a security device and a background monitoring device;
The security device obtains an operation request and, after obtaining the operation request, obtains identification information, location information, a first authentication code and a first information output policy; according to the first information output policy it performs first processing on a first information packet to obtain first processing information, and outputs the first processing information and the first information packet; wherein the first information packet is obtained by performing second processing on first information, and the first information comprises at least: the identification information, the location information and the first authentication code;
The background monitoring device receives the first processing information and the first information packet, and stores the first processing information and the first information packet.
20. The system according to claim 19, characterized in that
the first information output policy is the policy of outputting after encryption, and
the first processing is encryption; or
the first information output policy is the policy of outputting after signing, and
the first processing is signing.
21. The system according to claim 19 or 20, characterized in that the first information further comprises the operation request.
22. The system according to any one of claims 19 to 21, characterized in that the first authentication code is a random number, a time parameter or a dynamic password value.
23. The system according to any one of claims 19 to 22, characterized in that the background monitoring device also, after receiving the first processing information and the first information packet, obtains a first authentication policy, verifies the first processing information according to the first authentication policy and, after the first processing information passes verification, stores the first processing information and the first information packet.
24. The system according to claim 23, characterized in that the background monitoring device, after receiving the first processing information and the first information packet, also obtains the first information, obtains pre-set location range information and/or a pre-stored identification information group, judges whether the location information is within the location range information and/or judges whether the identification information is within the identification information group, and, if the location information is included in the location range information and/or if the identification information is within the identification information group, obtains the first authentication policy.
25. The system according to claim 23 or 24, characterized in that
when the first information output policy is the policy of outputting after encryption, the first authentication policy is the decrypt-and-verify policy matching the policy of outputting after encryption, or the first authentication policy is the encrypt-and-verify policy matching the policy of outputting after encryption;
when the first information output policy is the policy of outputting after signing, the first authentication policy is the signature-verification policy matching the policy of outputting after signing.
26. An information monitoring system, characterized in that it comprises: a security device and a background monitoring device;
The security device obtains an operation request and, after obtaining the operation request, obtains identification information and/or location information, verifies the identification information and/or the location information and, after verification passes, obtains a first authentication code and a first information output policy; according to the first information output policy it performs first processing on a first information packet to obtain first processing information, and outputs the first processing information and the first information packet; wherein the first information packet is obtained by performing second processing on first information, and the first information comprises at least: the first authentication code and the location information;
The background monitoring device receives the first processing information and the first information packet, and stores the first processing information and the first information packet.
27. The system according to claim 26, characterized in that the security device also obtains pre-stored identification information and verifies whether the identification information is consistent with the pre-stored identification information, and, if the identification information is consistent with the pre-stored identification information, determines that the identification information passes verification; and/or obtains pre-stored location range information and verifies whether the location information is included in the pre-stored location range information, and, if the location information is within the pre-stored location range information, determines that the location information passes verification.
28. The system according to claim 26 or 27, characterized in that the operation request comprises second processing information and a second information packet; the second processing information is obtained by performing third processing on the second information packet, the second information packet is obtained by performing fourth processing on second information, and the second information comprises at least: the identification information and/or the location information;
The security device also, after obtaining the operation request, verifies the second processing information according to the second information packet and, after verification passes, obtains the identification information and/or the location information according to the second information packet.
29. The system according to claim 28, characterized in that the third processing is encryption or signing.
30. The system according to claim 28 or 29, characterized in that the second information further comprises a second authentication code.
31. The system according to claim 30, characterized in that the second authentication code is a random number, a time parameter or a dynamic password value.
32. The system according to any one of claims 26 to 31, characterized in that
the first information output policy is the policy of outputting after encryption, and
the first processing is encryption; or
the first information output policy is the policy of outputting after signing, and
the first processing is signing.
33. The system according to any one of claims 26 to 32, characterized in that the first information further comprises the operation request and/or the identification information.
34. The system according to any one of claims 26 to 33, characterized in that the first authentication code is a random number, a time parameter or a dynamic password value.
35. The system according to any one of claims 26 to 34, characterized in that the background monitoring device also, after receiving the first processing information and the first information packet, obtains a first authentication policy, verifies the first processing information according to the first authentication policy and, after the first processing information passes verification, stores the first processing information and the first information packet.
36. The system according to claim 35, characterized in that
when the first information output policy is the policy of outputting after encryption, the first authentication policy is the decrypt-and-verify policy matching the policy of outputting after encryption, or the first authentication policy is the encrypt-and-verify policy matching the policy of outputting after encryption;
when the first information output policy is the policy of outputting after signing, the first authentication policy is the signature-verification policy matching the policy of outputting after signing.

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201310344047.5A CN103414567B (en) 2013-08-08 2013-08-08 Information monitoring method and system
PCT/CN2014/083343 WO2015018292A1 (en) 2013-08-08 2014-07-30 Method and system for information monitoring
PCT/CN2014/083335 WO2015018291A1 (en) 2013-08-08 2014-07-30 Output method and security device, response method and system, and execution method and system


Publications (2)

Publication Number Publication Date
CN103414567A true CN103414567A (en) 2013-11-27
CN103414567B CN103414567B (en) 2016-09-07

Family

ID=49607553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310344047.5A Active CN103414567B (en) 2013-08-08 2013-08-08 Information monitoring method and system

Country Status (1)

Country Link
CN (1) CN103414567B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015018291A1 (en) * 2013-08-08 2015-02-12 天地融科技股份有限公司 Output method and security device, response method and system, and execution method and system
CN107833321A (en) * 2017-11-01 2018-03-23 潍柴动力股份有限公司 Device binding and unbinding method, vehicle locking method and related device
WO2018218535A1 (en) * 2017-05-31 2018-12-06 华为技术有限公司 Information processing method, device and system
CN109379190A (en) * 2018-12-19 2019-02-22 世纪龙信息网络有限责任公司 Method for distributing key, device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1851740A (en) * 2006-06-02 2006-10-25 上海华申智能卡应用系统有限公司 Bank net business processing method based on traditional terminal transaction form
CN101626295A (en) * 2008-07-08 2010-01-13 中国移动通信集团公司 Method, device and system for guaranteeing security of network logon
WO2012087582A2 (en) * 2010-12-21 2012-06-28 Intel Corporation Secure and private location
CN102882686A (en) * 2012-10-09 2013-01-16 北京深思洛克软件技术股份有限公司 Authentication method and authentication device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015018291A1 (en) * 2013-08-08 2015-02-12 天地融科技股份有限公司 Output method and security device, response method and system, and execution method and system
WO2015018292A1 (en) * 2013-08-08 2015-02-12 天地融科技股份有限公司 Method and system for information monitoring
WO2018218535A1 (en) * 2017-05-31 2018-12-06 华为技术有限公司 Information processing method, device and system
CN110603797A (en) * 2017-05-31 2019-12-20 华为技术有限公司 Information processing method, device and system
CN107833321A (en) * 2017-11-01 2018-03-23 潍柴动力股份有限公司 Device binding and unbinding method, vehicle locking method and related device
CN109379190A (en) * 2018-12-19 2019-02-22 世纪龙信息网络有限责任公司 Method for distributing key, device, computer equipment and storage medium
CN109379190B (en) * 2018-12-19 2021-09-21 世纪龙信息网络有限责任公司 Key distribution method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN103414567B (en) 2016-09-07

Similar Documents

Publication Publication Date Title
KR102538435B1 (en) Secure communication between electronic control units in the vehicle
CN109309565B (en) Security authentication method and device
US8953790B2 (en) Secure generation of a device root key in the field
EP3001598B1 (en) Method and system for backing up private key in electronic signature token
CN108632250B (en) Method and equipment for generating command control session master key and transmitting operation command
EP2866166A1 (en) Systems and methods for enforcing third party oversight data anonymization
US9716591B2 (en) Method for setting up a secure connection between clients
CN112528250B (en) System and method for realizing data privacy and digital identity through block chain
EP3001599B1 (en) Method and system for backing up private key of electronic signature token
CN108650220B (en) Method and equipment for issuing and acquiring mobile terminal certificate and automobile end chip certificate
CN110050437A (en) Device and method for distributed certificate registration
CN103678174A (en) Data safety method, storage device and data safety system
CN111343613A (en) Method and apparatus to establish secure low energy wireless communication in a process control system
CN105959648B (en) Encryption method, device and video monitoring system
KR20140023799A (en) Method for guarantying the confidentiality and integrity of a data in controller area networks
CN103414567A (en) Information monitoring method and system
CN110383755A (en) Network device and trusted third party device
CN110611679A (en) Data transmission method, device, equipment and system
CN105871858A (en) Method and system for ensuring high data safety
CN103138923A (en) Method, device and system for internodal authentication
CN105959249A (en) Method and system for management of electronic device
CN103248490B (en) Method and system for backing up information in an electronic signature token
CN115801232A (en) Private key protection method, device, equipment and storage medium
CN112995140B (en) Safety management system and method
CN112702170A (en) Management method, management system, viewing method and viewing terminal for vehicle data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant