CN103414567B - Information monitoring method and system - Google Patents

Publication number: CN103414567B
Authority: CN (China)
Prior art keywords: information, packet, output, policy, strategy
Legal status: Active
Application number: CN201310344047.5A
Other languages: Chinese (zh)
Other versions: CN103414567A (en)
Inventor: 李东声
Current Assignee: Tendyron Technology Co Ltd
Original Assignee: Tendyron Technology Co Ltd
Application filed by Tendyron Technology Co Ltd
Priority to CN201310344047.5A
Publication of CN103414567A
Priority to PCT/CN2014/083335 (WO2015018291A1)
Priority to PCT/CN2014/083343 (WO2015018292A1)
Application granted
Publication of CN103414567B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides an information monitoring method and system. The information monitoring method includes: a security device obtains an operation request, and obtains identification information, location information, a first authentication code and a first information output policy; according to the first information output policy, it performs first processing on a first information packet to obtain first processed information, and outputs the first processed information and the first information packet, where the first information packet is obtained by performing second processing on first information, and the first information includes at least the identification information, the location information and the first authentication code; a background monitoring device receives the first processed information and the first information packet, and saves them. Because the background monitoring device monitors the request information sent by the security device, it can learn who sent the request and from where, which improves the security of information acquisition or opening operations to a certain extent.

Description

Information monitoring method and system
Technical field
The present invention relates to the field of information security, and in particular to an information monitoring method and system.
Background art
At present, with the development of networks, obtaining information over a network satisfies people's demand for information resources well and greatly facilitates access to them.
However, as obtaining information resources over a network becomes widespread, more and more information can be obtained by anyone, anywhere, in any form. This is unsuitable for some sensitive information. At present such sensitive information is usually encrypted by the publisher of the information resource, and the decryption method is given only to those authorized to obtain it, so that they can obtain the sensitive information.
Although sensitive information can be obtained more securely in this way, it is not possible to learn who obtained the information, or where. As hackers' techniques become more sophisticated, intercepting the decryption method is easy, and impersonating an authorized person to obtain the sensitive information is possible. It can be seen that there is not yet a suitable way of monitoring the channels through which sensitive information is obtained so as to improve the security of sensitive information acquisition.
In addition, some existing devices can be opened at will: anyone can open the device anywhere, which easily creates the risk that information in the device, or the device itself, is stolen. For example, once a car is stolen it often cannot be recovered, which causes a loss to the owner.
Therefore, a method is needed that can monitor who obtains a sensitive information resource and where, or who opens a device and where, so as to monitor information acquisition or device opening.
Summary of the invention
The present invention aims to solve one of the security problems caused by existing acquisition operations or opening operations not being monitored.
One object of the present invention is to provide an information monitoring method;
Another object of the present invention is to provide an information monitoring system.
To achieve the above objects, the technical solution of the present invention is implemented as follows:
One aspect of the present invention provides an information monitoring method, including: a security device obtains an operation request and, after obtaining the operation request, obtains identification information, location information, a first authentication code and a first information output policy; the security device performs first processing on a first information packet according to the first information output policy to obtain first processed information, and outputs the first processed information and the first information packet, where the first information packet is obtained by performing second processing on first information, and the first information includes at least the identification information, the location information and the first authentication code; a background monitoring device receives the first processed information and the first information packet, and saves the first processed information and the first information packet.
In addition, the first information output policy is a policy of outputting after encryption and the first processing is encryption processing; or the first information output policy is a policy of outputting after signing and the first processing is signature processing.
In addition, the first information further includes the operation request.
In addition, the first authentication code is a random number, a time parameter or a dynamic password value.
In addition, the step in which the background monitoring device receives the first processed information and the first information packet and saves them includes: the background monitoring device receives the first processed information and the first information packet and obtains a first authentication policy; the background monitoring device verifies the first processed information according to the first authentication policy; after the first processed information passes verification, the background monitoring device saves the first processed information and the first information packet.
In addition, the step in which the background monitoring device receives the first processed information and the first information packet and obtains the first authentication policy further includes: after receiving the first processed information and the first information packet, the background monitoring device obtains the first information; the background monitoring device obtains preset location range information and/or a pre-stored identification information group; it judges whether the location information is within the location range information, and/or judges whether the identification information is in the identification information group; if the location information is within the location range information, and/or the identification information is in the identification information group, the first authentication policy is obtained.
In addition, when the first information output policy is the policy of outputting after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of outputting after encryption, or a policy of encrypting and verifying that matches the policy of outputting after encryption; when the first information output policy is the policy of outputting after signing, the first authentication policy is a signature verification policy that matches the policy of outputting after signing.
One aspect of the present invention further provides another information monitoring method, including: a security device obtains an operation request and, after obtaining the operation request, obtains identification information and/or location information; the security device verifies the identification information and/or the location information and, after the verification passes, obtains a first authentication code and a first information output policy; the security device performs first processing on a first information packet according to the first information output policy to obtain first processed information, and outputs the first processed information and the first information packet, where the first information packet is obtained by performing second processing on first information, and the first information includes at least the first authentication code and the location information; a background monitoring device receives the first processed information and the first information packet, and saves the first processed information and the first information packet.
In addition, the step of verifying the identification information and/or the location information includes: obtaining pre-stored identification information; verifying whether the identification information is consistent with the pre-stored identification information and, if so, determining that the identification information passes verification; and/or obtaining pre-stored location range information; verifying whether the location information is within the pre-stored location range information and, if so, determining that the location information passes verification.
In addition, the step of obtaining the identification information and the location information after obtaining the operation request includes: the operation request contains second processed information and a second information packet; the second processed information is obtained by performing third processing on the second information packet, the second information packet is obtained by performing fourth processing on second information, and the second information includes at least the identification information and/or the location information; after the operation request is obtained, the second processed information is verified according to the second information packet and, after the verification passes, the identification information and/or the location information is obtained from the second information packet.
In addition, the third processing is encryption processing or signature processing.
In addition, the second information further includes a second authentication code.
In addition, the second authentication code is a random number, a time parameter or a dynamic password value.
In addition, the first information output policy is a policy of outputting after encryption and the first processing is encryption processing; or the first information output policy is a policy of outputting after signing and the first processing is signature processing.
In addition, the first information further includes the operation request and/or the identification information.
In addition, the first authentication code is a random number, a time parameter or a dynamic password value.
In addition, the step in which the background monitoring device receives the first processed information and the first information packet and saves them includes: the background monitoring device receives the first processed information and the first information packet and obtains a first authentication policy; the background monitoring device verifies the first processed information according to the first authentication policy; after the first processed information passes verification, the background monitoring device saves the first processed information and the first information packet.
In addition, when the first information output policy is the policy of outputting after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of outputting after encryption, or a policy of encrypting and verifying that matches the policy of outputting after encryption; when the first information output policy is the policy of outputting after signing, the first authentication policy is a signature verification policy that matches the policy of outputting after signing.
Another aspect of the present invention provides an information monitoring system, including a security device and a background monitoring device. The security device obtains an operation request and, after obtaining the operation request, obtains identification information, location information, a first authentication code and a first information output policy; according to the first information output policy, it performs first processing on a first information packet to obtain first processed information, and outputs the first processed information and the first information packet, where the first information packet is obtained by performing second processing on first information, and the first information includes at least the identification information, the location information and the first authentication code. The background monitoring device receives the first processed information and the first information packet, and saves the first processed information and the first information packet.
In addition, the first information output policy is a policy of outputting after encryption and the first processing is encryption processing; or the first information output policy is a policy of outputting after signing and the first processing is signature processing.
In addition, the first information further includes the operation request.
In addition, the first authentication code is a random number, a time parameter or a dynamic password value.
In addition, after receiving the first processed information and the first information packet, the background monitoring device further obtains a first authentication policy, verifies the first processed information according to the first authentication policy and, after the first processed information passes verification, saves the first processed information and the first information packet.
In addition, after receiving the first processed information and the first information packet, the background monitoring device further obtains the first information, obtains preset location range information and/or a pre-stored identification information group, and judges whether the location information is within the location range information, and/or judges whether the identification information is in the identification information group; if the location information is within the location range information, and/or the identification information is in the identification information group, it obtains the first authentication policy.
In addition, when the first information output policy is the policy of outputting after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of outputting after encryption, or a policy of encrypting and verifying that matches the policy of outputting after encryption; when the first information output policy is the policy of outputting after signing, the first authentication policy is a signature verification policy that matches the policy of outputting after signing.
Another aspect of the present invention further provides another information monitoring system, including a security device and a background monitoring device. The security device obtains an operation request and, after obtaining the operation request, obtains identification information and/or location information, verifies the identification information and/or the location information and, after the verification passes, obtains a first authentication code and a first information output policy; according to the first information output policy, it performs first processing on a first information packet to obtain first processed information, and outputs the first processed information and the first information packet, where the first information packet is obtained by performing second processing on first information, and the first information includes at least the first authentication code and the location information. The background monitoring device receives the first processed information and the first information packet, and saves the first processed information and the first information packet.
In addition, the security device further obtains pre-stored identification information, verifies whether the identification information is consistent with the pre-stored identification information and, if so, determines that the identification information passes verification; and/or obtains pre-stored location range information, verifies whether the location information is within the pre-stored location range information and, if so, determines that the location information passes verification.
In addition, when the operation request contains second processed information and a second information packet, where the second processed information is obtained by performing third processing on the second information packet, the second information packet is obtained by performing fourth processing on second information, and the second information includes at least the identification information and/or the location information, the security device further, after obtaining the operation request, verifies the second processed information according to the second information packet and, after the verification passes, obtains the identification information and/or the location information from the second information packet.
In addition, the third processing is encryption processing or signature processing.
In addition, the second information further includes a second authentication code.
In addition, the second authentication code is a random number, a time parameter or a dynamic password value.
In addition, the first information output policy is a policy of outputting after encryption and the first processing is encryption processing; or the first information output policy is a policy of outputting after signing and the first processing is signature processing.
In addition, the first information further includes the operation request and/or the identification information.
In addition, the first authentication code is a random number, a time parameter or a dynamic password value.
In addition, after receiving the first processed information and the first information packet, the background monitoring device further obtains a first authentication policy, verifies the first processed information according to the first authentication policy and, after the first processed information passes verification, saves the first processed information and the first information packet.
In addition, when the first information output policy is the policy of outputting after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of outputting after encryption, or a policy of encrypting and verifying that matches the policy of outputting after encryption; when the first information output policy is the policy of outputting after signing, the first authentication policy is a signature verification policy that matches the policy of outputting after signing.
As can be seen from the technical solution provided above, with the information monitoring method and system of the present invention, the background monitoring device can monitor the request information sent by the security device, so as to monitor acquisition operation requests or opening operation requests; it can thereby learn who sent the request and from where, which improves the security of information acquisition or opening operations to a certain extent.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the information monitoring method provided by Embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of the information monitoring system provided by Embodiment 1 of the present invention;
Fig. 3 is a flowchart of the information monitoring method provided by Embodiment 2 of the present invention;
Fig. 4 is a schematic structural diagram of the information monitoring method provided by Embodiment 2 of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the description of the present invention, it should be understood that orientations or positional relationships indicated by terms such as "center", "longitudinal", "lateral", "up", "down", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings. They are used only for convenience in describing the present invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they therefore cannot be understood as limiting the present invention. In addition, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "install", "connected with" and "connect" should be understood broadly: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; or an internal connection between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
Fig. 1 shows a flowchart of the information monitoring method of Embodiment 1 of the present invention. Referring to Fig. 1, the information monitoring method of this embodiment includes:
Step S101: the security device obtains an operation request and, after obtaining the operation request, obtains identification information, location information, a first authentication code and a first information output policy;
Specifically, the security device may obtain an operation request. The operation request may be a request to obtain sensitive information or a request to open (start) a car; of course, any request that involves secure acquisition or a secure opening operation can be an operation request of the present invention.
Of course, the security device of the present invention may be bound to a controlled device. For example, the security device may be bound to a sensitive information storage device or to a car. Binding to the controlled device ensures a unique association between the controlled device and the security device and improves the security of information transmission between them.
After obtaining the operation request, the security device may obtain the identification information of the controlled device bound to it. This identification information may be obtained from the bound controlled device or may be pre-stored in the security device; it may be a serial number or other information that serves as a unique identifier. Obtaining the identification information makes it convenient for the security device and the background monitoring device to obtain information related to the controlled device according to it.
In addition, a positioning module may be provided in the security device, and the location information obtained from it; alternatively, the positioning module may be provided in the controlled device, and the security device obtains the location information from the controlled device. The positioning module may be any of the following: GPS, AGPS, BeiDou positioning, etc. Providing the positioning module in the security device increases the speed at which the security device obtains location information; providing it in the controlled device reduces the number of modules in the security device, shortens the flow and increases the processing speed of the security device.
In addition, the security device also obtains the first authentication code. The first authentication code may be: a random number generated by a random number generator provided in the security device; a time parameter produced by a clock provided in the security device; a dynamic password value generated by a dynamic password generation module provided in the security device; a preset static password that the user enters through the keypad of the security device (in order to ensure that the parameter obtained is different each time, the user may be prompted to reset the static password after each acquisition is completed); or a dynamic password generated by a dynamic password token bound to the security device, which the user enters through the keypad of the security device. Of course, the first authentication code of the present invention is not limited to the above; it may be any combination of the above parameters, and any parameter that differs each time it is obtained can serve as the first authentication code. Obtaining a first authentication code that differs each time avoids the situation in which every request is identical because the information sent is identical, which improves security.
Of course, the security device also obtains the first information output policy, which may be a policy of outputting after encryption or a policy of outputting after signing. The policy of outputting after encryption ensures the security and verifiability of information transmission; the policy of outputting after signing, besides ensuring the security and verifiability of information transmission, also ensures the non-repudiation of the sending of the information.
Step S102: the security device performs first processing on the first information packet according to the first information output policy to obtain first processed information, and outputs the first processed information and the first information packet, where the first information packet is obtained by performing second processing on first information, and the first information includes at least the identification information, the location information and the first authentication code;
Specifically, when the first information output policy is the policy of outputting after encryption, the first processing of the first information packet may be encryption processing of the first information packet. This encryption processing may use a symmetric encryption algorithm or an asymmetric encryption algorithm. For example, it may compute a MAC value of the first information packet, compute a HASH value of the first information packet, or take a truncated part of the computed MAC value or HASH value.
When the first information output policy is the policy of outputting after signing, the first processing of the first information packet may be: signing the first information packet with the private key of the security device.
The first information packet is obtained by performing second processing on the first information. The second processing may be either of the following:
(1) Simply adding a source address and a destination address to the first information, keeping the identification information, the location information and the first authentication code in plaintext. In this case only plaintext is transmitted, which facilitates subsequent authentication and simplifies the flow.
(2) Encrypting at least the first authentication code in the first information. After the first authentication code is encrypted with an encryption algorithm, it can be decrypted with the corresponding decryption algorithm. For example: the first authentication code is encrypted while the identification information and the location information are kept in plaintext, or the location information and the first authentication code are encrypted while the identification information is kept in plaintext, or any other such combination. Encrypting the first authentication code prevents it from being cracked during transmission and improves transmission security.
In addition, the first information may also include the operation request, so that the operation request can also be verified subsequently, to ensure its authenticity.
Step S103: the background monitoring equipment receives the first process information and the first information packet, and saves the first process information and the first information packet.
Specifically, after receiving the first process information and the first information packet, the background monitoring equipment may store them directly, which simplifies the flow of the background monitoring equipment.
Alternatively, after receiving the first process information and the first information packet, the background monitoring equipment may verify the first process information and store the first process information and the first information packet only after the verification passes; if the verification fails, it raises an alarm or locks the controlled device bound to the safety means. Storing only after the authenticity of the source of the first process information and the first information packet is assured improves control and monitoring, and also improves the security of acquiring information from the controlled device or of unlocking the controlled device.
If the background monitoring equipment verifies the first process information, it may do so as follows:
The background monitoring equipment receives the first process information and the first information packet, obtains the first authentication policy, verifies the first process information according to the first authentication policy, and, after the verification passes, saves the first process information and the first information packet.
The first authentication policy must match the first information output policy:
When the first information output policy is the policy of output after encryption: if the first information output policy encrypts with a symmetric encryption algorithm, the first authentication policy is a decrypt-and-verify policy matching the policy of output after encryption; if the first information output policy encrypts with an asymmetric algorithm, the first authentication policy is an encrypt-and-verify policy matching the policy of output after encryption.
When the first information output policy is the policy of output after signature, the first authentication policy is the signature verification policy matching it, for example using the public key of the safety means and the first information packet to verify the signature in the first process information. Only when the signature verification passes does the background monitoring equipment consider the safety means verified, and only then is the save operation performed, which improves security.
Specifically, when the background monitoring equipment verifies the first process information according to the first authentication policy, it may verify the first process information using the first authentication code obtained from the first information; it may negotiate with the safety means in advance, pre-store an authentication code identical to the first authentication code sent by the safety means, and use that pre-stored authentication code to verify the first process information; or it may negotiate with the safety means in advance, generate an authentication code using the same authentication code generation method, and use the generated authentication code to verify the first process information. Whichever verification method is used, as long as it achieves the purpose of verifying the first process information, it falls within the protection scope of the present invention.
In addition, when the background monitoring equipment receives the first process information and the first information packet and obtains the first authentication policy, the procedure may also include verification of the location information, of the identification information, or of both. The verification may be implemented in one of the following modes:
Mode one: after receiving the first process information and the first information packet, the background monitoring equipment obtains the first information and the preset orientation range information, and judges whether the location information falls within the orientation range information; if it does, the background monitoring equipment obtains the first authentication policy.
Mode two: after receiving the first process information and the first information packet, the background monitoring equipment obtains the first information and the pre-stored identification information group, and judges whether the identification information is in the identification information group; if it is, the background monitoring equipment obtains the first authentication policy.
Mode three: after receiving the first process information and the first information packet, the background monitoring equipment obtains the first information, the preset orientation range information and the pre-stored identification information group, and judges whether the location information falls within the orientation range information and whether the identification information is in the identification information group; if both conditions hold, the background monitoring equipment obtains the first authentication policy.
Specifically, after receiving the first process information and the first information packet output by the safety means, the background monitoring equipment obtains the first information in a manner matching the second process that was used:
(1) When the second process simply adds a source address and a destination address to the first information and keeps the identification information, the location information and the first authentication code in plaintext, the background monitoring equipment obtains the first information directly from the received first information packet, and thereby the identification information, the location information and the first authentication code. This simplifies the acquisition flow and improves acquisition speed.
(2) When the second process encrypts at least the first authentication code in the first information, the background monitoring equipment decrypts the encrypted first authentication code to obtain it. For example, the first information is decrypted to obtain the first authentication code, or to obtain the location information, or to obtain the identification information, or in any other such manner. At least the first authentication code is decrypted, so that the first process information can subsequently be verified.
In addition, the background monitoring equipment also obtains the preset orientation range information, which ensures that only requests sent from within this orientation range are verified and monitored. The subsequent verification of the first process information is carried out only when the location information falls within the orientation range information, which simplifies the flow and improves processing efficiency.
The background monitoring equipment also obtains the pre-stored identification information group, which ensures that only requests sent by controlled devices whose identification information is monitored by the background monitoring equipment are verified and monitored, improving security. The subsequent verification of the first process information is carried out only when the identification information is in the identification information group, which simplifies the flow and improves processing efficiency.
It can be seen that, with the information monitoring method of the present invention, the background monitoring equipment monitors the request information sent by the safety means, and thereby monitors acquisition operation requests or opening operation requests, so that it can be learned who sent a request and from where, which improves the security of information acquisition or of the opening operation to a certain extent.
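The flow of steps S101 to S103, with the MAC variant of the first process, plaintext option (1) of the second process and the mode-three checks on the monitoring side, as an added example that is not code from the patent. The key, identifiers, coordinate box, JSON packet layout and all function and class names are constructed assumptions; the replay check on the first authentication code and the choice to verify the MAC before reading any field are also assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values (assumptions, not taken from the patent).
SHARED_KEY = b"constructed-demo-key-0123456789ab"
ID_GROUP = {"CAR-0001", "VAULT-0042"}       # pre-stored identification information group
RANGE = (39.80, 40.10, 116.20, 116.60)      # lat_min, lat_max, lon_min, lon_max


def safety_means_output(key, ident, lat, lon, operation):
    """Steps S101-S102: build the first information packet and its MAC."""
    first_information = {
        "id": ident,
        "loc": [lat, lon],
        "auth_code": secrets.token_hex(16),  # random first authentication code
        "op": operation,
    }
    # Second process, option (1): plaintext fields plus source/destination addresses.
    packet = json.dumps(
        {"src": "safety-means", "dst": "monitor", "info": first_information},
        sort_keys=True,
    ).encode()
    # First process: MAC over the exact bytes that will be transmitted.
    processed = hmac.new(key, packet, hashlib.sha256).digest()
    return processed, packet


class BackgroundMonitor:
    """Step S103 with verification before storage."""

    def __init__(self, key, id_group, loc_range):
        self.key = key
        self.id_group = id_group
        self.loc_range = loc_range
        self.seen_codes = set()  # assumption: remember codes to reject replays
        self.stored = []         # (processed, packet) pairs kept for audit
        self.alarms = []         # packets whose MAC did not verify

    def receive(self, processed, packet):
        # Recompute the MAC over the raw bytes and compare in constant time,
        # so that unauthenticated fields are never parsed or trusted.
        expected = hmac.new(self.key, packet, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, processed):
            self.alarms.append(packet)
            return "alarm: MAC mismatch"
        try:
            info = json.loads(packet)["info"]
            ident, code = str(info["id"]), str(info["auth_code"])
            lat, lon = (float(v) for v in info["loc"])
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed packet"
        # Mode three: both the range check and the group check must pass.
        lat_min, lat_max, lon_min, lon_max = self.loc_range
        if not (lat_min <= lat <= lat_max and lon_min <= lon <= lon_max):
            return "rejected: location outside range"
        if ident not in self.id_group:
            return "rejected: unknown identification"
        if code in self.seen_codes:
            return "rejected: replayed authentication code"
        self.seen_codes.add(code)
        self.stored.append((processed, packet))
        return "stored"
```

The set of accepted requests is the same as under mode three; only the order of the checks differs, so a forged packet is reported as a MAC failure rather than silently dropped by the range filter.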
Fig. 2 shows a schematic structural diagram of the information monitoring system of Embodiment 1 of the present invention. Only a brief description of the structure is given here. Each component of the information monitoring system may be divided into several modules performing different functions, or all functions may be performed by one integrated chip; the possibilities are too numerous to list, and the present embodiment divides the system only in a simple way. Referring to Fig. 2, the information monitoring system of the present embodiment includes safety means 10 and background monitoring equipment 20. The safety means 10 outputs information using steps S101 to S102 shown in Fig. 1, and the background monitoring equipment 20 monitors information using step S103 shown in Fig. 1; the details are not repeated here, and only the function of each component is briefly described:
The safety means 10 obtains an operation request and, after obtaining it, obtains the identification information, the location information, the first authentication code and the first information output policy; performs the first process on the first information packet according to the first information output policy to obtain the first process information; and outputs the first process information and the first information packet. The first information packet is obtained by performing the second process on the first information, and the first information includes at least the identification information, the location information and the first authentication code. The first information may also include the operation request, and the first authentication code may be a random number, a time parameter or a dynamic password value.
The background monitoring equipment 20 receives the first process information and the first information packet, and saves the first process information and the first information packet.
The first information output policy is the policy of output after encryption and the first process is encryption; or the first information output policy is the policy of output after signature and the first process is signature processing.
In addition, after receiving the first process information and the first information packet, the background monitoring equipment 20 may also obtain the first authentication policy, verify the first process information according to the first authentication policy, and save the first process information and the first information packet after the verification passes.
After receiving the first process information and the first information packet, the background monitoring equipment 20 may also obtain the first information, obtain the preset orientation range information and/or the pre-stored identification information group, and judge whether the location information falls within the orientation range information and/or whether the identification information is in the identification information group; if the location information falls within the orientation range information and/or the identification information is in the identification information group, it obtains the first authentication policy.
In this case, when the first information output policy is the policy of output after encryption, the first authentication policy is a decrypt-and-verify policy matching the policy of output after encryption, or an encrypt-and-verify policy matching the policy of output after encryption; when the first information output policy is the policy of output after signature, the first authentication policy is the signature verification policy matching the policy of output after signature.
It can be seen that, with the information monitoring system of the present invention, the background monitoring equipment monitors the request information sent by the safety means, and thereby monitors acquisition operation requests or opening operation requests, so that it can be learned who sent a request and from where, which improves the security of information acquisition or of the opening operation to a certain extent.
Embodiment 2
Fig. 3 shows a flow chart of the information monitoring method of Embodiment 2 of the present invention. Referring to Fig. 3, the information monitoring method of the present embodiment includes:
Step S301: the safety means obtains an operation request and, after obtaining it, obtains identification information and/or location information.
Specifically, the safety means obtains an operation request, which may be a request to obtain sensitive information or a request to open a car. Any request that involves secure acquisition or a secure opening operation can be an operation request of the present invention.
The safety means of the present invention may be bound to a controlled device; for example, the safety means may be bound to a sensitive information storage device or to a car. Binding ensures a unique association between the controlled device and the safety means and improves the security of information transmission between them.
In addition, after obtaining the operation request, the safety means may obtain the identification information of the controlled device bound to it. This identification information may be obtained from the bound controlled device, for example by being carried in the operation request. The identification information may be any information with a unique identifying function, such as the serial number of the controlled device. Obtaining the identification information allows the background system server to know subsequently which device requires its verification.
The safety means may also obtain location information. The location information may be carried in the operation request and generated by a locating module provided in the controlled device, or the safety means may obtain it from a locating module provided in the safety means. The locating module may be any one of the following: GPS, AGPS, BeiDou positioning, and so on. Providing the locating module in the safety means increases the speed at which the safety means obtains the location information; providing it in the controlled device reduces the number of modules in the safety means, simplifies the flow, and increases the processing speed of the safety means.
The safety means of the present invention may obtain only the identification information, only the location information, or both. Whether one kind of information or both kinds are obtained, it suffices that the safety means can subsequently verify the controlled device.
In addition, in the present invention this step may also include an operation in which the safety means verifies the legitimacy and authenticity of the controlled device. For example:
The operation request may contain second process information and a second information packet, where the second process information is obtained by performing a third process on the second information packet, the second information packet is obtained by performing a fourth process on the second information, and the second information includes at least the identification information and/or the location information.
The third process may be encryption or signature processing. When the third process is encryption, a symmetric encryption algorithm or an asymmetric encryption algorithm may be used. For example, it may compute the MAC value of the second information packet, compute the HASH value of the second information packet, or take part of the computed MAC value or HASH value. When the third process is signature processing, the controlled device may sign the second information packet with the private key of the controlled device.
The fourth process may be any one of the following:
(1) A source address and a destination address are simply added to the second information, and the identification information and/or the location information are kept in plaintext. Only plaintext is transmitted, which facilitates subsequent authentication and simplifies the flow.
(2) The identification information and/or the location information in the second information are encrypted. After the identification information and/or the location information are encrypted with an encryption algorithm, they can be recovered with the corresponding decryption algorithm. Encrypting the identification information and/or the location information prevents them from being cracked during transmission and improves transmission security.
In this case, after obtaining the operation request, the safety means may verify the second process information according to the second information packet and, after the verification passes, obtain the identification information and/or the location information from the second information packet. When the safety means verifies the second process information: if the third process is encryption, the safety means may decrypt the second process information to verify it, or may encrypt the second information packet to verify the second process information; if the third process is signature processing, the safety means may verify the signature in the second process information, for example using the public key of the controlled device and the second information packet.
In addition, depending on the fourth process, the safety means may obtain the identification information and/or the location information in the following different ways:
(1) When the fourth process simply adds a source address and a destination address to the second information and keeps the identification information and/or the location information in plaintext, the safety means obtains the second information directly from the received second information packet, and thereby the identification information and/or the location information. This simplifies the acquisition flow and improves acquisition speed.
(2) When the fourth process encrypts the identification information and/or the location information in the second information, the safety means may decrypt the encrypted information to obtain the identification information and/or the location information, which ensures the authenticity of the identification information and/or the location information.
To ensure that the second information packet differs each time, the second information may also include a second authentication code. The second authentication code may be a random number, a time parameter or a dynamic password value, for example:
The second authentication code may be a random number generated by a random number generator provided in the controlled device; a time parameter produced by a clock provided in the controlled device; a dynamic password value generated by a dynamic password generation module provided in the controlled device; a preset static password that the user enters through the keyboard of the controlled device (to ensure that the parameter obtained differs each time, the user may be prompted to reset the static password after each acquisition); or a dynamic password generated by a dynamic password token bound to the controlled device and entered by the user through the keyboard of the controlled device. The second authentication code of the present invention is not limited to the foregoing: it may be any combination of the above parameters, and any parameter that differs on each acquisition can be used by the controlled device as the second authentication code. Because the second authentication code differs each time, no two requests are identical even when the rest of the information sent is the same, which improves security.
In the present invention, to support subsequent verification that uses signature processing, the controlled device may store the private key of the controlled device and the public key of the safety means, the safety means may store the public key of the controlled device and the private key of the safety means, and the background monitoring equipment may store the public key of the safety means, and so on.
Step S302: the safety means verifies the identification information and/or the location information and, after the verification passes, obtains the first authentication code and the first information output policy.
After obtaining the identification information and/or the location information, the safety means must also verify them, so that the safety means verifies the controlled device. Only after the safety means has verified the controlled device does it output information to the background system server, which ensures the authenticity of the operation request.
In the present invention, the safety means may verify the identification information as follows: it obtains the pre-stored identification information and checks whether the received identification information is consistent with it; if they are consistent, the verification of the identification information passes. Only after the identification information is verified can the safety means determine the authenticity of the controlled device and perform the subsequent operation; otherwise the subsequent opening or acquisition operation is not performed.
The safety means may verify the location information as follows: it obtains the pre-stored orientation range information and checks whether the location information falls within it; if it does, the verification of the location information passes. Only after the location information is verified can the safety means determine that the controlled device is within the permitted orientation range and perform the subsequent operation; otherwise the subsequent opening or acquisition operation is not performed.
In addition, the safety means also obtains the first authentication code. The first authentication code may be a random number generated by a random number generator provided in the safety means; a time parameter produced by a clock provided in the safety means; a dynamic password value generated by a dynamic password generation module provided in the safety means; a preset static password that the user enters through the keyboard of the safety means (to ensure that the parameter obtained differs each time, the user may be prompted to reset the static password after each acquisition); or a dynamic password generated by a dynamic password token bound to the safety means and entered by the user through the keyboard of the safety means. The first authentication code of the present invention is not limited to the foregoing: it may be any combination of the above parameters, and any parameter that differs on each acquisition can serve as the first authentication code. Because the first authentication code differs each time, no two requests are identical even when the rest of the information sent is the same, which improves security.
The safety means also obtains the first information output policy, which may be a policy of output after encryption or a policy of output after signature. The policy of output after encryption ensures the security and verifiability of information transmission; the policy of output after signature, in addition to ensuring the security and verifiability of information transmission, also ensures the non-repudiation of the information sent.
Step S303: the safety means performs the first process on the first information packet according to the first information output policy to obtain the first process information, and outputs the first process information and the first information packet. The first information packet is obtained by performing the second process on the first information, and the first information includes at least the first authentication code and the location information.
Specifically, when the first information output policy is the policy of output after encryption, the first process performed on the first information packet may be encryption of the first information packet. The encryption may use a symmetric encryption algorithm or an asymmetric encryption algorithm. For example, it may compute the MAC value of the first information packet, compute the HASH value of the first information packet, or take part of the computed MAC value or HASH value.
When the first information output policy is the policy of output after signature, the first process performed on the first information packet may be signing the first information packet with the private key of the safety means.
The first information packet is obtained by performing the second process on the first information. The second process may be any one of the following:
(1) A source address and a destination address are simply added to the first information, and the first authentication code and the location information are kept in plaintext. Only plaintext is transmitted, which facilitates subsequent authentication and simplifies the flow.
(2) At least the first authentication code in the first information is encrypted. After the first authentication code is encrypted with an encryption algorithm, it can be recovered with the corresponding decryption algorithm. Encrypting the first authentication code prevents it from being cracked during transmission and improves transmission security.
In addition, the first information may also include the operation request, so that the operation request can also be verified subsequently, ensuring its authenticity. The first information may also include the identification information, so that the background system server can subsequently know which device initiated the request. The first information may include any one of the above items or any combination of them.
Step S304: the background monitoring equipment receives the first process information and the first information packet, and saves the first process information and the first information packet.
Specifically, after receiving the first process information and the first information packet, the background monitoring equipment may store them directly, which simplifies the flow of the background monitoring equipment.
Alternatively, after receiving the first process information and the first information packet, the background monitoring equipment may verify the first process information and store the first process information and the first information packet only after the verification passes; if the verification fails, it raises an alarm or locks the controlled device bound to the safety means. Storing only after the authenticity of the source of the first process information and the first information packet is assured improves control and monitoring, and also improves the security of acquiring information from the controlled device or of unlocking the controlled device.
If the background monitoring equipment verifies the first process information, it may do so as follows:
The background monitoring equipment receives the first process information and the first information packet, also obtains the first authentication policy, verifies the first process information according to the first authentication policy, and, after the verification passes, saves the first process information and the first information packet.
The first authentication policy must match the first information output policy:
When the first information output policy is the policy of output after encryption: if the first information output policy encrypts with a symmetric encryption algorithm, the first authentication policy is a decrypt-and-verify policy matching the policy of output after encryption; if the first information output policy encrypts with an asymmetric algorithm, the first authentication policy is an encrypt-and-verify policy matching the policy of output after encryption.
When the first information output policy is the policy of output after signature, the first authentication policy is the signature verification policy matching it, for example using the public key of the safety means and the first information packet to verify the signature in the first process information. Only when the signature verification passes does the background monitoring equipment consider the safety means verified, and only then is the save operation performed, which improves security.
Specifically, when the background monitoring equipment verifies the first process information according to the first authentication policy, it may verify the first process information using the first authentication code obtained from the first information; it may negotiate with the safety means in advance, pre-store an authentication code identical to the first authentication code sent by the safety means, and use that pre-stored authentication code to verify the first process information; or it may negotiate with the safety means in advance, generate an authentication code using the same authentication code generation method, and use the generated authentication code to verify the first process information. Whichever verification method is used, as long as it achieves the purpose of verifying the first process information, it falls within the protection scope of the present invention.
Specifically, after receiving the first process information and the first information packet output by the safety means, the background monitoring equipment obtains the first information in a manner matching the second process that was used:
(1) When the second process simply adds a source address and a destination address to the first information and keeps the identification information, the location information and the first authentication code in plaintext, the background monitoring equipment obtains the first information directly from the received first information packet, and thereby the identification information, the location information and the first authentication code. This simplifies the acquisition flow and improves acquisition speed.
(2) when second is processed as at least being encrypted the first authentication code in the first information, background monitoring equipment can be to adding The first authentication code after close is decrypted, and gets this first authentication code.At least decrypt the first authentication code, in order to follow-up to One process information is verified.
As can be seen here, have employed the information monitoring method of the present invention, can be sent by safety means by background monitoring monitoring of tools Solicited message, obtain operation requests with monitoring or open operation requests, such that it is able to learning is whom in where sent please Ask, improve acquisition of information to a certain extent or open the security of operation.
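The monitor-side flow described above (pick the verification policy that matches the output policy, check identification and location, store only on success, alarm otherwise), as an added Python example that is not from the patent. HMAC-SHA256 with a per-device key stands in for the encryption or signature "first process"; the device keys, area bounds, JSON packet layout and the replay check on the authentication code are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo data; none of these values come from the patent.
DEVICE_KEYS = {"vehicle-0001": b"constructed-demo-key-for-vehicle-0001"}
ALLOWED_AREA = (39.0, 41.0, 115.0, 118.0)  # lat_min, lat_max, lon_min, lon_max


def device_output(device_id, lat, lon, key, auth_code=None):
    """Safety-means side: build the first information packet and its tag."""
    first_info = {
        "id": device_id,                              # identification information
        "lat": lat, "lon": lon,                       # location information
        "auth": auth_code or secrets.token_hex(16),   # random first authentication code
    }
    # "Second process": plaintext serialisation, as in case (1) above.
    packet = json.dumps(first_info, sort_keys=True).encode()
    # "First process": HMAC-SHA256 as a stand-in for encrypt/sign (assumption).
    processed = hmac.new(key, packet, hashlib.sha256).digest()
    return processed, packet


class BackgroundMonitor:
    def __init__(self, device_keys, allowed_area):
        self.device_keys = device_keys    # doubles as the identification information group
        self.allowed_area = allowed_area  # pre-set range for location information
        self.seen_auth = set()            # (id, auth code) pairs already accepted
        self.stored = []                  # verified (processed, packet) records
        self.alarms = []                  # rejected inputs and the reason

    def _alarm(self, reason, packet):
        # The page says "alarm or lock the controlled device"; here we only record it.
        self.alarms.append((reason, packet))
        return reason

    def receive(self, processed, packet):
        # Obtain the first information from the plaintext packet.
        try:
            info = json.loads(packet)
            device_id, auth = info["id"], info["auth"]
            if not isinstance(device_id, str) or not isinstance(auth, str):
                raise TypeError("id and auth must be strings")
            lat, lon = float(info["lat"]), float(info["lon"])
        except (ValueError, KeyError, TypeError):
            return self._alarm("malformed", packet)

        # The identification selects the verification policy (here: the key).
        key = self.device_keys.get(device_id)
        if key is None:
            return self._alarm("unknown-id", packet)

        # Verify the first process information over the exact bytes received.
        expected = hmac.new(key, packet, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, processed):
            return self._alarm("verify-failed", packet)

        # Location must fall inside the pre-set range (NaN fails the comparison).
        lat_min, lat_max, lon_min, lon_max = self.allowed_area
        if not (lat_min <= lat <= lat_max and lon_min <= lon <= lon_max):
            return self._alarm("out-of-range", packet)

        # Assumption of this example: an authentication code is accepted once,
        # so a captured (processed, packet) pair cannot be stored a second time.
        if (device_id, auth) in self.seen_auth:
            return self._alarm("replayed", packet)
        self.seen_auth.add((device_id, auth))

        self.stored.append((processed, packet))
        return "stored"
```

Only inputs that pass every check reach `stored`; everything else lands in `alarms` with the reason, which is the record an operator would review.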
Fig. 4 shows a schematic structural diagram of the information monitoring system of Embodiment 2 of the present invention. Only a brief description of the structure is given here; of course, each component of the system can be divided into several modules that perform different functions, or all functions can be completed by one integrated chip. The possibilities are too numerous to list, and this embodiment only divides the information monitoring system in a simple way. Referring to Fig. 4, the information monitoring system of this embodiment includes safety means 30 and background monitoring equipment 40. The safety means 30 uses the method of steps S301 to S303 shown in Fig. 3 to output information, and the background monitoring equipment 40 uses the method of step S304 shown in Fig. 3 to monitor information; these are not repeated here, and only the function of each component is briefly described. Wherein:
The safety means 30 obtains an operation request and, after getting the operation request, obtains identification information and/or location information, verifies the identification information and/or the location information, and, after verification passes, obtains a first authentication code and a first information output policy. According to the first information output policy, it performs a first process on a first information packet to obtain first process information, and outputs the first process information and the first information packet. The first information packet is obtained by performing a second process on first information, and the first information includes at least: the first authentication code and the location information;
The background monitoring equipment 40 receives the first process information and the first information packet, and saves the first process information and the first information packet.
In addition, the safety means 30 also obtains pre-stored identification information and verifies whether the identification information is consistent with the pre-stored identification information; if it is consistent, verification of the identification information passes. And/or it obtains pre-stored orientation range information and verifies whether the location information is included in the pre-stored orientation range information; if the location information is within the pre-stored orientation range information, verification of the location information passes.
Wherein, when the operation request contains second process information and a second information packet, the second process information being obtained by performing a third process on the second information packet, the second information packet being obtained by performing a fourth process on second information, and the second information including at least the identification information and/or the location information, the safety means 30 also, after getting the operation request, verifies the second process information according to the second information packet and, after verification passes, obtains the identification information and/or the location information from the second information packet.
In this case, the third process can be encryption processing or signature processing, and the second information can also include a second authentication code, which can be: a random number, a time parameter or a dynamic password value.
Of course, the first information output policy is a policy of output after encryption and the first process is encryption processing; or the first information output policy is a policy of output after signature and the first process is signature processing.
In addition, the first information can also include the operation request and/or the identification information, and the first authentication code can be: a random number, a time parameter or a dynamic password value.
Furthermore, after receiving the first process information and the first information packet, the background monitoring equipment 40 also obtains a first authentication policy, verifies the first process information according to the first authentication policy, and, after verification of the first process information passes, saves the first process information and the first information packet.
Of course, when the first information output policy is a policy of output after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of output after encryption, or the first authentication policy is a policy of encrypting and verifying that matches the policy of output after encryption; when the first information output policy is a policy of output after signature, the first authentication policy is a signature verification policy that matches the policy of output after signature.
It can be seen that, with the information monitoring system of the present invention, the background monitoring equipment can monitor the request information sent by the safety means, so as to monitor acquisition operation requests or opening operation requests. It can thereby be learned who sent the request and where, which improves the security of information acquisition or of the opening operation to a certain extent.
Any process or method description in a flow chart, or otherwise described herein, may be understood as representing a module, fragment or portion of code that includes one or more executable instructions for implementing the steps of a specific logical function or process. The scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that each part of the present invention can be realized in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods can be realized with software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if realized in hardware, as in another embodiment, any one or a combination of the following technologies well known in the art can be used: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
Those skilled in the art will appreciate that all or part of the steps carried by the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in each embodiment of the present invention can be integrated in one processing module, each unit can exist physically on its own, or two or more units can be integrated in one module. The integrated module can be realized in the form of hardware or in the form of a software function module. If the integrated module is realized in the form of a software function module and is sold or used as an independent product, it can also be stored in a computer-readable storage medium.
The storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, or the like.
In the description of this specification, a description referring to the terms "an embodiment", "some embodiments", "example", "concrete example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described can be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention. Those of ordinary skill in the art can change, modify, replace and vary the above embodiments within the scope of the present invention without departing from its principle and purpose. The scope of the present invention is defined by the appended claims and their equivalents.

Claims (36)

1. An information monitoring method, characterized by comprising:
a safety means obtains an operation request and, after getting the operation request, obtains identification information, location information, a first authentication code and a first information output policy, wherein the safety means is bound with a controlled device, and the identification information is the identification information of the controlled device bound with the safety means;
the safety means, according to the first information output policy, performs a first process on a first information packet to obtain first process information, and outputs the first process information and the first information packet; wherein the first information packet is obtained by performing a second process on first information, and the first information includes at least: the identification information, the location information and the first authentication code;
a background monitoring equipment receives the first process information and the first information packet, and saves the first process information and the first information packet.
2. The method according to claim 1, characterized in that
the first information output policy is a policy of output after encryption;
the first process is encryption processing; or
the first information output policy is a policy of output after signature;
the first process is signature processing.
3. The method according to claim 1, characterized in that the first information also includes the operation request.
4. The method according to claim 1, characterized in that the first authentication code is: a random number, a time parameter or a dynamic password value.
5. The method according to any one of claims 1 to 4, characterized in that the step in which the background monitoring equipment receives the first process information and the first information packet, and saves the first process information and the first information packet, comprises:
the background monitoring equipment receives the first process information and the first information packet, and obtains a first authentication policy;
the background monitoring equipment verifies the first process information according to the first authentication policy;
the background monitoring equipment, after verification of the first process information passes, saves the first process information and the first information packet.
6. The method according to claim 5, characterized in that the step in which the background monitoring equipment receives the first process information and the first information packet, and obtains the first authentication policy, further comprises:
after the background monitoring equipment receives the first process information and the first information packet, it obtains the first information;
the background monitoring equipment obtains pre-set orientation range information and/or a pre-stored identification information group;
it judges whether the location information is in the orientation range information, and/or judges whether the identification information is in the identification information group;
if the location information is included in the orientation range information, and/or if the identification information is in the identification information group, it obtains the first authentication policy.
7. The method according to claim 5, characterized in that
when the first information output policy is a policy of output after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of output after encryption, or the first authentication policy is a policy of encrypting and verifying that matches the policy of output after encryption;
when the first information output policy is a policy of output after signature, the first authentication policy is a signature verification policy that matches the policy of output after signature.
8. An information monitoring method, characterized by comprising:
a safety means obtains an operation request and, after getting the operation request, obtains identification information and/or location information, wherein the safety means is bound with a controlled device, and the identification information is the identification information of the controlled device bound with the safety means;
the safety means verifies the identification information and/or the location information and, after verification passes, obtains a first authentication code and a first information output policy;
the safety means, according to the first information output policy, performs a first process on a first information packet to obtain first process information, and outputs the first process information and the first information packet; wherein the first information packet is obtained by performing a second process on first information, and the first information includes at least: the first authentication code and the location information;
a background monitoring equipment receives the first process information and the first information packet, and saves the first process information and the first information packet.
9. The method according to claim 8, characterized in that the step of verifying the identification information and/or the location information comprises:
obtaining pre-stored identification information;
verifying whether the identification information is consistent with the pre-stored identification information, and, if the identification information is consistent with the pre-stored identification information, verification of the identification information passes; and/or
obtaining pre-stored orientation range information;
verifying whether the location information is included in the pre-stored orientation range information, and, if the location information is within the pre-stored orientation range information, verification of the location information passes.
10. The method according to claim 8 or 9, characterized in that the step of obtaining identification information and location information after getting the operation request comprises:
the operation request contains second process information and a second information packet;
the second process information is obtained by performing a third process on the second information packet, the second information packet is obtained by performing a fourth process on second information, and the second information includes at least: the identification information and/or the location information;
after getting the operation request, verifying the second process information according to the second information packet, and, after verification passes, obtaining the identification information and/or the location information from the second information packet.
11. The method according to claim 10, characterized in that the third process is encryption processing or signature processing.
12. The method according to claim 10, characterized in that the second information also includes: a second authentication code.
13. The method according to claim 12, characterized in that the second authentication code is: a random number, a time parameter or a dynamic password value.
14. The method according to claim 8, characterized in that
the first information output policy is a policy of output after encryption;
the first process is encryption processing; or
the first information output policy is a policy of output after signature;
the first process is signature processing.
15. The method according to claim 8, characterized in that the first information also includes the operation request and/or the identification information.
16. The method according to claim 8, characterized in that the first authentication code is: a random number, a time parameter or a dynamic password value.
17. The method according to any one of claims 8, 9 and 11 to 16, characterized in that the step in which the background monitoring equipment receives the first process information and the first information packet, and saves the first process information and the first information packet, comprises:
the background monitoring equipment receives the first process information and the first information packet, and obtains a first authentication policy;
the background monitoring equipment verifies the first process information according to the first authentication policy;
the background monitoring equipment, after verification of the first process information passes, saves the first process information and the first information packet.
18. The method according to claim 17, characterized in that
when the first information output policy is a policy of output after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of output after encryption, or the first authentication policy is a policy of encrypting and verifying that matches the policy of output after encryption;
when the first information output policy is a policy of output after signature, the first authentication policy is a signature verification policy that matches the policy of output after signature.
19. An information monitoring system, characterized by comprising: a safety means and a background monitoring equipment;
the safety means obtains an operation request and, after getting the operation request, obtains identification information, location information, a first authentication code and a first information output policy, performs a first process on a first information packet according to the first information output policy to obtain first process information, and outputs the first process information and the first information packet; wherein the first information packet is obtained by performing a second process on first information, and the first information includes at least: the identification information, the location information and the first authentication code, wherein the safety means is bound with a controlled device, and the identification information is the identification information of the controlled device bound with the safety means;
the background monitoring equipment receives the first process information and the first information packet, and saves the first process information and the first information packet.
20. The system according to claim 19, characterized in that
the first information output policy is a policy of output after encryption;
the first process is encryption processing; or
the first information output policy is a policy of output after signature;
the first process is signature processing.
21. The system according to claim 19, characterized in that the first information also includes the operation request.
22. The system according to claim 19, characterized in that the first authentication code is: a random number, a time parameter or a dynamic password value.
23. The system according to any one of claims 19 to 22, characterized in that the background monitoring equipment also, after receiving the first process information and the first information packet, obtains a first authentication policy, verifies the first process information according to the first authentication policy, and, after verification of the first process information passes, saves the first process information and the first information packet.
24. The system according to claim 23, characterized in that, after the background monitoring equipment receives the first process information and the first information packet, it also obtains the first information, obtains pre-set orientation range information and/or a pre-stored identification information group, judges whether the location information is in the orientation range information, and/or judges whether the identification information is in the identification information group, and, if the location information is included in the orientation range information, and/or if the identification information is in the identification information group, obtains the first authentication policy.
25. The system according to claim 23, characterized in that
when the first information output policy is a policy of output after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of output after encryption, or the first authentication policy is a policy of encrypting and verifying that matches the policy of output after encryption;
when the first information output policy is a policy of output after signature, the first authentication policy is a signature verification policy that matches the policy of output after signature.
26. An information monitoring system, characterized by comprising: a safety means and a background monitoring equipment;
the safety means obtains an operation request and, after getting the operation request, obtains identification information and/or location information, verifies the identification information and/or the location information, and, after verification passes, obtains a first authentication code and a first information output policy, performs a first process on a first information packet according to the first information output policy to obtain first process information, and outputs the first process information and the first information packet; wherein the first information packet is obtained by performing a second process on first information, and the first information includes at least: the first authentication code and the location information, wherein the safety means is bound with a controlled device, and the identification information is the identification information of the controlled device bound with the safety means;
the background monitoring equipment receives the first process information and the first information packet, and saves the first process information and the first information packet.
27. The system according to claim 26, characterized in that the safety means also obtains pre-stored identification information and verifies whether the identification information is consistent with the pre-stored identification information, and, if the identification information is consistent with the pre-stored identification information, verification of the identification information passes; and/or obtains pre-stored orientation range information and verifies whether the location information is included in the pre-stored orientation range information, and, if the location information is within the pre-stored orientation range information, verification of the location information passes.
28. The system according to claim 26 or 27, characterized in that, when the operation request contains second process information and a second information packet, the second process information being obtained by performing a third process on the second information packet, the second information packet being obtained by performing a fourth process on second information, and the second information including at least: the identification information and/or the location information;
the safety means also, after getting the operation request, verifies the second process information according to the second information packet, and, after verification passes, obtains the identification information and/or the location information from the second information packet.
29. The system according to claim 28, characterized in that the third process is encryption processing or signature processing.
30. The system according to claim 28, characterized in that the second information also includes: a second authentication code.
31. The system according to claim 30, characterized in that the second authentication code is: a random number, a time parameter or a dynamic password value.
32. The system according to claim 26, characterized in that
the first information output policy is a policy of output after encryption;
the first process is encryption processing; or
the first information output policy is a policy of output after signature;
the first process is signature processing.
33. The system according to claim 26, characterized in that the first information also includes the operation request and/or the identification information.
34. The system according to claim 26, characterized in that the first authentication code is: a random number, a time parameter or a dynamic password value.
35. The system according to any one of claims 26, 27 and 29 to 34, characterized in that the background monitoring equipment also, after receiving the first process information and the first information packet, obtains a first authentication policy, verifies the first process information according to the first authentication policy, and, after verification of the first process information passes, saves the first process information and the first information packet.
36. The system according to claim 35, characterized in that
when the first information output policy is a policy of output after encryption, the first authentication policy is a policy of decrypting and verifying that matches the policy of output after encryption, or the first authentication policy is a policy of encrypting and verifying that matches the policy of output after encryption;
when the first information output policy is a policy of output after signature, the first authentication policy is a signature verification policy that matches the policy of output after signature.
CN201310344047.5A 2013-08-08 2013-08-08 Information monitoring method and system Active CN103414567B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201310344047.5A CN103414567B (en) 2013-08-08 2013-08-08 Information monitoring method and system
PCT/CN2014/083335 WO2015018291A1 (en) 2013-08-08 2014-07-30 Output method and security device, response method and system, and execution method and system
PCT/CN2014/083343 WO2015018292A1 (en) 2013-08-08 2014-07-30 Method and system for information monitoring

Publications (2)

Publication Number Publication Date
CN103414567A CN103414567A (en) 2013-11-27
CN103414567B CN103414567B (en) 2016-09-07

Family

ID=49607553

Country Status (1)

Country Link
CN (1) CN103414567B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant