CN104717223B - Data access method and device - Google Patents
- Publication number: CN104717223B (application CN201510138114.7A)
- Authority: CN (China)
- Prior art keywords: terminal device, data, access request, data access, address
- Legal status: Active
Classifications
- H04L (Electricity; electric communication technique; transmission of digital information, e.g. telegraphic communication)
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/10: ... for controlling access to devices or network resources
- H04L63/08: ... for authentication of entities
Abstract
The disclosure relates to a data access method and device for improving the degree of protection of data while it is being accessed. The method includes: when a data access request is received from a terminal device, authenticating the user identifier corresponding to the data access request; after the user identifier passes authentication, authenticating the network location of the terminal device; after the network location of the terminal device passes authentication, authenticating the device identifier of the terminal device; and, if the device identifier passes authentication, allowing the terminal device to access the data corresponding to the data access request. The disclosed technical scheme can effectively prevent an attacker from accessing data with sensitive attributes and greatly improves the degree of protection of data while it is being accessed.
Description
Technical field
This disclosure relates to the field of Internet technology, and in particular to a data access method and device.
Background technology
As competition in the Internet industry intensifies, information security problems become more severe. The sensitive data held by each enterprise (for example, the company's financial statements, management strategies and so on) has become a target of attackers. Sensitive data is provided only to specific people within the company and needs particular protection so that it cannot be obtained by attackers. In the related art, once an attacker obtains a username and password with authority to access sensitive data, the attacker can set up a device running a proxy service in the internal LAN of the company that owns the sensitive data. When the attacker accesses the sensitive data from outside, the access request is sent to the device running the proxy service, and that device then forwards the access request for the sensitive data to the server storing it. In that case, the server considers the access request to come from the internal LAN and allows the attacker to access the sensitive data, so the sensitive data is successfully attacked.
Summary of the invention
To overcome the problem in the related art, embodiments of the present disclosure provide a data access method and device for improving the degree of protection of data while it is being accessed.
According to a first aspect of the embodiments of the present disclosure, a data access method applied on a server is provided, including:
when a data access request is received from a terminal device, authenticating the user identifier corresponding to the data access request;
after the user identifier passes authentication, authenticating the network location of the terminal device;
after the network location of the terminal device passes authentication, authenticating the device identifier of the terminal device, and, if the device identifier passes authentication, allowing the terminal device to access the data corresponding to the data access request.
In one embodiment, authenticating the user identifier of the data access request may include:
determining a user permission list according to the data access request, the user permission list including multiple user identifiers and multiple different access permissions corresponding to the multiple user identifiers;
determining whether the user identifier is present among the multiple user identifiers;
if the user identifier is present, determining whether the user identifier has permission to access the data corresponding to the data access request;
if the user identifier is not present, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, authenticating the network location of the terminal device may include:
determining the network IP address of the terminal device;
determining whether the network IP address is an IP address within the LAN where the server is located;
if it is an IP address within the LAN, determining that the location authentication of the terminal device passes;
if it is not an IP address within the LAN, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, authenticating the device identifier of the terminal device may include:
determining whether the device identifier of the terminal device is in a device registry;
if the device identifier is in the device registry, determining that the device identifier authentication of the terminal device passes;
if the device identifier is not in the device registry, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, determining whether the device identifier of the terminal device is in the device registry may include:
determining the identifier type of the device identifier of the terminal device;
if the identifier type is a media access control (MAC) address, determining whether the MAC address is present in a first list in the device registry;
if the identifier type is an International Mobile Equipment Identity (IMEI), determining whether the IMEI is present in a second list in the device registry.
In one embodiment, the method may further include:
when the terminal device accesses the LAN where the server is located, allocating a LAN address to the terminal device;
binding the LAN address to the device identifier of the terminal device.
In one embodiment, the method may further include:
identifying the data accessed by the data access request, and, when the data accessed by the data access request is determined to be sensitive data, performing the step of authenticating the user identifier corresponding to the data access request.
According to a second aspect of the embodiments of the present disclosure, a data access device applied on a server is provided, including:
a first authentication module configured to, when a data access request is received from a terminal device, authenticate the user identifier corresponding to the data access request;
a second authentication module configured to, after the first authentication module has authenticated the user identifier, authenticate the network location of the terminal device;
a third authentication module configured to, after the second authentication module has authenticated the network location of the terminal device, authenticate the device identifier of the terminal device, and, if the device identifier passes authentication, allow the terminal device to access the data corresponding to the data access request.
In one embodiment, the first authentication module may include:
a first determination sub-module configured to determine a user permission list according to the data access request, the user permission list including multiple user identifiers and multiple different access permissions corresponding to the multiple user identifiers;
a second determination sub-module configured to determine whether the user identifier is present among the multiple user identifiers determined by the first determination sub-module;
a third determination sub-module configured to, if the second determination sub-module determines that the user identifier is present, determine whether the user identifier has permission to access the data corresponding to the data access request;
a first prompting sub-module configured to, if the second determination sub-module determines that the user identifier is not present, issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request.
In one embodiment, the second authentication module may include:
a fourth determination sub-module configured to determine the network IP address of the terminal device;
a fifth determination sub-module configured to determine whether the network IP address determined by the fourth determination sub-module is an IP address within the LAN where the server is located;
a sixth determination sub-module configured to, if the fifth determination sub-module determines that the network IP address is an IP address within the LAN, determine that the location authentication of the terminal device passes;
a second prompting sub-module configured to, if the fifth determination sub-module determines that the network IP address is not an IP address within the LAN, issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request.
In one embodiment, the third authentication module may include:
a seventh determination sub-module configured to determine whether the device identifier of the terminal device is in a device registry;
an eighth determination sub-module configured to, if the seventh determination sub-module determines that the device identifier is in the device registry, determine that the device identifier authentication of the terminal device passes;
a third prompting sub-module configured to, if the seventh determination sub-module determines that the device identifier is not in the device registry, issue a security prompt for the data access request and forbid the terminal device from accessing the data corresponding to the data access request.
In one embodiment, the seventh determination sub-module may include:
a ninth determination sub-module configured to determine the identifier type of the device identifier of the terminal device;
a tenth determination sub-module configured to, if the ninth determination sub-module determines that the identifier type is a media access control (MAC) address, determine whether the MAC address is present in a first list in the device registry;
an eleventh determination sub-module configured to, if the ninth determination sub-module determines that the identifier type is an International Mobile Equipment Identity (IMEI), determine whether the IMEI is present in a second list in the device registry.
In one embodiment, the device may further include:
an address allocation module configured to, when the terminal device accesses the LAN where the server is located, allocate a LAN address to the terminal device;
an address binding module configured to bind the LAN address to the device identifier of the terminal device.
In one embodiment, the device may further include:
a data identification module configured to identify the data accessed by the data access request, so that, when the data accessed by the data access request is determined to be sensitive data, the first authentication module performs the step of authenticating the user identifier corresponding to the data access request.
According to a third aspect of the embodiments of the present disclosure, a data access device is provided, including:
a processor; and
a memory for storing processor-executable instructions;
wherein the processor is configured to:
when a data access request is received from a terminal device, authenticate the user identifier corresponding to the data access request;
after the user identifier passes authentication, authenticate the network location of the terminal device;
after the network location of the terminal device passes authentication, authenticate the device identifier of the terminal device, and, if the device identifier passes authentication, allow the terminal device to access the data corresponding to the data access request.
The technical scheme provided by the embodiments of the present disclosure may have the following beneficial effects: by authenticating the user identifier of the data access request from the terminal device, the network location of the terminal device and the device identifier of the terminal device, and allowing the terminal device to access the data corresponding to the data access request only after all three authentications pass, an attacker can be effectively prevented from accessing the data corresponding to the data access request, which greatly improves the degree of protection of data while it is being accessed.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the disclosure.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and, together with the description, serve to explain the principles of the invention.
Fig. 1 is a flow chart of a data access method according to an exemplary embodiment.
Fig. 2 is a flow chart of a data access method according to exemplary embodiment one.
Fig. 3A is a flow chart of a data access method according to exemplary embodiment two.
Fig. 3B is a flow chart of step S304 according to exemplary embodiment two.
Fig. 4 is a flow chart of a data access method according to exemplary embodiment three.
Fig. 5 is a block diagram of a data access device according to an exemplary embodiment.
Fig. 6A is a block diagram of another data access device according to an exemplary embodiment.
Fig. 6B is a block diagram of the seventh determination sub-module according to an exemplary embodiment.
Fig. 7 is a block diagram of another data access device according to an exemplary embodiment.
Fig. 8 is a block diagram of a device suitable for data access according to an exemplary embodiment.
Embodiment
Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the invention; rather, they are merely examples of apparatuses and methods consistent with some aspects of the invention as detailed in the appended claims.
Fig. 1 is a flow chart of a data access method according to an exemplary embodiment. The data access method may be applied on a server and, as shown in Fig. 1, includes the following steps S101 to S103:
In step S101, when a data access request is received from a terminal device, the user identifier corresponding to the data access request is authenticated.
In one embodiment, different access permissions may be set for different users on the data stored on the server. For example, the financial staff of an enterprise may access the financial statements on the server, the sales staff may access the sales data on the server, and the senior executives may access both the financial statements and the sales data on the server; that is, the data reachable by a data access request varies with the user identifier. In one embodiment, different user permissions may be represented by user identifiers, so that authenticating the user identifier determines whether that user may go on to access the data requested by the data access request. Those skilled in the art will understand that data stored on the server for which access permissions are set in this way may be called sensitive data.
In step S102, after the user identifier passes authentication, the network location of the terminal device is authenticated.
In one embodiment, the network location of the terminal device may be parsed from the data access request. In one embodiment, the network location may be the network IP address of the terminal device, and the network location of the terminal device is determined by checking whether that network IP address is an IP address within the LAN where the server is located.
In step S103, after the network location of the terminal device passes authentication, the device identifier of the terminal device is authenticated, and, if the device identifier passes authentication, the terminal device is allowed to access the data corresponding to the data access request.
In one embodiment, the device identifier of the terminal device may be recorded in a device registry. In one embodiment, the device registry may include both a list of media access control (MAC) addresses and a list of International Mobile Equipment Identity (IMEI) codes. Those skilled in the art will understand that the MAC address and IMEI above are only examples of device identifiers of terminal devices; the disclosure does not limit the specific form of the device identifier, as long as the device identifier can distinguish the identity of the terminal device. Correspondingly, the terminal device may be either a PC device or a mobile device.
In this embodiment, the user identifier of the data access request from the terminal device, the network location of the terminal device and the device identifier of the terminal device are all authenticated, and the terminal device is allowed to access the data corresponding to the data access request only after all three authentications pass. In each of the following three situations: an attacker has stolen the user identifier and password that have authority to access the sensitive data; an attacker has stolen the user identifier and password that have authority to access the sensitive data and sets up a proxy service on a device in the LAN where the server is located in order to attempt to access the sensitive data; or an attacker has not only stolen the user identifier and password that have authority to access the sensitive data but has also stolen a terminal device with access permission; the attacker can be effectively prevented from accessing the data corresponding to the data access request, which greatly improves the degree of protection of data while it is being accessed.
In one embodiment, authenticating the user identifier of the data access request may include:
determining a user permission list according to the data access request, the user permission list including multiple user identifiers and multiple different access permissions corresponding to the multiple user identifiers;
determining whether the user identifier is present among the multiple user identifiers;
if the user identifier is present, determining whether the user identifier has permission to access the data corresponding to the data access request;
if the user identifier is not present, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, authenticating the network location of the terminal device may include:
determining the network IP address of the terminal device;
determining whether the network IP address is an IP address within the LAN where the server is located;
if it is an IP address within the LAN, determining that the location authentication of the terminal device passes;
if it is not an IP address within the LAN, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, authenticating the device identifier of the terminal device may include:
determining whether the device identifier of the terminal device is in a device registry;
if the device identifier is in the device registry, determining that the device identifier authentication of the terminal device passes;
if the device identifier is not in the device registry, issuing a security prompt for the data access request and forbidding the terminal device from accessing the data corresponding to the data access request.
In one embodiment, determining whether the device identifier of the terminal device is in the device registry may include:
determining the identifier type of the device identifier of the terminal device;
if the identifier type is a media access control (MAC) address, determining whether the MAC address is present in a first list in the device registry;
if the identifier type is an International Mobile Equipment Identity (IMEI), determining whether the IMEI is present in a second list in the device registry.
In one embodiment, the method may further include:
when the terminal device accesses the LAN where the server is located, allocating a LAN address to the terminal device;
binding the LAN address to the device identifier of the terminal device.
In one embodiment, the method may further include:
identifying the data accessed by the data access request, and, when the data accessed by the data access request is determined to be sensitive data, performing the step of authenticating the user identifier corresponding to the data access request.
How data is specifically protected while it is being accessed is described in the following embodiments.
In summary, the above method provided by the embodiments of the present disclosure can effectively prevent an attacker from accessing data with sensitive attributes and greatly improves the degree of protection of data while it is being accessed.
The technical solution provided by the embodiments of the present disclosure is described below with specific embodiments.
Fig. 2 is a flow chart of a data access method according to exemplary embodiment one. This embodiment uses the above method provided by the embodiments of the present disclosure and takes how the user identifier and the network location of the terminal device are authenticated as an example. As shown in Fig. 2, it includes the following steps:
In step S201, when a data access request is received from a terminal device, a user permission list is determined according to the data access request, the user permission list including multiple user identifiers and multiple different access permissions corresponding to the multiple user identifiers.
In one embodiment, the user permission list records the access permissions of different user identifiers. For example, in the user permission list, the access permission of user Boby is to access the sales data on the server, the access permission of user Tony is to access the financial statements on the server, and the access permission of user Simon is to access both the sales data and the financial statements on the server.
In step S202, it is determined whether the user identifier is present among the multiple user identifiers; if the user identifier is present, step S203 is performed, and if the user identifier is not present, step S209 is performed.
For example, if user Sunny sends a data access request for the sales data to the server through a terminal device, querying the user permission list determines that user Sunny is not in the user permission list; if user Boby sends a data access request for the financial statements to the server through a terminal device, querying the user permission list determines that user Boby is in the user permission list.
In step S203, if the user identifier is present, it is determined whether the user identifier has permission to access the data corresponding to the data access request; if it has that permission, step S204 is performed, and if it does not, step S209 is performed.
For example, although user Boby is in the user permission list, Boby only has permission to access the sales data and therefore does not have permission to access the financial statements.
In step S204, the network IP address of the terminal device is determined.
In one embodiment, when the terminal device connects to the LAN where the server is located, an IP address within the LAN may be allocated to the terminal device, and the terminal device and the IP address allocated to it may be recorded.
In step S205, it is determined whether the network IP address is an IP address within the LAN where the server is located; if it is, step S206 is performed, and if it is not, step S209 is performed.
In step S206, if the network IP address is an IP address within the LAN, it is determined that the terminal device passes location authentication.
In step S207, after the network location of the terminal device passes authentication, it is determined whether the device identifier of the terminal device passes authentication; if the device identifier passes authentication, step S208 is performed, and if it does not, step S209 is performed.
In one embodiment, if the terminal device is a PC, a portable computer or a tablet computer, the device identifier may be a MAC address; in another embodiment, if the terminal device is a mobile device, the device identifier may be an IMEI.
In step S208, the terminal device is allowed to access the data corresponding to the data access request, and the flow ends.
In step S209, a security prompt is issued for the data access request, and the terminal device is forbidden from accessing the data corresponding to the data access request.
In one embodiment, when at least one of the user identifier, device location and device identifier authentications fails, information relevant to this data access request, such as the user identifier, the network address at which the terminal device is currently located and the device identifier of the terminal device, may be reported, for example by sending the above information to the responsible organization, so that the abnormal event can be monitored.
In this embodiment, the user permission list is used to determine that the user identifier has permission to access the data corresponding to the data access request, it is determined that the network IP address is an IP address within the LAN where the server is located, and the device identifier of the terminal device is determined to have access permission. This ensures that data access requires the following conditions: the user of the terminal device has access permission, the terminal device is connected to the LAN where the server is located, and the terminal device itself has permission to access the data. Under these conditions, an attacker is largely prevented from accessing the data corresponding to the data access request, which greatly improves the degree of protection of data while it is being accessed.
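The three authentications of embodiment one (steps S201 to S209), together with the MAC/IMEI registry lookup of embodiment two (Fig. 3B), as an added Python illustration that is not the patent's own code: the user permission list with Boby, Tony and Simon, the LAN range, the device registry contents and the set of data marked sensitive are constructed values, and `check_access` is my own composition of the steps.

```python
"""Three-stage access check: user permission list, LAN location,
device registry (MAC or IMEI). Added illustration, not the patent's code."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress
import re

# Constructed user permission list (step S201): user identifier -> permitted data.
USER_PERMISSION_LIST = {
    "Boby": {"sales_data"},
    "Tony": {"financial_statement"},
    "Simon": {"sales_data", "financial_statement"},
}

# Constructed LAN where the server is located (step S205).
SERVER_LAN = ipaddress.ip_network("192.168.10.0/24")

# Constructed device registry: first list = MAC addresses of PC devices,
# second list = IMEIs of mobile devices (Fig. 3B). MACs stored lower-case.
DEVICE_REGISTRY = {
    "mac": {"00:11:22:33:44:55"},
    "imei": {"490154203237518"},
}

# Data marked sensitive (embodiment two, step S301); other data is served
# without running the three authentications.
SENSITIVE_DATA = {"sales_data", "financial_statement"}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
IMEI_RE = re.compile(r"^[0-9]{15}$")


@dataclass
class AccessRequest:
    user_id: str
    data: str
    ip: str         # network IP address parsed from the request
    device_id: str  # MAC address or IMEI presented by the terminal device


@dataclass
class Decision:
    allowed: bool
    reason: str
    prompt: dict = field(default_factory=dict)  # details reported in step S209


def identifier_type(device_id: str) -> Optional[str]:
    """Step S311: classify the device identifier as a MAC address or an IMEI."""
    if MAC_RE.match(device_id.lower()):
        return "mac"
    if IMEI_RE.match(device_id):
        return "imei"
    return None


def authenticate_user(req: AccessRequest) -> Optional[str]:
    """Steps S202/S203: the user must be listed and hold the permission."""
    perms = USER_PERMISSION_LIST.get(req.user_id)
    if perms is None:
        return "user identifier not in user permission list"
    if req.data not in perms:
        return "user lacks permission for requested data"
    return None


def authenticate_location(req: AccessRequest) -> Optional[str]:
    """Steps S204/S205: the source IP must lie inside the server's LAN."""
    try:
        addr = ipaddress.ip_address(req.ip)
    except ValueError:
        return "network IP address is malformed"
    if addr not in SERVER_LAN:
        return "network IP address is outside the server LAN"
    return None


def authenticate_device(req: AccessRequest) -> Optional[str]:
    """Steps S311 to S313: look the identifier up in the matching list."""
    kind = identifier_type(req.device_id)
    if kind is None:
        return "unrecognised device identifier type"
    if req.device_id.lower() not in DEVICE_REGISTRY[kind]:
        return f"{kind} not in device registry"
    return None


def security_prompt(req: AccessRequest, reason: str) -> Decision:
    """Step S209: deny and report the request's details for monitoring."""
    details = {"user": req.user_id, "ip": req.ip, "device": req.device_id}
    return Decision(False, reason, details)


def check_access(req: AccessRequest) -> Decision:
    """Run the three authentications in order and stop at the first failure."""
    if req.data not in SENSITIVE_DATA:
        return Decision(True, "non-sensitive data")
    for stage in (authenticate_user, authenticate_location, authenticate_device):
        reason = stage(req)
        if reason:
            return security_prompt(req, reason)
    return Decision(True, "all three authentications passed")
```

With these values, Boby reading sales data from a registered PC inside the LAN is allowed, while Boby asking for the financial statements, Sunny asking for anything sensitive, or Simon asking from an address outside the LAN or from an unregistered device each fall through to the security prompt.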
Fig. 3A is a flow chart of a data access method according to exemplary embodiment two, and Fig. 3B is a flow chart of step S304 according to exemplary embodiment two. This embodiment uses the above method provided by the embodiments of the present disclosure and takes how the device identifier of the terminal device is authenticated as an example. As shown in Fig. 3A, it includes the following steps:
In step S301, when a data access request is received from a terminal device, the data accessed by the data access request is identified.
In one embodiment, the data stored on the server may be divided into non-sensitive data and sensitive data, and the sensitive data is marked. When a user attempts to access data on the server, if the accessed data is marked as sensitive data, the user identifier, network location and device identifier need to be authenticated according to the present disclosure.
In step S302, when the data accessed by the data access request is determined to be sensitive data, the user permission of the user identifier corresponding to the data access request is authenticated.
For a description of step S302, refer to the description of step S101 above, which is not repeated here.
In step S303, after the user identifier passes authentication, the network location of the terminal device is authenticated.
For a description of step S303, refer to the description of step S102 above, which is not repeated here.
In step S304, it is determined whether the device identifier of the terminal device is in the device registry; if it is in the device registry, step S305 is performed, and if it is not, step S306 is performed.
For a description of step S304, refer to the description of the embodiment shown in Fig. 3B below, which is not detailed here.
In step S305, if the device identifier is in the device registry, it is determined that the device identifier authentication of the terminal device passes, and the terminal device is allowed to access the data corresponding to the data access request.
In step S306, if the device identifier is not in the device registry, a security prompt is issued for the data access request, and the terminal device is forbidden from accessing the data corresponding to the data access request.
For a description of step S306, refer to the description of step S208 above, which is not repeated here.
As shown in Fig. 3B, which is a flow chart of step S304 in one embodiment, it includes the following steps:
In step S311, the identifier type of the device identifier of the terminal device is determined; if the identifier type is a MAC address, step S312 is performed, and if the identifier type is an IMEI, step S313 is performed.
In step S312, if the identifier type is a MAC address, it is determined whether the MAC address is present in the first list in the device registry.
In step S313, if the identifier type is an IMEI, it is determined whether the IMEI is present in the second list in the device registry.
In one embodiment, the first list may record the MAC addresses of the PC devices registered in the LAN where the server is located, and the second list may record the IMEIs of the mobile devices registered in the LAN where the server is located. If the MAC address of a terminal device recorded in the first list is deleted, that terminal device is forbidden from accessing the data on the server.
Those skilled in the art will understand that the first list and the second list serve only to distinguish the device identifiers corresponding to different types of terminal device; the ordering "first" and "second" does not limit the disclosure. In addition, the MAC address and IMEI in the present disclosure are only examples of device identifiers of terminal devices and do not limit the disclosure; any address information that can represent the device identifier of the terminal device is included in the embodiments of the present disclosure.
In the present embodiment, by determining the identity type of the device identification of the terminal device, the device identifications of terminal devices of various different types can be authenticated. This both supports more types of terminal device accessing the data on the server and largely prevents an attacker from accessing the data corresponding to the data access request, substantially improving the degree of protection when data are accessed.
Fig. 4 is a flow chart of a data access method according to exemplary embodiment three. The present embodiment uses the above method provided by the embodiments of the disclosure to illustrate by example how the network IP address is bound to the device identification of the terminal device. As shown in Fig. 4, it includes the following steps:
In step S401, when the terminal device accesses the LAN where the server is located, a LAN address is allocated to the terminal device.
In step S402, the LAN address and the device identification of the terminal device are bound.
Taking a device identification that is a MAC address as an example: the LAN where the server is located may allocate a LAN address (for example, an IP address within the LAN) to a terminal device that joins the network through the Dynamic Host Configuration Protocol (DHCP). By recording which terminal device each IP address in the LAN has been allocated to, a binding relationship is established between the IP address in the LAN and the MAC address of the terminal device. Once the user has passed location authentication, it can be determined from the IP address in the LAN whether the MAC address of the terminal device exists.
In the present embodiment, by binding the LAN address to the device identification of the terminal device, when an attacker accesses the data on the server from the public Internet, or even when the attacker accesses the data on the server through the company's internal network, if the terminal device used by the attacker is not bound to its IP address, the attacker still has no right to access the sensitive data on the server, so the degree of protection when data are accessed is substantially improved.
In summary, the embodiments of the disclosure can effectively prevent an attacker from attacking the sensitive data on the server in the following ways:
First, the attacker has stolen a user identifier with access rights and the corresponding password, and attempts to use them to access the sensitive data on the server over the public Internet. In this case, because the disclosure requires location authentication of the terminal device used by the attacker, and that terminal device is not in the LAN where the server is located, the attacker cannot access the sensitive data on the server.
Second, the attacker has stolen a user identifier with access rights and the corresponding password, and sets up a proxy service on a device in the LAN where the server is located in order to access the sensitive data on the server. In this case, because the disclosure requires device identification authentication of the attacker's terminal device, and the terminal device used by the attacker cannot pass the device authentication of the disclosure, the attacker cannot access the sensitive data on the server, so the data on the server are protected from theft.
Third, the attacker has stolen not only a user identifier with access rights and the corresponding password, but also a terminal device whose device identification has access rights. In this case, if the attacker accesses the sensitive data on the server from the public Internet, the attacker cannot pass the device location authentication of the embodiments of the disclosure and therefore cannot access the sensitive data on the server.
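As an added illustration (not the patentee's code), the following Python models the flow of Fig. 3B (dispatch on identity type to the first and second lists), the Fig. 4 lease binding between a LAN IP address and a MAC address, and then replays the three attacker cases listed above together with a legitimate insider and two edge cases. The user rights list, device registry, DHCP leases, addresses and the IMEI are all constructed sample values; classifying the device identification by its format, and checking the lease binding only for MAC identities, are assumptions of this example rather than statements of the disclosure.

```python
# Added example (not the patent's code): the disclosure's three-stage check on constructed data.
import ipaddress
import re
from dataclasses import dataclass, field

DENY = "deny: security prompt"

def normalize_mac(mac):
    """Canonicalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', ... to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def identity_type(device_id):
    """S311: classify the device identification by its format (assumed heuristic)."""
    if re.fullmatch(r"\d{15}", device_id):
        return "IMEI"
    try:
        normalize_mac(device_id)
        return "MAC"
    except ValueError:
        return "UNKNOWN"

@dataclass
class Server:
    lan: ipaddress.IPv4Network  # LAN where the server is located
    user_rights: dict           # user identifier -> set of data ids it may access
    mac_list: set               # "first list": registered PC MAC addresses
    imei_list: set              # "second list": registered mobile IMEIs
    dhcp_leases: dict = field(default_factory=dict)  # LAN IP -> bound MAC (S401/S402)

    def assign_lan_address(self, ip, mac):
        """S401/S402: lease a LAN address and bind it to the device identification."""
        if ipaddress.ip_address(ip) not in self.lan:
            raise ValueError("lease outside the LAN")
        self.dhcp_leases[ip] = normalize_mac(mac)

def authenticate_user(server, user_id, data_id):
    """Stage 1: the user identifier must exist and carry rights to the requested data."""
    rights = server.user_rights.get(user_id)
    return rights is not None and data_id in rights

def authenticate_location(server, client_ip):
    """Stage 2: the request must come from an IP address inside the server's LAN."""
    try:
        return ipaddress.ip_address(client_ip) in server.lan
    except ValueError:
        return False

def authenticate_device(server, device_id, client_ip):
    """Stage 3 (S311-S313), plus the Fig. 4 lease binding for MAC identities (IMEI binding not modelled)."""
    kind = identity_type(device_id)
    if kind == "MAC":
        mac = normalize_mac(device_id)
        # Must be in the first list AND be the MAC the client's LAN IP was leased to.
        return mac in server.mac_list and server.dhcp_leases.get(client_ip) == mac
    if kind == "IMEI":
        return device_id in server.imei_list
    return False

def access(server, user_id, client_ip, device_id, data_id):
    """Run the stages in the disclosed order; the first failing stage denies with a security prompt."""
    if not authenticate_user(server, user_id, data_id):
        return DENY + " (user)"
    if not authenticate_location(server, client_ip):
        return DENY + " (location)"
    if not authenticate_device(server, device_id, client_ip):
        return DENY + " (device)"
    return "allow"

def build_demo_server():
    """Constructed sample data; IPs are private/documentation addresses, the IMEI is a textbook sample."""
    srv = Server(
        lan=ipaddress.ip_network("10.20.0.0/16"),
        user_rights={"alice": {"payroll.xlsx"}, "bob": set()},
        mac_list={normalize_mac("00:11:22:33:44:55")},
        imei_list={"490154203237518"},
    )
    srv.assign_lan_address("10.20.1.10", "00-11-22-33-44-55")  # alice's registered PC
    srv.assign_lan_address("10.20.1.20", "66:77:88:99:aa:bb")  # unregistered LAN host (a proxy, say)
    return srv

def scenarios():
    """The summary's three attacker cases plus legitimate and edge cases; returns name -> verdict."""
    srv, data = build_demo_server(), "payroll.xlsx"
    return {
        "insider_registered_pc": access(srv, "alice", "10.20.1.10", "00:11:22:33:44:55", data),
        "registered_mobile": access(srv, "alice", "10.20.2.5", "490154203237518", data),
        "stolen_password_from_internet": access(srv, "alice", "203.0.113.7", "aa:aa:aa:aa:aa:aa", data),
        "stolen_password_via_lan_proxy": access(srv, "alice", "10.20.1.20", "66:77:88:99:aa:bb", data),
        "stolen_password_and_device_from_internet": access(srv, "alice", "198.51.100.9", "00:11:22:33:44:55", data),
        "registered_mac_on_unbound_ip": access(srv, "alice", "10.20.1.20", "00:11:22:33:44:55", data),
        "no_access_rights": access(srv, "bob", "10.20.1.10", "00:11:22:33:44:55", data),
    }
```

The stage order matters for what a defender learns from the denial: the first two attacker cases fail at different stages (location, then device), and the "registered MAC on an unbound IP" case shows why the lease binding of Fig. 4 adds something the registry lookup alone does not, since the MAC is registered but not the one the requesting IP was leased to.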
Fig. 5 is a block diagram of a data access device according to an exemplary embodiment. As shown in Fig. 5, the data access device includes:
a first authentication module 51, configured to authenticate, when a data access request from a terminal device is received, the user right of the user identifier corresponding to the data access request;
a second authentication module 52, configured to authenticate the network location where the terminal device is located after the first authentication module 51 has passed the user identifier authentication;
a third authentication module 53, configured to authenticate the device identification of the terminal device after the second authentication module 52 has passed the network location authentication of the terminal device, and, if the device identification authentication passes, to allow the terminal device to access the data corresponding to the data access request.
Fig. 6A is a block diagram of another data access device according to an exemplary embodiment. On the basis of the embodiment shown in Fig. 5, the first authentication module 51 may include:
a first determination sub-module 511, configured to determine a user rights list according to the data access request, the user rights list including multiple user identifiers and multiple different access rights corresponding to the multiple user identifiers;
a second determination sub-module 512, configured to determine whether the user identifier is present among the multiple user identifiers determined by the first determination sub-module 511;
a third determination sub-module 513, configured to determine the access right corresponding to the user identifier if the second determination sub-module 512 determines that the user identifier is present;
a first prompting sub-module 514, configured to issue a security prompt for the data access request and forbid the terminal device to access the data corresponding to the data access request if the second determination sub-module 512 determines that the user identifier is not present.
In one embodiment, the second authentication module 52 may include:
a fourth determination sub-module 521, configured to determine the network IP address of the terminal device;
a fifth determination sub-module 522, configured to determine whether the network IP address determined by the fourth determination sub-module 521 is an IP address within the LAN where the server is located;
a sixth determination sub-module 523, configured to determine that the location authentication of the terminal device passes if the fifth determination sub-module 522 determines that the network IP address is an IP address within the LAN;
a second prompting sub-module 524, configured to issue a security prompt for the data access request and forbid the terminal device to access the data corresponding to the data access request if the fifth determination sub-module 522 determines that the network IP address is not an IP address within the LAN.
In one embodiment, the third authentication module 53 may include:
a seventh determination sub-module 531, configured to determine whether the device identification of the terminal device is in the device registry;
an eighth determination sub-module 532, configured to determine that the device identification authentication of the terminal device passes if the seventh determination sub-module 531 determines that the device identification is in the device registry;
a third prompting sub-module 533, configured to issue a security prompt for the data access request and forbid the terminal device to access the data corresponding to the data access request if the seventh determination sub-module 531 determines that the device identification is not in the device registry.
As shown in Fig. 6B, in one embodiment, the seventh determination sub-module 531 may include:
a ninth determination sub-module 5311, configured to determine the identity type of the device identification of the terminal device;
a tenth determination sub-module 5312, configured to determine whether the MAC address is present in the first list in the device registry if the ninth determination sub-module 5311 determines that the identity type is a medium access control (MAC) address;
an eleventh determination sub-module 5313, configured to determine whether the IMEI is present in the second list in the device registry if the ninth determination sub-module 5311 determines that the identity type is an International Mobile Equipment Identity (IMEI).
Fig. 7 is a block diagram of another data access device according to an exemplary embodiment. On the basis of the embodiments shown in Fig. 5 or Fig. 6, the device may further include:
an address assignment module 54, configured to allocate a LAN address to the terminal device when the terminal device accesses the LAN where the server is located;
an address binding module 55, configured to bind the LAN address allocated by the address assignment module 54 to the device identification of the terminal device.
In one embodiment, the device may further include:
a data identification module 56, configured to identify the data that the data access request accesses; when it is determined that the data accessed by the data access request are sensitive data, the first authentication module 51 performs the step of receiving the data access request from the terminal device.
With regard to the device in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the related method and is not elaborated here.
Fig. 8 is a block diagram of a device according to an exemplary embodiment, suitable for controlling an indicator light installed on a smart device. For example, device 800 may be provided as a smartphone or a tablet computer. Referring to Fig. 8, device 800 includes a processing component 822, which further includes one or more processors, and memory resources represented by memory 832 for storing instructions executable by processing component 822, such as application programs. The application programs stored in memory 832 may include one or more modules each corresponding to a set of instructions. In addition, processing component 822 is configured to execute instructions so as to perform the above data access method.
Device 800 may also include a power supply component 828 configured to perform power management of device 800, a wired or wireless network interface 850 configured to connect device 800 to a network, and an input/output (I/O) interface 858. Device 800 may operate based on an operating system stored in memory 832, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
Other embodiments of the disclosure will readily occur to those skilled in the art after considering the specification and practising the disclosure disclosed herein. This application is intended to cover any variations, uses or adaptations of the disclosure that follow its general principles and include common knowledge or conventional techniques in the art not disclosed herein. The description and embodiments are to be considered exemplary only, and the true scope and spirit of the disclosure are indicated by the following claims.
It should be appreciated that the present disclosure is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.
Claims (13)
- 1. A data access method, applied on a server, characterised in that the method includes: when a data access request from a terminal device is received, authenticating the user identifier corresponding to the data access request; after the user identifier authentication passes, authenticating the network location where the terminal device is located; after the network location authentication of the terminal device passes, authenticating the device identification of the terminal device and, if the device identification authentication passes, allowing the terminal device to access the data corresponding to the data access request; wherein authenticating the network location where the terminal device is located includes: determining the network IP address of the terminal device; determining whether the network IP address is an IP address within the LAN where the server is located; if it is an IP address within the LAN, determining that the terminal device passes location authentication; if it is not an IP address within the LAN, issuing a security prompt for the data access request and forbidding the terminal device to access the data corresponding to the data access request.
- 2. The method according to claim 1, characterised in that authenticating the user identifier corresponding to the data access request includes: determining a user rights list according to the data access request, the user rights list including multiple user identifiers and multiple different access rights corresponding to the multiple user identifiers; determining whether the user identifier is present among the multiple user identifiers; if the user identifier is present, determining that the user identifier has the right to access the data corresponding to the data access request; if the user identifier is not present, issuing a security prompt for the data access request and forbidding the terminal device to access the data corresponding to the data access request.
- 3. The method according to claim 1, characterised in that authenticating the device identification of the terminal device includes: determining whether the device identification of the terminal device is in a device registry; if the device identification is in the device registry, determining that the device identification authentication of the terminal device passes; if the device identification is not in the device registry, issuing a security prompt for the data access request and forbidding the terminal device to access the data corresponding to the data access request.
- 4. The method according to claim 3, characterised in that determining whether the device identification of the terminal device is in the device registry includes: determining the identity type of the device identification of the terminal device; if the identity type is a medium access control (MAC) address, determining whether the MAC address is present in a first list in the device registry; if the identity type is an International Mobile Equipment Identity (IMEI), determining whether the IMEI is present in a second list in the device registry.
- 5. The method according to claim 1, characterised in that the method further includes: when the terminal device accesses the LAN where the server is located, allocating a LAN address to the terminal device; and binding the LAN address to the device identification of the terminal device.
- 6. The method according to claim 1, characterised in that the method further includes: identifying the data that the data access request requests to access and, when it is determined that the data accessed by the data access request are sensitive data, performing the step of authenticating the user identifier corresponding to the data access request.
- 7. A data access device, applied on a server, characterised in that the device includes: a first authentication module, configured to authenticate, when a data access request from a terminal device is received, the user identifier corresponding to the data access request; a second authentication module, configured to authenticate the network location where the terminal device is located after the first authentication module has passed the user identifier authentication; a third authentication module, configured to authenticate the device identification of the terminal device after the second authentication module has passed the network location authentication of the terminal device and, if the device identification authentication passes, to allow the terminal device to access the data corresponding to the data access request; wherein the second authentication module includes: a fourth determination sub-module, configured to determine the network IP address of the terminal device; a fifth determination sub-module, configured to determine whether the network IP address determined by the fourth determination sub-module is an IP address within the LAN where the server is located; a sixth determination sub-module, configured to determine that the location authentication of the terminal device passes if the fifth determination sub-module determines that the network IP address is an IP address within the LAN; a second prompting sub-module, configured to issue a security prompt for the data access request and forbid the terminal device to access the data corresponding to the data access request if the fifth determination sub-module determines that the network IP address is not an IP address within the LAN.
- 8. The device according to claim 7, characterised in that the first authentication module includes: a first determination sub-module, configured to determine a user rights list according to the data access request, the user rights list including multiple user identifiers and multiple different access rights corresponding to the multiple user identifiers; a second determination sub-module, configured to determine whether the user identifier is present among the multiple user identifiers determined by the first determination sub-module; a third determination sub-module, configured to determine that the user identifier has the right to access the data corresponding to the data access request if the second determination sub-module determines that the user identifier is present; a first prompting sub-module, configured to issue a security prompt for the data access request and forbid the terminal device to access the data corresponding to the data access request if the second determination sub-module determines that the user identifier is not present.
- 9. The device according to claim 7, characterised in that the third authentication module includes: a seventh determination sub-module, configured to determine whether the device identification of the terminal device is in a device registry; an eighth determination sub-module, configured to determine that the device identification authentication of the terminal device passes if the seventh determination sub-module determines that the device identification is in the device registry; a third prompting sub-module, configured to issue a security prompt for the data access request and forbid the terminal device to access the data corresponding to the data access request if the seventh determination sub-module determines that the device identification is not in the device registry.
- 10. The device according to claim 9, characterised in that the seventh determination sub-module includes: a ninth determination sub-module, configured to determine the identity type of the device identification of the terminal device; a tenth determination sub-module, configured to determine whether the MAC address is present in a first list in the device registry if the ninth determination sub-module determines that the identity type is a medium access control (MAC) address; an eleventh determination sub-module, configured to determine whether the IMEI is present in a second list in the device registry if the ninth determination sub-module determines that the identity type is an International Mobile Equipment Identity (IMEI).
- 11. The device according to claim 7, characterised in that the device further includes: an address assignment module, configured to allocate a LAN address to the terminal device when the terminal device accesses the LAN where the server is located; an address binding module, configured to bind the LAN address to the device identification of the terminal device.
- 12. The device according to claim 7, characterised in that the device further includes: a data identification module, configured to identify the data that the data access request accesses; when it is determined that the data accessed by the data access request are sensitive data, the first authentication module performs the step of authenticating the user identifier corresponding to the data access request.
- 13. A data access device, applied on a server, characterised in that the device includes: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to: when a data access request from a terminal device is received, authenticate the user identifier corresponding to the data access request; after the user identifier authentication passes, authenticate the network location where the terminal device is located; after the network location authentication of the terminal device passes, authenticate the device identification of the terminal device and, if the device identification authentication passes, allow the terminal device to access the data corresponding to the data access request; wherein authenticating the network location where the terminal device is located includes: determining the network IP address of the terminal device; determining whether the network IP address is an IP address within the LAN where the server is located; if it is an IP address within the LAN, determining that the terminal device passes location authentication; if it is not an IP address within the LAN, issuing a security prompt for the data access request and forbidding the terminal device to access the data corresponding to the data access request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510138114.7A CN104717223B (en) | 2015-03-26 | 2015-03-26 | Data access method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510138114.7A CN104717223B (en) | 2015-03-26 | 2015-03-26 | Data access method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104717223A CN104717223A (en) | 2015-06-17 |
CN104717223B true CN104717223B (en) | 2018-05-08 |
Family
ID=53416184
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510138114.7A Active CN104717223B (en) | 2015-03-26 | 2015-03-26 | Data access method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104717223B (en) |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105391686A (en) * | 2015-10-15 | 2016-03-09 | 桂林电子科技大学 | Data access method and data access device |
US10609042B2 (en) * | 2016-02-15 | 2020-03-31 | Cisco Technology, Inc. | Digital data asset protection policy using dynamic network attributes |
CN107317792B (en) * | 2016-03-30 | 2020-10-30 | 阿里巴巴集团控股有限公司 | Method and equipment for realizing access control in virtual private network |
CN107517176A (en) * | 2016-06-15 | 2017-12-26 | 杭州昕派科技有限公司 | File security delivery system and method based on Bluetooth beacon |
CN106375332A (en) * | 2016-09-23 | 2017-02-01 | 北京巨龟科技有限责任公司 | Network safe browsing method and device |
CN107948125A (en) * | 2016-10-13 | 2018-04-20 | 腾讯科技(深圳)有限公司 | A kind of processing method and processing device of network attack |
CN107465688B (en) * | 2017-09-04 | 2020-09-11 | 广西电网有限责任公司电力科学研究院 | Method for identifying network application permission of state monitoring and evaluating system |
CN107911340B (en) * | 2017-10-25 | 2020-08-28 | 平安普惠企业管理有限公司 | Login verification method, device and equipment of application program and storage medium |
CN108881309A (en) * | 2018-08-14 | 2018-11-23 | 北京奇虎科技有限公司 | Access method, device, electronic equipment and the readable storage medium storing program for executing of big data platform |
CN110071932B (en) * | 2019-04-29 | 2021-10-08 | 云深互联(北京)科技有限公司 | Safety access system and method |
CN110232292A (en) * | 2019-05-06 | 2019-09-13 | 平安科技(深圳)有限公司 | Data access authority authentication method, server and storage medium |
CN111181831B (en) * | 2019-06-10 | 2021-08-06 | 腾讯科技(深圳)有限公司 | Communication data processing method and device, storage medium and electronic device |
CN110768972B (en) * | 2019-10-17 | 2022-02-18 | 中国联合网络通信集团有限公司 | Security verification method and router |
CN111666578B (en) * | 2020-06-08 | 2023-06-30 | 北京百度网讯科技有限公司 | Data management method, device, electronic equipment and computer readable storage medium |
CN111953664B (en) * | 2020-07-27 | 2022-07-08 | 新浪网技术(中国)有限公司 | User request verification method and system based on variable security level |
CN114036223A (en) * | 2020-11-13 | 2022-02-11 | 武汉联影医疗科技有限公司 | Medical information management method, system, apparatus, computer device and storage medium |
CN114915498B (en) * | 2022-07-14 | 2022-09-27 | 国网思极网安科技(北京)有限公司 | Safety access gateway based on secret key protection |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101355564A (en) * | 2008-09-19 | 2009-01-28 | 广东南方信息安全产业基地有限公司 | Method for implementing credible LAN and internet |
CN101375626A (en) * | 2006-01-31 | 2009-02-25 | 微软公司 | Determining the network location of a user device based on transmitter fingerprints |
CN101789906A (en) * | 2010-02-24 | 2010-07-28 | 杭州华三通信技术有限公司 | Method and system for access authentication of user |
CN101980233A (en) * | 2010-10-15 | 2011-02-23 | 上海聚力传媒技术有限公司 | Method and equipment for authenticating service based on equipment identifier |
CN102421097A (en) * | 2010-09-27 | 2012-04-18 | 中国移动通信集团公司 | User authorization method, device and system |
CN102916949A (en) * | 2012-10-11 | 2013-02-06 | 北京东土科技股份有限公司 | Web authentication method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9172686B2 (en) * | 2007-09-28 | 2015-10-27 | Alcatel Lucent | Facilitating heterogeneous authentication for allowing network access |
-
2015
- 2015-03-26 CN CN201510138114.7A patent/CN104717223B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101375626A (en) * | 2006-01-31 | 2009-02-25 | 微软公司 | Determining the network location of a user device based on transmitter fingerprints |
CN101355564A (en) * | 2008-09-19 | 2009-01-28 | 广东南方信息安全产业基地有限公司 | Method for implementing credible LAN and internet |
CN101789906A (en) * | 2010-02-24 | 2010-07-28 | 杭州华三通信技术有限公司 | Method and system for access authentication of user |
CN102421097A (en) * | 2010-09-27 | 2012-04-18 | 中国移动通信集团公司 | User authorization method, device and system |
CN101980233A (en) * | 2010-10-15 | 2011-02-23 | 上海聚力传媒技术有限公司 | Method and equipment for authenticating service based on equipment identifier |
CN102916949A (en) * | 2012-10-11 | 2013-02-06 | 北京东土科技股份有限公司 | Web authentication method and device |
Non-Patent Citations (1)
Title |
---|
Analysis of a Security Identity Authentication System for Campus Network Users; Zhang Yi, Gao Donghuai, Xu Weizhong, Xu Hao; Hospital Digitalization (《医院数字化》); 2008-04-30; Vol. 29 (No. 4); pp. 42-44 * |
Also Published As
Publication number | Publication date |
---|---|
CN104717223A (en) | 2015-06-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104717223B (en) | Data access method and device | |
JP6426189B2 (en) | System and method for biometric protocol standard | |
CN104683336B (en) | A kind of Android private data guard method and system based on security domain | |
US8832796B2 (en) | Wireless communication terminal, method for protecting data in wireless communication terminal, program for having wireless communication terminal protect data, and recording medium storing the program | |
CN104823196B (en) | Hardware based device authentication | |
CN100568212C (en) | Shielding system and partition method | |
US6938167B2 (en) | Using trusted communication channel to combat user name/password theft | |
CN104813328A (en) | Trusted container | |
US11856015B2 (en) | Anomalous action security assessor | |
CN101355556A (en) | Authentication information processing device, authentication information processing method, storage medium, and data signal | |
EP4242891A2 (en) | Systems and methods for securing login access | |
KR101441581B1 (en) | Multi-layer security apparatus and multi-layer security method for cloud computing environment | |
KR20160055130A (en) | Method and system related to authentication of users for accessing data networks | |
US9516059B1 (en) | Using mock tokens to protect against malicious activity | |
CN113992414B (en) | Data access method, device and equipment | |
US20200036525A1 (en) | Method for determining approval for access to gate through network, and server and computer-readable recording media using the same | |
KR101263423B1 (en) | Log in confirmation service implementation method for mobile terminal | |
CN101324913B (en) | Method and apparatus for protecting computer file | |
KR101212509B1 (en) | System and method for service control | |
CN108205630A (en) | Resource access method and device based on SeLinux under a kind of multi-user | |
WO2017153990A1 (en) | System and method for device authentication using hardware and software identifiers | |
CN106250758A (en) | A kind of storage device connection control method and system | |
CN109981611A (en) | A kind of safety defense method and device of multi-platform account | |
CN105743883B (en) | A kind of the identity attribute acquisition methods and device of network application | |
CN112291786A (en) | Wireless access point control method, computer device, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |