CN105933315A - Network service security communication method, device and system - Google Patents


Publication number: CN105933315A
Authority: CN (China)
Prior art keywords: client, key, target data, service, access request
Legal status: Granted
Application number: CN201610251351.9A
Other languages: Chinese (zh)
Other versions: CN105933315B (en)
Inventors: 仇伟民, 戴鸿君, 于治楼
Current assignee: Inspur Group Co Ltd
Original assignee: Inspur Group Co Ltd
Priority: CN201610251351.9A; publications: CN105933315A (application), CN105933315B (grant); legal status: active.

Classifications

    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption


Abstract

The invention provides a network service security communication method, device and system. The method is applied in an information server and comprises the following steps: a service protocol is set up and configured between the information server and a client, and a service key is set for the information server; registration information sent by the client is received, and access rights are configured for the registration information; a client key and a digital certificate carrying a digital signature are generated for the client and sent to it; and when an access request sent by the client is received, the client's access rights are determined according to the client key and digital certificate carried in the access request, the target data are determined, encrypted with the service key, and the encrypted target data are sent to the client. With this scheme the security of end-to-end information transmission can be guaranteed.

Description

Network service security communication method, device and system
Technical field
The present invention relates to the field of computer technology, and in particular to a network service security communication method, device and system.
Background technology
With the development of Internet technology and applications, end-to-end distributed network applications (such as e-commerce and e-government) have become a highly important direction of development. For end-to-end distributed applications, network services (web services) are the basis on which information transmission is realized, so achieving secure communication for network services is particularly important.
At present, network service security communication technology mainly protects the information transmitted between the various application layers, that is, it protects information transmission between the transport layer and the network layer. However, existing network service security communication technology cannot guarantee the security of end-to-end information transmission.
Summary of the invention
Embodiments of the invention provide a network service security communication method, device and system that guarantee the security of end-to-end information transmission.
A network service security communication method, applied in an information server, sets up a service protocol, configures the service protocol between the information server and a client, and sets a service key for the information server; the method further includes:
receiving registration information sent by the client, and configuring access rights for the registration information according to characteristic characters in the registration information;
generating, according to the access rights, a client key and a digital certificate carrying a digital signature for the client;
sending the client key and the digital certificate to the client;
when an access request sent by the client is received, determining the client's access rights according to the client key and digital certificate carried in the access request, determining the target data according to the access rights and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client.
Preferably, generating the client key and digital certificate for the client includes: generating a common client key and a common digital certificate for clients that have the same access rights.
Preferably, generating the client key and digital certificate for the client includes: generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key.
Preferably, generating the client key and digital certificate for the client includes: generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, timestamp and lifetime in the access request.
Preferably, after generating the client key and digital certificate for the client and before sending them to the client, the method further includes: generating a registration link code corresponding to the access rights, and encrypting the registration link code into the client key;
and determining the client's access rights includes: parsing the registration link code out of the client key, the registration link code being linked to the information associated with the access rights.
Preferably, determining the client's access rights according to the client key and digital certificate carried in the access request includes: using the service key to parse out the client's digital signature from the client key and digital certificate, judging whether the digital signature is consistent with the digital signature stored by the information server, and if so, determining the client's access rights.
Preferably, the method further includes:
controlling the client to obtain, from a timestamp server, an encrypted timestamp corresponding to the access request;
receiving the access request sent by the client and the encrypted timestamp corresponding to the access request;
decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and if so, performing the step of determining the client's access rights.
Preferably, after determining the target data and before encrypting the target data with the service key, the method further includes:
receiving the timestamp corresponding to the target data sent by the timestamp server, and encrypting the timestamp corresponding to the target data with the service key;
and sending the encrypted target data to the client includes: sending the encrypted target data together with the timestamp corresponding to the target data to the client.
A network service security communication device, applied in an information server, includes:
a setting unit, for setting up the service protocol and setting the service key for the information server;
a configuration unit, for configuring the service protocol set up by the setting unit between the information server and an external client, receiving the registration information sent by the external client, and configuring access rights for the registration information according to characteristic characters in the registration information;
a generation and sending unit, for generating, according to the access rights configured by the configuration unit, a client key and a digital certificate carrying a digital signature for the external client, and sending the client key and digital certificate to the external client;
a data sending unit, for, when an access request sent by the external client is received, parsing out the client key and digital certificate carried in the external client's access request and, when they are consistent with the signed client key and digital certificate generated and sent by the generation and sending unit, determining the client's access rights, determining the target data according to the access rights and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the external client.
Preferably, the generation and sending unit generates a common client key and a common digital certificate for external clients that have the same access rights.
Preferably, the generation and sending unit generates a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key.
Preferably, the generation and sending unit generates a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, timestamp and lifetime in the access request.
Preferably, the device further includes a control unit, wherein:
the control unit controls the client to obtain, from the timestamp server, the encrypted timestamp corresponding to the access request, and sends the encrypted timestamp corresponding to the access request to the data sending unit;
the data sending unit further receives the access request sent by the external client and the encrypted timestamp corresponding to the access request sent by the control unit, decrypts the encrypted timestamp with the service key, judges whether the timestamp is consistent with the time at which the access request was received, and if so, performs the determination of the client's access rights.
Preferably, the data sending unit further receives the timestamp corresponding to the target data sent by an external timestamp server, encrypts the timestamp corresponding to the target data with the service key, and sends the encrypted target data together with the timestamp corresponding to the target data to the external client.
A network service security communication system includes an information server with any one of the above network service security communication devices, at least one client, and a timestamp server, wherein:
each of the at least one client sends registration information and access requests to the network service security communication device in the information server, and receives the client key and digital certificate and the encrypted target data sent by the network service security communication device; it also receives the timestamp sent by the timestamp server, encrypts the timestamp, and sends the encrypted timestamp to the network service security communication device;
the timestamp server sends timestamps to the client and to the network service security communication device respectively.
Embodiments of the invention provide a network service security communication method, device and system. The method sets up a service protocol and configures it between the information server and the client, which establishes end-to-end communication; sets a service key for the information server; receives the registration information sent by the client and configures access rights for it according to the characteristic characters in the registration information; generates, according to the access rights, a client key and a digital certificate carrying a digital signature for the client; and sends the client key and digital certificate to the client, so that configuring access rights already guarantees the security of the information to a certain extent. When an access request sent by the client is received, the client's access rights are determined according to the client key and digital certificate carried in the access request, the target data are determined according to the access rights and the information request in the access request, the target data are encrypted with the service key, and the encrypted target data are sent to the client. That is, the transmitted data are encrypted so that data transmitted end to end (from server to client) are secure, which guarantees the security of end-to-end information transmission.
Accompanying drawing explanation
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a network service security communication method provided by one embodiment of the invention;
Fig. 2 is a flow chart of a network service security communication method provided by another embodiment of the invention;
Fig. 3 is a schematic structural diagram of the hardware architecture in which a network service security communication device provided by one embodiment of the invention is located;
Fig. 4 is a schematic structural diagram of a network service security communication device provided by one embodiment of the invention;
Fig. 5 is a schematic structural diagram of a network service security communication device provided by another embodiment of the invention;
Fig. 6 is a schematic structural diagram of a network service security communication system provided by one embodiment of the invention.
Detailed description of the invention
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention; all other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a network service security communication method, applied in an information server, which may include the following steps:
Step 101: set up a service protocol, configure the service protocol between the information server and the client, and set a service key for the information server;
Step 102: receive the registration information sent by the client, and configure access rights for the registration information according to characteristic characters in it;
Step 103: according to the access rights, generate a client key and a digital certificate carrying a digital signature for the client;
Step 104: send the client key and digital certificate to the client;
Step 105: when an access request sent by the client is received, determine the client's access rights according to the client key and digital certificate carried in the access request;
Step 106: determine the target data according to the access rights and the information request in the access request, encrypt the target data with the service key, and send the encrypted target data to the client.
In the embodiment shown in Fig. 1, a service protocol is set up and configured between the information server and the client, which establishes end-to-end communication; a service key is set for the information server; the registration information sent by the client is received and access rights are configured for it according to the characteristic characters in the registration information; a client key and a digital certificate carrying a digital signature are generated for the client according to the access rights; and the client key and digital certificate are sent to the client, so that configuring access rights already guarantees the security of the information to a certain extent. When an access request sent by the client is received, the client's access rights are determined according to the client key and digital certificate carried in the access request, the target data are determined according to the access rights and the information request in the access request, the target data are encrypted with the service key, and the encrypted target data are sent to the client. That is, the transmitted data are encrypted so that data transmitted end to end (from server to client) are secure, which guarantees the security of end-to-end information transmission.
In one embodiment of the invention, to prevent the keys and digital certificates from affecting data transmission efficiency, step 103 is implemented by generating a common client key and a common digital certificate for clients that have the same access rights.
In one embodiment of the invention, to increase the security of the key and digital certificate, step 103 is implemented by generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key.
In one embodiment of the invention, to increase the security of the key and digital certificate further and to prevent them from being cracked, step 103 is implemented by generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, timestamp and lifetime in the access request.
In one embodiment of the invention, to provide access rights to the client accurately, the method further includes, after step 103 and before step 104: generating a registration link code corresponding to the access rights and encrypting the registration link code into the client key. Step 105 is then implemented by parsing the registration link code out of the client key, the registration link code being linked to the information associated with the access rights.
In one embodiment of the invention, to ensure the legitimacy of the access rights, step 105 is implemented by using the service key to parse out the client's digital signature from the client key and digital certificate, judging whether the digital signature is consistent with the digital signature stored by the information server, and if so, determining the client's access rights.
In one embodiment of the invention, to further ensure the legitimacy of the access rights, the method further includes: controlling the client to obtain, from the timestamp server, the encrypted timestamp corresponding to the access request; receiving the access request sent by the client and the encrypted timestamp corresponding to it; decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and if so, performing step 105.
In one embodiment of the invention, to prevent the timestamp from being maliciously tampered with while also using the timestamp to guarantee the security of the data, step 106 further includes, after determining the target data and before encrypting it with the service key: receiving the timestamp corresponding to the target data sent by the timestamp server, and encrypting the timestamp corresponding to the target data with the service key. Sending the encrypted target data to the client then includes sending the encrypted target data together with the timestamp corresponding to the target data.
To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the invention provides a network service security communication method, applied in an information server, which may include the following steps:
Step 201: set up a service protocol, configure the service protocol between the information server and the client, and set a service key for the information server;
In this step, to achieve end-to-end communication, an end-to-end communication protocol such as the SOAP protocol can be set up. The service key set in this step can be obtained by computing a hash value with a hash algorithm and encrypting the hash value, or simply by generating a character string of a certain length from the file header and file permissions, and so on. The service key can encrypt data with different encryption modes according to the client's requirements, and can also decrypt the information in the client key sent by the client.
Step 202: receive the registration information sent by the client, and configure access rights for the registration information according to characteristic characters in it;
The registration information may contain a registration account number and a registration password, and so on. The characteristic characters in this step may be characters specific to different levels, and so on. For example, in a school's student management system, a student's student number carries characteristic characters for the grade and the department, and a staff member's staff number carries characteristic characters for the rank of the teaching and administrative staff; corresponding access rights can thus be configured according to these characteristic characters.
Step 203: according to the access rights, generate a client key and a digital certificate carrying a digital signature for the client, and store the digital signature in the information server;
In this step, the client key and digital certificate may be generated by: generating a common client key and a common digital certificate for clients that have the same access rights; or generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key; or generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, timestamp and lifetime in the access request.
Step 204: generate a registration link code corresponding to the access rights, and encrypt the registration link code into the client key;
The registration link code generated in this step can be linked directly to the corresponding rights information, so the access rights can be located accurately; at the same time, the rights information can be found more quickly through the registration link code. Since in a subsequent step the client needs to send the client key to the information server, the access rights can be located directly by parsing the registration link code out of the client key.
Step 205: send the client key and digital certificate to the client;
Step 206: when the client sends an access request, control the client to obtain, from the timestamp server, the encrypted timestamp corresponding to the access request;
Step 207: receive the access request sent by the client and the encrypted timestamp corresponding to it;
Step 208: decrypt the encrypted timestamp with the service key, and judge whether the decrypted timestamp is consistent with the time at which the access request was received; if so, perform step 209; otherwise, perform step 217;
The timestamp referred to in steps 206 to 208 is the timestamp of the sending of the access request, and it gives the precise time at which the access request was sent. The time at which the access request arrives at the information server should be roughly the same as its sending time, or within an acceptable time difference. If the sending time and the receiving time are inconsistent, the access message may have been intercepted and tampered with in transit. The timestamp is encrypted to prevent it from being maliciously tampered with, which would affect the accuracy with which the information server judges the security or legitimacy of the access request.
Step 209: use the service key to parse out the client's digital signature from the client key and digital certificate, and judge whether the digital signature is consistent with the digital signature stored by the information server; if so, perform step 210; otherwise, perform step 217;
In this step, both the client key and the digital certificate are verified, which further ensures the security of the access request.
Step 210: parse the registration link code out of the client key; the registration link code is linked to the information associated with the access rights;
Step 211: according to the information request in the access request, determine the target data within the information covered by the access rights;
Step 212: receive the timestamp corresponding to the target data sent by the timestamp server;
The timestamp in this step is the timestamp of the sending of the target data. It is compared with the time at which the client receives the target data: if the times are consistent or within the allowed time difference, the target data are secure; if they are inconsistent or outside the allowed time difference, the target data were maliciously tampered with in transit.
Step 213: encrypt the target data and the timestamp corresponding to the target data with the service key;
This encryption prevents data leakage if the target data and timestamp are intercepted.
Step 214: send the encrypted target data and the timestamp corresponding to the target data to the client;
Step 215: the client receives the encrypted target data and the timestamp corresponding to the target data;
Step 216: the client decrypts the encrypted target data and the timestamp corresponding to the target data with the client key, and the current process ends;
Step 217: refuse to provide the target data for the access request.
Encryption is applied throughout the transmission of the data and of the access request. Moreover, the client can hold its own private key, and the information server, according to the private key held by the client, uses the service public key to decrypt the access request and to encrypt the target data, thereby achieving and guaranteeing secure network service communication.
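The registration and access flow described in the summary above and in steps 201 to 217, as an added simulation that is not part of the patent. Everything concrete is an assumption made here: the "digital signature" is an HMAC-SHA256 under the service key, the "encryption" is a stand-in encrypt-then-MAC construction over HMAC-SHA256 (a deployment would use a real AEAD), the timestamp server shares the service key so the server can decrypt the stamps it issues, the client key carries a per-client key plus the sealed registration link code, the tolerance window is 30 seconds, and the account numbers and rights table are constructed.

```python
"""Added simulation of the CN105933315A access flow; not the patent's own code.
Constructed assumptions: keys are 32 random bytes; the "digital signature" is an
HMAC-SHA256 under the service key; "encryption" is a stand-in encrypt-then-MAC built
from HMAC-SHA256 (a deployment would use an AEAD such as AES-GCM); the timestamp
server shares the service key; the acceptable time difference is 30 seconds."""
import hashlib, hmac, json, secrets

TOLERANCE = 30.0  # seconds between stamp and receive time before a request is refused


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, XORed over the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, the tag covering nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; any modification raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered with")
    return _keystream_xor(key, nonce, ct)


class TimestampServer:
    def __init__(self, service_key: bytes):
        self.service_key = service_key

    def encrypted_stamp(self, now: float) -> bytes:  # step 206: stamp sealed for the server
        return seal(self.service_key, repr(now).encode())


class InformationServer:
    # Constructed rights table: the first character of the account number is the
    # "characteristic character" (S = student, T = teaching/administrative staff).
    RIGHTS_BY_CHAR = {"S": "student", "T": "staff"}
    DATA = {"student": {"timetable": "Mon 09:00 room 12"},
            "staff": {"timetable": "Mon 09:00 room 12", "payroll": "grade 7"}}

    def __init__(self, ts_server: TimestampServer, service_key: bytes):
        self.service_key, self.ts = service_key, ts_server  # step 201
        self.signatures = {}  # account -> digital signature stored by the server
        self.links = {}       # registration link code -> access rights

    def _sign(self, account: str, rights: str) -> str:
        return hmac.new(self.service_key, f"{account}|{rights}".encode(), hashlib.sha256).hexdigest()

    def register(self, reg: dict):
        """Steps 202-205: rights from the characteristic character, key, cert, link code."""
        account = reg["account"]
        rights = self.RIGHTS_BY_CHAR[account[0]]
        link = secrets.token_hex(8)
        self.links[link] = rights
        self.signatures[account] = self._sign(account, rights)
        cert = {"account": account, "rights": rights, "sig": self.signatures[account]}
        # client key = 32-byte per-client key || link code sealed under the service key
        client_key = secrets.token_bytes(32) + seal(self.service_key, link.encode())
        return client_key, cert

    def handle(self, req: dict, now: float):
        """Steps 207-214; every failed check is step 217 (refuse: return None)."""
        try:
            stamp = float(unseal(self.service_key, req["enc_ts"]).decode())
            link = unseal(self.service_key, req["client_key"][32:]).decode()
        except ValueError:
            return None
        if abs(stamp - now) > TOLERANCE:  # step 208: stamp vs. receive time
            return None
        cert = req["cert"]
        stored = self.signatures.get(cert["account"])  # step 209: signature check
        recomputed = self._sign(cert["account"], cert["rights"])
        if stored is None or not hmac.compare_digest(recomputed, stored) or cert["sig"] != stored:
            return None
        rights = self.links.get(link)  # step 210: link code -> rights
        if rights != cert["rights"]:
            return None
        item = req["want"]  # step 211: target data within the granted rights
        if item not in self.DATA[rights]:
            return None
        payload = {"data": self.DATA[rights][item], "ts": now}  # steps 212-214
        return seal(req["client_key"][:32], json.dumps(payload).encode())


class Client:
    def __init__(self, account: str, server: InformationServer, ts: TimestampServer):
        self.server, self.ts = server, ts
        self.client_key, self.cert = server.register({"account": account, "password": "x"})

    def fetch(self, item: str, now: float):
        """Steps 206 and 215-216: send the request, decrypt, check the data stamp."""
        req = {"client_key": self.client_key, "cert": self.cert,
               "enc_ts": self.ts.encrypted_stamp(now), "want": item}
        resp = self.server.handle(req, now)
        if resp is None:
            return None
        msg = json.loads(unseal(self.client_key[:32], resp))
        return msg["data"] if abs(msg["ts"] - now) <= TOLERANCE else None
```

A stale stamp, a certificate whose rights field has been altered, or a flipped bit in the sealed stamp all end in step 217, while a client can only obtain items within the rights its registration link code maps to.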
As shown in Figures 3 and 4, an embodiment of the invention provides a network service secure communication device. The device embodiment may be implemented in software, in hardware, or in a combination of the two. At the hardware level, Figure 3 is a hardware structure diagram of the equipment on which the device of this embodiment resides; besides the processor, memory, network interface and non-volatile memory shown in Figure 3, that equipment may in general also include other hardware, such as a forwarding chip responsible for processing messages. Taking a software implementation as an example, as shown in Figure 4, the device in the logical sense is formed by the CPU of the equipment reading the corresponding computer program instructions from the non-volatile memory into memory and running them. The network service secure communication device provided by this embodiment is applied in an information server and includes:
a setting unit 401, for setting the service agreement and for setting a service key for the information server;
a configuration unit 402, for configuring the service agreement set by the setting unit 401 between the information server and an external client, for receiving the registration information sent by the external client, and for configuring access rights for that registration information according to the characteristic characters it contains;
a generating and sending unit 403, for generating, according to the access rights configured by the configuration unit 402, a client key and a digital certificate carrying a digital signature for that external client, and for sending the client key and the digital certificate to the external client;
a data transmission unit 404, for, when an access request sent by the external client is received, parsing the client key and digital certificate carried in that access request, checking that they are consistent with the signed client key and digital certificate generated and sent by the generating and sending unit 403, determining the client's access rights, determining the target data according to those access rights and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the external client.
In another embodiment of the invention, the generating and sending unit 403 generates a common client key and a common digital certificate for the external clients that have identical access rights.
In a further embodiment, the generating and sending unit 403 generates a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key.
In another embodiment, the generating and sending unit 403 generates a temporary client key and a temporary digital certificate for the external client according to the service key together with any one or more of the client identifier in the access request, a serial number, a random number, a timestamp and a lifetime.
As shown in Figure 5, in a further embodiment the device above further includes a control unit 501, wherein
the control unit 501 is for controlling the client to obtain from the timestamp server an encrypted timestamp corresponding to the access request, and for sending that encrypted timestamp to the data transmission unit 404;
the data transmission unit 404 is further for receiving the access request sent by the external client and the corresponding encrypted timestamp sent by the control unit 501, decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and, if so, carrying out the determination of the client's access rights.
In another embodiment of the invention, the data transmission unit 404 is further for receiving the timestamp corresponding to the target data sent by the external timestamp server, encrypting that timestamp with the service key, and sending the encrypted target data together with its encrypted timestamp to the external client.
As shown in Figure 6, an embodiment of the invention provides a network service secure communication system including an information server 601 that carries any one of the network service secure communication devices 6011 described above, at least one client 602, and a timestamp server 603, wherein
each client 602 of the at least one client is for sending registration information and access requests to the network service secure communication device 6011 in the information server 601, for receiving the client key and digital certificate and the encrypted target data sent by the device 6011, and for receiving the timestamp sent by the timestamp server, encrypting that timestamp, and sending the encrypted timestamp to the device 6011;
the timestamp server 603 is for sending timestamps to the client 602 and to the network service secure communication device 6011 respectively.
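The following is an added example, not code from the patent, that models the flow of the device and system described above (units 401 to 404 and 501, and the system of Figure 6, which claims 1 to 10 restate) as a stand-alone Python program using only the standard library. Everything not named on the page is an assumption: the role-to-rights table that stands in for the "characteristic characters" of the registration information, the sample target data, the request layout, the request identifier, and the 30-second tolerance used when the decrypted timestamp is compared with the receipt time. Two choices deviate deliberately from a literal reading of the page and are named here: the client does not place the client key itself in the access request but proves possession of it with an HMAC over the request body, and the timestamp server is assumed to share the service key so that the information server can decrypt the timestamp as the description requires. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a stand-in for a vetted AEAD such as AES-GCM. The page also does not say how the client recovers target data encrypted under the service key; the example keeps the page's construction and decrypts that data only as a server-side self-check inside demo().

```python
import hashlib
import hmac
import json
import secrets

WINDOW_SECONDS = 30  # assumed tolerance between the timestamp and the time the request is received
RIGHTS_BY_ROLE = {"admin": "full", "staff": "internal", "guest": "public"}  # assumed rights table
TARGET_DATA = {"public": {"status": "ok"}, "internal": {"status": "ok", "queue_depth": 17},  # constructed
               "full": {"status": "ok", "queue_depth": 17, "audit_log": "/var/log/app/audit.log"}}

def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _keystream(key, nonce, n):
    blocks = range((n + 31) // 32)
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in blocks)[:n]

def encrypt(key, plaintext):  # nonce || ciphertext || tag; toy encrypt-then-MAC, use a real AEAD in production
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def encrypted_timestamp(service_key, request_id, now):  # timestamp server, assumed to share the service key
    return encrypt(service_key, _canon({"ts": now, "request_id": request_id}))

class InformationServer:
    def __init__(self):
        self.service_key = secrets.token_bytes(32)  # the service key set for this server
        self.issued = {}                            # client_id -> (client_key, certificate)
        self.seen_request_ids = set()               # replay guard in addition to the time window

    def _sign(self, client_key, cert):  # the server's signature over the key and the certificate body
        body = {k: v for k, v in cert.items() if k != "signature"}
        return hmac.new(self.service_key, client_key + _canon(body), hashlib.sha256).hexdigest()

    def register(self, registration, now, mode="private", lifetime=3600):
        client_id = registration["client_id"]
        rights = RIGHTS_BY_ROLE.get(registration.get("role"), "public")  # from the "characteristic characters"
        if mode == "common":     # one key per rights level, shared by all clients with those rights
            material = b"common|" + rights.encode()
        elif mode == "private":  # derived from the client identifier and the service key
            material = b"private|" + client_id.encode()
        else:                    # temporary: identifier, random number, timestamp and lifetime
            material = b"temp|" + client_id.encode() + secrets.token_bytes(16) + _canon([now, lifetime])
        client_key = hmac.new(self.service_key, material, hashlib.sha256).digest()
        cert = {"subject": rights if mode == "common" else client_id, "rights": rights,
                "mode": mode, "expires": int(now) + lifetime}
        cert["signature"] = self._sign(client_key, cert)
        self.issued[client_id] = (client_key, cert)
        return client_key, cert

    def handle_request(self, request, received_at):
        if request["client_id"] not in self.issued:
            return {"error": "unknown client"}
        client_key, cert = self.issued[request["client_id"]][0], request["cert"]
        if not hmac.compare_digest(cert.get("signature", ""), self._sign(client_key, cert)):
            return {"error": "certificate signature mismatch"}  # the cert must be the one this server signed
        if cert["expires"] < received_at:
            return {"error": "certificate expired"}
        body = {k: request[k] for k in ("client_id", "request_id", "info_request")}
        if not hmac.compare_digest(request["mac"], hmac.new(client_key, _canon(body), hashlib.sha256).hexdigest()):
            return {"error": "request not authenticated by the client key"}
        try:
            stamp = json.loads(decrypt(self.service_key, request["enc_timestamp"]))
        except ValueError:
            return {"error": "timestamp undecryptable"}
        if stamp["request_id"] != request["request_id"] or abs(received_at - stamp["ts"]) > WINDOW_SECONDS:
            return {"error": "timestamp inconsistent with receipt time"}
        if request["request_id"] in self.seen_request_ids:
            return {"error": "replayed request"}
        self.seen_request_ids.add(request["request_id"])
        allowed = TARGET_DATA[cert["rights"]]  # rights are read from the verified certificate only
        target = {f: allowed[f] for f in request["info_request"] if f in allowed}
        return {"data": encrypt(self.service_key, _canon(target)),
                "data_timestamp": encrypted_timestamp(self.service_key, request["request_id"], received_at)}

def build_request(server, client_id, client_key, cert, info_request, now):  # client side
    request_id = secrets.token_hex(8)
    body = {"client_id": client_id, "request_id": request_id, "info_request": info_request}
    mac = hmac.new(client_key, _canon(body), hashlib.sha256).hexdigest()  # proof of possession of the client key
    return dict(body, cert=cert, mac=mac, enc_timestamp=encrypted_timestamp(server.service_key, request_id, now))

def demo(now=1_700_000_000.0):
    server = InformationServer()
    key, cert = server.register({"client_id": "cli-42", "role": "staff"}, now)
    req = build_request(server, "cli-42", key, cert, ["status", "queue_depth", "audit_log"], now)
    resp = server.handle_request(req, received_at=now + 2)
    released = json.loads(decrypt(server.service_key, resp["data"]))  # self-check with the server's own key
    replay = server.handle_request(req, received_at=now + 3)
    forged = server.handle_request(dict(req, cert=dict(cert, rights="full")), received_at=now + 4)
    return released, replay, forged
```

demo() registers a staff client, serves its request for three fields and returns only the two that "internal" rights cover (audit_log is silently omitted), then shows the same request refused as a replay and a copy whose certificate has its rights field changed to "full" refused because the signature no longer verifies. The ordering of the checks is the point a reviewer would look at: the signature over the certificate is verified before its rights field is trusted, and the replay set is consulted only after the certificate, the proof of possession and the timestamp have all passed, so unauthenticated traffic can never grow it.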
The exchange of information between the units of the device or the equipment of the system, and the processes they execute, are based on the same idea as the method embodiments of the invention; for the details, see the description of the method embodiments, which is not repeated here.
According to the above scheme, the embodiments of the invention have at least the following advantages:
1. A service agreement is set and configured between the information server and the client, through which end-to-end communication is achieved; a service key is set for the information server; the registration information sent by the client is received and access rights are configured for it according to the characteristic characters it contains; according to those access rights, a client key and a digital certificate carrying a digital signature are generated for the client and sent to it, and the configuration of access rights protects the information to a certain extent. When an access request sent by the client is received, the client's access rights are determined from the client key and digital certificate carried in the request, the target data is determined according to those rights and the information request in the access request, the target data is encrypted with the service key, and the encrypted target data is sent to the client. That is, the transmitted data is encrypted, so that data transmitted end to end (from the server to the client) is protected, and the security of end-to-end information transmission is ensured.
2. The embodiments of the invention verify the validity of the client by multiple checks, verifying the timestamp as well as the client key and the digital certificate, so as to ensure the security and legitimacy of the access request and further increase the security of the information transmission process; in addition, the client encrypts the access request and the information server encrypts the target data, which provides a secure end-to-end session.
3. A corresponding registration link code is generated for the access rights and encrypted into the client key; when an access request is received, the registration link code is parsed out of the client key and links directly to the information that the access rights cover, so there is no need to search for the information associated with the rights; on the basis of secure access, this effectively improves access efficiency.
4. The client key and digital certificate can be generated for the client in any of several ways: a common client key and common digital certificate for clients with identical access rights; a private client key and private digital certificate derived from the client identifier in the registration information and the service key; or a temporary client key and temporary digital certificate derived from the service key together with any one or more of the client identifier in the access request, a serial number, a random number, a timestamp and a lifetime. The mode can be chosen according to need, which gives flexibility while ensuring the security of the client key and digital certificate.
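As an added illustration (not code from the patent) of advantage 3 and of claim 3: a client key that carries the registration link code, so that the server maps the key straight to a rights level instead of looking the client up. The two-byte link codes, the rights table and the key layout (masked link code, 16 random bytes, HMAC-SHA256 tag under the service key) are assumptions made for the example. The practitioner's point is the integrity tag: a link code that the server trusts is an attacker-controlled field unless the key is sealed, so the server parses the code only after the tag verifies, and the deliberately unsafe variant below shows the privilege escalation that skipping that step permits.

```python
import hashlib
import hmac
import secrets

# assumed table: a two-byte registration link code stands for each rights level
RIGHTS_BY_LINK_CODE = {b"\x00\x01": "public", b"\x00\x02": "internal", b"\x00\x03": "full"}
LINK_CODE_BY_RIGHTS = {v: k for k, v in RIGHTS_BY_LINK_CODE.items()}
KEY_LENGTH = 2 + 16 + 32  # masked link code || random part || HMAC-SHA256 tag


def _mask(service_key, rand):
    # two keystream bytes for the link code, derived from the service key and the key's random part
    return hmac.new(service_key, b"link-code-mask" + rand, hashlib.sha256).digest()[:2]


def issue_client_key(service_key, rights):
    """Server side: encrypt the link code into the client key, then seal the whole key with a tag."""
    rand = secrets.token_bytes(16)
    masked = bytes(a ^ b for a, b in zip(LINK_CODE_BY_RIGHTS[rights], _mask(service_key, rand)))
    body = masked + rand
    return body + hmac.new(service_key, body, hashlib.sha256).digest()


def rights_from_client_key(service_key, client_key):
    """Server side: verify the tag first, then parse the link code out and map it straight to the rights."""
    if len(client_key) != KEY_LENGTH:
        return None
    body, tag = client_key[:18], client_key[18:]
    if not hmac.compare_digest(tag, hmac.new(service_key, body, hashlib.sha256).digest()):
        return None  # tampered key, or a key issued under a different service key
    masked, rand = body[:2], body[2:]
    link_code = bytes(a ^ b for a, b in zip(masked, _mask(service_key, rand)))
    return RIGHTS_BY_LINK_CODE.get(link_code)


def rights_without_tag_check(service_key, client_key):
    """What not to do: parse the link code without verifying the tag (kept only to show the failure)."""
    masked, rand = client_key[:2], client_key[2:18]
    return RIGHTS_BY_LINK_CODE.get(bytes(a ^ b for a, b in zip(masked, _mask(service_key, rand))))


def demo():
    service_key = secrets.token_bytes(32)
    key = issue_client_key(service_key, "internal")
    tampered = key[:1] + bytes([key[1] ^ 0x01]) + key[2:]  # under the mask this turns \x00\x02 into \x00\x03
    return (rights_from_client_key(service_key, key),              # 'internal'
            rights_from_client_key(service_key, tampered),         # None: the tag does not verify
            rights_without_tag_check(service_key, tampered),       # 'full': silent privilege escalation
            rights_from_client_key(secrets.token_bytes(32), key))  # None: issued under another service key
```

Because the link code is XOR-masked with a keystream, flipping one bit of the masked byte flips the same bit of the decoded code, which is exactly why the tag has to cover the masked code and the random part together and be checked before anything is decoded.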
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relation or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variant of them are intended to be non-exclusive, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Absent further restriction, an element defined by the phrase "includes a" does not exclude the presence of further identical elements in the process, method, article or device that includes it.
A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be performed by hardware directed by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; and the storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above are merely preferred embodiments of the invention, intended only to illustrate its technical scheme and not to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention falls within the scope of protection of the invention.

Claims (10)

1. A network service secure communication method, characterised in that it is applied in an information server, a service agreement is set, the service agreement is configured between the information server and a client, a service key is set for the information server, and the method further includes:
receiving registration information sent by the client, and configuring access rights for the registration information according to the characteristic characters in it;
generating, according to the access rights, a client key and a digital certificate carrying a digital signature for the client;
sending the client key and the digital certificate to the client;
when an access request sent by the client is received, determining the client's access rights according to the client key and digital certificate carried in the access request, determining target data according to the access rights and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client.
2. The method according to claim 1, characterised in that generating the client key and digital certificate for the client includes:
generating a common client key and a common digital certificate for clients that have identical access rights;
or,
generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key;
or,
generating a temporary client key and a temporary digital certificate for the external client according to the service key together with any one or more of the client identifier in the access request, a serial number, a random number, a timestamp and a lifetime.
3. The method according to claim 1, characterised in that
after generating the client key and digital certificate for the client and before sending the client key and digital certificate to the client, the method further includes: generating a registration link code corresponding to the access rights, and encrypting the registration link code into the client key;
and determining the client's access rights includes: parsing the registration link code out of the client key, the registration link code linking to the information covered by the access rights;
and/or,
determining the client's access rights according to the client key and digital certificate carried in the access request includes: parsing the client's digital signature out of the client key and digital certificate using the service key, judging whether that digital signature is consistent with the digital signature stored by the information server, and, if so, determining the client's access rights.
4. The method according to claim 1, characterised in that it further includes:
controlling the client to obtain from a timestamp server an encrypted timestamp corresponding to the access request;
receiving the access request sent by the client and the encrypted timestamp corresponding to that access request;
decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and, if so, performing the determination of the client's access rights.
5. The method according to claim 4, characterised in that after determining the target data and before encrypting the target data with the service key, the method further includes:
receiving the timestamp corresponding to the target data sent by the timestamp server, and encrypting that timestamp with the service key;
and sending the encrypted target data to the client includes: sending the encrypted target data together with the encrypted timestamp corresponding to it to the client.
6. A network service secure communication device, characterised in that it is applied in an information server and includes:
a setting unit, for setting a service agreement and for setting a service key for the information server;
a configuration unit, for configuring the service agreement set by the setting unit between the information server and an external client, receiving the registration information sent by the external client, and configuring access rights for the registration information according to the characteristic characters in it;
a generating and sending unit, for generating, according to the access rights configured by the configuration unit, a client key and a digital certificate carrying a digital signature for that external client, and sending the client key and the digital certificate to the external client;
a data transmission unit, for, when an access request sent by the external client is received, parsing the client key and digital certificate carried in the access request, checking that they are consistent with the signed client key and digital certificate generated and sent by the generating and sending unit, determining the client's access rights, determining target data according to the access rights and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the external client.
7. The device according to claim 6, characterised in that the generating and sending unit is for:
generating a common client key and a common digital certificate for external clients that have identical access rights;
or,
generating a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key;
or,
generating a temporary client key and a temporary digital certificate for the external client according to the service key together with any one or more of the client identifier in the access request, a serial number, a random number, a timestamp and a lifetime.
8. The device according to claim 6, characterised in that it further includes a control unit, wherein
the control unit is for controlling the client to obtain from a timestamp server an encrypted timestamp corresponding to the access request, and for sending that encrypted timestamp to the data transmission unit;
the data transmission unit is further for receiving the access request sent by the external client and the corresponding encrypted timestamp sent by the control unit, decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and, if so, performing the determination of the client's access rights.
9. The device according to claim 8, characterised in that the data transmission unit is further for:
receiving the timestamp corresponding to the target data sent by the external timestamp server, encrypting that timestamp with the service key, and sending the encrypted target data together with the encrypted timestamp corresponding to it to the external client.
10. A network service secure communication system, characterised in that it includes an information server having the network service secure communication device of any one of claims 6 to 9, at least one client, and a timestamp server, wherein
each client of the at least one client is for sending registration information and access requests to the network service secure communication device in the information server, receiving the client key and digital certificate and the encrypted target data sent by the device, receiving the timestamp sent by the timestamp server, encrypting that timestamp, and sending the encrypted timestamp to the network service secure communication device;
the timestamp server is for sending timestamps to the client and to the network service secure communication device respectively.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610251351.9A CN105933315B (en) 2016-04-21 2016-04-21 Network service security communication method, device and system

Publications (2)

Publication Number Publication Date
CN105933315A true CN105933315A (en) 2016-09-07
CN105933315B (en) 2019-08-30

Family

ID=56839814

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107509186A (en) * 2017-08-15 2017-12-22 上海与德科技有限公司 Binding method and device for a communication number
CN107979467A (en) * 2016-10-21 2018-05-01 中国移动通信有限公司研究院 Verification method and device
CN108092937A (en) * 2016-11-23 2018-05-29 厦门雅迅网络股份有限公司 Method and system for preventing unauthorized access to a Web system
CN109274488A (en) * 2018-09-04 2019-01-25 广州众诺电子技术有限公司 Integrated circuit burning program method, storage medium and system
CN110798434A (en) * 2018-08-03 2020-02-14 Emc Ip控股有限公司 Access management to instances on a cloud
CN110855624A (en) * 2019-10-18 2020-02-28 平安科技(深圳)有限公司 Safety verification method based on web interface and related equipment
CN111242590A (en) * 2020-01-06 2020-06-05 深圳壹账通智能科技有限公司 ACS system-based data processing method, system and storage medium
CN111241355A (en) * 2020-01-08 2020-06-05 浪潮天元通信信息系统有限公司 Message forwarding method and server
WO2020154791A1 (en) * 2019-01-28 2020-08-06 Blackberry Limited Method and system for digital rights management
CN111800426A (en) * 2020-07-07 2020-10-20 腾讯科技(深圳)有限公司 Method, device, equipment and medium for accessing native code interface in application program
CN112997537A (en) * 2018-11-15 2021-06-18 华为技术有限公司 Automatic digital identification system integrated between consumer device and back-end service
CN113490212A (en) * 2021-06-18 2021-10-08 新华三技术有限公司 Key distribution method, communication equipment and storage medium
CN114745192A (en) * 2022-04-24 2022-07-12 深圳市乐凡信息科技有限公司 Communication method, system, device and medium
CN114745192B (en) * 2022-04-24 2024-05-31 深圳市乐凡信息科技有限公司 Communication method, system, equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1354936A (en) * 2000-04-14 2002-06-19 韩国稀客股份有限公司 Method and apparatus for protecting file system based on digital signature
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
CN104348870A (en) * 2013-08-02 2015-02-11 航天信息股份有限公司 Data management method and system of cloud storage system based on trusted timestamp

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant