CN105933315A - Network service security communication method, device and system - Google Patents
- Publication number: CN105933315A (application number CN201610251351.9A)
- Authority
- CN
- China
- Prior art keywords
- client
- key
- target data
- service
- access request
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a network service security communication method, device and system. The method is applied to an information server. The method comprises the steps that a service protocol is set, the service protocol is configured between the information server and a client side and a service secret key is set for the information server; registration information transmitted by the client side is received, and an access permission is configured for the registration information; a client secret key and a digital certificate having a digital signature are generated for the client side; the client secret key and the digital certificate are transmitted to the client side; and when an access request transmitted by the client side is received, the access permission of the client side is determined according to the client secret key and the digital certificate carried in the access request and target data are determined, and the target data are encrypted by utilizing the service secret key and the encrypted target data are transmitted to the client side. According to the scheme, the security of end-to-end information transmission can be guaranteed.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a network service security communication method, device and system.
Background technology
With the development of Internet technology and applications, network end-to-end distributed applications (such as e-commerce and e-government) have become a very important direction of development. For end-to-end distributed applications, network services (web services) are the basis on which information transmission is realized, and achieving secure communication for network services is therefore particularly important.
At present, network service security communication technology mainly protects the information transmitted between the various application layers, that is, it protects information transmission at the transport layer/network layer. However, existing network service security communication technology cannot guarantee the security of end-to-end information transmission.
Summary of the invention
Embodiments of the present invention provide a network service security communication method, device and system, which guarantee the security of end-to-end information transmission.
A network service security communication method, applied in an information server, in which a service protocol is set and configured between the information server and a client and a service key is set for the information server, further comprises:
receiving registration information sent by the client, and configuring access permissions for the registration information according to the characteristic characters in the registration information;
generating, according to the access permissions, a client key and a digital certificate with a digital signature for the client;
sending the client key and the digital certificate to the client;
when an access request sent by the client is received, determining the client's access permissions according to the client key and digital certificate carried in the access request, determining the target data according to the access permissions and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client.
Preferably, generating the client key and digital certificate for the client comprises: generating a common client key and a common digital certificate for clients that have the same access permissions.
Preferably, generating the client key and digital certificate for the client comprises: generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key.
Preferably, generating the client key and digital certificate for the client comprises: generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, time stamp and validity period in the access request.
Preferably, after generating the client key and digital certificate for the client and before sending them to the client, the method further comprises: generating a corresponding login link code for the access permissions, and encrypting the login link code into the client key; and determining the client's access permissions comprises: parsing the login link code out of the client key, the login link code being linked to the information for which the client has access permissions.
Preferably, determining the client's access permissions according to the client key and digital certificate carried in the access request comprises: using the service key to parse the client's digital signature out of the client key and digital certificate, judging whether the digital signature is consistent with the digital signature stored by the information server, and if so, determining the client's access permissions.
Preferably, the method further comprises:
controlling the client to obtain, from a time stamp server, the encrypted time stamp corresponding to the access request;
receiving the access request sent by the client and the encrypted time stamp corresponding to the access request;
decrypting the encrypted time stamp with the service key, judging whether the time stamp is consistent with the time at which the access request was received, and if so, performing the step of determining the client's access permissions.
Preferably, after determining the target data and before encrypting the target data with the service key, the method further comprises:
receiving the time stamp corresponding to the target data sent by the time stamp server, and encrypting the time stamp corresponding to the target data with the service key;
and sending the encrypted target data to the client comprises: sending the encrypted target data together with the time stamp corresponding to the target data to the client.
A network service security communication device, applied in an information server, comprises:
a setting unit, configured to set a service protocol and to set a service key for the information server;
a configuration unit, configured to configure the service protocol set by the setting unit between the information server and an external client, to receive registration information sent by the external client, and to configure access permissions for the registration information according to the characteristic characters in the registration information;
a generation and sending unit, configured to generate, according to the access permissions configured by the configuration unit, a client key and a digital certificate with a digital signature for the external client, and to send the client key and digital certificate to the external client;
a data transmission unit, configured, when an access request sent by the external client is received, to parse the client key and digital certificate carried in the access request, and when they are consistent with the signed client key and digital certificate generated and sent by the generation and sending unit, to determine the client's access permissions, determine the target data according to the access permissions and the information request in the access request, encrypt the target data with the service key, and send the encrypted target data to the external client.
Preferably, the generation and sending unit is configured to generate a common client key and a common digital certificate for external clients that have the same access permissions.
Preferably, the generation and sending unit is configured to generate a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key.
Preferably, the generation and sending unit is configured to generate a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, time stamp and validity period in the access request.
Preferably, the device further comprises a control unit, wherein:
the control unit is configured to control the client to obtain, from a time stamp server, the encrypted time stamp corresponding to the access request, and to send the encrypted time stamp corresponding to the access request to the data transmission unit;
the data transmission unit is further configured to receive the access request sent by the external client and the encrypted time stamp corresponding to that access request sent by the control unit, to decrypt the encrypted time stamp with the service key, to judge whether the time stamp is consistent with the time at which the access request was received, and if so, to determine the client's access permissions.
Preferably, the data transmission unit is further configured to receive the time stamp corresponding to the target data sent by the external time stamp server, to encrypt the time stamp corresponding to the target data with the service key, and to send the encrypted target data together with the time stamp corresponding to the target data to the external client.
A network service security communication system comprises an information server having any one of the network service security communication devices described above, at least one client and a time stamp server, wherein:
each of the at least one client is configured to send registration information and access requests to the network service security communication device in the information server, to receive the client key, the digital certificate and the encrypted target data sent by the network service security communication device, to receive the time stamp sent by the time stamp server, to encrypt the time stamp, and to send the encrypted time stamp to the network service security communication device;
the time stamp server is configured to send time stamps to the client and to the network service security communication device respectively.
Embodiments of the present invention provide a network service security communication method, device and system. The method sets a service protocol and configures it between the information server and the client, which establishes end-to-end communication; sets a service key for the information server; receives the registration information sent by the client and configures access permissions for it according to the characteristic characters in the registration information; generates, according to the access permissions, a client key and a digital certificate with a digital signature for the client; and sends the client key and digital certificate to the client, so that configuring access permissions already guarantees the security of the information to a certain extent. When an access request sent by the client is received, the client's access permissions are determined according to the client key and digital certificate carried in the access request, the target data are determined according to the access permissions and the information request in the access request, the target data are encrypted with the service key, and the encrypted target data are sent to the client. Since the transmitted data are encrypted, the data transmitted end to end (from server to client) are secure, and the security of end-to-end information transmission is thereby guaranteed.
Accompanying drawing explanation
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a network service security communication method provided by one embodiment of the present invention;
Fig. 2 is a flow chart of a network service security communication method provided by another embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the framework in which a network service security communication device provided by one embodiment of the present invention is located;
Fig. 4 is a schematic structural diagram of a network service security communication device provided by one embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a network service security communication device provided by another embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a network service security communication system provided by one embodiment of the present invention.
Detailed description of the invention
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a network service security communication method, applied in an information server, which may comprise the following steps:
Step 101: set a service protocol, configure the service protocol between the information server and the client, and set a service key for the information server;
Step 102: receive registration information sent by the client, and configure access permissions for the registration information according to the characteristic characters in the registration information;
Step 103: according to the access permissions, generate a client key and a digital certificate with a digital signature for the client;
Step 104: send the client key and digital certificate to the client;
Step 105: when an access request sent by the client is received, determine the client's access permissions according to the client key and digital certificate carried in the access request;
Step 106: determine the target data according to the access permissions and the information request in the access request, encrypt the target data with the service key, and send the encrypted target data to the client.
In the embodiment shown in Fig. 1, setting a service protocol and configuring it between the information server and the client establishes end-to-end communication; a service key is set for the information server; the registration information sent by the client is received and access permissions are configured for it according to its characteristic characters; a client key and a digital certificate with a digital signature are generated for the client according to the access permissions and sent to the client, so that configuring access permissions already guarantees the security of the information to a certain extent. When an access request sent by the client is received, the client's access permissions are determined according to the client key and digital certificate carried in the access request, the target data are determined according to the access permissions and the information request in the access request, encrypted with the service key and sent to the client. Since the transmitted data are encrypted, the data transmitted end to end (from server to client) are secure, and the security of end-to-end information transmission is thereby guaranteed.
In an embodiment of the present invention, in order to prevent keys and digital certificates from affecting data transmission efficiency, the specific implementation of step 103 comprises: generating a common client key and a common digital certificate for clients that have the same access permissions.
In an embodiment of the present invention, in order to increase the security of the key and digital certificate, the specific implementation of step 103 comprises: generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key.
In an embodiment of the present invention, in order to increase the security of the key and digital certificate further and to prevent the key and digital certificate from being cracked, the specific implementation of step 103 comprises: generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, time stamp and validity period in the access request.
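The three variants of step 103 can be contrasted in code. The following is an added illustration written for this page, not code from the patent: the HMAC-SHA256 key derivation, the certificate fields (subject, kind, expiry, signature) and the expiry check are assumptions of the example, since the patent only names the inputs to each variant. The point it makes visible is the trade-off the three paragraphs describe: a common key is identical for every client in a permission group, a private key is bound to the client identifier, and a temporary key mixes in serial number, random number, time stamp and validity period so that it stops validating on its own after the lifetime elapses.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed model (not the patent's code): client keys are derived from the
# server's service key with HMAC-SHA256, and the "digital certificate" is a small
# record whose signature is an HMAC under the service key, so the information
# server can recompute and compare it later (step 105 / step 209).

@dataclass(frozen=True)
class Certificate:
    subject: str      # permission group (common) or client identifier (private, temporary)
    kind: str         # "common", "private" or "temporary"
    not_after: float  # expiry as UNIX time; 0.0 means no expiry
    signature: str    # hex HMAC over the other three fields under the service key

def _derive_key(service_key: bytes, *parts: str) -> bytes:
    """Derive a client key from the service key and the listed string inputs."""
    return hmac.new(service_key, "|".join(parts).encode(), hashlib.sha256).digest()

def _sign(service_key: bytes, subject: str, kind: str, not_after: float) -> str:
    payload = json.dumps([subject, kind, not_after]).encode()
    return hmac.new(service_key, payload, hashlib.sha256).hexdigest()

def _certificate(service_key: bytes, subject: str, kind: str, not_after: float = 0.0) -> Certificate:
    return Certificate(subject, kind, not_after, _sign(service_key, subject, kind, not_after))

def common_credentials(service_key: bytes, permission_group: str):
    """Variant 1: one shared key and certificate per permission group. Less key
    material to manage, but every client in the group holds the same secret."""
    key = _derive_key(service_key, "common", permission_group)
    return key, _certificate(service_key, permission_group, "common")

def private_credentials(service_key: bytes, client_id: str):
    """Variant 2: key and certificate bound to the client identifier from registration."""
    key = _derive_key(service_key, "private", client_id)
    return key, _certificate(service_key, client_id, "private")

def temporary_credentials(service_key: bytes, client_id: str, serial: int,
                          nonce: str, issued_at: float, lifetime_s: int):
    """Variant 3: short-lived key mixing identifier, serial number, random number,
    time stamp and validity period; a leaked key expires with the certificate."""
    key = _derive_key(service_key, "temporary", client_id, str(serial),
                      nonce, str(issued_at), str(lifetime_s))
    return key, _certificate(service_key, client_id, "temporary", issued_at + lifetime_s)

def certificate_is_valid(service_key: bytes, cert: Certificate, now: float) -> bool:
    """Server-side check: recompute the signature (constant-time compare) and
    reject an expired temporary certificate."""
    expected = _sign(service_key, cert.subject, cert.kind, cert.not_after)
    if not hmac.compare_digest(expected, cert.signature):
        return False
    return cert.not_after == 0.0 or now <= cert.not_after
```

Because the signature covers the expiry field, a holder cannot extend a temporary certificate by editing `not_after`; the recomputed HMAC no longer matches and `certificate_is_valid` returns `False`.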
In an embodiment of the present invention, in order to provide access permissions for the client accurately, the method further comprises, after step 103 and before step 104: generating a corresponding login link code for the access permissions, and encrypting the login link code into the client key; and the specific implementation of step 105 comprises: parsing the login link code out of the client key, the login link code being linked to the information for which the client has access permissions.
In an embodiment of the present invention, in order to ensure the legitimacy of the access permissions, the specific implementation of step 105 comprises: using the service key to parse the client's digital signature out of the client key and digital certificate, judging whether the digital signature is consistent with the digital signature stored by the information server, and if so, determining the client's access permissions.
In an embodiment of the present invention, in order to further ensure the legitimacy of the access permissions, the method further comprises: controlling the client to obtain, from a time stamp server, the encrypted time stamp corresponding to the access request; receiving the access request sent by the client and the encrypted time stamp corresponding to the access request; decrypting the encrypted time stamp with the service key, judging whether the time stamp is consistent with the time at which the access request was received, and if so, performing step 105.
In an embodiment of the present invention, in order to prevent the time stamp from being maliciously tampered with and at the same time to guarantee the security of the data by means of the time stamp, the method further comprises, in step 106, after determining the target data and before encrypting it with the service key: receiving the time stamp corresponding to the target data sent by the time stamp server, and encrypting the time stamp corresponding to the target data with the service key; and sending the encrypted target data to the client comprises: sending the encrypted target data together with the time stamp corresponding to the target data to the client.
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the present invention provides a network service security communication method, applied in an information server, which may comprise the following steps:
Step 201: set a service protocol, configure the service protocol between the information server and the client, and set a service key for the information server;
In this step, in order to realize end-to-end communication, an end-to-end communication protocol such as the SOAP protocol can be set. The service key set in this step can be obtained by determining a hash value with a hash algorithm and encrypting the hash value, or by generating a character string of a certain length from only the file header and file permissions, and so on. The service key can encrypt data using different encryption modes selected according to the client's requirements, and can also decrypt the information in the client key sent by the client.
Step 202: receive registration information sent by the client, and configure access permissions for the registration information according to the characteristic characters in the registration information;
The registration information can include a registration account number and a login password, and the characteristic characters in this step can be characters that are distinctive of different levels. For example, in a school's student management system, a student's student number contains characteristic characters for the grade and the department, and a staff member's worker number contains characteristic characters for the rank of the teaching and administrative staff, so corresponding access permissions can be configured according to these characteristic characters.
Step 203: according to the access permissions, generate a client key and a digital certificate with a digital signature for the client, and store the digital signature in the information server;
In this step, the ways of generating the client key and digital certificate include: generating a common client key and a common digital certificate for clients that have the same access permissions; or generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key; or generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, time stamp and validity period in the access request.
Step 204: generate a corresponding login link code for the access permissions, and encrypt the login link code into the client key;
The login link code generated in this step can be linked directly to the corresponding permission information, so the access permissions can be located accurately, and the permission information can also be found more quickly through the login link code. Since in a subsequent step the client needs to send the client key to the information server, the access permissions can then be located directly by parsing the login link code out of the client key.
Step 205: send the client key and digital certificate to the client;
Step 206: when the client sends an access request, control the client to obtain, from the time stamp server, the encrypted time stamp corresponding to the access request;
Step 207: receive the access request sent by the client and the encrypted time stamp corresponding to the access request;
Step 208: decrypt the encrypted time stamp with the service key, and judge whether the decrypted time stamp is consistent with the time at which the access request was received; if so, perform step 209; otherwise, perform step 217;
The time stamp mentioned in steps 206 to 208 is the time stamp at which the access request was sent, and from it the sending time of the access request can be known precisely. The time at which the access request arrives at the information server should be roughly consistent with its sending time, or within an acceptable time difference; if the sending time and the receiving time are inconsistent, the access message may have been intercepted and tampered with during transmission. The time stamp is encrypted to prevent it from being maliciously tampered with, which would affect the accuracy with which the information server judges the security or legitimacy of the access request.
Step 209: use the service key to parse the client's digital signature out of the client key and digital certificate, and judge whether the digital signature is consistent with the digital signature stored by the information server; if so, perform step 210, otherwise perform step 217;
In this step, the client key and the digital certificate are both verified, further guaranteeing the security of the access request.
Step 210: parse the login link code out of the client key; the login link code is linked to the information for which the client has access permissions;
Step 211: according to the information request in the access request, determine the target data within the information for which the client has access permissions;
Step 212: receive the time stamp corresponding to the target data sent by the time stamp server;
The time stamp in this step is the time stamp at which the target data are sent. It is compared with the time at which the client receives the target data: if the times are consistent or within the allowed time difference, the target data are secure; if they are inconsistent or outside the allowed time difference, the target data were maliciously tampered with during transmission.
Step 213: encrypt the target data and the time stamp corresponding to the target data with the service key;
This encryption prevents data leakage if the target data and the time stamp are intercepted.
Step 214: send the encrypted target data and the time stamp corresponding to the target data to the client;
Step 215: the client receives the encrypted target data and the time stamp corresponding to the target data;
Step 216: the client decrypts the encrypted target data and the time stamp corresponding to the target data with the client key, and the current process ends;
Step 217: refuse to provide the target data for the access request.
Encryption is applied throughout the transmission of all data and access requests. In addition, the client can have its own private key, and the information server can, according to the private key held by the client, use the service public key to decrypt the access request and encrypt the target data, thereby realizing and guaranteeing secure network service communication.
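The server-side path through steps 202 to 217 can be traced with a small model. The following is an added example written for this page, not the patent's code: the cipher is a stand-in (HMAC-SHA256 keystream XOR with a 32-byte tag, chosen so the block runs on the standard library), the 30-second tolerance, the student/staff convention for characteristic characters and the resource names are constructed, and since the patent does not specify how the client key relates to the service key, the model encrypts the time stamps and the target data under one symmetric service key and uses the client key only to carry the login link code of step 204. It shows the three refusal paths of step 217 (stale or tampered time stamp, signature mismatch, resource outside the linked permissions) alongside the success path.

```python
import hashlib
import hmac
import json
import secrets
import struct
from typing import Optional

# Constructed model of the information server in Fig. 2 (not the patent's code).
# The cipher below is a teaching stand-in; a deployment would use an
# authenticated cipher such as AES-GCM instead.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: 8-byte nonce || ciphertext || 32-byte HMAC tag."""
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None when the tag does not verify (tampered blob or wrong key)."""
    nonce, body, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class InformationServer:
    ACCEPTABLE_SKEW_S = 30.0  # allowed sending/receiving time difference (assumed value)

    def __init__(self, service_key: bytes):
        self.service_key = service_key
        self.permissions = {}  # login link code -> resources the holder may read
        self.signatures = {}   # client id -> digital signature stored at step 203
        self.data = {"grades": "grade table", "payroll": "salary table"}  # constructed

    def register(self, client_id: str):
        # Step 202: characteristic characters in the identifier decide the permissions
        # (constructed convention: identifiers starting with 'S' are students, others staff).
        allowed = {"grades"} if client_id.startswith("S") else {"grades", "payroll"}
        # Step 204: the login link code is encrypted into the client key.
        link_code = hashlib.sha256(client_id.encode()).hexdigest()[:16]
        self.permissions[link_code] = allowed
        client_key = encrypt(self.service_key, secrets.token_bytes(8), link_code.encode())
        # Step 203: the certificate's digital signature is also stored server-side.
        signature = hmac.new(self.service_key, client_id.encode(), hashlib.sha256).hexdigest()
        self.signatures[client_id] = signature
        return client_key, {"client_id": client_id, "signature": signature}

    def handle_access(self, client_key: bytes, cert: dict, enc_timestamp: bytes,
                      resource: str, received_at: float) -> Optional[bytes]:
        """Steps 207-214; returns the encrypted target data, or None for step 217."""
        # Step 208: decrypt the stamp and compare it with the time the request arrived.
        stamp = decrypt(self.service_key, enc_timestamp)
        if stamp is None:
            return None
        try:
            sent_at = float(stamp.decode())
        except (UnicodeDecodeError, ValueError):
            return None
        if abs(sent_at - received_at) > self.ACCEPTABLE_SKEW_S:
            return None
        # Step 209: the certificate's signature must match the stored one.
        stored = self.signatures.get(cert.get("client_id"))
        if stored is None or not hmac.compare_digest(stored, cert.get("signature", "")):
            return None
        # Steps 210-211: parse the link code from the client key, look up the
        # permissions it links to, and check the requested resource against them.
        link_code = decrypt(self.service_key, client_key)
        allowed = self.permissions.get(link_code.decode()) if link_code else None
        if not allowed or resource not in allowed:
            return None
        # Steps 212-213: encrypt the target data together with its time stamp.
        payload = json.dumps({"data": self.data[resource], "ts": received_at}).encode()
        return encrypt(self.service_key, secrets.token_bytes(8), payload)

def open_target_data(service_key: bytes, blob: bytes) -> Optional[dict]:
    """Step 216 as seen by the receiver: decrypt and parse the delivered payload."""
    plain = decrypt(service_key, blob)
    return json.loads(plain.decode()) if plain is not None else None
```

In the model the time stamp server's contribution (step 206) is simply `encrypt(service_key, nonce, b"<send time>")`; flipping a single byte of that blob makes the tag check in `decrypt` fail, which is the property the description of step 208 relies on when it says the stamp is encrypted so that it cannot be tampered with unnoticed.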
As shown in Fig. 3 and Fig. 4, an embodiment of the present invention provides a network service security communication device. The device embodiment can be implemented in software, or in hardware, or in a combination of software and hardware. At the hardware level, Fig. 3 shows a hardware structure diagram of the equipment in which the network service security communication device provided by the embodiment of the present invention is located. Besides the processor, memory, network interface and non-volatile memory shown in Fig. 3, the equipment in which the device is located may generally also include other hardware, such as a forwarding chip responsible for processing messages. Taking a software implementation as an example, as shown in Fig. 4, the device in the logical sense is formed by the CPU of the equipment reading the corresponding computer program instructions from the non-volatile memory into memory and running them. The network service security communication device provided by this embodiment, applied in an information server, comprises:
a setting unit 401, configured to set a service protocol and to set a service key for the information server;
a configuration unit 402, configured to configure the service protocol set by the setting unit 401 between the information server and an external client, to receive registration information sent by the external client, and to configure access permissions for the registration information according to the characteristic characters in the registration information;
a generation and sending unit 403, configured to generate, according to the access permissions configured by the configuration unit 402, a client key and a digital certificate with a digital signature for the external client, and to send the client key and digital certificate to the external client;
a data transmission unit 404, configured, when an access request sent by the external client is received, to parse the client key and digital certificate carried in the access request, and when they are consistent with the signed client key and digital certificate generated and sent by the generation and sending unit 403, to determine the client's access permissions, determine the target data according to the access permissions and the information request in the access request, encrypt the target data with the service key, and send the encrypted target data to the external client.
In another embodiment of the invention, the generation and sending unit 403 is configured to generate a common client key and a common digital certificate for external clients that have identical access rights.
In yet another embodiment, the generation and sending unit 403 is configured to generate a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key.
In another embodiment, the generation and sending unit 403 is configured to generate a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, timestamp and validity period carried in the access request.
As shown in Figure 5, in yet another embodiment the device further includes a control unit 501, where:
the control unit 501 is configured to control the client so that it obtains, from the timestamp server, the encrypted timestamp corresponding to the access request, and to pass that encrypted timestamp on to the data transmission unit 404;
the data transmission unit 404 is further configured to receive the access request sent by the external client together with the encrypted timestamp corresponding to it that the control unit 501 passes on, to decrypt the encrypted timestamp with the service key, to judge whether the timestamp is consistent with the time at which the access request was received, and, if it is, to proceed to determine the client's access rights.
In another embodiment, the data transmission unit 404 is further configured to receive the timestamp corresponding to the target data sent by the external timestamp server, to encrypt that timestamp with the service key, and to send the encrypted target data together with its timestamp to the external client.
As shown in Figure 6, an embodiment of the invention provides a network service secure communication system, including an information server 601 provided with any one of the network service secure communication devices 6011 described above, at least one client 602 and a timestamp server 603, where:
each client 602 of the at least one client is configured to send registration information and access requests to the network service secure communication device 6011 in the information server 601, to receive the client key, the digital certificate and the encrypted target data sent by the device 6011, and to receive the timestamp sent by the timestamp server, encrypt it and send the encrypted timestamp to the device 6011;
the timestamp server 603 is configured to send timestamps to the client 602 and to the network service secure communication device 6011 respectively.
Because the interaction and execution flow among the units and equipment of the device and system above are based on the same concept as the method embodiments of the invention, the details can be found in the description of those method embodiments and are not repeated here.
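The flow described for the device and system above, as an added example that is my own code and not part of the patent: an information server with a service key registers clients, issues a client key and a signed certificate carrying a login link code, then on each access request verifies the signature against the copy it stored, checks the client's encrypted timestamp against the receive time (the control unit 501 step), resolves rights directly through the link code (advantage 3 below) and returns the target data encrypted. Everything not in the page is my assumption: HMAC-SHA256 under the service key stands in for the "digital signature", the client key is derived from the service key and the client identifier (the private-key variant), the target data is encrypted under that per-client key (the only way the client can decrypt what the page says is encrypted "with the service key"), and `encrypt()`/`decrypt()` is an HMAC counter-mode keystream with an encrypt-then-MAC tag used only to avoid dependencies; the names `run_demo`, `ACCESS_TABLE`, `TARGET_DATA`, `MAX_SKEW_SECONDS` and the sample clients are constructed.

```python
# Added example (mine, not the patent's code): stdlib-only simulation of the
# registration / certificate / access-request / encrypted-response flow above,
# with the timestamp check of control unit 501 and the login link code of item 3.
# Stand-ins: HMAC-SHA256 under the service key plays the "digital signature"; the
# client key is derived from service key + client id; encrypt()/decrypt() is an
# HMAC counter-mode keystream with an encrypt-then-MAC tag (use AES-GCM for real).
import hashlib, hmac, json, secrets, time

MAX_SKEW_SECONDS = 120                                          # assumed freshness window
ACCESS_TABLE = {"A": {"reports", "config"}, "G": {"reports"}}   # constructed: char -> rights
TARGET_DATA = {"reports": b"quarterly figures", "config": b"feature flags"}  # constructed


def _keystream(key, nonce, length):
    # PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def timestamp_server():                                           # element 603
    return int(time.time())


class InformationServer:                                          # element 601 / device 6011
    def __init__(self, ts_server):
        self.service_key = secrets.token_bytes(32)               # unit 401: service key
        self.ts_server, self.link_codes, self.stored_sigs = ts_server, {}, {}

    def _client_key(self, client_id):                            # private key: service key + client id
        return hmac.new(self.service_key, b"client-key|" + client_id.encode(), hashlib.sha256).digest()

    def _sign(self, cert):
        return hmac.new(self.service_key, json.dumps(cert, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def register(self, login):
        # unit 402: rights from the characteristic character; unit 403: key + signed certificate
        link_code = secrets.token_hex(8)                          # login link code for these rights
        self.link_codes[link_code] = ACCESS_TABLE[login["role_char"]]
        cert = {"client_id": login["client_id"], "link_code": link_code, "issued": self.ts_server()}
        sig = self.stored_sigs[login["client_id"]] = self._sign(cert)
        return self._client_key(login["client_id"]), {"cert": cert, "sig": sig}

    def handle_access(self, req, received_at):
        # unit 404: the signature must verify under the service key AND match the stored one
        cert = req["cert"]
        stored = self.stored_sigs.get(cert["client_id"], "")
        if not (hmac.compare_digest(req["sig"], self._sign(cert)) and hmac.compare_digest(req["sig"], stored)):
            raise PermissionError("certificate signature rejected")
        client_key = self._client_key(cert["client_id"])
        ts = int.from_bytes(decrypt(client_key, req["enc_timestamp"]), "big")
        if abs(received_at - ts) > MAX_SKEW_SECONDS:               # control unit 501 check
            raise PermissionError("request timestamp inconsistent with receive time")
        rights = self.link_codes[cert["link_code"]]              # link code -> rights, no search
        if req["info"] not in rights:
            raise PermissionError("no right to " + req["info"])
        data_ts = self.ts_server().to_bytes(8, "big")
        return {"enc_target": encrypt(client_key, TARGET_DATA[req["info"]]),
                "enc_timestamp": encrypt(client_key, data_ts)}


def client_request(key, cred, info, ts_server):                   # element 602
    ts = ts_server().to_bytes(8, "big")                            # timestamp from 603, encrypted
    return {**cred, "info": info, "enc_timestamp": encrypt(key, ts)}


def run_demo():
    server, out = InformationServer(timestamp_server), {}
    admin = server.register({"client_id": "admin-1", "role_char": "A"})   # (key, credentials)
    guest = server.register({"client_id": "guest-1", "role_char": "G"})
    now = timestamp_server()
    tampered = client_request(*guest, "config", timestamp_server)
    tampered["cert"] = {**tampered["cert"], "link_code": admin[1]["cert"]["link_code"]}
    cases = [("admin_config", client_request(*admin, "config", timestamp_server), admin[0], now),
             ("guest_reports", client_request(*guest, "reports", timestamp_server), guest[0], now),
             ("guest_config", client_request(*guest, "config", timestamp_server), guest[0], now),
             ("stale", client_request(*admin, "config", timestamp_server), admin[0], now + 10 * MAX_SKEW_SECONDS),
             ("tampered", tampered, guest[0], now)]
    for name, req, key, at in cases:
        try:
            resp = server.handle_access(req, at)
            decrypt(key, resp["enc_timestamp"])                 # data timestamp, also under the client key
            out[name] = decrypt(key, resp["enc_target"])
        except PermissionError as err:
            out[name] = "denied: " + str(err)
    return out
```

`run_demo()` exercises the three rejections a defender cares about: a client asking for data outside its rights, a request whose timestamp does not match the receive time, and a certificate whose link code was altered after signing. The signature check compares the presented signature both with a fresh computation under the service key and with the copy stored at registration, which is the two-way consistency the data transmission unit 404 performs; resolving rights through the link code avoids the search the text describes in advantage 3.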
According to the above schemes, the embodiments of the invention have at least the following advantages:
1. A service agreement is set and configured between the information server and the client, which establishes end-to-end communication; a service key is set for the information server; the registration information sent by the client is received and access rights are configured for it according to its characteristic characters; according to those access rights a client key and a digital certificate with a digital signature are generated for the client and sent to it, so configuring access rights already ensures information security to a certain extent. When an access request from the client is received, the client's access rights are determined from the client key and digital certificate carried in the request, the target data is determined from the access rights and the information request, the target data is encrypted with the service key, and the encrypted target data is sent to the client. The transmitted data is thus encrypted, so that data transmitted end to end (from server to client) is secure, which ensures the security of end-to-end information transmission.
2. The embodiments verify the validity of the client through a multiple-verification mode that checks the timestamp, the client key and the digital certificate, which ensures the security and legitimacy of the access request and further increases the security of the information transmission process; in addition, the client encrypts the access request and the information server encrypts the target data, achieving an end-to-end secure session.
3. A corresponding login link code is generated for the access rights and encrypted into the client key; when an access request is received, the login link code is parsed out of the client key and links directly to the information covered by the rights, so there is no need to search for the authorised information according to the access rights, which improves access efficiency on the basis of secure access.
4. The client key and digital certificate can be generated for the client in several ways: a common client key and common digital certificate for clients with identical access rights; a private client key and private digital certificate according to the client identifier in the registration information and the service key; or a temporary client key and temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, timestamp and validity period in the access request. The mode can be chosen according to need, which gives flexibility while ensuring the security of the client key and digital certificate.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply that any such actual relation or order exists between those entities or operations. Moreover, the terms "include", "comprise" and any other variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the statement "includes a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes that element.
One of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above can be completed by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes ROM, RAM, magnetic disks, optical discs and other media that can store program code.
Finally, it should be understood that the foregoing is only the preferred embodiments of the invention and serves only to illustrate its technical scheme, not to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention are all contained in its scope of protection.
Claims (10)
1. A network service secure communication method, characterised in that it is applied in an information server, where a service agreement is set and configured between the information server and a client, and a service key is set for the information server, the method further including:
receiving registration information sent by the client, and configuring access rights for the registration information according to characteristic characters in the registration information;
generating, according to the access rights, a client key and a digital certificate with a digital signature for the client;
sending the client key and the digital certificate to the client;
when an access request sent by the client is received, determining the client's access rights according to the client key and digital certificate carried in the access request, determining target data according to the access rights and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client.
2. The method according to claim 1, characterised in that generating the client key and digital certificate for the client includes:
generating a common client key and a common digital certificate for clients having identical access rights;
or,
generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key;
or,
generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, timestamp and validity period in the access request.
3. The method according to claim 1, characterised in that
after generating the client key and digital certificate for the client and before sending the client key and digital certificate to the client, the method further includes: generating a login link code corresponding to the access rights, and encrypting the login link code into the client key;
and determining the client's access rights includes: parsing the login link code out of the client key, the login link code linking to the information covered by the access rights;
and/or,
determining the client's access rights according to the client key and digital certificate carried in the access request includes: using the service key to parse the client's digital signature out of the client key and digital certificate, judging whether that digital signature is consistent with the digital signature stored by the information server, and, if it is, determining the client's access rights.
4. The method according to claim 1, characterised in that it further includes:
controlling the client to obtain, from a timestamp server, the encrypted timestamp corresponding to the access request;
receiving the access request sent by the client and the encrypted timestamp corresponding to it;
decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and, if it is, performing the step of determining the client's access rights.
5. The method according to claim 4, characterised in that after determining the target data and before encrypting the target data with the service key, the method further includes:
receiving the timestamp corresponding to the target data sent by the timestamp server, and encrypting that timestamp with the service key;
and sending the encrypted target data to the client includes: sending the encrypted target data together with the timestamp corresponding to it to the client.
6. A network service secure communication device, characterised in that it is applied in an information server and includes:
a setting unit, configured to set a service agreement and to set a service key for the information server;
a configuration unit, configured to configure, between the information server and an external client, the service agreement set by the setting unit, to receive registration information sent by the external client, and to configure access rights for the registration information according to characteristic characters in it;
a generation and sending unit, configured to generate, according to the access rights configured by the configuration unit, a client key and a digital certificate with a digital signature for the external client, and to send the client key and digital certificate to the external client;
a data transmission unit, configured, when an access request sent by the external client is received, to parse out the client key and digital certificate carried in the access request and, when they are consistent with the signed client key and digital certificate generated and sent by the generation and sending unit, to determine the client's access rights, to determine target data according to the access rights and the information request in the access request, to encrypt the target data with the service key, and to send the encrypted target data to the external client.
7. The device according to claim 6, characterised in that the generation and sending unit is configured to:
generate a common client key and a common digital certificate for external clients having identical access rights;
or,
generate a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key;
or,
generate a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, serial number, random number, timestamp and validity period in the access request.
8. The device according to claim 6, characterised in that it further includes a control unit, where:
the control unit is configured to control the client to obtain, from a timestamp server, the encrypted timestamp corresponding to the access request, and to send that encrypted timestamp to the data transmission unit;
the data transmission unit is further configured to receive the access request sent by the external client and the encrypted timestamp corresponding to it sent by the control unit, to decrypt the encrypted timestamp with the service key, to judge whether the timestamp is consistent with the time at which the access request was received, and, if it is, to perform the determination of the client's access rights.
9. The device according to claim 8, characterised in that the data transmission unit is further configured to:
receive the timestamp corresponding to the target data sent by the external timestamp server, encrypt that timestamp with the service key, and send the encrypted target data together with the timestamp corresponding to it to the external client.
10. A network service secure communication system, characterised in that it includes: an information server provided with the network service secure communication device according to any one of claims 6 to 9, at least one client and a timestamp server, where:
each client of the at least one client is configured to send registration information and access requests to the network service secure communication device in the information server, to receive the client key, the digital certificate and the encrypted target data sent by the device, and to receive the timestamp sent by the timestamp server, encrypt it and send the encrypted timestamp to the device;
the timestamp server is configured to send timestamps to the client and to the network service secure communication device respectively.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610251351.9A CN105933315B (en) | 2016-04-21 | 2016-04-21 | A kind of network service safe communication means, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105933315A true CN105933315A (en) | 2016-09-07 |
CN105933315B CN105933315B (en) | 2019-08-30 |
Family ID: 56839814
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105933315B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||