CN105933315B - A kind of network service safe communication means, device and system - Google Patents
- Publication number: CN105933315B (application CN201610251351.9A)
- Authority: CN (China)
- Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
Abstract
The present invention provides a network service secure communication method, device and system. The method is applied in an information server and comprises: setting a service agreement, configuring the service agreement between the information server and a client, and setting a service key for the information server; receiving registration information sent by the client and configuring an access permission for the registration information; generating, for the client, a client key and a digital certificate carrying a digital signature; sending the client key and digital certificate to the client; and, when an access request sent by the client is received, determining the client's access permission according to the client key and digital certificate carried in the access request, determining the target data, encrypting the target data with the service key, and sending the encrypted target data to the client. The scheme provided by the invention ensures the security of end-to-end information transmission.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a network service secure communication method, device and system.
Background technique
With the development of Internet technology and applications, network-based end-to-end distributed applications (such as e-commerce and e-government) have become a highly important direction of development. For end-to-end distributed applications, network services (web services) are the basis on which information transmission is realized, so achieving secure network service communication is particularly significant.
At present, network service secure communication technology mainly protects information transmitted between application layers, that is, it protects information transmission at the transport layer and between network layers. The existing network service secure communication technology, however, cannot ensure the security of information transmission end to end.
Summary of the invention
Embodiments of the invention provide a network service secure communication method, device and system that ensure the security of end-to-end information transmission.
A network service secure communication method is applied in an information server. A service agreement is set, the service agreement is configured between the information server and a client, and a service key is set for the information server. The method further comprises:
receiving registration information sent by the client, and configuring an access permission for the registration information according to a characteristic character in the registration information;
generating, for the client and according to the access permission, a client key and a digital certificate carrying a digital signature;
sending the client key and the digital certificate to the client;
when an access request sent by the client is received, determining the client's access permission according to the client key and digital certificate carried in the access request, determining target data according to the access permission and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client.
Preferably, generating the client key and digital certificate for the client comprises: generating a common client key and a common digital certificate for clients with the same access permission.
Preferably, generating the client key and digital certificate for the client comprises: generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key.
Preferably, generating the client key and digital certificate for the client comprises: generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, sequence number, random number, timestamp and lifetime in the access request.
Preferably, after generating the client key and digital certificate for the client and before sending them to the client, the method further comprises: generating a corresponding login link code for the access permission, and encrypting the login link code into the client key; and determining the client's access permission comprises: parsing the login link code from the client key, the login link code linking to the information covered by the access permission.
Preferably, determining the client's access permission according to the client key and digital certificate carried in the access request comprises: parsing the client's digital signature from the client key and digital certificate using the service key, judging whether the digital signature is consistent with the digital signature stored by the information server, and if so, determining the client's access permission.
Preferably, the method further comprises:
controlling the client to obtain the encrypted timestamp corresponding to the access request from a timestamp server;
receiving the access request and its corresponding encrypted timestamp sent by the client;
decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and if so, performing the step of determining the client's access permission.
Preferably, after determining the target data and before encrypting the target data with the service key, the method further comprises:
receiving the timestamp corresponding to the target data sent by the timestamp server, and encrypting that timestamp with the service key;
and sending the encrypted target data to the client comprises: sending the encrypted target data and the timestamp corresponding to the target data to the client.
A network service secure communication device is applied in an information server and comprises:
a setting unit, for setting a service agreement and setting a service key for the information server;
a configuration unit, for configuring the service agreement set by the setting unit between the information server and an external client, receiving registration information sent by the external client, and configuring an access permission for the registration information according to a characteristic character in the registration information;
a generation and transmission unit, for generating, for the external client and according to the access permission configured by the configuration unit, a client key and a digital certificate carrying a digital signature, and sending the client key and digital certificate to the external client;
a data transmission unit, for, when an access request sent by the external client is received, determining the client's access permission once it has parsed that the client key and digital certificate carried in the access request are consistent with the signed client key and digital certificate generated and sent by the generation and transmission unit, determining target data according to the access permission and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the external client.
Preferably, the generation and transmission unit generates a common client key and a common digital certificate for external clients with the same access permission.
Preferably, the generation and transmission unit generates a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key.
Preferably, the generation and transmission unit generates a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, sequence number, random number, timestamp and lifetime in the access request.
Preferably, the device further comprises a control unit, wherein:
the control unit is for controlling the client to obtain the encrypted timestamp corresponding to the access request from a timestamp server, and sending that encrypted timestamp to the data transmission unit;
the data transmission unit is further for receiving the access request sent by the external client and the corresponding encrypted timestamp sent by the control unit, decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and if so, performing the determination of the client's access permission.
Preferably, the data transmission unit is further for receiving the timestamp corresponding to the target data sent by the external timestamp server, encrypting that timestamp with the service key, and sending the encrypted target data and the timestamp corresponding to the target data to the external client.
A network service secure communication system comprises an information server provided with any of the above network service secure communication devices, at least one client, and a timestamp server, wherein:
each of the at least one client is for sending registration information and access requests to the network service secure communication device in the information server, receiving the client key, digital certificate and encrypted target data sent by that device, and receiving the timestamp sent by the timestamp server, encrypting the timestamp, and sending the encrypted timestamp to the network service secure communication device;
the timestamp server is for sending timestamps to the client and to the network service secure communication device respectively.
Embodiments of the invention provide a network service secure communication method, device and system. By setting a service agreement and configuring it between the information server and the client, end-to-end communication is realized through this process, and a service key is set for the information server; registration information sent by the client is received and an access permission is configured for it according to a characteristic character in the registration information; according to the access permission, a client key and a digital certificate carrying a digital signature are generated for the client and sent to it, so that configuring the access permission ensures the security of the information to a certain extent; when an access request sent by the client is received, the client's access permission is determined according to the client key and digital certificate carried in the access request, the target data is determined according to the access permission and the information request in the access request, the target data is encrypted with the service key, and the encrypted target data is sent to the client. That is, the transmitted data is encrypted, so that data transmission end to end (server to client) is secure, thereby ensuring the security of end-to-end information transmission.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a network service secure communication method provided by an embodiment of the invention;
Fig. 2 is a flow chart of a network service secure communication method provided by another embodiment of the invention;
Fig. 3 is a schematic structural diagram of the framework in which a network service secure communication device provided by an embodiment of the invention is located;
Fig. 4 is a schematic structural diagram of a network service secure communication device provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of a network service secure communication device provided by another embodiment of the invention;
Fig. 6 is a schematic structural diagram of a network service secure communication system provided by an embodiment of the invention.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative work fall within the protection scope of the invention.
As shown in Fig. 1, an embodiment of the invention provides a network service secure communication method applied in an information server. The method may comprise the following steps:
Step 101: setting a service agreement, configuring the service agreement between the information server and a client, and setting a service key for the information server;
Step 102: receiving registration information sent by the client, and configuring an access permission for the registration information according to a characteristic character in the registration information;
Step 103: generating, for the client and according to the access permission, a client key and a digital certificate carrying a digital signature;
Step 104: sending the client key and digital certificate to the client;
Step 105: when an access request sent by the client is received, determining the client's access permission according to the client key and digital certificate carried in the access request;
Step 106: determining target data according to the access permission and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client.
In the embodiment shown in Fig. 1, by setting a service agreement and configuring it between the information server and the client, end-to-end communication is realized through this process, and a service key is set for the information server; registration information sent by the client is received and an access permission is configured for it according to a characteristic character in the registration information; according to the access permission, a client key and a digital certificate carrying a digital signature are generated for the client and sent to it, so that configuring the access permission ensures the security of the information to a certain extent; when an access request sent by the client is received, the client's access permission is determined according to the client key and digital certificate carried in the access request, the target data is determined according to the access permission and the information request in the access request, the target data is encrypted with the service key, and the encrypted target data is sent to the client. That is, the transmitted data is encrypted, so that data transmission end to end (server to client) is secure, thereby ensuring the security of end-to-end information transmission.
In an embodiment of the invention, in order to avoid the key and digital certificate affecting data transmission efficiency, the specific implementation of step 103 comprises: generating a common client key and a common digital certificate for clients with the same access permission.
In an embodiment of the invention, in order to increase the security of the key and digital certificate, the specific implementation of step 103 comprises: generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key.
In an embodiment of the invention, in order to further increase the security of the key and digital certificate and prevent them from being cracked, the specific implementation of step 103 comprises: generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, sequence number, random number, timestamp and lifetime in the access request.
In an embodiment of the invention, in order to provide the access permission for the client accurately, after step 103 and before step 104 the method further comprises: generating a corresponding login link code for the access permission, and encrypting the login link code into the client key; and the specific implementation of step 105 comprises: parsing the login link code from the client key, the login link code linking to the information covered by the access permission.
In an embodiment of the invention, in order to guarantee the legitimacy of the access permission, the specific implementation of step 105 comprises: parsing the client's digital signature from the client key and digital certificate using the service key, judging whether the digital signature is consistent with the digital signature stored by the information server, and if so, determining the client's access permission.
In an embodiment of the invention, in order to further ensure the legitimacy of the access permission, the method further comprises: controlling the client to obtain the encrypted timestamp corresponding to the access request from a timestamp server; receiving the access request and its corresponding encrypted timestamp sent by the client; decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and if so, executing step 105.
In an embodiment of the invention, in order to prevent the timestamp from being maliciously tampered with while ensuring data security by means of the timestamp, in step 106, after determining the target data and before encrypting it with the service key, the method further comprises: receiving the timestamp corresponding to the target data sent by the timestamp server, and encrypting that timestamp with the service key; and sending the encrypted target data to the client comprises: sending the encrypted target data and the timestamp corresponding to the target data to the client.
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the invention provides a network service secure communication method applied in an information server. The method may comprise the following steps:
Step 201: setting a service agreement, configuring the service agreement between the information server and a client, and setting a service key for the information server;
In this step, in order to realize end-to-end communication, an end-to-end communication protocol such as the SOAP protocol can be set. The service key set in this step can be obtained by determining a hash value with a hash algorithm and encrypting the hash value, or it can simply be a character string of a certain length generated according to the file header and file permissions. The service key can encrypt data with different encryption modes according to the client's needs, and can decrypt the information in the client key sent by the client.
Step 202: receiving registration information sent by the client, and configuring an access permission for the registration information according to a characteristic character in the registration information;
The registration information may include a registration account number and a login password, etc. The characteristic character in this step may be a character specific to a given level. For example, in a school's student management system, a student's student number carries the characteristic characters of the grade and the institute, and a staff member's employee number carries the characteristic character of the rank, so the corresponding access permission can be configured according to these characteristic characters.
Step 203: generating, for the client and according to the access permission, a client key and a digital certificate carrying a digital signature, and storing the digital signature in the information server;
In this step, the ways of generating the client key and digital certificate include: generating a common client key and a common digital certificate for clients with the same access permission; or generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key; or generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, sequence number, random number, timestamp and lifetime in the access request.
Step 204: generating a corresponding login link code for the access permission, and encrypting the login link code into the client key;
The login link code generated in this step links directly to the corresponding permission information, so the access permission can be located accurately; at the same time, the permission information can be found more quickly through the login link code. Since in a subsequent step the client needs to send the client key to the information server, the server can locate the access permission directly by parsing the login link code from the client key.
Step 205: sending the client key and digital certificate to the client;
Step 206: when the client sends an access request, controlling the client to obtain the encrypted timestamp corresponding to the access request from the timestamp server;
Step 207: receiving the access request and its corresponding encrypted timestamp sent by the client;
Step 208: decrypting the encrypted timestamp with the service key, and judging whether the decrypted timestamp is consistent with the time at which the access request was received; if so, executing step 209, otherwise executing step 217;
The timestamp referred to in steps 206 to 208 is the timestamp at which the access request was sent, from which the sending time of the access request can be known accurately. The time at which the access request reaches the information server and its sending time should be broadly consistent, or within an acceptable time difference; if the sending time and the receiving time are inconsistent, the access information may have been intercepted and tampered with during transmission. Encrypting the timestamp prevents the timestamp from being maliciously tampered with, which would affect the accuracy with which the information server judges the security or legitimacy of the access request.
Step 209: parsing the client's digital signature from the client key and digital certificate using the service key, and judging whether the digital signature is consistent with the digital signature stored by the information server; if so, executing step 210, otherwise executing step 217;
In this step, double verification of the client key and the digital certificate is carried out, further ensuring the security of the access request.
Step 210: parsing the login link code from the client key, the login link code linking to the information covered by the access permission;
Step 211: determining the target data, within the information covered by the access permission, according to the information request in the access request;
Step 212: receiving the timestamp corresponding to the target data sent by the timestamp server;
The timestamp of this step is the timestamp at which the target data is sent. It is compared with the time at which the client receives the target data: if the times are consistent or within the permitted time difference, the target data is secure; if they are inconsistent or outside the permitted time difference, the target data was maliciously tampered with during transmission.
Step 213: encrypting the target data and its corresponding timestamp with the service key;
This encryption prevents data leakage should the target data and timestamp be intercepted.
Step 214: sending the encrypted target data and the timestamp corresponding to the target data to the client;
Step 215: the client receives the encrypted target data and the corresponding timestamp;
Step 216: the client decrypts the encrypted target data and the corresponding timestamp with the client key, and the current process ends;
Step 217: refusing to provide target data for the access request.
Encryption is applied throughout the transmission of the data and the access request. Moreover, the client can possess its own private key; the information server, according to the private key possessed by the client, decrypts the access request using the service public key and encrypts the target data, thereby realizing and ensuring secure network service communication.
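To make the flow of steps 201 to 217 concrete, here is an added Python model of an information server (not code from the patent): it derives the access permission from the characteristic character of the account number, issues a client key with the login link code encrypted into it plus a signed certificate, checks the encrypted timestamp and the stored signature on every access request, and returns the target data and its timestamp encrypted. Assumptions: standard library only, a keystream cipher stands in for a real authenticated cipher, the timestamp server shares the service key, and the data is encrypted under the per-client secret derived from the service key so the client can decrypt it as in step 216; the permission rules and data store are constructed.

```python
"""Toy model of steps 201-217: registration, permission from a characteristic
character, a signed client key/certificate with the login link code encrypted
into it, a timestamped access request, and encrypted target data. Standard
library only; the keystream cipher is an illustrative stand-in for a real
authenticated cipher, and the timestamp server is assumed to share the service key."""
import hashlib
import hmac
import json
import secrets

TOLERANCE_SECONDS = 30.0   # accepted gap between stamped and receive time (assumption)
# Constructed rule: the first character of the account number is the "characteristic
# character" (step 202); it selects the permission and the data that permission covers.
PERMISSION_RULES = {"S": "student", "T": "staff"}
DATA_STORE = {"student": {"grades": "A"}, "staff": {"payroll": "5000"}}


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])


def issue_timestamp(service_key: bytes, now: float) -> bytes:
    """Timestamp server: hands the client an encrypted stamp (steps 206-207)."""
    return encrypt(service_key, repr(now).encode())


def _derive_client_secret(service_key: bytes, client_id: str) -> bytes:
    # Private client key embodiment of step 203: derived from service key + identifier,
    # so the server can re-derive it and the client can decrypt with it (step 216).
    return hmac.new(service_key, client_id.encode(), hashlib.sha256).digest()


class InfoServer:
    def __init__(self, service_key: bytes):
        self.key = service_key          # step 201: the service key
        self.stored_signatures = {}     # step 203: client_id -> signature kept on the server
        self.link_codes = {}            # step 204: login link code -> permission

    def register(self, account: str) -> dict:
        permission = PERMISSION_RULES.get(account[:1])
        if permission is None:
            raise ValueError("no access permission for this characteristic character")
        link_code = secrets.token_hex(8)
        self.link_codes[link_code] = permission
        # Client key = client secret || login link code encrypted under the service key.
        client_key = _derive_client_secret(self.key, account) + encrypt(self.key, link_code.encode())
        cert_body = json.dumps({"client_id": account}).encode()
        signature = hmac.new(self.key, cert_body, hashlib.sha256).digest()
        self.stored_signatures[account] = signature
        certificate = json.dumps({"client_id": account, "sig": signature.hex()})
        return {"client_key": client_key, "certificate": certificate}

    def handle_request(self, request: dict, now: float):
        """Steps 208-214; returns the encrypted payload, or None when step 217 refuses."""
        try:                                                  # step 208: freshness
            stamped = float(decrypt(self.key, request["enc_ts"]).decode())
        except (UnicodeDecodeError, ValueError):
            return None
        if abs(now - stamped) > TOLERANCE_SECONDS:
            return None
        cert = json.loads(request["certificate"])             # step 209: signature
        client_id, signature = cert["client_id"], bytes.fromhex(cert["sig"])
        expected = hmac.new(self.key, json.dumps({"client_id": client_id}).encode(),
                            hashlib.sha256).digest()
        stored = self.stored_signatures.get(client_id)
        if stored is None or not hmac.compare_digest(signature, expected) \
                or not hmac.compare_digest(signature, stored):
            return None
        secret, enc_link = request["client_key"][:32], request["client_key"][32:]
        if not hmac.compare_digest(secret, _derive_client_secret(self.key, client_id)):
            return None
        link_code = decrypt(self.key, enc_link).decode(errors="replace")          # step 210
        target = DATA_STORE.get(self.link_codes.get(link_code), {}).get(request["item"])  # step 211
        if target is None:
            return None
        # Steps 212-214: the data timestamp (here the server's own receive time stands in
        # for the timestamp server's stamp) travels encrypted together with the data.
        payload = json.dumps({"data": target, "ts": now}).encode()
        return encrypt(secret, payload)


def client_decrypt(client_key: bytes, blob: bytes) -> dict:
    """Step 216: the client decrypts with the secret half of its client key."""
    return json.loads(decrypt(client_key[:32], blob))
```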
As shown in Figure 3, Figure 4, the embodiment of the invention provides a kind of network service safe communication devices.Installation practice can
Can also be realized by way of hardware or software and hardware combining by software realization.For hardware view, such as Fig. 3 institute
Show, is a kind of hardware structure diagram of equipment where network service safe communication device provided in an embodiment of the present invention, in addition to Fig. 3 institute
Except the processor, memory, network interface and the nonvolatile memory that show, the equipment in embodiment where device is usually also
It may include other hardware, such as be responsible for the forwarding chip of processing message.Taking software implementation as an example, as shown in figure 4, as one
Device on a logical meaning is to be referred to computer program corresponding in nonvolatile memory by the CPU of equipment where it
It enables and is read into memory what operation was formed.Network service safe communication device provided in this embodiment is applied to information server
In, comprising:
a setting unit 401, configured to set a service protocol and to set a service key for the information server;
a configuration unit 402, configured to configure the service protocol set by the setting unit 401 between the information server and a peripheral client, to receive registration information sent by the peripheral client, and to configure an access authority for the registration information according to a characteristic character in the registration information;
a generating and transmitting unit 403, configured to generate, according to the access authority configured by the configuration unit 402, a client key and a digital certificate carrying a digital signature for the peripheral client, and to send the client key and the digital certificate to the peripheral client;
a data transmission unit 404, configured to, when an access request sent by the peripheral client is received, verify that the client key and digital certificate carried in the access request are consistent with the signed client key and digital certificate generated and sent by the generating and transmitting unit 403, determine the client's access authority, determine target data according to the access authority and the information request in the access request, encrypt the target data with the service key, and send the encrypted target data to the peripheral client.
In another embodiment of the present invention, the generating and transmitting unit 403 is configured to generate a common client key and a common digital certificate for peripheral clients having the same access authority.
In still another embodiment, the generating and transmitting unit 403 is configured to generate a private client key and a private digital certificate for the peripheral client according to the client identifier in the registration information and the service key.
In another embodiment, the generating and transmitting unit 403 is configured to generate a temporary user key and a temporary digital certificate for the peripheral client according to the service key and any one or more of the client identifier, sequence number, random number, time stamp and lifetime in the access request.
As shown in Figure 5, in still another embodiment the apparatus further comprises a control unit 501, wherein:
the control unit 501 is configured to control the client to obtain the encrypted timestamp corresponding to the access request from a time stamp server, and to send the encrypted timestamp corresponding to the access request to the data transmission unit 404;
the data transmission unit 404 is further configured to receive the access request sent by the peripheral client and the encrypted timestamp corresponding to that access request sent by the control unit 501, to decrypt the encrypted timestamp with the service key, to judge whether the timestamp is consistent with the time at which the access request was received, and, if so, to proceed to determine the client's access authority.
In another embodiment, the data transmission unit 404 is further configured to receive the timestamp corresponding to the target data sent by the peripheral time stamp server, to encrypt the timestamp corresponding to the target data with the service key, and to send the encrypted target data together with the timestamp corresponding to the target data to the peripheral client.
As shown in Figure 6, an embodiment of the present invention provides a network service secure communication system comprising an information server 601 having any of the above network service secure communication apparatuses 6011, at least one client 602 and a time stamp server 603, wherein:
each client 602 of the at least one client is configured to send registration information and an access request to the network service secure communication apparatus 6011 in the information server 601, to receive the client key and digital certificate and the encrypted target data sent by the apparatus 6011, and to receive the timestamp sent by the time stamp server, encrypt that timestamp and send the encrypted timestamp to the apparatus 6011;
the time stamp server 603 is configured to send timestamps to the client 602 and to the network service secure communication apparatus 6011 respectively.
The information exchange and execution process between the units or devices of the above apparatus or system are based on the same concept as the method embodiments of the present invention; for details, refer to the description of the method embodiments, which is not repeated here.
According to the above scheme, the embodiments of the present invention have at least the following beneficial effects:
1. A service protocol is set and configured between the information server and the client, and end-to-end communication is carried out through that protocol; a service key is set for the information server; the registration information sent by the client is received and an access authority is configured for it according to the characteristic character in the registration information; a client key and a digital certificate carrying a digital signature are generated for the client according to the access authority and sent to the client, so that configuring the access authority protects the information to a certain extent; when an access request sent by the client is received, the client's access authority is determined according to the client key and digital certificate carried in the access request, the target data is determined according to the access authority and the information request in the access request, the target data is encrypted with the service key, and the encrypted target data is sent to the client. Because the transmitted data is encrypted, transmission between the two ends (server to client) is secured, and the security of end-to-end information transmission is ensured.
2. The embodiments verify the timestamp and verify the client key and digital certificate, checking the validity of the client in more than one way so as to ensure the security and legitimacy of the access request, which further improves the security of the information transmission process; in addition, the client encrypts the access request and the information server encrypts the target data, which provides a secure end-to-end session.
3. A login link code is generated for the access authority and encrypted into the client key; when an access request is received, the login link code is parsed from the client key and links directly to the information that the access authority permits, so the permitted information does not have to be searched for according to the access authority, which improves access efficiency on the basis of secure access.
4. The client key and digital certificate may be generated as a common client key and common digital certificate for clients having the same access authority; as a private client key and private digital certificate derived from the client identifier in the registration information and the service key; or as a temporary user key and temporary digital certificate derived from the service key and any one or more of the client identifier, sequence number, random number, time stamp and lifetime in the access request. The mode can be chosen according to need, which gives flexibility while ensuring the security of the client key and digital certificate.
It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware instructed by a program; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes ROM, RAM, a magnetic disk, an optical disk or any other medium capable of storing program code.
Finally, it should be noted that the foregoing are merely preferred embodiments of the present invention, intended only to illustrate its technical solution and not to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.
Claims (3)
1. A network service secure communication method, characterized in that it is applied in an information server, wherein a service protocol is set, the service protocol is configured between the information server and a client, and a service key is set for the information server, the method further comprising:
receiving registration information sent by the client, and configuring an access authority for the registration information according to a characteristic character in the registration information;
generating, according to the access authority, a client key and a digital certificate carrying a digital signature for the client;
sending the client key and the digital certificate to the client;
when an access request sent by the client is received, determining the client's access authority according to the client key and digital certificate carried in the access request, determining target data according to the access authority and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client;
wherein generating the client key and digital certificate for the client comprises:
generating a common client key and a common digital certificate for clients having the same access authority;
or,
generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key;
or,
generating a temporary user key and a temporary digital certificate for the peripheral client according to the service key and any one or more of the client identifier, sequence number, random number, time stamp and lifetime in the access request;
wherein, after generating the client key and digital certificate for the client and before sending the client key and digital certificate to the client, the method further comprises: generating a login link code corresponding to the access authority, and encrypting the login link code into the client key;
and determining the client's access authority comprises: parsing the login link code from the client key, the login link code being linked to the information having the access authority;
and/or
determining the client's access authority according to the client key and digital certificate carried in the access request comprises: parsing the client's digital signature from the client key and digital certificate using the service key, judging whether the digital signature is consistent with the digital signature stored by the information server, and, if so, determining the client's access authority;
the method further comprising:
controlling the client to obtain an encrypted timestamp corresponding to the access request from a time stamp server;
receiving the access request sent by the client and the encrypted timestamp corresponding to the access request;
decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and, if so, performing the step of determining the client's access authority;
wherein, after determining the target data and before encrypting the target data with the service key, the method further comprises:
receiving the timestamp corresponding to the target data sent by the time stamp server, and encrypting the timestamp corresponding to the target data with the service key;
and sending the encrypted target data to the client comprises: sending the encrypted target data and the timestamp corresponding to the target data to the client.
2. A network service secure communication apparatus, characterized in that it is applied in an information server and comprises:
a setting unit, configured to set a service protocol and to set a service key for the information server;
a configuration unit, configured to configure the service protocol set by the setting unit between the information server and a peripheral client, to receive registration information sent by the peripheral client, and to configure an access authority for the registration information according to a characteristic character in the registration information;
a generating and transmitting unit, configured to generate, according to the access authority configured by the configuration unit, a client key and a digital certificate carrying a digital signature for the peripheral client, and to send the client key and the digital certificate to the peripheral client;
a data transmission unit, configured to, when an access request sent by the peripheral client is received, verify that the client key and digital certificate carried in the access request are consistent with the signed client key and digital certificate generated and sent by the generating and transmitting unit, determine the client's access authority, determine target data according to the access authority and the information request in the access request, encrypt the target data with the service key, and send the encrypted target data to the peripheral client;
wherein the generating and transmitting unit is configured to:
generate a common client key and a common digital certificate for peripheral clients having the same access authority;
or,
generate a private client key and a private digital certificate for the peripheral client according to the client identifier in the registration information and the service key;
or,
generate a temporary user key and a temporary digital certificate for the peripheral client according to the service key and any one or more of the client identifier, sequence number, random number, time stamp and lifetime in the access request;
the apparatus further comprising a control unit, wherein:
the control unit is configured to control the client to obtain an encrypted timestamp corresponding to the access request from a time stamp server, and to send the encrypted timestamp corresponding to the access request to the data transmission unit;
the data transmission unit is further configured to receive the access request sent by the peripheral client and the encrypted timestamp corresponding to the access request sent by the control unit, to decrypt the encrypted timestamp with the service key, to judge whether the timestamp is consistent with the time at which the access request was received, and, if so, to perform the determination of the client's access authority;
and the data transmission unit is further configured to:
receive the timestamp corresponding to the target data sent by the peripheral time stamp server, encrypt the timestamp corresponding to the target data with the service key, and send the encrypted target data and the timestamp corresponding to the target data to the peripheral client.
3. A network service secure communication system, characterized in that it comprises an information server having the network service secure communication apparatus according to claim 2, at least one client and a time stamp server, wherein:
each client of the at least one client is configured to send registration information and an access request to the network service secure communication apparatus in the information server, to receive the client key and digital certificate and the encrypted target data sent by the network service secure communication apparatus, and to receive the timestamp sent by the time stamp server, encrypt the timestamp and send the encrypted timestamp to the network service secure communication apparatus;
the time stamp server is configured to send timestamps to the client and to the network service secure communication apparatus respectively.
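The exchange in claims 1 to 3 and in the apparatus embodiment above (setting unit, configuration unit, generating and transmitting unit, data transmission unit, control unit, time stamp server), as an added Python model; this is not the patent's own code. Everything in it is an assumption made for illustration: HMAC-SHA256 stands in for the digital signature and for the proof that a request comes from the holder of the client key; an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for the encryption under the service key; the client key is derived from the service key, so the server "decrypts with the service key" by re-deriving that client key; and the characteristic characters, access authorities, login link codes, client identifiers and target data are constructed sample values. The model departs from the literal claim wording in two places where a practitioner would: the access request carries the certificate, the public part of the client key and an HMAC proof of possession rather than the client key itself, because a key sent in clear in every request can be replayed by anyone who reads it; and the target data is encrypted under the per-client key derived from the service key rather than under the service key directly, because the client otherwise has nothing to decrypt it with.

```python
# Added example, not the patent's own code. HMAC-SHA256 stands in for the digital signature,
# an HMAC counter-mode keystream with encrypt-then-MAC for the encryption, and the client key
# is derived from the service key; authorities, characteristic characters and data are made up.
import hashlib, hmac, json, os, struct, time

TOLERANCE = 30                                   # seconds a request timestamp may differ from receive time
AUTHORITY_BY_CHARACTERISTIC = {"A": "admin", "U": "user", "G": "guest"}   # constructed registration policy
RANK = {"guest": 0, "user": 1, "admin": 2}
TARGET_DATA = {"public-notice": ("guest", b"notice text"), "user-profile": ("user", b"profile record"),
               "audit-log": ("admin", b"audit entries")}   # information requested -> (authority needed, data)

def _h(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _stream(key, nonce, n):
    return b"".join(_h(key, b"enc", nonce, struct.pack(">I", i)) for i in range((n + 31) // 32))

def encrypt(key, plaintext):
    """nonce(16) || ciphertext || HMAC tag(32); decrypt() checks the tag before decrypting."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _h(key, b"mac", nonce, ct)

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(key, b"mac", nonce, ct)):
        raise ValueError("ciphertext tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class TimeStampServer:
    def stamp(self):
        return int(time.time())

class InformationServer:
    def __init__(self, service_key):
        self.service_key = service_key
        self.registry, self.links, self.issued = {}, {}, {}   # client -> authority, link code -> authority, client -> stored signature

    def register(self, registration):
        """Characteristic character in the registration -> access authority, plus its login link code."""
        authority = AUTHORITY_BY_CHARACTERISTIC[registration["characteristic"]]
        self.links[self.link_code(authority)] = authority
        self.registry[registration["client_id"]] = authority
        return authority

    def link_code(self, authority):
        return _h(self.service_key, b"link", authority.encode())[:8].hex()

    def issue(self, client_id, mode, lifetime=0):
        """Common (one per authority), private (one per client) or temporary (sequence, nonce, time, lifetime)."""
        authority, now = self.registry[client_id], int(time.time())
        subject = {"common": authority, "private": client_id,
                   "temporary": f"{client_id}:{len(self.issued)}:{os.urandom(4).hex()}:{now}:{lifetime}"}[mode]
        public = {"subject": subject, "mode": mode, "link": self.link_code(authority),
                  "expires": now + lifetime if mode == "temporary" else 0}
        signature = _h(self.service_key, b"cert", canonical(public)).hex()
        self.issued[client_id] = signature                       # the stored signature checked on every request
        return ({"public": public, "secret": _h(self.service_key, b"key", canonical(public)).hex()},
                {"client_id": client_id, "signature": signature})

    def handle(self, request, encrypted_ts, tsa):
        public, cert = request["public"], request["certificate"]
        secret = _h(self.service_key, b"key", canonical(public))   # client key re-derived from the service key
        ts = struct.unpack(">Q", decrypt(secret, encrypted_ts))[0]   # tag mismatch raises ValueError
        if abs(int(time.time()) - ts) > TOLERANCE:
            raise PermissionError("timestamp does not match the receive time")
        if public["expires"] and ts > public["expires"]:
            raise PermissionError("temporary client key expired")
        signature = _h(self.service_key, b"cert", canonical(public)).hex()
        if not (hmac.compare_digest(signature, cert["signature"])
                and hmac.compare_digest(signature, self.issued.get(cert["client_id"], ""))):
            raise PermissionError("client key and certificate do not match the stored signature")
        body = canonical({k: v for k, v in request.items() if k != "proof"})
        if not hmac.compare_digest(_h(secret, b"req", body).hex(), request["proof"]):
            raise PermissionError("request was not authenticated with the client key")
        authority = self.links[public["link"]]                   # link code -> authority, no directory search
        needed, data = TARGET_DATA[request["information"]]
        if RANK[authority] < RANK[needed]:
            raise PermissionError(f"{authority} may not read {request['information']}")
        return encrypt(secret, data), encrypt(secret, struct.pack(">Q", tsa.stamp()))

class Client:
    def __init__(self, client_id, characteristic):
        self.registration = {"client_id": client_id, "characteristic": characteristic}
        self.key = self.cert = None

    def secret(self):
        return bytes.fromhex(self.key["secret"])

    def encrypted_timestamp(self, ts):
        return encrypt(self.secret(), struct.pack(">Q", ts))

    def access_request(self, tsa, information):
        request = {"certificate": self.cert, "public": self.key["public"], "information": information}
        request["proof"] = _h(self.secret(), b"req", canonical(request)).hex()   # proof of possession; secret stays local
        return request, self.encrypted_timestamp(tsa.stamp())
```

The timestamp check accepts a value within TOLERANCE seconds of the receive time; a deployment that must also reject a replay inside that window would record the timestamps (or, for temporary keys, the sequence numbers) it has already accepted. Re-issuing a credential overwrites the signature stored for that client, so the earlier key and certificate stop verifying, which gives a simple revocation path.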
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610251351.9A CN105933315B (en) | 2016-04-21 | 2016-04-21 | A kind of network service safe communication means, device and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610251351.9A CN105933315B (en) | 2016-04-21 | 2016-04-21 | A kind of network service safe communication means, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105933315A CN105933315A (en) | 2016-09-07 |
CN105933315B true CN105933315B (en) | 2019-08-30 |
Family
ID=56839814
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610251351.9A Active CN105933315B (en) | 2016-04-21 | 2016-04-21 | A kind of network service safe communication means, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105933315B (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107979467B (en) * | 2016-10-21 | 2020-07-21 | 中国移动通信有限公司研究院 | Verification method and device |
CN108092937B (en) * | 2016-11-23 | 2021-04-20 | 厦门雅迅网络股份有限公司 | Method and system for preventing unauthorized access of Web system |
CN107509186A (en) * | 2017-08-15 | 2017-12-22 | 上海与德科技有限公司 | The binding method and device of a kind of communicating number |
CN110798434B (en) * | 2018-08-03 | 2022-04-08 | Emc Ip控股有限公司 | Computer system, method performed by computing device, and storage medium |
CN109274488A (en) * | 2018-09-04 | 2019-01-25 | 广州众诺电子技术有限公司 | Integrated circuit burning program method, storage medium and system |
WO2020098941A1 (en) * | 2018-11-15 | 2020-05-22 | Huawei Technologies Co., Ltd. | Automatic digital identification system integrated between consumer devices and backend services |
US20200242213A1 (en) * | 2019-01-28 | 2020-07-30 | Blackberry Limited | Method and system for digital rights management |
CN110855624A (en) * | 2019-10-18 | 2020-02-28 | 平安科技(深圳)有限公司 | Safety verification method based on web interface and related equipment |
CN111242590A (en) * | 2020-01-06 | 2020-06-05 | 深圳壹账通智能科技有限公司 | ACS system-based data processing method, system and storage medium |
CN111241355B (en) * | 2020-01-08 | 2023-06-16 | 浪潮通信信息系统有限公司 | Message forwarding method and server |
CN111800426A (en) * | 2020-07-07 | 2020-10-20 | 腾讯科技(深圳)有限公司 | Method, device, equipment and medium for accessing native code interface in application program |
CN113490212A (en) * | 2021-06-18 | 2021-10-08 | 新华三技术有限公司 | Key distribution method, communication equipment and storage medium |
CN114745192A (en) * | 2022-04-24 | 2022-07-12 | 深圳市乐凡信息科技有限公司 | Communication method, system, device and medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1354936A (en) * | 2000-04-14 | 2002-06-19 | 韩国稀客股份有限公司 | Method and apparatus for protecting file system based on digital signature |
CN102970299A (en) * | 2012-11-27 | 2013-03-13 | 西安电子科技大学 | File safe protection system and method thereof |
CN104348870A (en) * | 2013-08-02 | 2015-02-11 | 航天信息股份有限公司 | Data management method and system of cloud storage system based on trusted timestamp |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1354936A (en) * | 2000-04-14 | 2002-06-19 | 韩国稀客股份有限公司 | Method and apparatus for protecting file system based on digital signature |
CN102970299A (en) * | 2012-11-27 | 2013-03-13 | 西安电子科技大学 | File safe protection system and method thereof |
CN104348870A (en) * | 2013-08-02 | 2015-02-11 | 航天信息股份有限公司 | Data management method and system of cloud storage system based on trusted timestamp |
Also Published As
Publication number | Publication date |
---|---|
CN105933315A (en) | 2016-09-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105933315B (en) | A kind of network service safe communication means, device and system | |
CN106357396B (en) | Digital signature method and system and quantum key card | |
CN105103488B (en) | By the policy Enforcement of associated data | |
CN104980477B (en) | Data access control method and system under cloud storage environment | |
CN108235805A (en) | Account unifying method and device and storage medium | |
CN105681470B (en) | Communication means, server based on hypertext transfer protocol, terminal | |
CN104394172B (en) | Single-sign-on apparatus and method | |
CN106060078B (en) | User information encryption method, register method and verification method applied to cloud platform | |
US10257171B2 (en) | Server public key pinning by URL | |
JP2022515467A (en) | Key security management systems and methods, media, and computer programs | |
US9197610B1 (en) | Packet authentication and encryption in virtual networks | |
JP5602165B2 (en) | Method and apparatus for protecting network communications | |
CN110401629A (en) | A kind of method and relevant apparatus of activation authorization | |
CN111080299B (en) | Anti-repudiation method for transaction information, client and server | |
CN104574176A (en) | USBKEY-based secure online tax declaration method | |
CN106470103B (en) | Method and system for sending encrypted URL request by client | |
CN102025748B (en) | Method, device and system for acquiring user name of Kerberos authentication mode | |
CN106657002A (en) | Novel crash-proof base correlation time multi-password identity authentication method | |
CN114168913A (en) | Crowd-sourcing result evaluation and reward distribution method, system and medium based on intelligent contracts | |
CN110188545A (en) | A kind of data ciphering method and device based on chain database | |
CN109495458A (en) | A kind of method, system and the associated component of data transmission | |
US20190305940A1 (en) | Group shareable credentials | |
Liu et al. | Building an IPv6 address generation and traceback system with NIDTGA in address driven network | |
US20210035018A1 (en) | Apparatus for verifying integrity of AI learning data and method therefor | |
Huang et al. | Mutual authentications to parties with QR-code applications in mobile systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||