CN105933315B - Network service secure communication method, device and system - Google Patents


Publication number: CN105933315B
Application number: CN201610251351.9A
Authority: CN (China)
Prior art keywords: client, key, sent, target data, access request
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105933315A (en)
Inventors: 仇伟民, 戴鸿君, 于治楼
Current Assignee
Inspur Group Co Ltd
Original Assignee
Inspur Group Co Ltd
Events:
Application filed by Inspur Group Co Ltd
Priority to CN201610251351.9A
Publication of CN105933315A
Application granted
Publication of CN105933315B
Anticipated expiration


Classifications (CPC)

    • H04L63/0823: H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 for authentication of entities; H04L63/0823 using certificates
    • H04L63/0442: H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network architectures or network communication protocols for network security; H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks; H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload; H04L63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

The present invention provides a network service secure communication method, device and system. The method is applied in an information server and comprises: setting a service protocol, configuring the service protocol between the information server and a client, and setting a service key for the information server; receiving registration information sent by the client and configuring an access permission for that registration information; generating for the client a client key and a digital certificate carrying a digital signature; sending the client key and digital certificate to the client; and, on receiving an access request from the client, determining the client's access permission from the client key and digital certificate carried in the request, determining the target data, encrypting the target data with the service key and sending the encrypted target data to the client. The scheme protects information transmitted end to end.

Description

Network service secure communication method, device and system
Technical field
The present invention relates to the field of computer technology, and in particular to a network service secure communication method, device and system.
Background
With the development of Internet technology and applications, network-based end-to-end distributed applications (such as e-commerce and e-government) have become an important direction of development. For such applications, network services (web services) are the basis on which information is transmitted, so securing network service communication is particularly important.
Current network service security techniques mainly protect information in transit between application layers, that is, at the transport layer or network layer. They do not guarantee the security of information transmitted end to end.
Summary of the invention
Embodiments of the present invention provide a network service secure communication method, device and system that protect information transmitted end to end.
A network service secure communication method, applied in an information server, comprises: setting a service protocol, configuring the service protocol between the information server and a client, and setting a service key for the information server; and further comprises:
receiving registration information sent by the client and configuring an access permission for the registration information according to the characteristic characters it contains;
generating, according to the access permission, a client key and a digital certificate carrying a digital signature for the client;
sending the client key and digital certificate to the client;
on receiving an access request from the client, determining the client's access permission from the client key and digital certificate carried in the access request, determining the target data according to the access permission and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client.
Preferably, generating the client key and digital certificate for the client comprises: generating a common client key and a common digital certificate for clients with the same access permission.
Preferably, generating the client key and digital certificate for the client comprises: generating a private client key and a private digital certificate for the client from the client identifier in the registration information and the service key.
Preferably, generating the client key and digital certificate for the client comprises: generating a temporary client key and a temporary digital certificate for the external client from the service key together with any one or more of the client identifier, sequence number, random number, timestamp and validity period in the access request.
Preferably, after generating the client key and digital certificate for the client and before sending them to the client, the method further comprises: generating a login link code corresponding to the access permission and encrypting the login link code into the client key;
determining the client's access permission then comprises: parsing the login link code out of the client key, the login link code linking to the information covered by that access permission.
Preferably, determining the client's access permission from the client key and digital certificate carried in the access request comprises: parsing the client's digital signature out of the client key and digital certificate with the service key and checking whether it matches the digital signature stored by the information server; if so, the client's access permission is determined.
Preferably, the method further comprises:
instructing the client to obtain from a timestamp server an encrypted timestamp corresponding to the access request;
receiving the access request and its encrypted timestamp from the client;
decrypting the encrypted timestamp with the service key and checking whether the timestamp is consistent with the time at which the access request was received; if so, proceeding to determine the client's access permission.
Preferably, after determining the target data and before encrypting it with the service key, the method further comprises:
receiving from the timestamp server the timestamp corresponding to the target data and encrypting that timestamp with the service key;
and sending the encrypted target data to the client comprises sending the encrypted target data together with its timestamp to the client.
A network service secure communication device, applied in an information server, comprises:
a setting unit, for setting the service protocol and setting the service key for the information server;
a configuration unit, for configuring the service protocol set by the setting unit between the information server and an external client, receiving the registration information sent by the external client, and configuring an access permission for the registration information according to the characteristic characters it contains;
a generation and transmission unit, for generating, according to the access permission configured by the configuration unit, a client key and a digital certificate carrying a digital signature for the external client, and sending the client key and digital certificate to the external client;
a data transmission unit, for, on receiving an access request from the external client, checking that the client key and digital certificate carried in the access request are consistent with the signed client key and digital certificate generated and sent by the generation and transmission unit, determining the client's access permission, determining the target data according to the access permission and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the external client.
Preferably, the generation and transmission unit generates a common client key and a common digital certificate for external clients with the same access permission.
Preferably, the generation and transmission unit generates a private client key and a private digital certificate for the external client from the client identifier in the registration information and the service key.
Preferably, the generation and transmission unit generates a temporary client key and a temporary digital certificate for the external client from the service key together with any one or more of the client identifier, sequence number, random number, timestamp and validity period in the access request.
Preferably, the device further comprises a control unit, wherein:
the control unit instructs the client to obtain from the timestamp server the encrypted timestamp corresponding to the access request, and passes that encrypted timestamp to the data transmission unit;
the data transmission unit further receives the access request sent by the external client and the encrypted timestamp passed by the control unit, decrypts the encrypted timestamp with the service key, checks whether the timestamp is consistent with the time at which the access request was received and, if so, proceeds to determine the client's access permission.
Preferably, the data transmission unit further receives from the external timestamp server the timestamp corresponding to the target data, encrypts that timestamp with the service key, and sends the encrypted target data together with its timestamp to the external client.
A network service secure communication system comprises an information server carrying any of the above network service secure communication devices, at least one client and a timestamp server, wherein:
each of the clients sends registration information and access requests to the network service secure communication device in the information server, receives the client key, digital certificate and encrypted target data sent by the device, receives the timestamp sent by the timestamp server, encrypts it, and sends the encrypted timestamp to the device;
the timestamp server sends timestamps to the clients and to the network service secure communication device respectively.
Embodiments of the present invention provide a network service secure communication method, device and system. The method sets a service protocol and configures it between the information server and the client, which establishes the end-to-end communication; it sets a service key for the information server; it receives the registration information sent by the client and configures an access permission for that registration information according to its characteristic characters; according to the access permission it generates a client key and a digital certificate carrying a digital signature for the client and sends them to the client, the access permission already providing a degree of protection for the information; and on receiving an access request from the client it determines the client's access permission from the client key and digital certificate carried in the request, determines the target data according to the access permission and the information request, encrypts the target data with the service key and sends the encrypted target data to the client. Because the transmitted data is encrypted, data transmitted end to end (server to client) is protected, which secures end-to-end information transmission.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a network service secure communication method provided by one embodiment of the invention;
Fig. 2 is a flow chart of a network service secure communication method provided by another embodiment of the invention;
Fig. 3 is a structural diagram of the framework hosting a network service secure communication device provided by one embodiment of the invention;
Fig. 4 is a structural diagram of a network service secure communication device provided by one embodiment of the invention;
Fig. 5 is a structural diagram of a network service secure communication device provided by another embodiment of the invention;
Fig. 6 is a structural diagram of a network service secure communication system provided by one embodiment of the invention.
Detailed description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a network service secure communication method applied in an information server. The method may comprise the following steps:
Step 101: set a service protocol, configure the service protocol between the information server and the client, and set a service key for the information server;
Step 102: receive the registration information sent by the client and configure an access permission for the registration information according to the characteristic characters it contains;
Step 103: according to the access permission, generate a client key and a digital certificate carrying a digital signature for the client;
Step 104: send the client key and digital certificate to the client;
Step 105: on receiving an access request from the client, determine the client's access permission from the client key and digital certificate carried in the access request;
Step 106: determine the target data according to the access permission and the information request in the access request, encrypt the target data with the service key, and send the encrypted target data to the client.
In the embodiment of Fig. 1, the service protocol configured between the information server and the client provides the end-to-end communication channel; the access permission configured from the registration information limits what each client may obtain and so already protects the information to some extent; and the target data returned over that channel is encrypted with the service key, so data transmitted end to end (server to client) is protected and end-to-end information transmission is secured.
In one embodiment, to avoid per-client keys and certificates reducing data transmission efficiency, step 103 generates a common client key and a common digital certificate for clients with the same access permission.
In one embodiment, to increase the security of the key and certificate, step 103 generates a private client key and a private digital certificate for the client from the client identifier in the registration information and the service key.
In one embodiment, to further increase the security of the key and certificate and make them harder to recover, step 103 generates a temporary client key and a temporary digital certificate for the external client from the service key together with any one or more of the client identifier, sequence number, random number, timestamp and validity period in the access request.
In one embodiment, so that the client's access permission can be located precisely, a login link code corresponding to the access permission is generated after step 103 and before step 104 and encrypted into the client key; step 105 then parses the login link code out of the client key, the code linking to the information covered by that access permission.
In one embodiment, to guarantee that the access permission is legitimate, step 105 parses the client's digital signature out of the client key and digital certificate with the service key and checks whether it matches the digital signature stored by the information server; if so, the client's access permission is determined.
In one embodiment, to further guarantee that the access permission is legitimate, the method additionally instructs the client to obtain from a timestamp server the encrypted timestamp corresponding to the access request; receives the access request and its encrypted timestamp from the client; decrypts the encrypted timestamp with the service key and checks whether the timestamp is consistent with the time at which the access request was received; and performs step 105 only if it is.
In one embodiment, to prevent the timestamp being tampered with and to use the timestamp to protect the data, step 106 additionally receives from the timestamp server the timestamp corresponding to the target data after determining the target data and before encrypting it with the service key, encrypts that timestamp with the service key, and sends the encrypted target data together with its timestamp to the client.
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the invention provides a network service secure communication method applied in an information server. The method may comprise the following steps:
Step 201: set a service protocol, configure the service protocol between the information server and the client, and set a service key for the information server;
In this step, an end-to-end communication protocol such as SOAP may be configured to provide end-to-end communication. The service key set in this step may be derived by computing a hash value with a hash algorithm and encrypting that hash value, or may simply be a character string of fixed length generated from a file header and file permissions. The service key can encrypt data with whichever cipher the client requires, and can decrypt the information in the client key sent by the client.
Step 202: receive the registration information sent by the client and configure an access permission for it according to the characteristic characters it contains;
The registration information may include a registration account and a login password. The characteristic characters are the characters specific to each level of user. For example, in a school's student management system a student number carries characters identifying grade and faculty, and a staff number carries characters identifying rank; the corresponding access permissions can be configured from these characteristic characters.
Step 203: according to the access permission, generate a client key and a digital certificate carrying a digital signature for the client, and store the digital signature in the information server;
In this step the client key and digital certificate may be generated by: generating a common client key and a common digital certificate for clients with the same access permission; or generating a private client key and a private digital certificate for the client from the client identifier in the registration information and the service key; or generating a temporary client key and a temporary digital certificate for the external client from the service key together with any one or more of the client identifier, sequence number, random number, timestamp and validity period in the access request.
Step 204: generate a login link code corresponding to the access permission and encrypt the login link code into the client key;
The login link code generated in this step links directly to the corresponding permission information, so the access permission can be located precisely and found quickly. Because the client must send its client key to the information server in a later step, the server can locate the access permission directly by parsing the login link code out of the client key.
Step 205: send the client key and digital certificate to the client;
Step 206: when the client sends an access request, instruct the client to obtain from the timestamp server the encrypted timestamp corresponding to the access request;
Step 207: receive the access request and its encrypted timestamp from the client;
Step 208: decrypt the encrypted timestamp with the service key and check whether the decrypted timestamp is consistent with the time at which the access request was received; if so, perform step 209, otherwise perform step 217;
The timestamp in steps 206 to 208 records when the access request was sent, so it tells the server precisely when the request left the client. The time at which the request reaches the information server should agree with its sending time, or differ by no more than an acceptable margin; a mismatch indicates that the request may have been intercepted and replayed or altered in transit. The timestamp is encrypted so that it cannot be tampered with, which would otherwise undermine the server's judgement of whether the request is safe and legitimate. For this check to detect modification rather than merely hide the value, the encryption of the timestamp must also authenticate it (for example with an authenticated cipher), since an unauthenticated ciphertext can be altered without knowing the key.
Step 209: parse the client's digital signature out of the client key and digital certificate with the service key and check whether it matches the digital signature stored by the information server; if so, perform step 210, otherwise perform step 217;
This step verifies both the client key and the digital certificate, further securing the access request.
Step 210: parse the login link code out of the client key; the login link code links to the information covered by the access permission;
Step 211: determine the target data within the information covered by the access permission according to the information request in the access request;
Step 212: receive from the timestamp server the timestamp corresponding to the target data;
This timestamp records when the target data is sent. The client compares it with the time at which it receives the target data: if the two agree, or differ by no more than the permitted margin, the target data is considered intact; otherwise the target data may have been tampered with in transit.
Step 213: encrypt the target data and its timestamp with the service key;
This encryption prevents data leakage if the target data and timestamp are intercepted.
Step 214: send the encrypted target data and its timestamp to the client;
Step 215: the client receives the encrypted target data and its timestamp;
Step 216: the client decrypts the encrypted target data and its timestamp with the client key, and the process ends;
Step 217: refuse to provide target data for the access request.
Encryption is applied throughout the transmission of data and access requests. Moreover, the client may hold its own private key, in which case the information server, according to the private key held by the client, decrypts the access request with the service public key and encrypts the target data, which secures the network service communication.
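The method as summarised above and laid out in steps 201 to 217, as a runnable Python model. This is an added illustration, not code from the patent or from Inspur. Where the patent leaves a mechanism unspecified the example substitutes one and says so: the digital signature is an HMAC-SHA256 under the service key; the service-key cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag (a stand-in for whatever authenticated cipher a deployment would use); the login link code is carried in the signed certificate rather than encrypted into the client key; the private client key of step 203 is derived from the service key and client identifier, which is what lets the server encrypt under the service key and the client decrypt under the client key at step 216; the timestamp server is assumed to share the service key so its stamps can be decrypted at step 208; and the identifier prefixes, freshness window and sample data are constructed. Names such as InformationServer, TimestampServer and client_run are the example's own.

```python
import hashlib
import hmac
import json
import secrets

# Step 201: the information server's service key.  Generated here so the example
# runs stand-alone; in a deployment it is provisioned, not created at import time.
SERVICE_KEY = secrets.token_bytes(32)
FRESHNESS_WINDOW = 30.0  # assumed: seconds a timestamp may differ from receipt time


def permission_from_identifier(ident: str) -> str:
    """Step 202: access permission from the characteristic characters of the identifier.
    Constructed convention: 'S' + four-digit grade for students, 'T' + rank digit for staff."""
    if ident.startswith("S") and ident[1:5].isdigit():
        return "student:grade" + ident[1:5]
    if ident.startswith("T") and ident[1:2] in ("1", "2"):
        return {"1": "staff:lecturer", "2": "staff:professor"}[ident[1]]
    raise ValueError("identifier carries no recognised characteristic characters")


def _mac(key: bytes, *parts) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; stands in for the digital signature."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        b = p.encode() if isinstance(p, str) else p
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range(0, n, 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the unspecified service-key cipher: keystream XOR plus an
    encrypt-then-MAC tag.  Layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _mac(key, b"tag", nonce, ct)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the tag does not verify (wrong key or altered data)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _mac(key, b"tag", nonce, ct)):
        raise ValueError("ciphertext rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class TimestampServer:
    """Step 206: issues the encrypted request timestamp (assumed to hold SERVICE_KEY)."""
    def stamp(self, now: float) -> bytes:
        return encrypt(SERVICE_KEY, repr(now).encode())


class InformationServer:
    def __init__(self, data: dict):
        self.data = data    # permission -> {information request -> target data}
        self.certs = {}     # client_id -> stored digital signature (step 203)
        self.links = {}     # login link code -> permission (step 204)

    def register(self, client_id: str) -> dict:
        """Steps 202 to 205: private client key, certificate and signature."""
        link_code = secrets.token_hex(8)
        self.links[link_code] = permission_from_identifier(client_id)
        cert = {"client_id": client_id, "link": link_code}
        signature = _mac(SERVICE_KEY, "cert", json.dumps(cert, sort_keys=True))
        self.certs[client_id] = signature
        client_key = _mac(SERVICE_KEY, "client-key", client_id)
        return {"client_key": client_key, "cert": cert, "signature": signature}

    def access(self, cert: dict, signature: bytes, enc_ts: bytes,
               info_request: str, now: float):
        """Steps 207 to 214; every refusal is step 217 and returns None."""
        try:
            sent_at = float(decrypt(SERVICE_KEY, enc_ts).decode())       # step 208
        except ValueError:
            return None
        if abs(now - sent_at) > FRESHNESS_WINDOW:
            return None
        stored = self.certs.get(cert.get("client_id"))                   # step 209
        expected = _mac(SERVICE_KEY, "cert", json.dumps(cert, sort_keys=True))
        if stored is None or not hmac.compare_digest(signature, stored) \
                or not hmac.compare_digest(signature, expected):
            return None
        permission = self.links.get(cert.get("link"))                    # step 210
        target = self.data.get(permission, {}).get(info_request)         # step 211
        if target is None:
            return None
        client_key = _mac(SERVICE_KEY, "client-key", cert["client_id"])
        envelope = {"data": target, "sent_at": now}                      # steps 212-213
        return encrypt(client_key, json.dumps(envelope).encode())        # step 214


def client_run(server, tss, creds, info_request: str, now: float):
    """Client side: obtain the stamp (206), send the request, decrypt (215, 216)."""
    blob = server.access(creds["cert"], creds["signature"], tss.stamp(now), info_request, now)
    if blob is None:
        return None
    envelope = json.loads(decrypt(creds["client_key"], blob).decode())
    if abs(now - envelope["sent_at"]) > FRESHNESS_WINDOW:   # client-side check of step 212
        return None
    return envelope["data"]
```

Running client_run with a student credential returns that student's target data; the same credential asking for staff data is refused at step 211, a stamp replayed 100 seconds later is refused at step 208, a certificate with an altered login link code fails the signature check of step 209, and a flipped ciphertext byte is rejected before the timestamp is even parsed. Two points worth noticing: all comparisons use hmac.compare_digest rather than ==, and a replay inside the freshness window is not caught by the timestamp alone, which is why a per-request sequence number or random number, listed among the inputs of the temporary-key variant of step 203, matters in practice.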
As shown in Figure 3, Figure 4, the embodiment of the invention provides a kind of network service safe communication devices.Installation practice can Can also be realized by way of hardware or software and hardware combining by software realization.For hardware view, such as Fig. 3 institute Show, is a kind of hardware structure diagram of equipment where network service safe communication device provided in an embodiment of the present invention, in addition to Fig. 3 institute Except the processor, memory, network interface and the nonvolatile memory that show, the equipment in embodiment where device is usually also It may include other hardware, such as be responsible for the forwarding chip of processing message.Taking software implementation as an example, as shown in figure 4, as one Device on a logical meaning is to be referred to computer program corresponding in nonvolatile memory by the CPU of equipment where it It enables and is read into memory what operation was formed.Network service safe communication device provided in this embodiment is applied to information server In, comprising:
Service key is arranged for service agreement to be arranged, and for the information server in setting unit 401;
Configuration unit 402, the clothes being arranged for configuring setting unit 401 between information server and the client of peripheral hardware Business agreement receives the registration information that the client of peripheral hardware is sent, and according to characteristic character in registration information, configures for registration information Access authority;
Transmission unit 403 is generated, the access authority for configuring according to configuration unit 402 is raw for the client of the peripheral hardware At client key and digital certificate with digital signature, and client key and digital certificate are sent to the client of peripheral hardware;
Data transmission unit 404, for parsing peripheral hardware when receiving the access request of client transmission of peripheral hardware What the client key and digital certificate and generation transmission unit 403 carried in access request was generated and sent has digital signature Client key is consistent with digital certificate, determines client access authority, according to the information request in access authority and access request, It determines target data, target data is encrypted using service key, and encrypted target data is sent to peripheral hardware Client.
In another embodiment of the invention, the generation and transmission unit 403 is for generating a common client key and a common digital certificate for external clients having the same access authority.
In still another embodiment, the generation and transmission unit 403 is for generating a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key.
In another embodiment of the invention, the generation and transmission unit 403 is for generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, sequence number, random number, timestamp and lifetime in the access request.
As shown in Fig. 5, in still another embodiment the above device further comprises a control unit 501, wherein
the control unit 501 is for controlling the client to obtain, from a timestamp server, an encrypted timestamp corresponding to the access request, and sending the encrypted timestamp corresponding to the access request to the data transmission unit 404;
the data transmission unit 404 is further for receiving the access request sent by the external client and the encrypted timestamp corresponding to the access request sent by the control unit 501, decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and, if so, performing the determination of the client's access authority.
In another embodiment of the invention, the data transmission unit 404 is further for receiving the timestamp corresponding to the target data sent by the external timestamp server, encrypting the timestamp corresponding to the target data with the service key, and sending the encrypted target data together with the timestamp corresponding to the target data to the external client.
As shown in Fig. 6, an embodiment of the invention provides a network service secure communication system, comprising: an information server 601 having any one of the above network service secure communication devices 6011, at least one client 602, and a timestamp server 603, wherein
among the at least one client, each client 602 is for sending registration information and an access request to the network service secure communication device 6011 in the information server 601, receiving the client key and digital certificate and the encrypted target data sent by the device 6011, receiving the timestamp sent by the timestamp server, encrypting the timestamp, and sending the encrypted timestamp to the network service secure communication device 6011;
the timestamp server 603 is for sending timestamps to the client 602 and to the network service secure communication device 6011 respectively.
The information exchange, execution processes and similar details between the units or devices of the above device or system are based on the same concept as the method embodiment of the invention; for details refer to the description of the method embodiment, which is not repeated here.
According to the above solutions, the embodiments of the invention have at least the following beneficial effects:
1. The service agreement between the information server and the client is configured by setting a service agreement, through which end-to-end communication is realized; a service key is set for the information server; the registration information sent by the client is received and an access authority is configured for it according to a characteristic character in the registration information; according to the access authority, a client key and a digital certificate carrying a digital signature are generated for the client and sent to it, so that configuring the access authority ensures the security of information to a certain extent; when an access request is received, the client's access authority is determined according to the client key and digital certificate carried in the access request, the target data is determined according to the access authority and the information request in the access request, encrypted with the service key and sent to the client, so that the transmitted data is encrypted and transmission between the two ends (server to client) is secure, thereby ensuring the security of information transmitted end to end.
2. The embodiments of the invention verify the timestamp as well as the client key and digital certificate, using multiple verification methods to verify the legitimacy of the client and thus ensure the security and legitimacy of the access request, which further improves the security of the information transmission process; in addition, the client encrypts the access request and the information server encrypts the target data, realizing a secure session between the two ends.
3. By generating a login link code corresponding to the access authority and encrypting the login link code into the client key, the login link code can be parsed from the client key when an access request is received and links directly to the information covered by the access authority, without having to look up the permitted information according to the access authority, which effectively improves access efficiency on the basis of secure access.
4. The client key and digital certificate may be generated for the client in several ways: a common client key and a common digital certificate for clients having the same access authority; a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key; or a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, sequence number, random number, timestamp and lifetime in the access request. The mode can be selected according to need, which provides flexibility while ensuring the security of the client key and digital certificate.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or equipment including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or equipment. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or equipment that includes the element.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiment may be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiment; the storage medium includes ROM, RAM, magnetic disk, optical disk or any other medium capable of storing program code.
Finally, it should be noted that the foregoing are merely preferred embodiments of the invention, intended only to illustrate its technical solution and not to limit its scope. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the invention is included within the scope of protection of the invention.

Claims (3)

1. A network service secure communication method, characterized in that it is applied in an information server and comprises: setting a service agreement, configuring the service agreement between the information server and a client, and setting a service key for the information server; the method further comprising:
receiving registration information sent by the client, and configuring an access authority for the registration information according to a characteristic character in the registration information;
generating, according to the access authority, a client key and a digital certificate carrying a digital signature for the client;
sending the client key and digital certificate to the client;
when an access request sent by the client is received, determining the client's access authority according to the client key and digital certificate carried in the access request, determining target data according to the access authority and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the client;
wherein generating the client key and digital certificate for the client comprises:
generating a common client key and a common digital certificate for clients having the same access authority;
or,
generating a private client key and a private digital certificate for the client according to the client identifier in the registration information and the service key;
or,
generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, sequence number, random number, timestamp and lifetime in the access request;
wherein, after generating the client key and digital certificate for the client and before sending the client key and digital certificate to the client, the method further comprises: generating a login link code corresponding to the access authority, and encrypting the login link code into the client key;
wherein determining the client's access authority comprises: parsing the login link code from the client key, the login link code linking to the information for which the client has access authority;
and/or
wherein determining the client's access authority according to the client key and digital certificate carried in the access request comprises: parsing, using the service key, the client's digital signature from the client key and digital certificate, judging whether the digital signature is consistent with the digital signature stored by the information server, and if so, determining the client's access authority;
the method further comprising:
controlling the client to obtain, from a timestamp server, an encrypted timestamp corresponding to the access request;
receiving the access request sent by the client and the encrypted timestamp corresponding to the access request;
decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and if so, performing the determination of the client's access authority;
wherein, after determining the target data and before encrypting the target data with the service key, the method further comprises:
receiving the timestamp corresponding to the target data sent by the timestamp server, and encrypting the timestamp corresponding to the target data with the service key;
and wherein sending the encrypted target data to the client comprises: sending the encrypted target data and the timestamp corresponding to the target data to the client.
2. A network service secure communication device, characterized in that it is applied in an information server and comprises:
a setting unit, for setting a service agreement and setting a service key for the information server;
a configuration unit, for configuring the service agreement set by the setting unit between the information server and an external client, receiving the registration information sent by the external client, and configuring an access authority for the registration information according to a characteristic character in the registration information;
a generation and transmission unit, for generating, according to the access authority configured by the configuration unit, a client key and a digital certificate carrying a digital signature for the external client, and sending the client key and digital certificate to the external client;
a data transmission unit, for, when an access request sent by the external client is received, parsing the client key and digital certificate carried in the access request, checking that they are consistent with the signed client key and digital certificate generated and sent by the generation and transmission unit, determining the client's access authority, determining target data according to the access authority and the information request in the access request, encrypting the target data with the service key, and sending the encrypted target data to the external client;
wherein the generation and transmission unit is for:
generating a common client key and a common digital certificate for external clients having the same access authority;
or,
generating a private client key and a private digital certificate for the external client according to the client identifier in the registration information and the service key;
or,
generating a temporary client key and a temporary digital certificate for the external client according to the service key and any one or more of the client identifier, sequence number, random number, timestamp and lifetime in the access request;
the device further comprising a control unit, wherein
the control unit is for controlling the client to obtain, from a timestamp server, an encrypted timestamp corresponding to the access request, and sending the encrypted timestamp corresponding to the access request to the data transmission unit;
the data transmission unit is further for receiving the access request sent by the external client and the encrypted timestamp corresponding to the access request sent by the control unit, decrypting the encrypted timestamp with the service key, judging whether the timestamp is consistent with the time at which the access request was received, and if so, performing the determination of the client's access authority;
and the data transmission unit is further for:
receiving the timestamp corresponding to the target data sent by the external timestamp server, encrypting the timestamp corresponding to the target data with the service key, and sending the encrypted target data and the timestamp corresponding to the target data to the external client.
3. A network service secure communication system, characterized by comprising: an information server having the network service secure communication device of claim 2, at least one client, and a timestamp server, wherein
among the at least one client, each client is for sending registration information and an access request to the network service secure communication device in the information server, receiving the client key and digital certificate and the encrypted target data sent by the network service secure communication device, receiving the timestamp sent by the timestamp server, encrypting the timestamp, and sending the encrypted timestamp to the network service secure communication device;
the timestamp server is for sending timestamps to the client and to the network service secure communication device respectively.
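The registration, credential issuance and timestamped access-request handling described in the device embodiment (units 401 to 404 and 501) and restated in claim 1, as an added Python example; it is not code from the patent. It assumes a one-letter role tag as the "characteristic character", HMAC-SHA256 as a stand-in for the digital signature, an HMAC counter-mode keystream as a stand-in for the service-key cipher, and a timestamp server that encrypts under the service key; the data store and keys are constructed samples.

```python
import hashlib
import hmac
import json
import secrets

SERVICE_KEY = b"constructed-service-key-0001"  # constructed sample; held by the information server

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream XOR; a stand-in for a real cipher (assumption)."""
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)          # fresh nonce per message, prepended to the ciphertext
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:12], blob[12:])

def sign(key: bytes, msg: bytes) -> str:
    """Stand-in for the digital signature: HMAC under the service key (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

# Registration: the "characteristic character" is assumed to be a one-letter role tag
AUTHORITY_BY_TAG = {"A": "admin", "U": "user"}
# access authority -> login link code, and link code -> target data (constructed sample store)
LINK_CODE = {"admin": "LC-ADMIN", "user": "LC-USER"}
DATA_BY_LINK = {"LC-ADMIN": {"report": "all-sites", "audit": "full"},
                "LC-USER": {"report": "own-site"}}

def register(registration: dict) -> dict:
    """Information server: configure access authority, issue client key + signed certificate."""
    authority = AUTHORITY_BY_TAG[registration["tag"]]
    # the login link code is encrypted into the (private, per-client) client key
    key_body = json.dumps({"id": registration["client_id"], "link": LINK_CODE[authority]}).encode()
    client_key = encrypt(SERVICE_KEY, key_body)
    cert = json.dumps({"client_id": registration["client_id"], "authority": authority}).encode()
    # the signature binds the certificate and the client key together
    return {"client_key": client_key.hex(), "cert": cert.hex(), "sig": sign(SERVICE_KEY, cert + client_key)}

def timestamp_server(now: float) -> bytes:
    """Timestamp server: issues the request timestamp encrypted under the service key (assumption)."""
    return encrypt(SERVICE_KEY, repr(now).encode())

def handle_access_request(req: dict, received_at: float, window: float = 30.0):
    """Information server: verify signature and timestamp, resolve authority, return encrypted data or None."""
    client_key, cert = bytes.fromhex(req["client_key"]), bytes.fromhex(req["cert"])
    if not hmac.compare_digest(req["sig"], sign(SERVICE_KEY, cert + client_key)):
        return None                          # not issued by this server, or tampered with
    try:
        ts = float(decrypt(SERVICE_KEY, bytes.fromhex(req["enc_ts"])).decode())
    except (ValueError, UnicodeDecodeError):
        return None                          # timestamp not decryptable with the service key
    if abs(received_at - ts) > window:
        return None                          # stale or replayed request
    link = json.loads(decrypt(SERVICE_KEY, client_key))["link"]  # login link code from the client key
    item = req["request"]
    if item not in DATA_BY_LINK[link]:
        return None                          # item lies outside the client's access authority
    return encrypt(SERVICE_KEY, DATA_BY_LINK[link][item].encode())
```

A request outside the configured window, with a forged signature, or for data outside the link code's scope is rejected before any target data is encrypted.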
CN201610251351.9A 2016-04-21 2016-04-21 A kind of network service safe communication means, device and system Active CN105933315B (en)

Publications (2)

Publication Number Publication Date
CN105933315A CN105933315A (en) 2016-09-07
CN105933315B true CN105933315B (en) 2019-08-30
