CN106815525B - Data transmission method and device - Google Patents


Info

Publication number
CN106815525B
Authority
CN
China
Prior art keywords
application
data
request
check code
data transmission
Legal status
Active
Application number
CN201611143647.5A
Other languages
Chinese (zh)
Other versions
CN106815525A (en)
Inventor
周宏斌
Current Assignee
Yuanxin Information Technology Group Co.,Ltd.
Original Assignee
Beijing Yuanxin Science and Technology Co Ltd
Priority date
2016-12-13
Filing date
2016-12-13
Publication date
2020-03-31
Application filed by Beijing Yuanxin Science and Technology Co Ltd
Priority to CN201611143647.5A
Publication of CN106815525A
Application granted
Publication of CN106815525B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a data transmission method and device, wherein the method comprises the following steps: in response to receiving a data request issued by a requesting application, checking whether the requesting application and the target application that will process the data request are trusted; in response to both the requesting application and the target application being trusted, sending the data request to the target application; in response to the target application returning permission for a session, generating a unique check code and sending the unique check code, the requesting application information and the target application information to an application authorization center and an application data transmission system; the application authorization center adding the application data transmission system into the sandboxes of the requesting application and the target application respectively, according to the received requesting application information, target application information and unique check code; and the application data transmission system transmitting data according to the stored unique check code. The invention solves the problem of data transmission between processes while protecting the security of application private data.

Description

Data transmission method and device
Technical Field
The present application relates to the field of electrical digital data processing, and more particularly, to a data transfer method and apparatus.
Background
At present, in order to ensure the security of application data, a system provides a sandbox for each application program and stores the application's private data in its own sandbox, thereby protecting the security of the application data. As a result, inter-process data transfer becomes very difficult, yet data interaction between applications is necessary in actual development. The common approach in the market today is to give one process (a super-privileged application) global access to all application sandboxes, bypassing the privacy of application data, in order to solve the problem of data exchange between processes. However, once the super-privileged application is compromised, all application data in the whole system can be read, which greatly undermines the security of the whole system as well as the security of the sandbox. This is very dangerous.
Disclosure of Invention
In order to overcome the defects in the prior art, the technical problem to be solved by the invention is to provide a data transmission method and a data transmission device, which not only solve the problem of data transmission among processes, but also protect the safety of application private data.
In order to solve the above technical problem, the data transmission method of the present invention includes:
in response to receiving a data request issued by a requesting application, checking whether the requesting application and a target application that will process the data request are trusted;
in response to the requesting application and the target application both being trusted, sending the data request to the target application;
in response to the target application returning permission for a session, generating a unique check code and sending the unique check code, the requesting application information and the target application information to an application authorization center and an application data transmission system;
the application authorization center adding the application data transmission system into the sandboxes of the requesting application and the target application respectively, according to the received requesting application information, target application information and unique check code;
and the application data transmission system transmits data according to the stored unique check code.
As an improvement of the method of the present invention, the step of the application data transmission system transmitting data according to the unique check code stored therein includes: checking whether the unique check codes provided by the requesting application and the target application are consistent with the unique check code stored by the application data transmission system; and in response to the unique check codes provided by the requesting application and the target application being consistent with the valid unique check code stored by the application data transmission system, transmitting the data.
As another improvement of the method of the present invention, the method further comprises: after finishing the data transmission operation, the application data transmission system sets the unique check code as invalid or deletes the unique check code.
As a further improvement of the method of the present invention, the method further comprises: after the data transmission operation is completed, the application data transmission system informs the application authorization center that the data transmission operation corresponding to the unique check code is completed; and after receiving the notification, the application authorization center removes the authority of the application data transmission system from the sandbox authorities of the requesting application and the target application.
To solve the above technical problem, a data transfer apparatus according to the present invention includes:
a checking module, configured to, in response to receiving a data request sent by a requesting application, check whether the requesting application and the target application that is to process the data request are trusted;
a forwarding module, configured to send the data request to the target application in response to both the requesting application and the target application being trusted;
a check code generating and sending module, configured to, in response to the target application returning permission for a session, generate a unique check code and send the unique check code, the requesting application information and the target application information to the application authorization center and the application data transmission system;
an authorization module, configured to enable the application authorization center to add the application data transmission system into the sandboxes of the requesting application and the target application respectively, according to the received requesting application information, target application information and unique check code;
and a data processing module, configured to enable the application data transmission system to transmit data according to the stored unique check code.
To solve the above technical problem, the tangible computer readable medium of the present invention includes computer program code for executing the data transfer method of the present invention.
To solve the above technical problem, the present invention provides an apparatus, comprising at least one processor; and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least some of the steps of the data transfer method of the present invention.
According to the invention, the validity of the application requesting the data transfer is verified, the data storage object agreed between the communicating processes is obtained, and the data is then copied from the private data space of one process into the data space of another process under dynamic authorization. This removes the insecurity created by the existence of a super-privileged application, and the policy that application data can be accessed only by the authorized system ensures the security of application private data.
Other features and advantages of the present invention will become more apparent from the detailed description of the embodiments of the present invention when taken in conjunction with the accompanying drawings.
Drawings
Fig. 1 is a flow chart of an embodiment of a method according to the present invention.
Fig. 2 is a flow chart of another embodiment of a method according to the present invention.
Fig. 3 is a schematic diagram of an embodiment of a system according to the present invention.
Fig. 4 is a schematic structural diagram of another embodiment of the system according to the present invention.
For the sake of clarity, the figures are schematic and simplified drawings, which only show details which are necessary for understanding the invention and other details are omitted.
Detailed Description
Embodiments and examples of the present invention will be described in detail below with reference to the accompanying drawings.
The scope of applicability of the present invention will become apparent from the detailed description given hereinafter. It should be understood, however, that the detailed description and the specific examples, while indicating preferred embodiments of the invention, are given by way of illustration only.
For convenience of the following description, definitions of some terms are given below.
The sandbox refers to the running environment of each application program; the sandbox holds all data needed and generated while the application runs, and this data cannot be accessed by the outside world.
Fig. 1 shows a flow chart of an embodiment of a data transfer method according to the invention. The steps of the data transmission method between two applications A and B will be described in detail with reference to the flowchart shown in Fig. 1.
In step S102, in response to receiving a data request, such as a data read or transmission request, sent by a requesting application A, the application negotiation center checks whether the requesting application A and the target application B that will process the data request are trusted and legitimate. Whether an application is trusted and legitimate can be determined by its signature, its unique identification number (uid), or the like. For example, an application is considered trusted and legitimate as long as it satisfies one or more of the following conditions: 1) the signing certificate of the application, looked up by the application name, is signed by a system application; 2) the installation source of the application, looked up by the application name, is an application store; 3) the unique identification number uid of the application, looked up by the application name, lies within the system uid interval, such as 0-20000. Of course, other determinations may be made as appropriate.
In step S104, the application negotiation center accepts the data request from the legitimate processes of application A and application B, and sends the data request to the process of application B. If application B is not running, process B may be started and the corresponding request then sent to it; alternatively, a negotiation failure is returned directly to process A and processing ends.
In step S106, it is determined whether the negotiation succeeded. If process B returns permission for the session, the negotiation succeeded and the process proceeds to step S108. Otherwise, the process proceeds to step S120.
In step S108, the application negotiation center generates a unique check code to indicate that the data transmission session channel has been established, so that subsequent data transmission operations can be authenticated. The unique check code may be generated, for example, from the uids of the two applications and the current time. Other generation methods may be employed as appropriate. The application negotiation center sends the check code and the uids of processes A and B to the application authorization center and the application data transmission system, and at the same time feeds the unique check code back to processes A and B.
In step S110, when the application authorization center receives the uids of processes A and B and the unique check code issued by the application negotiation center, it adds the application data transmission system to the sandboxes of processes A and B respectively, so that it has the right to access the sandboxed data of A and B.
In step S112, the application data transmission system stores the check code issued by the negotiation center and starts data processing according to that check code.
In step S120, the process ends.
The invention copies data from one process to another after verifying the validity and legitimacy of the data access and performing security authentication of the applications involved in the data operation, thereby solving the problem of data transmission between processes while protecting the security of application private data.
According to an embodiment of the present invention, step S112 includes: when the application data transmission system is used for data transmission, it first checks whether the check codes provided by applications A and B are consistent with the valid check code stored in the system itself. If they are consistent, the data processing operation is performed. Otherwise, no data transmission is performed and the process ends.
Fig. 2 shows a flow chart of another embodiment of a data transfer method according to the present invention, which comprises, in addition to the steps of the method shown in Fig. 1, the following steps after step S112:
In step S202, the application data transmission system sets the unique check code to invalid after completing the data transmission operation. Alternatively, the unique check code may be deleted after the data transmission operation is completed.
In step S204, the application data transmission system notifies the application authorization center that the data operation corresponding to the check code is completed.
In step S206, the application authorization center receives the data operation completion event sent by the application data transmission system and removes the authority of the application data transmission system from the sandbox authorities of applications A and B, so as to prevent attacks that reuse an invalidated check code.
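The negotiation, authorization and transfer sequence of steps S102 to S206 above, as an added runnable model that is not the patent's own code: the class names, the ACL representation of a sandbox and the random nonce mixed into the check code are assumptions, while the three trust conditions, the two-sided code comparison, the single-use code and the revocation of sandbox access after completion follow the description.

```python
# Added example, not code from the patent: a model of the negotiated, check-code-gated
# transfer between two sandboxes (steps S102-S206). Class names are assumptions; the
# nonce mixed into the check code is an added hardening beyond "uids plus current time".
import hashlib, hmac, secrets, time

SYSTEM_UID_MAX = 20000                   # system uid interval 0-20000 from the description
ADTS = "app_data_transmission_system"    # principal name used in sandbox ACLs

class Sandbox:  # per-application private store, accessible only to principals on its ACL
    def __init__(self, owner):
        self.owner, self.data, self.acl = owner, {}, {owner}

    def _check(self, who):
        if who not in self.acl:
            raise PermissionError(f"{who} may not access the sandbox of {self.owner}")

    def read(self, who, key):
        self._check(who)
        return self.data[key]

    def write(self, who, key, value):
        self._check(who)
        self.data[key] = value

class App:
    def __init__(self, name, uid, signer, source, allow_sessions=True):
        self.uid, self.signer, self.source = uid, signer, source
        self.allow_sessions = allow_sessions           # the target's answer in step S106
        self.sandbox, self.check_code = Sandbox(name), None   # code is fed back in S108

def is_trusted(app):
    # S102: any one of the three conditions in the description suffices.
    return (app.signer == "system" or app.source == "app_store"
            or 0 <= app.uid <= SYSTEM_UID_MAX)

class AuthorizationCenter:  # adds/removes the transmission system on sandboxes (S110, S206)
    def __init__(self):
        self.grants = {}

    def grant(self, code, apps):
        for app in apps:
            app.sandbox.acl.add(ADTS)
        self.grants[code] = apps

    def on_completed(self, code):
        for app in self.grants.pop(code, ()):
            app.sandbox.acl.discard(ADTS)

class TransmissionSystem:  # holds the issued code and copies data only while it is valid
    def __init__(self, auth):
        self.auth, self.sessions = auth, {}        # sessions: code -> (source app, target app)

    def register(self, code, src, dst):
        self.sessions[code] = (src, dst)

    def transfer(self, code_from_a, code_from_b, key):
        # S112: both parties must present the stored, still-valid code (constant-time compare).
        stored = next((c for c in self.sessions if hmac.compare_digest(c, str(code_from_a))), None)
        if stored is None or not hmac.compare_digest(stored, str(code_from_b)):
            raise PermissionError("check code mismatch or no longer valid")
        src, dst = self.sessions[stored]
        dst.sandbox.write(ADTS, key, src.sandbox.read(ADTS, key))  # copy A -> B
        del self.sessions[stored]                  # S202: the code is single-use
        self.auth.on_completed(stored)             # S204/S206: sandbox access removed again
        return True

class NegotiationCenter:
    def __init__(self, auth, adts):
        self.auth, self.adts = auth, adts

    def negotiate(self, a, b):
        if not (is_trusted(a) and is_trusted(b)) or not b.allow_sessions:
            return None                            # S120: no session and no access granted
        # S108: code derived from the two uids and the current time, plus a nonce.
        material = f"{a.uid}:{b.uid}:{time.time_ns()}:{secrets.token_hex(16)}"
        code = hashlib.sha256(material.encode()).hexdigest()
        self.auth.grant(code, (a, b))              # S110
        self.adts.register(code, a, b)             # S112
        a.check_code = b.check_code = code         # fed back to both processes
        return code

def run_scenario():
    auth = AuthorizationCenter()
    adts = TransmissionSystem(auth)
    center = NegotiationCenter(auth, adts)
    a = App("A", uid=10001, signer="vendor", source="app_store")
    b = App("B", uid=10002, signer="system", source="app_store")
    a.sandbox.write("A", "contacts", ["alice", "bob"])   # constructed private data
    code = center.negotiate(a, b)
    ok = adts.transfer(a.check_code, b.check_code, "contacts")
    copied = b.sandbox.read("B", "contacts")
    try:
        adts.transfer(code, code, "contacts")            # replay of the spent code
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    acl_clean = ADTS not in a.sandbox.acl and ADTS not in b.sandbox.acl
    return ok, copied, replay_blocked, acl_clean
```

`run_scenario()` returns `(True, ["alice", "bob"], True, True)`: the copy succeeds, the spent code is refused, and the transmission system is no longer on either sandbox's ACL.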
Fig. 3 shows a schematic structural diagram of an embodiment of a data transfer device according to the present invention. The device comprises: a checking module 310, configured to, in response to receiving a data request issued by a requesting application, check whether the requesting application and the target application that will process the data request are trusted; a forwarding module 320, configured to send the data request to the target application in response to both the requesting application and the target application being trusted; a check code generating and sending module 330, configured to generate a unique check code in response to the target application returning permission for a session, and to send the unique check code, the requesting application information and the target application information to the application authorization center and the application data transmission system; an authorization module 340, configured to enable the application authorization center to add the application data transmission system into the sandboxes of the requesting application and the target application respectively, according to the received requesting application information, target application information and unique check code; and a data processing module 350, configured to enable the application data transmission system to transmit data according to the unique check code stored in it. The checking module 310 may include one or more of: a first determining submodule for determining whether the signing certificate of an application is signed by a system application; a second determining submodule for determining whether the application is from an application store; and a third determining submodule for determining whether the unique identification uid of the application is within the system uid interval.
According to one embodiment of the apparatus of the present invention, the data processing module 350 includes: a check submodule 352, configured to check whether the unique check codes provided by the request application and the target application are consistent with the unique check code stored in the application data delivery system itself; the data transfer submodule 354 is configured to perform data transfer in response to that the unique check codes provided by the requesting application and the target application are consistent with the valid unique check code stored in the application data transfer system.
Fig. 4 shows a schematic structural diagram of another embodiment of the data transfer device according to the present invention, which includes, in addition to all the modules shown in Fig. 3: a setting module 410, configured to enable the application data transmission system to set the unique check code as invalid, or to delete it, after completing the data transmission operation; a notification module 420, configured to enable the application data transmission system to notify the application authorization center that the data transmission operation corresponding to the unique check code is completed, after the data transmission operation is completed; and a removing module 430, configured to enable the application authorization center to remove the permissions of the application data transmission system from the sandbox permissions of the requesting application and the target application after receiving the notification.
The particular features, structures, or characteristics of the various embodiments described herein may be combined as suitable in one or more embodiments of the invention. Additionally, in some cases, the order of steps depicted in the flowcharts and/or in the pipelined process may be modified, as appropriate, and need not be performed exactly in the order depicted. In addition, various aspects of the invention may be implemented using software, hardware, firmware, or a combination thereof, and/or other computer implemented modules or devices that perform the described functions. Software implementations of the present invention may include executable code stored in a computer readable medium and executed by one or more processors. The computer readable medium may include a computer hard drive, ROM, RAM, flash memory, portable computer storage media such as CD-ROM, DVD-ROM, flash drives, and/or other devices, for example, having a Universal Serial Bus (USB) interface, and/or any other suitable tangible or non-transitory computer readable medium or computer memory on which executable code may be stored and executed by a processor. The present invention may be used in conjunction with any suitable operating system.
As used herein, the singular forms "a", "an" and "the" include plural references (i.e., have the meaning "at least one"), unless the context clearly dictates otherwise. It will be further understood that the terms "has," "includes" and/or "including," when used in this specification, specify the presence of stated features, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, and/or groups thereof. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
The foregoing describes some preferred embodiments of the present invention, but it should be emphasized that the invention is not limited to these embodiments, but can be implemented in other ways within the scope of the inventive subject matter. Various changes and modifications of the present invention can be made by those skilled in the art without departing from the spirit and scope of the present invention, and these changes and modifications still fall within the scope of the present invention.

Claims (10)

1. A method of data transfer, the method comprising:
in response to receiving a data request issued by a requesting application, checking whether the requesting application and a target application that will process the data request are trusted;
in response to the requesting application and the target application both being trusted, sending the data request to the target application;
in response to the target application returning permission for a session, generating a unique check code and sending the unique check code, the requesting application information and the target application information to an application authorization center and an application data transmission system;
the application authorization center adding the application data transmission system into the sandboxes of the requesting application and the target application respectively, according to the received requesting application information, target application information and unique check code;
and the application data transmission system transmitting data according to the stored unique check code.
2. The method of claim 1, wherein the step of the application data transmission system transmitting data according to the unique check code stored therein comprises:
checking whether the unique check codes provided by the requesting application and the target application are consistent with the valid unique check code stored by the application data transmission system;
and in response to the unique check codes provided by the requesting application and the target application being consistent with the valid unique check code stored by the application data transmission system, transmitting the data.
3. The method of claim 1, further comprising:
after finishing the data transmission operation, the application data transmission system setting the unique check code as invalid or deleting the unique check code.
4. The method of claim 3, further comprising:
after the data transmission operation is completed, the application data transmission system informing the application authorization center that the data transmission operation corresponding to the unique check code is completed;
and after receiving the notification, the application authorization center removing the authority of the application data transmission system from the sandbox authorities of the requesting application and the target application.
5. The method according to any of claims 1-4, wherein the step of checking, in response to receiving the data request from the requesting application, whether the requesting application and the target application handling the data request are trusted comprises:
determining whether the signing certificate of the application is signed by a system application; and/or
determining whether the application is from an application store; and/or
determining whether the unique identification uid of the application is within the system uid interval.
6. A data transfer apparatus, the apparatus comprising:
a checking module, configured to, in response to receiving a data request sent by a requesting application, check whether the requesting application and the target application that is to process the data request are trusted;
a forwarding module, configured to send the data request to the target application in response to both the requesting application and the target application being trusted;
a check code generating and sending module, configured to, in response to the target application returning permission for a session, generate a unique check code and send the unique check code, the requesting application information and the target application information to the application authorization center and the application data transmission system;
an authorization module, configured to enable the application authorization center to add the application data transmission system into the sandboxes of the requesting application and the target application respectively, according to the received requesting application information, target application information and unique check code;
and a data processing module, configured to enable the application data transmission system to transmit data according to the stored unique check code.
7. The apparatus of claim 6, wherein the data processing module comprises:
a check submodule, configured to check whether the unique check codes provided by the requesting application and the target application are consistent with the valid unique check code stored by the application data transmission system;
and a data transmission submodule, configured to transmit the data in response to the unique check codes provided by the requesting application and the target application being consistent with the valid unique check code stored by the application data transmission system.
8. The apparatus of claim 6, further comprising:
a setting module, configured to enable the application data transmission system to set the unique check code as invalid, or to delete it, after finishing the data transmission operation.
9. The apparatus of claim 8, further comprising:
a notification module, configured to enable the application data transmission system to notify the application authorization center that the data transmission operation corresponding to the unique check code is completed after the data transmission operation is completed;
and a removal module, configured to enable the application authorization center to remove the permissions of the application data transmission system from the sandbox permissions of the requesting application and the target application after receiving the notification.
10. The apparatus of any of claims 6-9, wherein the checking module comprises:
a first determining submodule for determining whether the signing certificate of an application is signed by a system application; and/or
a second determining submodule for determining whether the application is from an application store; and/or
a third determining submodule for determining whether the unique identification uid of the application is within the system uid interval.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611143647.5A CN106815525B (en) 2016-12-13 2016-12-13 Data transmission method and device

Publications (2)

Publication Number Publication Date
CN106815525A (en) 2017-06-09
CN106815525B (en) 2020-03-31

Family

ID=59108988

Country Status (1)

Country Link
CN (1) CN106815525B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210201

Address after: 101300 room 153, 1 / F, building 17, 16 Caixiang East Road, Nancai Town, Shunyi District, Beijing

Patentee after: Yuanxin Information Technology Group Co.,Ltd.

Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Daxing District, Beijing

Patentee before: BEIJING YUANXIN SCIENCE & TECHNOLOGY Co.,Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20170609

Assignee: Beijing Yuanxin Junsheng Technology Co.,Ltd.

Assignor: Yuanxin Information Technology Group Co.,Ltd.

Contract record no.: X2021110000018

Denomination of invention: Data transmission method and device

Granted publication date: 20200331

License type: Common License

Record date: 20210531