CN107707528B - Method and device for isolating user information - Google Patents


Info

Publication number
CN107707528B
Authority
CN
China
Prior art keywords
user
external
identifier
external system
mapping
Legal status
Active
Application number
CN201710784930.4A
Other languages
Chinese (zh)
Other versions
CN107707528A (en)
Inventor
高启航
朱雪妍
袁建伟
Current Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd, Beijing Jingdong Shangke Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4547 Network directories; Name-to-address mapping for personal communications, i.e. using a personal identifier
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key

Abstract

The invention discloses a method and a device for isolating user information, and relates to the technical field of computers. In one embodiment of the method, when the internal system receives request information sent by an external system, it determines the key corresponding to the external system identifier in the request information; the request information is used by the external system to obtain the external identifier, corresponding to that external system, of a user in the internal system. The internal system encrypts the specified information based on the key to generate the external identifier of the user in the external system, and returns the external identifier of the user to the external system. Because the internal information of the user is isolated from the external information, a service party of an external system cannot crack the internal information through the external information of the user, so that user information is effectively isolated while the security and reliability of the encryption are improved.

Description

Method and device for isolating user information
Technical Field
The invention relates to the technical field of computers, and in particular to a method and a device for isolating user information.
Background
In internet products, each user has a unique ID that identifies the user, and each ID is associated with information such as gender, age and occupation. For example, many products use the mobile phone number as the user ID, and each user ID corresponds to information such as the user's gender, age and purchased goods. Some external service parties may cooperate with a product and want to use part of its user data: for example, service party A wants the users' occupation and age, while service party B wants their gender and frequently purchased goods. To protect the security and privacy of users, the user ID cannot be exposed directly to external service parties; it needs to be encrypted, and the internal user ID needs to be isolated from the external user ID. Meanwhile, to prevent external service parties from completing a user's information by matching on the ID, the IDs given to different service parties also need to be isolated from one another.
Existing methods for isolating a user's internal ID from the external ID mainly take two forms, simple hash mapping and ID encryption:
1. Simple hash mapping: the internal ID is mapped to an external ID through a hash function, using an algorithm such as MD2, MD4 or MD5, and the external caller uses the external ID;
2. Encrypting the ID with an encryption algorithm: the internal ID is first encrypted with an encryption algorithm and the result is then used by the external service party.
In the process of implementing the invention, the inventors found that the prior art has at least the following problems:
Although simple hash mapping is easy to implement, its confidentiality is poor: when an external business party has enough data, the hash algorithm can easily be cracked and the real information of users obtained. Encrypting the user ID with an encryption algorithm improves the confidentiality of the user ID to some extent, but once the encryption algorithm is leaked, the ID information of all users is easily leaked; moreover, to isolate different business parties, the user ID has to be encrypted with different algorithms, which makes the implementation complex and costly. The prior art therefore suffers from poor security and reliability when isolating user information, with problems such as weak encryption, a complex process and easy leakage.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for isolating user information, which can solve the problem in the prior art that security and reliability are poor when isolating user information.
To achieve the above object, according to an aspect of an embodiment of the present invention, a method for user information isolation is provided.
The method for isolating the user information comprises the following steps: the internal system stores keys corresponding to a plurality of external system identifications, and determines the key corresponding to the external system identification in the request information when receiving the request information sent by the external system; the request information is used for the external system to acquire an external identification, corresponding to the external system, of a user in the internal system; the internal system encrypts the specified information based on the key to generate an external identifier of the user in the external system; the internal system returns the external identification of the user to the external system.
Optionally, the specified information in the embodiment of the present invention includes a user identifier of the user in the internal system.
Optionally, the specified information in the embodiment of the present invention further includes a mapping identifier; the mapping identifier comprises one or more of a server network address, a server process number and a server timestamp. After the step in which the internal system returns the external identifier of the user to the external system, the method further comprises: determining a key according to the external system identifier of the external system, and decrypting according to the key, the external identifier of the user corresponding to the external system and the external system identifier to obtain the mapping identifier.
Optionally, the mapping identifier of the embodiment of the present invention further includes a random character string, and the method further comprises: storing a mapping relation table between the random character string and the user identifier of the user in the internal system; and, after the step of decrypting to obtain the mapping identifier, querying the mapping relation table for the user identifier of the user in the internal system according to the random character string in the mapping identifier.
Optionally, the step in which the internal system encrypts the specified information based on the key to generate the external identifier of the user in the external system includes: based on the key, first encrypting the specified information with the data encryption algorithm DES, and then applying a second pass to the resulting data with the Base64 encoding scheme to generate the external identifier.
To achieve the above object, according to another aspect of the embodiments of the present invention, there is provided an apparatus for isolating user information.
The device for isolating the user information in the embodiment of the invention comprises: the determining module is used for determining a key corresponding to the external system identifier in the request information under the condition that the internal system receives the request information sent by the external system; the request information is used for the external system to acquire an external identification, corresponding to the external system, of a user in the internal system; the processing module is used for encrypting the specified information by the internal system based on the key so as to generate an external identifier of the user in the external system; and the return module is used for returning the external identifier of the user to the external system by the internal system.
Optionally, the specified information in the embodiment of the present invention includes a user identifier of the user in the internal system.
Optionally, the specified information in the embodiment of the present invention further includes a mapping identifier; the mapping identifier comprises one or more of a server network address, a server process number and a server timestamp. The processing module is further configured to: determine a key according to the external system identifier of the external system, and decrypt according to the key, the external identifier of the user corresponding to the external system and the external system identifier to obtain the mapping identifier.
Optionally, the mapping identifier of the embodiment of the present invention further includes a random character string; the apparatus further comprises a saving module configured to store a mapping relation table between the random character string and the user identifier of the user in the internal system; and the processing module is further configured to query the mapping relation table for the user identifier of the user in the internal system according to the random character string in the mapping identifier.
Optionally, the processing module of the embodiment of the present invention is configured to: based on the key, first encrypt the specified information with the data encryption algorithm DES, and then apply a second pass to the resulting data with the Base64 encoding scheme to generate the external identifier.
To achieve the above object, according to still another aspect of the embodiments of the present invention, an electronic device for implementing the method for isolating user information is provided.
An electronic device of an embodiment of the present invention includes: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the user information isolation method of the embodiment of the invention.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided a computer-readable medium.
A computer-readable medium of an embodiment of the present invention has a computer program stored thereon, and when the program is executed by a processor, the program implements the method for user information isolation of an embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits: because the specified information is encrypted with the key corresponding to the external system identifier and the external identifier of the user is then generated from it, the technical problem of poor security and reliability when isolating user information is solved, and the technical effect of improved security and reliability is achieved; by isolating the internal information of the user from the external information, a service party of an external system cannot crack the internal information through the external information of the user, so that user information is effectively isolated while the security and reliability of the encryption are improved.
Further effects of the above non-conventional optional implementations are described below in connection with the specific embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of a main flow of a method of user information isolation according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a method for isolating user information according to an embodiment of the present invention;
FIG. 3 is a flow diagram illustrating a method for user information isolation in accordance with one embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for querying user information according to another embodiment of the present invention;
FIG. 5 is a schematic diagram of the main blocks of a device for user information isolation according to an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 7 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of a main flow of a method for isolating user information according to an embodiment of the present invention, and as shown in fig. 1, the method for isolating user information according to an embodiment of the present invention mainly includes the following steps:
Step S101: when the internal system receives request information sent by an external system, the internal system determines the key corresponding to the external system identifier in the request information; the request information is used by the external system to obtain the external identifier, corresponding to that external system, of a user in the internal system. The keys corresponding to the external system identifiers of a plurality of external systems are pre-stored in the internal system, so that when request information sent by an external system is received, the key corresponding to the external system identifier in the request information can be determined from this correspondence. Here, the external system can obtain, through the key, the external identifier of the user in the internal system that corresponds to the external system, so that the user is identified by the internal identifier in the internal system and by the external identifier in the external system.
Step S102: the internal system encrypts the specified information based on the key to generate an external identification of the user in the external system. As described in step S101, the external identifier of the user in the internal system corresponding to the external system is obtained by using the key, and the specified information is encrypted based on the key, so as to generate the corresponding external identifier.
In some embodiments, the specified information includes a user identification of the user on the internal system. That is, based on the key, the user identifier in the internal system can be directly encrypted to generate the external identifier corresponding to the external system identifier in the external system.
In other embodiments, the specified information further comprises a mapping identifier; the mapping identifier comprises one or more of a server network address, a server process number and a server timestamp. That is, at least one of the server network address, the server process number, and the server timestamp included in the mapping identifier may be encrypted, and then an external identifier corresponding to the external system identifier in the external system may be generated.
Furthermore, it should be noted that, after the step in which the internal system returns the external identifier of the user to the external system, the method further includes: determining a key according to the external system identifier of the external system, and decrypting according to the key, the external identifier of the user corresponding to the external system and the external system identifier to obtain the mapping identifier. In this way, decryption can be completed based on the key, the external identifier and the external system identifier to obtain the mapping identifier, that is, at least one of the server network address, the server process number and the server timestamp included in the mapping identifier, from which the network information to be processed can be further determined.
In other embodiments, the mapping identifier further comprises a random character string, and the method further comprises: storing a mapping relation table between the random character string and the user identifier of the user in the internal system; and, after the step of decrypting to obtain the mapping identifier, querying the mapping relation table for the user identifier of the user in the internal system according to the random character string in the mapping identifier. The information of the network device that needs to be processed can then be determined from the user identifier.
In some embodiments of the present invention, the step in which the internal system encrypts the specified information based on the key to generate the external identifier of the user in the external system comprises: based on the key, first encrypting the specified information with the data encryption algorithm DES, and then applying a second pass to the resulting data with the Base64 encoding scheme to generate the external identifier. It should be noted that the DES data encryption algorithm and the Base64 encoding scheme are only one preferred option; the invention is not limited to them, and other methods that achieve the encryption purpose of the invention may also be used.
Step S103: the internal system returns the external identification of the user to the external system. And returning the generated external identification to the corresponding external system.
Fig. 2 is a schematic diagram of a method for isolating user information according to an embodiment of the present invention. As shown in fig. 2, the present invention includes an external system and an internal system, and the specific implementation manner is as follows:
External system: the external system requests the ID information of the user from the internal system. The external system has different service parties, and each service party is identified by a business ID (i.e., the external system identifier). The external system receives the encrypted open ID (i.e., the external identifier of the user).
Internal system: the internal system encrypts the internal ID (i.e., the user identifier of the user in the internal system) into different open IDs according to the business IDs of the different service parties, and returns them to the external service parties.
Fig. 3 is a flowchart illustrating a method for isolating user information according to an embodiment of the present invention. As shown in fig. 3, the process of generating the corresponding open ID from the received business ID, that is, the encryption process, includes the following specific steps:
1. Acquire the business ID from the request information of the service party.
2. Judge whether the business ID is valid; if the business ID is invalid, end the process directly.
3. Obtain the secret key (i.e. the key) according to the business ID: a relationship table of the keys corresponding to a plurality of external system identifiers is stored in the internal system in advance, and the key is determined from the external system identifier and the stored relationship table. In the invention, the secret key is the key of the encryption algorithm below; it must be kept strictly secret and must not be leaked to the outside.
4. Judge whether the internal UID (i.e. the user identifier of the user in the internal system) is valid. If the UID has been deleted by the user, the UID is invalid, and the mapping relation between the UID and the mapping ID (i.e. the mapping identifier) in redis (the database) is deleted.
5. If the UID is valid, query the mapping ID from the redis cache according to the UID.
6. Judge whether the mapping ID exists. If it exists, generate the open ID directly from the mapping ID, the business ID and the secret key according to the rule; if it does not exist, generate a mapping ID.
7. Generate the mapping ID according to the rule. The mapping ID is generated as follows:
mapping ID = server IP; server process number; server timestamp; random character string
The mapping ID may include at least one of the server IP, the server process number, the server timestamp and the random character string, or may include all of them.
8. Write the correspondence between the UID and the mapping ID into redis. Two correspondences are stored: one whose key is the UID and whose value is the mapping ID, used in the encryption process; and one whose key is the random string and whose value is the UID, used in the decryption process.
9. After the secret key, mapping ID and business ID have been obtained, generate the open ID according to the corresponding rule. The generation formula is:
open ID=Base64(DES(secret key,mapping ID+business ID))
where DES is used to encrypt the mapping ID and Base64 is used so that the information can be passed over the network. Because the business IDs and secret keys of different business parties cannot be the same, the same UID yields different open IDs for different business parties, so that different business parties are isolated from one another and the privacy of the user is protected. It is also very convenient when the same service party wants to generate a new set of open IDs: even if the business ID, secret key and UID are the same, the server IP, server process number and server timestamp will not be, so the mapping IDs obtained at different times by different server processes differ, and the generated open IDs differ as well.
Fig. 4 is a flowchart illustrating a method for querying user information according to another embodiment of the present invention. As shown in fig. 4, the process of querying the related information in the internal system according to the received business ID, that is, the decryption process, includes the following specific steps:
1. Acquire the secret key according to the business ID. As before, the key is determined from the external system identifier and the relationship table stored in the internal system.
2. Decode the encrypted source string (which contains the open ID) to obtain the mapping ID: perform the Base64 operation on the open ID to recover the original encrypted character string, then perform DES decryption with the secret key to obtain the mapping ID.
3. Query the UID according to the mapping ID: look up the correspondence stored in redis using the information in the mapping ID to obtain the UID.
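The generation flow of Fig. 3 and the query flow of Fig. 4, as an added Go example that is not code from the patent. In-memory maps stand in for redis, and CBC mode with a fixed IV, PKCS#7 padding, the function names and the sample keys and IDs are assumptions. Single DES appears only because the formula names it; its 56-bit key is weak by current standards, and the description states that other algorithms may be substituted.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// Store is an in-memory stand-in for the key table and the two redis mappings.
type Store struct {
	keys      map[string][]byte // business ID -> secret key (8 bytes for DES)
	uidToMap  map[string]string // UID -> mapping ID, used when encrypting
	randToUID map[string]string // random string -> UID, used when decrypting
}

var errBadToken = errors.New("open ID not valid for this business ID")
var zeroIV = make([]byte, des.BlockSize) // assumption: fixed IV keeps the open ID stable

func NewStore(keys map[string][]byte) *Store {
	return &Store{keys: keys, uidToMap: map[string]string{}, randToUID: map[string]string{}}
}

// cipherFor rejects unknown business IDs and loads that partner's key.
func (s *Store) cipherFor(businessID string) (cipher.Block, error) {
	key, ok := s.keys[businessID]
	if !ok {
		return nil, errors.New("invalid business ID")
	}
	return des.NewCipher(key)
}

// mappingID returns the cached mapping ID for uid, or creates
// "server IP;process number;timestamp;random string" and stores both mappings.
func (s *Store) mappingID(uid, serverIP string) (string, error) {
	if m, ok := s.uidToMap[uid]; ok {
		return m, nil
	}
	r := make([]byte, 8)
	if _, err := rand.Read(r); err != nil {
		return "", err
	}
	rs := fmt.Sprintf("%x", r)
	s.uidToMap[uid] = fmt.Sprintf("%s;%d;%d;%s", serverIP, os.Getpid(), time.Now().Unix(), rs)
	s.randToUID[rs] = uid
	return s.uidToMap[uid], nil
}

// IssueOpenID computes Base64(DES(secret key, mapping ID + business ID)).
func (s *Store) IssueOpenID(businessID, uid, serverIP string) (string, error) {
	block, err := s.cipherFor(businessID)
	if err != nil {
		return "", err
	}
	m, err := s.mappingID(uid, serverIP)
	if err != nil {
		return "", err
	}
	pad := des.BlockSize - len(m+businessID)%des.BlockSize // PKCS#7 padding (assumption)
	buf := append([]byte(m+businessID), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(buf, buf) // encrypt in place
	return base64.StdEncoding.EncodeToString(buf), nil
}

// ResolveUID reverses an open ID and accepts it only for the partner it was issued to.
func (s *Store) ResolveUID(businessID, openID string) (string, error) {
	block, err := s.cipherFor(businessID)
	if err != nil {
		return "", err
	}
	buf, err := base64.StdEncoding.DecodeString(openID)
	if err != nil || len(buf) == 0 || len(buf)%des.BlockSize != 0 {
		return "", errBadToken
	}
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(buf, buf) // decrypt in place
	pad := int(buf[len(buf)-1])
	if pad < 1 || pad > des.BlockSize || !bytes.HasSuffix(buf[:len(buf)-pad], []byte(businessID)) {
		return "", errBadToken // wrong partner key or altered token
	}
	fields := strings.Split(string(buf[:len(buf)-pad-len(businessID)]), ";")
	if uid, ok := s.randToUID[fields[len(fields)-1]]; ok && len(fields) == 4 {
		return uid, nil
	}
	return "", errBadToken
}

func main() {
	s := NewStore(map[string][]byte{"partner-a": []byte("k3yAAAA1")}) // constructed key
	id, _ := s.IssueOpenID("partner-a", "uid-1001", "10.0.0.5")
	uid, err := s.ResolveUID("partner-a", id)
	fmt.Println(id, uid, err)
}
```

Because the IV is fixed in this example, open IDs minted by the same server for one partner can begin with identical ciphertext blocks; that follows from the mode chosen here, which the patent does not specify.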
It should be noted that, because the service that generates open IDs is deployed on multiple devices, once the open IDs generated by a particular server are cracked, the compromised device needs to be tracked down and the open IDs regenerated. To regenerate the open IDs, the cracked open ID is first decoded to obtain the mapping ID (the decryption process described above); then, from the server IP and the server timestamp in the mapping ID, the mapping IDs generated by that server can be identified as being in a dangerous state, and from those mapping IDs it can be determined which open IDs and UIDs have been cracked; finally, the mapping IDs of that server are regenerated.
In the method for isolating user information according to the embodiment of the invention, the specified information is encrypted with the key corresponding to the external system identifier and the external identifier of the user is then generated from it, so that the technical problem of poor security and reliability when isolating user information is solved, and the technical effect of improved security and reliability is achieved; by isolating the internal information of the user from the external information, a service party of an external system cannot crack the internal information through the external information of the user, so that user information is effectively isolated while the security and reliability of the encryption are improved.
Fig. 5 is a schematic diagram of main blocks of a device for user information isolation according to an embodiment of the present invention. As shown in fig. 5, the apparatus 500 for isolating user information according to the embodiment of the present invention mainly includes: a determination module 501, a processing module 502, and a return module 503. Wherein:
a determining module 501, configured to determine, by an internal system, a key corresponding to an external system identifier in request information when the internal system receives the request information sent by an external system; the request information is used for the external system to acquire an external identification, corresponding to the external system, of a user in the internal system; a processing module 502, configured to encrypt the specified information based on the key by the internal system to generate an external identifier of the user in the external system; a returning module 503, configured to return the external identifier of the user to the external system by the internal system.
Optionally, the specified information in the embodiment of the present invention includes a user identifier of the user in the internal system.
Optionally, the specified information in the embodiment of the present invention further includes a mapping identifier; the mapping identifier comprises one or more of a server network address, a server process number and a server timestamp; the processing module 502 is further configured to: and determining a key according to the external system identifier of the external system, and decrypting according to the key, the external identifier of the user corresponding to the external system and the external system identifier to obtain the mapping identifier.
Optionally, the mapping identifier of the embodiment of the present invention further includes a random character string; and the device further comprises a saving module (not shown in the figures) for: storing a mapping relation table between the random character string and a user identifier in an internal system of a user; and a processing module further configured to: and inquiring the user identification of the user in the internal system in the mapping relation table according to the random character string in the mapping identifier.
Optionally, the processing module 502 in this embodiment of the present invention is configured to: based on the key, the specified information is encrypted once by using a data encryption algorithm DES, and then the data obtained by the encryption is encrypted twice by using a coding mode Base64 to generate the external identifier.
As can be seen from the above description, the technical means of encrypting the specified information by using the key corresponding to the external identifier and then generating the external identifier of the user is adopted, so that the technical problem of poor safety and reliability when the information of the user is isolated is solved, and the technical effect of improving the safety and reliability is achieved; by isolating the internal information and the external information of the user, a service party of an external system cannot crack through the external information of the user, and the safety and the reliability of encryption are improved while the user information is effectively isolated.
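The issue-and-resolve flow of modules 501 to 503, as an added Go example that is not code from the patent: it substitutes AES-256-GCM for the DES pass the embodiment names (DES has a 56-bit key and detects no tampering) and uses Base64 only as a transport encoding. The `Isolator` type, the `partner-a`/`partner-b` identifiers, the `user-10086` value and the `random|timestamp` layout of the mapping identifier are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Isolator is the internal system's state (all names here are hypothetical).
type Isolator struct {
	aeads   map[string]cipher.AEAD // external system identifier -> AES-256-GCM under its key
	mapping map[string]string      // random string -> internal user identifier
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback without a CSPRNG
	}
	return b
}

// NewIsolator generates a fresh 256-bit key per external system identifier.
func NewIsolator(systemIDs ...string) *Isolator {
	is := &Isolator{map[string]cipher.AEAD{}, map[string]string{}}
	for _, id := range systemIDs {
		block, _ := aes.NewCipher(randomBytes(32)) // a 32-byte key is always accepted
		is.aeads[id], _ = cipher.NewGCM(block)     // cannot fail for an AES block
	}
	return is
}

// Issue seals a new mapping identifier, bound to systemID as associated data.
func (is *Isolator) Issue(systemID, userID string) (string, bool) {
	gcm, ok := is.aeads[systemID]
	if !ok {
		return "", false
	}
	random, nonce := fmt.Sprintf("%x", randomBytes(16)), randomBytes(gcm.NonceSize())
	is.mapping[random] = userID
	mappingID := fmt.Sprintf("%s|%d", random, time.Now().Unix())
	sealed := gcm.Seal(nonce, nonce, []byte(mappingID), []byte(systemID))
	return base64.RawURLEncoding.EncodeToString(sealed), true
}

// Resolve decrypts with the caller's key, then looks up the random string.
func (is *Isolator) Resolve(systemID, externalID string) (string, bool) {
	gcm, ok := is.aeads[systemID]
	raw, err := base64.RawURLEncoding.DecodeString(externalID)
	if !ok || err != nil || len(raw) < gcm.NonceSize() {
		return "", false
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(systemID))
	if err != nil {
		return "", false // wrong key, wrong system, or tampered identifier
	}
	userID, ok := is.mapping[strings.SplitN(string(plain), "|", 2)[0]]
	return userID, ok
}

func main() {
	is := NewIsolator("partner-a", "partner-b") // constructed identifiers
	a, _ := is.Issue("partner-a", "user-10086")
	fmt.Println(is.Resolve("partner-a", a)) // user-10086 true
	fmt.Println(is.Resolve("partner-b", a)) // rejected: sealed for partner-a
}
```

The external identifier carries only the encrypted mapping identifier, so the internal user identifier never leaves the internal system; it is recovered from the mapping table after decryption.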
Fig. 6 shows an exemplary system architecture 600 to which the user information isolation method or device of an embodiment of the present invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605. The network 604 serves to provide a medium for communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wired or wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with the server 605 via the network 604 to receive or send messages or the like. The terminal devices 601, 602, 603 may have installed thereon various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 601, 602, 603 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 605 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 601, 602, 603. The background management server may analyze and otherwise process received data such as a product information query request, and feed back a processing result (for example, target push information or product information, by way of example only) to the terminal device.
It should be noted that the user information isolation method provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the user information isolation apparatus is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a determination module, a processing module, and a return module. Wherein the names of the modules do not in some cases constitute a limitation of the module itself.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following: the internal system determines a key corresponding to the external system identifier in request information when the internal system receives the request information sent by an external system; the request information is used by the external system to acquire the external identifier, corresponding to the external system, of a user in the internal system; the internal system encrypts the specified information based on the key to generate the external identifier of the user in the external system; the internal system returns the external identifier of the user to the external system.
According to the technical scheme of the embodiment of the invention, as the technical means of encrypting the specified information by using the key corresponding to the external identifier and then generating the external identifier of the user is adopted, the technical problem of poor safety and reliability when the information of the user is isolated is solved, and the technical effect of improving the safety and reliability is further achieved; by isolating the internal information and the external information of the user, a service party of an external system cannot crack through the external information of the user, and the safety and the reliability of encryption are improved while the user information is effectively isolated.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. A method for isolating user information, wherein an internal system maintains keys corresponding to a plurality of external system identifiers, the method comprising:
the internal system determines a key corresponding to the external system identifier in request information when the internal system receives the request information sent by an external system; the request information is used by the external system to acquire an external identifier, corresponding to the external system, of a user in the internal system;
the internal system encrypts specified information based on the key to generate an external identifier of the user in the external system; the specified information comprises a mapping identifier;
the internal system returns the external identification of the user to an external system;
determining a key according to an external system identifier of an external system, and decrypting according to the key, the external identifier of the user corresponding to the external system and the external system identifier to obtain the mapping identifier;
the mapping identifier comprises one or more of a server network address, a server process number and a server timestamp;
wherein, the mapping identifier also comprises a random character string;
and the method further comprises: storing a mapping relation table between the random character string and a user identifier in an internal system of the user;
and after the step of decrypting to obtain the mapping identifier, the method further comprises: looking up the user identifier of the user in the internal system in the mapping relation table according to the random character string in the mapping identifier.
2. The method of claim 1, wherein the specified information comprises a user identifier of the user in an internal system.
3. The method according to any one of claims 1 or 2, wherein the step of the internal system encrypting the specified information based on the key to generate the external identification of the user in the external system comprises:
based on the key, the specified information is encrypted a first time using the data encryption algorithm DES, and the data obtained by that encryption is then encrypted a second time using the Base64 encoding scheme, to generate the external identifier.
4. An apparatus for isolating user information, wherein an internal system holds keys corresponding to a plurality of external system identifications, the apparatus comprising:
the determining module is used for determining a key corresponding to the external system identifier in the request information under the condition that the internal system receives the request information sent by the external system; the request information is used for the external system to acquire an external identifier of a user in the internal system, which corresponds to the external system;
the processing module is used for encrypting the specified information by the internal system based on the key so as to generate an external identifier of the user in the external system; the specified information comprises a mapping identifier; determining a key according to an external system identifier of an external system, and decrypting according to the key, the external identifier of the user corresponding to the external system and the external system identifier to obtain the mapping identifier; the mapping identifier comprises one or more of a server network address, a server process number and a server timestamp; wherein, the mapping identifier also comprises a random character string; and the apparatus further comprises a saving module for: storing a mapping relation table between the random character string and a user identifier in an internal system of the user; and the processing module is further configured to: inquiring the user identification of the user in the internal system in the mapping relation table according to the random character string in the mapping identifier;
and the return module is used for returning the external identifier of the user to an external system by the internal system.
5. The apparatus of claim 4, wherein the specified information comprises a user identifier of the user in an internal system.
6. The apparatus of any one of claims 4 or 5, wherein the processing module is configured to:
based on the key, the specified information is encrypted a first time using the data encryption algorithm DES, and the data obtained by that encryption is then encrypted a second time using the Base64 encoding scheme, to generate the external identifier.
7. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-3.
8. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-3.
CN201710784930.4A 2017-09-04 2017-09-04 Method and device for isolating user information Active CN107707528B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710784930.4A CN107707528B (en) 2017-09-04 2017-09-04 Method and device for isolating user information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710784930.4A CN107707528B (en) 2017-09-04 2017-09-04 Method and device for isolating user information

Publications (2)

Publication Number Publication Date
CN107707528A CN107707528A (en) 2018-02-16
CN107707528B CN107707528B (en) 2020-06-30

Family

ID=61171928

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710784930.4A Active CN107707528B (en) 2017-09-04 2017-09-04 Method and device for isolating user information

Country Status (1)

Country Link
CN (1) CN107707528B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109491772B (en) * 2018-09-28 2020-10-27 深圳财富农场互联网金融服务有限公司 Service sequence number generation method and device, computer equipment and storage medium
CN111382409A (en) * 2020-03-19 2020-07-07 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739708A (en) * 2011-04-07 2012-10-17 腾讯科技(深圳)有限公司 System and method for accessing third party application based on cloud platform
CN103297436A (en) * 2013-06-14 2013-09-11 大连三通科技发展有限公司 Electronic authorization method and system
CN105812341A (en) * 2014-12-31 2016-07-27 阿里巴巴集团控股有限公司 User identity identifying method and device
CN106817358A (en) * 2015-12-02 2017-06-09 阿里巴巴集团控股有限公司 The encryption and decryption method and equipment of a kind of user resources

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9418216B2 (en) * 2011-07-21 2016-08-16 Microsoft Technology Licensing, Llc Cloud service authentication

Also Published As

Publication number Publication date
CN107707528A (en) 2018-02-16

Similar Documents

Publication Publication Date Title
CN110636043A (en) File authorization access method, device and system based on block chain
CN108880812B (en) Method and system for data encryption
CN108777685B (en) Method and apparatus for processing information
CN112437044B (en) Instant messaging method and device
CN113536327A (en) Data processing method, device and system
CN111339206A (en) Data sharing method and device based on block chain
CN107707528B (en) Method and device for isolating user information
CN110519203B (en) Data encryption transmission method and device
CN110022207B (en) Method, apparatus, device and computer readable medium for key management and data processing
CN111416788A (en) Method and device for preventing transmitted data from being tampered
WO2024060630A1 (en) Data transmission management method, and data processing method and apparatus
CN112115500A (en) Method, device and system for accessing file
CN109995534B (en) Method and device for carrying out security authentication on application program
CN110602075A (en) File stream processing method, device and system for encryption access control
CN112966286B (en) Method, system, device and computer readable medium for user login
CN112966287B (en) Method, system, device and computer readable medium for acquiring user data
CN112565156B (en) Information registration method, device and system
CN113761566A (en) Data processing method and device
CN113992345A (en) Method and device for encrypting and decrypting webpage sensitive data, electronic equipment and storage medium
CN110619236A (en) File authorization access method, device and system based on file credential information
CN110166226B (en) Method and device for generating secret key
CN111831978A (en) Method and device for protecting configuration file
CN111786874B (en) Caller identification method and device
CN113420331B (en) Method and device for managing file downloading permission
CN110602074B (en) Service identity using method, device and system based on master-slave association

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant