CN107918731A - Method and apparatus for controlling the authority to access an open interface - Google Patents
- Publication number: CN107918731A (application CN201610885792.4A)
- Authority: CN (China)
- Prior art keywords: access, encrypted, authorization code, open interface, signature
- Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Classifications
- G06F21/45: Structures or tools for the administration of authentication (under G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity, and G06F21/30, authentication, i.e. establishing the identity or authorisation of security principals)
- H04L9/302: Public-key mechanisms whose underlying computational problem is integer factorization, e.g. RSA or quadratic sieve [QS] schemes (under H04L9/00, cryptographic mechanisms or arrangements for secret or secure communications and network security protocols; H04L9/30, public key, i.e. encryption algorithm computationally infeasible to invert or user's encryption keys not requiring secrecy; H04L9/3006, underlying computational problems or public-key parameters)
- H04L9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (under H04L9/00 and H04L9/32, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials)
- G06F2221/2133: Verifying human interaction, e.g. Captcha (indexing scheme G06F2221/00 and G06F2221/21 relating to G06F21/00 and subgroups)
- G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme G06F2221/00 and G06F2221/21 relating to G06F21/00 and subgroups)
Abstract
This application discloses a method and apparatus for controlling the authority to access an open interface. In one embodiment the method includes: in response to receiving from a client an authorization request to access the open interface that includes an application identifier, looking up the pre-stored public key corresponding to the application identifier and generating an authorization code at random; encrypting the authorization code with the public key found and sending the encrypted authorization code to the client; in response to receiving an access request from the client, generating a computed signature over the access parameters using the authorization code as it was before encryption; and, in response to determining that the computed signature matches the access signature carried in the request, granting the client authority to access the open interface and sending the client the result of the access, encrypted with the public key. This embodiment improves the security of the open interface: information is not leaked, and the platform's own system is protected from attack.
Description
Technical field
This application relates to the field of computer technology, in particular to Internet technology, and more particularly to a method and apparatus for controlling the authority to access an open interface.
Background technology
An Internet service providing platform offers open interfaces that third-party developers call when developing Internet applications, for example APIs (Application Programming Interface) invoked over HTTP (Hypertext Transfer Protocol). The service providing platform should authenticate every interface call (access) request it receives and respond only to legitimate ones. A platform that provides open interfaces is therefore called an open platform. At present, most open APIs provided by open platforms require the calling third-party application to obtain an access token through the licensing scheme the platform provides; this token may be called an access authorization code. Each time the third-party application calls the open API it must carry this access token, so that the open platform can grant the third-party application the corresponding access rights based on the token.
In the prior art, an application uses the application identification information and key information that the open platform distributed to it to request an access token from the open platform. Because the user encrypts with a private key, whatever the user sends can easily be read by any third party holding the public key, so security is not high. The openness of the API, together with the breadth and simplicity of the authorization management scheme, makes it easy for user privacy information to be stolen from the client and leaked.
Summary of the invention
The purpose of this application is to propose an improved method and apparatus for controlling the authority to access an open interface, so as to solve the technical problem identified in the background section.
In a first aspect, this application provides a method for controlling the authority to access an open interface. The method includes: in response to receiving from a client an authorization request to access the open interface that includes an application identifier, looking up the pre-stored public key corresponding to the application identifier and generating an authorization code at random; encrypting the authorization code with the public key found and sending the encrypted authorization code to the client; in response to receiving an access request from the client, generating a computed signature over the access parameters using the authorization code before encryption, where the access request includes the access parameters and an access signature that the client generated over the access parameters using the authorization code before encryption, the authorization code used by the client being obtained by decrypting the encrypted authorization code it received; and, in response to determining that the computed signature matches the access signature, granting the client authority to access the open interface and sending the client the result of accessing the open interface, encrypted with the public key.
In some embodiments, the method further includes: in response to determining that the computed signature does not match the access signature, not granting the client authority to access the open interface.
In some embodiments, the method further includes a step of pre-storing the public key: receiving a registration request from an application to access the open interface, where the registration request includes an application identifier and a public key, and storing the correspondence between the application identifier and the public key.
In some embodiments, encrypting the authorization code includes encrypting it with the public-key encryption algorithm RSA.
In some embodiments, generating the computed signature over the access parameters includes computing it with the Message-Digest Algorithm 5 (MD5).
In a second aspect, this application provides a method for controlling the authority to access an open interface, characterized in that the method includes: sending the server an authorization request to access the open interface that includes an application identifier; in response to receiving an encrypted authorization code from the server, decrypting the encrypted authorization code with the private key to obtain the authorization code, where the encrypted authorization code was produced by the server by encrypting a randomly generated authorization code with the pre-stored public key corresponding to the application identifier; generating an access signature over the access parameters using the decrypted authorization code; sending the server an access request that includes the access parameters and the access signature; and, in response to receiving from the server the result of accessing the open interface encrypted with the public key, decrypting it with the private key to obtain the result of accessing the open interface.
In some embodiments, generating the access signature over the access parameters includes computing it with the Message-Digest Algorithm 5 (MD5).
In a third aspect, this application provides an apparatus for controlling the authority to access an open interface. The apparatus includes: a public key lookup unit, configured to, in response to receiving from a client an authorization request to access the open interface that includes an application identifier, look up the pre-stored public key corresponding to the application identifier and generate an authorization code at random; an authorization code encryption unit, configured to encrypt the authorization code with the public key found and send the encrypted authorization code to the client; a computed signature generation unit, configured to, in response to receiving an access request from the client, generate a computed signature over the access parameters using the authorization code before encryption, where the access request includes the access parameters and an access signature that the client generated over the access parameters using the authorization code before encryption, the authorization code used by the client being obtained by decrypting the encrypted authorization code it received; and a granting unit, configured to, in response to determining that the computed signature matches the access signature, grant the client authority to access the open interface and send the client the result of accessing the open interface, encrypted with the public key.
In some embodiments, the granting unit is further configured to: in response to determining that the computed signature does not match the access signature, not grant the client authority to access the open interface.
In some embodiments, the apparatus further includes a storage unit, configured to receive a registration request from an application to access the open interface, where the registration request includes an application identifier and a public key, and to store the correspondence between the application identifier and the public key.
In some embodiments, the authorization code encryption unit is further configured to encrypt the authorization code with the public-key encryption algorithm RSA.
In some embodiments, the computed signature generation unit is further configured to generate the computed signature over the access parameters with the Message-Digest Algorithm 5 (MD5).
In a fourth aspect, this application provides an apparatus for controlling the authority to access an open interface. The apparatus includes: an authorization request unit, configured to send the server an authorization request to access the open interface that includes an application identifier; an authorization code decryption unit, configured to, in response to receiving an encrypted authorization code from the server, decrypt the encrypted authorization code with the private key to obtain the authorization code, where the encrypted authorization code was produced by the server by encrypting a randomly generated authorization code with the pre-stored public key corresponding to the application identifier; an access signature generation unit, configured to generate an access signature over the access parameters using the decrypted authorization code; an access request unit, configured to send the server an access request that includes the access parameters and the access signature; and an access result decryption unit, configured to, in response to receiving from the server the result of accessing the open interface encrypted with the public key, decrypt it with the private key to obtain the result of accessing the open interface.
In some embodiments, the access signature generation unit is further configured to generate the access signature over the access parameters with the Message-Digest Algorithm 5 (MD5).
With the method and apparatus for controlling the authority to access an open interface provided by this application, the server that provides the open interface encrypts the authorization code with the public key, the client decrypts it with the private key, and access control over the open interface is built on that exchange. Nothing is encrypted with the private key, so no third party holding the public key can read it. Only the product's own client holds the private key, which significantly raises security. In addition, the signature generated over the access parameters with the authorization code provides a second authentication, further improving the security of the open interface.
Brief description of the drawings
Other features, objects and advantages of this application will become more apparent from the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 is an exemplary system architecture diagram to which this application can be applied;
Fig. 2 is a flow chart of one embodiment of the method for controlling the authority to access an open interface according to this application;
Fig. 3 is a schematic diagram of an application scenario of the method for controlling the authority to access an open interface according to this application;
Fig. 4 is a flow chart of another embodiment of the method for controlling the authority to access an open interface according to this application;
Fig. 5 is a structural diagram of one embodiment of the apparatus for controlling the authority to access an open interface according to this application;
Fig. 6 is a structural diagram of another embodiment of the apparatus for controlling the authority to access an open interface according to this application;
Fig. 7 is a structural diagram of a computer system suitable for implementing the terminal device or the server of the embodiments of this application.
Embodiments
This application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the related invention and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the invention.
It should be noted that, where there is no conflict, the embodiments in this application and the features within them may be combined with each other. The application is described in detail below with reference to the drawings and in conjunction with the embodiments.
Fig. 1 shows an exemplary system architecture 100 to which embodiments of the method or apparatus for controlling the authority to access an open interface of this application can be applied.
As shown in Fig. 1, the system architecture 100 may include terminal devices 101, 102 and 103, a network 104 and a server 105. The network 104 is the medium that provides communication links between the terminal devices 101, 102, 103 and the server 105. It may include various connection types, such as wired or wireless communication links or fiber optic cables.
A user may use the terminal devices 101, 102, 103 to interact with the server 105 over the network 104, for example to receive or send messages. Various communication client applications may be installed on the terminal devices 101, 102, 103, such as web browsers, shopping applications, search applications, instant messaging tools, mail clients and social platform software.
The terminal devices 101, 102, 103 may be any electronic devices capable of accessing an open interface, including but not limited to smartphones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop computers and desktop computers.
The server 105 may be a server providing various services, for example a back-end open interface server that supports the open interface accessed from the terminal devices 101, 102, 103. The back-end open interface server may analyze and otherwise process received data such as authorization requests to access the open interface, and feed the processing result (for example the result of accessing the open interface) back to the terminal devices.
It should be noted that the method for controlling the authority to access an open interface provided by the embodiments of this application is generally performed jointly by the server 105 and the terminal devices 101, 102, 103; correspondingly, the apparatus for controlling the authority to access an open interface is generally located in the server 105 and in the terminal devices 101, 102, 103.
It should be understood that the numbers of terminal devices, networks and servers in Fig. 1 are only illustrative. There may be any number of terminal devices, networks and servers according to implementation needs.
With continued reference to Fig. 2, a flow 200 of one embodiment of the method for controlling the authority to access an open interface according to this application is shown. The method includes the following steps:
Step 201: in response to receiving from a client an authorization request to access the open interface that includes an application identifier, look up the pre-stored public key corresponding to the application identifier and generate an authorization code at random.
In this embodiment, the electronic device on which the method runs (for example the server shown in Fig. 1) may receive, over a wired or wireless connection, an authorization request to access the open interface from the terminal through which the user accesses the open interface. The authorization request includes the application identifier of the application running on the terminal that wants to access the open interface (for example an instant messaging tool or a shopping application). The application identifier may consist of letters, digits, symbols or any combination of them. The application identifier was registered in advance on the open interface server by the application's developer, who also provided the public key corresponding to the identifier. A public key is typically used to encrypt a session key, verify a digital signature, or encrypt data that the corresponding private key can decrypt. The key pair produced by such an algorithm is guaranteed to be unique. When the pair is used, data encrypted with one key can only be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key, otherwise decryption fails. After receiving the client's authorization request, the electronic device looks up the pre-stored public key corresponding to the application identifier and generates an authorization code at random, for example by picking one at random from a pre-configured pool of authorization codes.
In some optional implementations of this embodiment, the method for controlling the authority to access an open interface further includes a step of pre-storing the public key: receiving a registration request from the application to access the open interface, where the registration request includes the application identifier and the public key, and storing the correspondence between the application identifier and the public key. The registration request may be sent to the electronic device by the application's developer. Different applications have different public keys, so the electronic device can look up the corresponding public key by application identifier.
Step 202: encrypt the authorization code with the public key found, and send the encrypted authorization code to the client.
In this embodiment, the randomly generated authorization code is encrypted with the public key found in step 201, and the encrypted authorization code is then sent to the client over the network 104.
In some optional implementations of this embodiment, encrypting the authorization code includes encrypting it with the public-key encryption algorithm RSA. RSA is currently the most influential public-key encryption algorithm and resists most cryptographic attacks known to date. (In practice the code should be encrypted under a padding scheme such as RSA-OAEP rather than with raw RSA, whose ciphertexts are malleable.)
Step 203: in response to receiving an access request from the client, generate a computed signature over the access parameters using the authorization code before encryption.
In this embodiment, after step 202 the client decrypts the encrypted authorization code it received, uses the decrypted authorization code to generate an access signature over the access parameters, and sends the electronic device an access request composed of the access signature and the access parameters. After receiving the client's access request, the electronic device uses the authorization code before encryption to generate a computed signature over the access parameters. The access parameters may include the API name, the API parameters and so on. The computed signature is a kind of digital signature: a string that only the sender of the information can produce and that others cannot forge, since only the server and the client holding the private key know the authorization code. It is also valid proof that the sender sent the information, and it allows the integrity of the information to be verified.
In some optional implementations of this embodiment, generating the computed signature over the access parameters includes computing it with MD5 (Message-Digest Algorithm 5). MD5 is a hash function widely used in computer security to provide message integrity protection. Its role is to "compress" a large amount of information before it is signed with a private key by digital signature software, that is, to transform a byte string of arbitrary length into a hexadecimal digit string of fixed length. (MD5 is no longer collision resistant; a current design would use SHA-256, ideally as an HMAC keyed with the authorization code, for this step.)
Step 204: in response to determining that the computed signature matches the access signature, grant the client authority to access the open interface, and send the client the result of accessing the open interface, encrypted with the public key.
In this embodiment, the computed signature obtained in step 203 is compared with the access signature received from the client. If they match, the client may access the open interface, and the result of accessing the open interface is encrypted with the public key and sent to the client. For example, for an open interface that queries identity-card information, the client application passes the identity-card number to be queried as the access parameter, and the result of the access is the name, age, address and other information corresponding to that number.
In some optional implementations of this embodiment, if the computed signature does not match the access signature, the client is not granted authority to access the open interface. The refusal need not be returned to the client, which can infer from a timeout that it was refused. Alternatively, refusal information can be generated, encrypted and sent to the client.
With continued reference to Fig. 3, Fig. 3 is a schematic diagram of an application scenario of the method for controlling the authority to access an open interface according to this embodiment. In the scenario of Fig. 3, the user first sends an API authorization request to the API server through the client. The API server obtains the public key from the application identifier, generates an authorization code at random, encrypts it with the public key and returns it to the client. The client decrypts it with the private key to obtain the authorization code, then uses the authorization code to compute an access signature over the access parameters and calls the functional API. The server computes a computed signature over the parameters using the authorization code it issued and checks whether the access signature and the computed signature match; if they do, it provides the API service and returns the result of the API access to the client, encrypted with the public key. The client decrypts it with the private key to obtain the access result.
The method provided by the above embodiment of this application encrypts the open interface access information with the public key, and the client decrypts the result information returned by the open interface with the private key. Only the product's own client holds the private key, which significantly raises security.
With continued reference to Fig. 4, the method for being used to control the authority for accessing to open interface according to the application is shown
Another embodiment flow 400.The method for being used to control the authority for accessing to open interface, including it is following
Step:
Step 401, being sent to server includes the authorization requests to access to open interface of application identities.
In the present embodiment, for controlling the electronics of the method operation of the authority to access to open interface thereon to set
Standby (such as terminal shown in Fig. 1) can be sent to server by wired connection mode or radio connection and be connect to opening
The authorization requests that access of mouth, wherein, the authorization requests include operating in terminal treat to access to open interface should
With the application identities of (for example, instant messaging tools, shopping class application etc.), the correspondence of the application identities and public key exists
Registered on server.
Step 402, the encrypted authorization code sent in response to receiving server, then using the mandate after private key pair encryption
Code is decrypted with authorized access code.
In the present embodiment, after terminal sends authorization requests, server can be received after performing step 201-202 by server
For the encrypted authorization code sent, it is necessary to the authorization code that server is originally generated can just be obtained by being decrypted, when decryption, uses private
Key, personal key algorithm carry out encrypting and decrypting data using single private key.Since any one party with key can use
The secret key decryption data, it is therefore necessary to protect key not obtained by unwarranted agency.
Step 403: encrypt the access parameters with the decrypted authorization code to generate an access signature.
In the present embodiment, the access parameters are encrypted with the authorization code obtained in step 402 to generate the access signature. Because this method encrypts with the authorization code rather than with the private key, the private key is protected from being obtained by an unauthorized party.
In some optional implementations of the present embodiment, encrypting the access parameters to generate the access signature includes: encrypting the access parameters with the Message Digest Algorithm 5 (MD5) to generate the access signature.
Step 404: send an access request to the server.
In the present embodiment, the access request is sent to the server based on the access signature obtained in step 403; the access request includes the access parameters and the access signature. The server calculates a computed signature from the access parameters and the authorization code and compares it with the access signature sent by the terminal; if the two agree, the origin of the data unit and the integrity of the data unit are confirmed. Only after the server has re-authenticated the signature information in this way does it allow the application on the terminal to call the open interface.
Step 405: in response to receiving the result of accessing the open interface, encrypted with the public key and sent by the server, decrypt it with the private key to obtain the result of accessing the open interface.
In the present embodiment, after receiving the access request sent in step 404, the server performs steps 203-204 and sends the terminal the result of accessing the open interface, encrypted with the public key; the terminal decrypts it with the private key to obtain the result of accessing the open interface.
As can be seen from Fig. 4, compared with the embodiment corresponding to Fig. 2, the flow 400 of the method for controlling the authority to access an open interface in the present embodiment highlights the encryption and decryption processes of the terminal. Because the terminal encrypts with the authorization code rather than with the private key, the private key is prevented from being obtained by an unauthorized party, which improves the security of the system.
With further reference to Fig. 5, as an implementation of the method shown in the figures above, the present application provides an embodiment of a device for controlling the authority to access an open interface. This device embodiment corresponds to the method embodiment shown in Fig. 2, and the device may be applied in various electronic devices.
As shown in Fig. 5, the device 500 for controlling the authority to access an open interface described in the present embodiment includes: a public key lookup unit 501, an authorization code encryption unit 502, a computed-signature generation unit 503 and a granting unit 504. The public key lookup unit 501 is configured to, in response to receiving an authorization request to access the open interface sent by a client and including an application identifier, look up the prestored public key corresponding to the application identifier according to that identifier, and randomly generate an authorization code. The authorization code encryption unit 502 is configured to encrypt the authorization code with the found public key and send the encrypted authorization code to the client. The computed-signature generation unit 503 is configured to, in response to receiving an access request sent by the client, encrypt the access parameters with the authorization code as it was before encryption to generate a computed signature; the access request includes the access parameters and an access signature that the client generated by encrypting the access parameters with the authorization code before encryption, the client having obtained that authorization code by decrypting the encrypted authorization code it received. The granting unit 504 is configured to, in response to determining that the computed signature is consistent with the access signature, grant the client the authority to access the open interface, and send the result of accessing the open interface to the client after encrypting it with the public key.
In the present embodiment, after receiving the authorization request sent by the terminal, the device 500 uses the public key lookup unit 501 to find the public key from the application identifier, then uses the authorization code encryption unit 502 to encrypt the randomly generated authorization code with that public key and send it to the terminal, and waits for the terminal to send an access request. After receiving the access request, it uses the computed-signature generation unit 503 to recompute a computed signature from the access parameters and the authorization code, and the granting unit 504 then decides whether the client can be granted the authority to access the open interface.
In some optional implementations of the present embodiment, the granting unit 504 is further configured to: in response to determining that the computed signature and the access signature are inconsistent, not grant the client the authority to access the open interface.
In some optional implementations of the present embodiment, the device 500 further includes a storage unit configured to: receive a registration request from an application to access the open interface, the registration request including an application identifier and a public key; and store the correspondence between the application identifier and the public key.
In some optional implementations of the present embodiment, the authorization code encryption unit 502 is further configured to: encrypt the authorization code with the public key encryption algorithm RSA.
In some optional implementations of the present embodiment, the computed-signature generation unit 503 is further configured to: encrypt the access parameters with the Message Digest Algorithm 5 (MD5) to generate the computed signature.
With further reference to Fig. 6, as an implementation of the method shown in the figures above, the present application provides another embodiment of a device for controlling the authority to access an open interface. This device embodiment corresponds to the method embodiment shown in Fig. 4, and the device may be applied in various electronic devices.
As shown in Fig. 6, the device 600 for controlling the authority to access an open interface described in the present embodiment includes: an authorization request unit 601, an authorization code decryption unit 602, an access signature generation unit 603, an access request unit 604 and an access result decryption unit 605. The authorization request unit 601 is configured to send to the server an authorization request to access the open interface that includes an application identifier. The authorization code decryption unit 602 is configured to, in response to receiving the encrypted authorization code sent by the server, decrypt the encrypted authorization code with the private key to obtain the authorization code; the encrypted authorization code is obtained by the server encrypting a randomly generated authorization code with the prestored public key corresponding to the application identifier. The access signature generation unit 603 is configured to encrypt the access parameters with the decrypted authorization code to generate an access signature. The access request unit 604 is configured to send an access request to the server, the access request including the access parameters and the access signature. The access result decryption unit 605 is configured to, in response to receiving the result of accessing the open interface, encrypted with the public key and sent by the server, decrypt it with the private key to obtain the result of accessing the open interface.
In the present embodiment, the terminal sends the request to access the open interface to the server through the authorization request unit 601 and then waits to receive the encrypted authorization code sent by the server. The authorization code decryption unit 602 decrypts the authorization code, the access signature generation unit 603 generates the access signature carried in the access request to the server, the access request unit 604 sends the access request to the server and waits for the server's response, and the access result decryption unit 605 decrypts the result fed back by the server.
In some optional implementations of the present embodiment, the access signature generation unit 603 is further configured to: encrypt the access parameters with the Message Digest Algorithm 5 (MD5) to generate the access signature.
Referring now to Fig. 7, it shows a structural diagram of a computer system 700 suitable for implementing the terminal device or the server of the embodiments of the present application.
As shown in Fig. 7, the computer system 700 includes a central processing unit (CPU) 701, which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 702 or a program loaded from a storage portion 708 into a random access memory (RAM) 703. The RAM 703 also stores the various programs and data required for the operation of the system 700. The CPU 701, the ROM 702 and the RAM 703 are connected to each other by a bus 704. An input/output (I/O) interface 705 is also connected to the bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, etc.; an output portion 707 including a liquid crystal display (LCD), a loudspeaker, etc.; a storage portion 708 including a hard disk, etc.; and a communications portion 709 including a network interface card such as a LAN card, a modem, etc. The communications portion 709 performs communication processing over a network such as the Internet. A driver 710 is also connected to the I/O interface 705 as needed. A removable medium 711, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the driver 710 as needed, so that a computer program read from it can be installed into the storage portion 708 as required.
In particular, according to embodiments of the present disclosure, the process described above with reference to the flow chart may be implemented as a computer software program. For example, an embodiment of the disclosure includes a computer program product, which includes a computer program tangibly embodied on a machine-readable medium; the computer program includes program code for executing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded from a network and installed through the communications portion 709, and/or installed from the removable medium 711. When the computer program is executed by the central processing unit (CPU) 701, the above-mentioned functions defined in the method of the present application are performed.
The flow charts and block diagrams in the drawings illustrate the architecture, functions and operations that may be implemented by the systems, methods and computer program products according to the various embodiments of the application. In this regard, each block in a flow chart or block diagram may represent a module, a program segment or a part of code, which includes one or more executable instructions for implementing the specified logic function. It should also be noted that in some alternative implementations the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flow charts, and combinations of blocks in the block diagrams and/or flow charts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the present application may be implemented in software or in hardware. The described units may also be provided in a processor; for example, a processor may be described as including a public key lookup unit, an authorization code encryption unit, a computed-signature generation unit and a granting unit. The names of these units do not in some cases constitute a limitation on the units themselves; for example, the authorization code encryption unit may also be described as "a unit that encrypts the authorization code with the found public key and sends the encrypted authorization code to the client".
As another aspect, the present application also provides a nonvolatile computer storage medium, which may be the nonvolatile computer storage medium included in the device of the above embodiments, or may exist on its own without being assembled into a terminal. The nonvolatile computer storage medium stores one or more programs which, when executed by a device, cause the device to: in response to receiving an authorization request to access an open interface sent by a client and including an application identifier, look up the prestored public key corresponding to the application identifier according to that identifier, and randomly generate an authorization code; encrypt the authorization code with the found public key and send the encrypted authorization code to the client; in response to receiving an access request sent by the client, encrypt the access parameters with the authorization code before encryption to generate a computed signature, where the access request includes the access parameters and an access signature generated by the client by encrypting the access parameters with the authorization code before encryption, the authorization code before encryption used by the client being obtained by decrypting the encrypted authorization code received by the client; and in response to determining that the computed signature is consistent with the access signature, grant the client the authority to access the open interface, and send the result of accessing the open interface to the client after encrypting it with the public key.
The above description is only a preferred embodiment of the application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the application is not limited to technical solutions formed by the particular combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example technical solutions formed by substituting the above features with (but not limited to) technical features with similar functions disclosed in the application.
Claims (14)
- 1. A method for controlling the authority to access an open interface, characterized in that the method includes: in response to receiving an authorization request to access the open interface sent by a client and including an application identifier, looking up the prestored public key corresponding to the application identifier according to that identifier, and randomly generating an authorization code; encrypting the authorization code with the found public key and sending the encrypted authorization code to the client; in response to receiving an access request sent by the client, encrypting the access parameters with the authorization code before encryption to generate a computed signature, wherein the access request includes the access parameters and an access signature generated by the client by encrypting the access parameters with the authorization code before encryption, the authorization code before encryption used by the client being obtained by decrypting the encrypted authorization code received by the client; and in response to determining that the computed signature is consistent with the access signature, granting the client the authority to access the open interface, and sending the result of accessing the open interface to the client after encrypting it with the public key.
- 2. The method for controlling the authority to access an open interface according to claim 1, characterized in that the method further includes: in response to determining that the computed signature and the access signature are inconsistent, not granting the client the authority to access the open interface.
- 3. The method for controlling the authority to access an open interface according to claim 1, characterized in that the method further includes a step of prestoring the public key, including: receiving a registration request from an application to access the open interface, wherein the registration request includes an application identifier and a public key; and storing the correspondence between the application identifier and the public key.
- 4. The method for controlling the authority to access an open interface according to claim 1, characterized in that encrypting the authorization code includes: encrypting the authorization code with the public key encryption algorithm RSA.
- 5. The method for controlling the authority to access an open interface according to claim 1, characterized in that encrypting the access parameters to generate the computed signature includes: encrypting the access parameters with the Message Digest Algorithm 5 (MD5) to generate the computed signature.
- 6. A method for controlling the authority to access an open interface, characterized in that the method includes: sending to a server an authorization request to access the open interface, the request including an application identifier; in response to receiving an encrypted authorization code sent by the server, decrypting the encrypted authorization code with a private key to obtain the authorization code, wherein the encrypted authorization code is obtained by the server encrypting a randomly generated authorization code with the prestored public key corresponding to the application identifier; encrypting the access parameters with the decrypted authorization code to generate an access signature; sending an access request to the server, wherein the access request includes the access parameters and the access signature; and in response to receiving the result of accessing the open interface, encrypted with the public key and sent by the server, decrypting it with the private key to obtain the result of accessing the open interface.
- 7. The method for controlling the authority to access an open interface according to claim 6, characterized in that encrypting the access parameters to generate the access signature includes: encrypting the access parameters with the Message Digest Algorithm 5 (MD5) to generate the access signature.
- 8. A device for controlling the authority to access an open interface, characterized in that the device includes: a public key lookup unit, configured to, in response to receiving an authorization request to access the open interface sent by a client and including an application identifier, look up the prestored public key corresponding to the application identifier according to that identifier, and randomly generate an authorization code; an authorization code encryption unit, configured to encrypt the authorization code with the found public key and send the encrypted authorization code to the client; a computed-signature generation unit, configured to, in response to receiving an access request sent by the client, encrypt the access parameters with the authorization code before encryption to generate a computed signature, wherein the access request includes the access parameters and an access signature generated by the client by encrypting the access parameters with the authorization code before encryption, the authorization code before encryption used by the client being obtained by decrypting the encrypted authorization code received by the client; and a granting unit, configured to, in response to determining that the computed signature is consistent with the access signature, grant the client the authority to access the open interface, and send the result of accessing the open interface to the client after encrypting it with the public key.
- 9. The device for controlling the authority to access an open interface according to claim 8, characterized in that the granting unit is further configured to: in response to determining that the computed signature and the access signature are inconsistent, not grant the client the authority to access the open interface.
- 10. The device for controlling the authority to access an open interface according to claim 8, characterized in that the device further includes a storage unit configured to: receive a registration request from an application to access the open interface, wherein the registration request includes an application identifier and a public key; and store the correspondence between the application identifier and the public key.
- 11. The device for controlling the authority to access an open interface according to claim 8, characterized in that the authorization code encryption unit is further configured to: encrypt the authorization code with the public key encryption algorithm RSA.
- 12. The device for controlling the authority to access an open interface according to claim 8, characterized in that the computed-signature generation unit is further configured to: encrypt the access parameters with the Message Digest Algorithm 5 (MD5) to generate the computed signature.
- 13. A device for controlling the authority to access an open interface, characterized in that the device includes: an authorization request unit, configured to send to a server an authorization request to access the open interface, the request including an application identifier; an authorization code decryption unit, configured to, in response to receiving an encrypted authorization code sent by the server, decrypt the encrypted authorization code with a private key to obtain the authorization code, wherein the encrypted authorization code is obtained by the server encrypting a randomly generated authorization code with the prestored public key corresponding to the application identifier; an access signature generation unit, configured to encrypt the access parameters with the decrypted authorization code to generate an access signature; an access request unit, configured to send an access request to the server, wherein the access request includes the access parameters and the access signature; and an access result decryption unit, configured to, in response to receiving the result of accessing the open interface, encrypted with the public key and sent by the server, decrypt it with the private key to obtain the result of accessing the open interface.
- 14. The device for controlling the authority to access an open interface according to claim 13, characterized in that the access signature generation unit is further configured to: encrypt the access parameters with the Message Digest Algorithm 5 (MD5) to generate the access signature.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610885792.4A CN107918731A (en) | 2016-10-11 | 2016-10-11 | Method and apparatus for controlling the authority to access to open interface |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610885792.4A CN107918731A (en) | 2016-10-11 | 2016-10-11 | Method and apparatus for controlling the authority to access to open interface |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107918731A true CN107918731A (en) | 2018-04-17 |
Family
ID=61892547
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610885792.4A Pending CN107918731A (en) | 2016-10-11 | 2016-10-11 | Method and apparatus for controlling the authority to access to open interface |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107918731A (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108717507A (en) * | 2018-04-20 | 2018-10-30 | 烽火通信科技股份有限公司 | A kind of management method and system of Android application programs permission |
CN108984315A (en) * | 2018-06-14 | 2018-12-11 | 深圳市轱辘汽车维修技术有限公司 | Application data processing method, device, terminal and readable medium |
CN110149367A (en) * | 2019-04-17 | 2019-08-20 | 平安科技(深圳)有限公司 | Judge calling interface request whether normal method, apparatus and computer equipment |
CN110287686A (en) * | 2019-06-24 | 2019-09-27 | 深圳市同泰怡信息技术有限公司 | A kind of the clean boot right management method and equipment of basic input output system |
CN111800426A (en) * | 2020-07-07 | 2020-10-20 | 腾讯科技(深圳)有限公司 | Method, device, equipment and medium for accessing native code interface in application program |
CN111914293A (en) * | 2020-07-31 | 2020-11-10 | 平安科技(深圳)有限公司 | Data access authority verification method and device, computer equipment and storage medium |
CN112099964A (en) * | 2019-06-18 | 2020-12-18 | 北京思源政通科技集团有限公司 | Interface calling method and device, storage medium and electronic device |
CN112131590A (en) * | 2020-09-28 | 2020-12-25 | 平安国际智慧城市科技股份有限公司 | Database connection establishing method and device, computer equipment and storage medium |
WO2021007142A1 (en) | 2019-07-05 | 2021-01-14 | Visa International Service Association | System, method, and computer program product for third-party authorization |
CN112367302A (en) * | 2020-10-20 | 2021-02-12 | 北京空间飞行器总体设计部 | Identity authentication method and system suitable for chrome browser |
CN113612744A (en) * | 2021-07-23 | 2021-11-05 | 天津中新智冠信息技术有限公司 | Remote authorization system and method |
CN116432190A (en) * | 2023-06-15 | 2023-07-14 | 杭州美创科技股份有限公司 | Method and device for detecting unauthorized access of interface, computer equipment and storage medium |
CN117331964A (en) * | 2023-12-01 | 2024-01-02 | 成都明途科技有限公司 | Data query method, device, equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104780176A (en) * | 2015-04-28 | 2015-07-15 | 中国科学院微电子研究所 | Method and system for safely calling representational state transition application programming interface |
CN105306534A (en) * | 2015-09-21 | 2016-02-03 | 拉扎斯网络科技(上海)有限公司 | Information verification method based on open platform and open platform |
CN105376216A (en) * | 2015-10-12 | 2016-03-02 | 华为技术有限公司 | Remote access method, agent server and client end |
CN105530253A (en) * | 2015-12-17 | 2016-04-27 | 河南大学 | Wireless sensor network access authentication method based on CA certificate and under Restful architecture |
CN105634743A (en) * | 2015-12-30 | 2016-06-01 | 中国银联股份有限公司 | Authentication method used for open interface calling |
- 2016-10-11 CN CN201610885792.4A patent/CN107918731A/en active Pending
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108717507A (en) * | 2018-04-20 | 2018-10-30 | 烽火通信科技股份有限公司 | A kind of management method and system of Android application programs permission |
CN108984315A (en) * | 2018-06-14 | 2018-12-11 | 深圳市轱辘汽车维修技术有限公司 | Application data processing method, device, terminal and readable medium |
CN108984315B (en) * | 2018-06-14 | 2022-04-15 | 深圳市轱辘车联数据技术有限公司 | Application data processing method and device, terminal and readable medium |
CN110149367A (en) * | 2019-04-17 | 2019-08-20 | 平安科技(深圳)有限公司 | Judge calling interface request whether normal method, apparatus and computer equipment |
CN112099964A (en) * | 2019-06-18 | 2020-12-18 | 北京思源政通科技集团有限公司 | Interface calling method and device, storage medium and electronic device |
CN110287686B (en) * | 2019-06-24 | 2021-06-15 | 深圳市同泰怡信息技术有限公司 | Safe starting authority management method and equipment for basic input output system |
CN110287686A (en) * | 2019-06-24 | 2019-09-27 | 深圳市同泰怡信息技术有限公司 | A kind of the clean boot right management method and equipment of basic input output system |
EP3994593A4 (en) * | 2019-07-05 | 2022-08-17 | Visa International Service Association | System, method, and computer program product for third-party authorization |
WO2021007142A1 (en) | 2019-07-05 | 2021-01-14 | Visa International Service Association | System, method, and computer program product for third-party authorization |
CN111800426A (en) * | 2020-07-07 | 2020-10-20 | 腾讯科技(深圳)有限公司 | Method, device, equipment and medium for accessing native code interface in application program |
CN111914293A (en) * | 2020-07-31 | 2020-11-10 | 平安科技(深圳)有限公司 | Data access authority verification method and device, computer equipment and storage medium |
CN111914293B (en) * | 2020-07-31 | 2024-05-24 | 平安科技(深圳)有限公司 | Data access right verification method and device, computer equipment and storage medium |
CN112131590A (en) * | 2020-09-28 | 2020-12-25 | 平安国际智慧城市科技股份有限公司 | Database connection establishing method and device, computer equipment and storage medium |
CN112367302A (en) * | 2020-10-20 | 2021-02-12 | 北京空间飞行器总体设计部 | Identity authentication method and system suitable for chrome browser |
CN112367302B (en) * | 2020-10-20 | 2023-07-18 | 北京空间飞行器总体设计部 | Identity authentication method and system suitable for chrome browser |
CN113612744A (en) * | 2021-07-23 | 2021-11-05 | 天津中新智冠信息技术有限公司 | Remote authorization system and method |
CN113612744B (en) * | 2021-07-23 | 2023-09-22 | 天津中新智冠信息技术有限公司 | Remote authorization system and method |
CN116432190A (en) * | 2023-06-15 | 2023-07-14 | 杭州美创科技股份有限公司 | Method and device for detecting unauthorized access of interface, computer equipment and storage medium |
CN116432190B (en) * | 2023-06-15 | 2023-09-08 | 杭州美创科技股份有限公司 | Method and device for detecting unauthorized access of interface, computer equipment and storage medium |
CN117331964A (en) * | 2023-12-01 | 2024-01-02 | 成都明途科技有限公司 | Data query method, device, equipment and storage medium |
CN117331964B (en) * | 2023-12-01 | 2024-02-27 | 成都明途科技有限公司 | Data query method, device, equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107918731A (en) | | Method and apparatus for controlling the authority to access to open interface |
EP2304636B1 (en) | | Mobile device assisted secure computer network communications |
CN105007279B (en) | | Authentication method and verification system |
JP4866863B2 (en) | | Security code generation method and user device |
WO2019079356A1 (en) | | Authentication token with client key |
CN106533665B (en) | | Methods, systems and devices for storing website private key plaintext |
CN106487765B (en) | | Authorized access method and device using the same |
WO2021184755A1 (en) | | Application access method and apparatus, and electronic device and storage medium |
US20070240226A1 (en) | | Method and apparatus for user centric private data management |
CN107810617A (en) | | Secret certification and supply |
CN108347419A (en) | | Data transmission method and device |
CN108322416B (en) | | Security authentication implementation method, device and system |
US8397281B2 (en) | | Service assisted secret provisioning |
CN106464496A (en) | | Method and system for creating a certificate to authenticate a user identity |
CN107248984A (en) | | Data exchange system, method and apparatus |
CN108199847B (en) | | Digital security processing method, computer device, and storage medium |
CN111131416A (en) | | Business service providing method and device, storage medium and electronic device |
KR101879758B1 (en) | | Method for generating a user digital certificate for an individual user terminal and for authenticating using the same digital certificate |
CN111130799B (en) | | Method and system for HTTPS protocol transmission based on TEE |
CN110868291A (en) | | Data encryption transmission method, device, system and storage medium |
CN109379345B (en) | | Sensitive information transmission method and system |
CN102404337A (en) | | Data encryption method and device |
CN110049032A (en) | | Data content encryption method and device with two-way authentication |
CN107154916A (en) | | Authentication information acquisition method, provision method and device |
CN104901967A (en) | | Registration method for trusted device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2018-04-17