CN107918731A - Method and apparatus for controlling the authority to access to open interface - Google Patents


Info

Publication number
CN107918731A
Authority
CN
China
Prior art keywords
access
encrypted
authorization code
open interface
signature
Legal status
Pending
Application number
CN201610885792.4A
Other languages
Chinese (zh)
Inventor
崔红伟
Current Assignee
Baidu Online Network Technology Beijing Co Ltd
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/45 Structures or tools for the administration of authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters
    • H04L 9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials; involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2133 Verifying human interaction, e.g., Captcha
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

This application discloses a method and apparatus for controlling the authority to access an open interface. In one embodiment the method includes: in response to receiving an authorization request from a client to access an open interface, the request carrying an application identity, looking up the prestored public key corresponding to that application identity and generating an authorization code at random; encrypting the authorization code with the found public key and sending the encrypted authorization code to the client; in response to receiving an access request from the client, encrypting the access parameters with the authorization code as it was before encryption to generate a calculated signature; and, in response to determining that the calculated signature is consistent with the access signature, granting the client authority to access the open interface and sending the result of the access to the client after encrypting it with the public key. This embodiment improves the security of the open interface, keeps information from leaking, and keeps the platform's own system from being attacked.

Description

Method and apparatus for controlling the authority to access an open interface
Technical field
This application relates to the field of computer technology, in particular to Internet technology, and more particularly to a method and apparatus for controlling the authority to access an open interface.
Background technology
Internet service providing platforms offer open interfaces that third-party developers call while developing Internet applications, for example an API (Application Programming Interface) invoked over HTTP (Hypertext Transfer Protocol). The service providing platform should validly authenticate each interface call (access) request it receives and respond only to legitimate interface call requests. A platform that provides open interfaces is accordingly called an open platform. At present, when a third-party application calls the open API provided by most open platforms, it must first obtain an access token, which may be called an access authorization code, through the licensing scheme the open platform provides. Each time the third-party application calls the open API it must carry this access token, so that the open platform can grant the third-party application the corresponding access rights according to the token.
In the prior art, an application requests the access token from the open platform using the application identification information and key information that the open platform distributed to it. Because the user encrypts with a private key, the information the user sends can easily be read by any third party who holds the public key, so security is not high. The openness and scale of the API and the simplicity of the authorization management scheme make it easy for user privacy information to be stolen and leaked.
The content of the invention
The purpose of this application is to propose an improved method and apparatus for controlling the authority to access an open interface, to solve the technical problem mentioned in the background section above.
In a first aspect, this application provides a method for controlling the authority to access an open interface. The method includes: in response to receiving an authorization request from a client to access an open interface, the request including an application identity, looking up the prestored public key corresponding to the application identity and generating an authorization code at random; encrypting the authorization code with the found public key and sending the encrypted authorization code to the client; in response to receiving an access request from the client, encrypting the access parameters with the authorization code as it was before encryption to generate a calculated signature, where the access request includes the access parameters and an access signature that the client generated by encrypting the access parameters with the authorization code before encryption, the client having obtained that authorization code by decrypting the encrypted authorization code it received; and, in response to determining that the calculated signature is consistent with the access signature, granting the client authority to access the open interface and sending the result of accessing the open interface to the client after encrypting it with the public key.
In some embodiments, the method further includes: in response to determining that the calculated signature is inconsistent with the access signature, not granting the client authority to access the open interface.
In some embodiments, the method further includes a step of prestoring the public key: receiving a registration request from an application to access the open interface, the registration request including an application identity and a public key, and storing the correspondence between the application identity and the public key.
In some embodiments, encrypting the authorization code includes encrypting the authorization code with the public-key encryption algorithm RSA.
In some embodiments, encrypting the access parameters to generate the calculated signature includes encrypting the access parameters with Message Digest Algorithm 5 (MD5) to generate the calculated signature.
In a second aspect, this application provides a method for controlling the authority to access an open interface. The method includes: sending a server an authorization request to access an open interface, the request including an application identity; in response to receiving an encrypted authorization code from the server, decrypting the encrypted authorization code with a private key to obtain the authorization code, where the encrypted authorization code was obtained by the server encrypting a randomly generated authorization code with the prestored public key corresponding to the application identity; encrypting the access parameters with the decrypted authorization code to generate an access signature; sending the server an access request that includes the access parameters and the access signature; and, in response to receiving from the server the result of accessing the open interface, encrypted with the public key, decrypting it with the private key to obtain the result of accessing the open interface.
In some embodiments, encrypting the access parameters to generate the access signature includes encrypting the access parameters with Message Digest Algorithm 5 (MD5) to generate the access signature.
In a third aspect, this application provides an apparatus for controlling the authority to access an open interface. The apparatus includes: a public key lookup unit, configured to, in response to receiving an authorization request from a client to access an open interface, the request including an application identity, look up the prestored public key corresponding to the application identity and generate an authorization code at random; an authorization code encryption unit, configured to encrypt the authorization code with the found public key and send the encrypted authorization code to the client; a calculated signature generation unit, configured to, in response to receiving an access request from the client, encrypt the access parameters with the authorization code before encryption to generate a calculated signature, where the access request includes the access parameters and an access signature the client generated by encrypting the access parameters with the authorization code before encryption, that authorization code having been obtained by decrypting the encrypted authorization code the client received; and a granting unit, configured to, in response to determining that the calculated signature is consistent with the access signature, grant the client authority to access the open interface and send the result of accessing the open interface to the client after encrypting it with the public key.
In some embodiments, the granting unit is further configured to: in response to determining that the calculated signature is inconsistent with the access signature, not grant the client authority to access the open interface.
In some embodiments, the apparatus further includes a storage unit configured to: receive a registration request from an application to access the open interface, the registration request including an application identity and a public key; and store the correspondence between the application identity and the public key.
In some embodiments, the authorization code encryption unit is further configured to encrypt the authorization code with the public-key encryption algorithm RSA.
In some embodiments, the calculated signature generation unit is further configured to encrypt the access parameters with Message Digest Algorithm 5 (MD5) to generate the calculated signature.
In a fourth aspect, this application provides an apparatus for controlling the authority to access an open interface. The apparatus includes: an authorization request unit, configured to send a server an authorization request to access an open interface, the request including an application identity; an authorization code decryption unit, configured to, in response to receiving an encrypted authorization code from the server, decrypt it with a private key to obtain the authorization code, where the encrypted authorization code was obtained by the server encrypting a randomly generated authorization code with the prestored public key corresponding to the application identity; an access signature generation unit, configured to encrypt the access parameters with the decrypted authorization code to generate an access signature; an access request unit, configured to send the server an access request that includes the access parameters and the access signature; and an access result decryption unit, configured to, in response to receiving from the server the result of accessing the open interface encrypted with the public key, decrypt it with the private key to obtain the result of accessing the open interface.
In some embodiments, the access signature generation unit is further configured to encrypt the access parameters with Message Digest Algorithm 5 (MD5) to generate the access signature.
In the method and apparatus for controlling the authority to access an open interface provided by this application, the server that provides the open interface encrypts the authorization code with the public key and the client decrypts it with its private key to obtain the authorization code, and access to the open interface is controlled on that basis. No private-key encryption is used, so a third party holding the public key cannot read the exchange. The private key is held only by the product client itself, which significantly raises security. In addition, the access parameters are encrypted with the authorization code to generate signature information for a second authentication, which again improves the security of the open interface.
Brief description of the drawings
Other features, objects and advantages of this application will become more apparent from reading the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 is an exemplary system architecture diagram to which this application can be applied;
Fig. 2 is a flow chart of one embodiment of the method for controlling the authority to access an open interface according to this application;
Fig. 3 is a schematic diagram of an application scenario of the method for controlling the authority to access an open interface according to this application;
Fig. 4 is a flow chart of another embodiment of the method for controlling the authority to access an open interface according to this application;
Fig. 5 is a structural diagram of one embodiment of the apparatus for controlling the authority to access an open interface according to this application;
Fig. 6 is a structural diagram of another embodiment of the apparatus for controlling the authority to access an open interface according to this application;
Fig. 7 is a structural diagram of a computer system of a terminal device or server suitable for implementing the embodiments of this application.
Detailed description
The application is described in further detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described here are used only to explain the related invention and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the invention.
It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other. The application is described in detail below with reference to the drawings and in conjunction with the embodiments.
Fig. 1 shows an exemplary system architecture 100 to which embodiments of the method or apparatus for controlling the authority to access an open interface of this application can be applied.
As shown in Fig. 1, system architecture 100 may include terminal devices 101, 102, 103, a network 104 and a server 105. Network 104 is the medium that provides communication links between terminal devices 101, 102, 103 and server 105. Network 104 may include various connection types, such as wired or wireless communication links, fiber optic cables and so on.
A user may use terminal devices 101, 102, 103 to interact with server 105 through network 104, to receive or send messages and so on. Various communication client applications may be installed on terminal devices 101, 102, 103, such as web browser applications, shopping applications, search applications, instant messaging tools, mail clients and social platform software.
Terminal devices 101, 102, 103 may be any electronic devices capable of accessing an open interface, including but not limited to smart phones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop portable computers and desktop computers.
Server 105 may be a server providing various services, such as a backend open interface server supporting the open interfaces accessed on terminal devices 101, 102, 103. The backend open interface server may analyze and otherwise process the data it receives, such as authorization requests to access an open interface, and feed the processing result (such as the result of accessing the open interface) back to the terminal device.
It should be noted that the method for controlling the authority to access an open interface provided by the embodiments of this application is generally performed by server 105 together with terminal devices 101, 102, 103; correspondingly, the apparatus for controlling the authority to access an open interface is generally provided in server 105 and in terminal devices 101, 102, 103.
It should be understood that the numbers of terminal devices, networks and servers in Fig. 1 are merely illustrative. There may be any number of terminal devices, networks and servers as needed for implementation.
With continued reference to Fig. 2, a flow 200 of one embodiment of the method for controlling the authority to access an open interface according to this application is shown. The method for controlling the authority to access an open interface includes the following steps:
Step 201: in response to receiving an authorization request from a client to access an open interface, the request including an application identity, look up the prestored public key corresponding to the application identity and generate an authorization code at random.
In this embodiment, the electronic device on which the method for controlling the authority to access an open interface runs (such as the server shown in Fig. 1) may receive, over a wired or wireless connection, an authorization request to access an open interface from the terminal that the user uses for that access. The authorization request includes the application identity of the application running on the terminal that wants to access the open interface (for example an instant messaging tool or a shopping application). The application identity may be letters, digits, symbols or any combination of them. The application identity was registered in advance by the application's developer on the open interface server, together with the public key corresponding to the application identity. A public key is commonly used to encrypt a session key, verify a digital signature, or encrypt data that can be decrypted with the corresponding private key. The algorithm guarantees that the keys obtained are globally unique. When such a key pair is used, data encrypted with one of the keys must be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key, otherwise decryption fails. After the electronic device receives the client's authorization request, it may look up the prestored public key corresponding to the application identity and generate an authorization code at random, for example by randomly choosing an authorization code from a preset pool of authorization codes.
In some optional implementations of this embodiment, the method for controlling the authority to access an open interface further includes a step of prestoring the public key: receiving a registration request from an application to access the open interface, the registration request including an application identity and a public key, and storing the correspondence between the application identity and the public key. The registration request may be sent to the electronic device by the application's developer. Different applications have different public keys, so the electronic device can find the corresponding public key by the application identity.
Step 202: encrypt the authorization code with the found public key and send the encrypted authorization code to the client.
In this embodiment, the randomly generated authorization code is encrypted with the public key found in step 201, and the encrypted authorization code is then sent to the client over network 104.
In some optional implementations of this embodiment, encrypting the authorization code includes encrypting the authorization code with the public-key encryption algorithm RSA. RSA is currently the most influential public-key encryption algorithm and can resist most of the cryptographic attacks known so far.
Step 203: in response to receiving an access request from the client, encrypt the access parameters with the authorization code before encryption to generate a calculated signature.
In this embodiment, after step 202 is completed the client decrypts the encrypted authorization code it received, encrypts the access parameters with the decrypted authorization code to produce an access signature, and sends the electronic device an access request consisting of the access signature and the access parameters. After the electronic device receives the client's access request, it encrypts the access parameters with the authorization code as it was before encryption to generate a calculated signature. The access parameters may include the API name, API parameters and so on. The calculated signature is a kind of digital signature: a string that only the sender of the information can produce and that others cannot forge. The string is also a valid proof of the authenticity of the information sent by the sender, and the digital signature can verify the integrity of the information.
In some optional implementations of this embodiment, encrypting the access parameters to generate the calculated signature includes encrypting the access parameters with MD5 (Message-Digest Algorithm 5) to generate the calculated signature. MD5 is a hash function widely used in computer security to provide integrity protection for messages. MD5 "compresses" a large amount of information into a fixed-length form (a byte string of arbitrary length is transformed into a hexadecimal digit string of fixed length) before the private key signs it with digital signature software.
Step 204: in response to determining that the calculated signature is consistent with the access signature, grant the client authority to access the open interface and send the result of accessing the open interface to the client after encrypting it with the public key.
In this embodiment, the calculated signature obtained in step 203 is compared with the access signature received from the client. If they are consistent, the client may access the open interface, and the result of accessing the open interface is encrypted with the public key and sent to the client. For example, an open interface may look up identity card information: the client application passes the identity card number to be queried as the access parameter, and the result of the access is the name, age, address and other information corresponding to that identity card number.
In some optional implementations of this embodiment, if the calculated signature is inconsistent with the access signature, the client is not granted authority to access the open interface. The refusal need not be returned to the client; the client can judge that it was rejected by a timeout. Alternatively, refusal information may be generated, encrypted and sent to the client.
With continued reference to Fig. 3, Fig. 3 is a schematic diagram of an application scenario of the method for controlling the authority to access an open interface according to this embodiment. In the application scenario of Fig. 3, the user first initiates an API authorization request to the API server through the client. The API server obtains the public key according to the application identity, generates an authorization code at random, encrypts it with the public key and returns it to the client. The client decrypts it with its private key to obtain the authorization code, then encrypts the access parameters with the authorization code to obtain an access signature, and calls the function API with it. The server encrypts the parameters with the authorization code it issued to obtain a calculated signature and judges whether the access signature and the calculated signature are consistent; if they are, it provides the API service, encrypts the API access result with the public key and returns it to the client. The client decrypts it with its private key to obtain the access result.
In the method provided by the above embodiment of this application, open interface access information is encrypted with the public key, and the client decrypts the result information returned by the open interface with the private key. Only the product client itself holds the private key, which significantly raises security.
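The whole exchange of Fig. 3, that is, server steps 201-204 above and the client steps 401-405 that follow, as an added example in Go. It is not code from the patent or from Baidu. It assumes RSA-OAEP padding (the text names only RSA), a canonical form for the access parameters (sorted key=value& pairs with the authorization code appended before MD5, since the text fixes no encoding), a hypothetical application identity "demo-app", and a constructed identity-card record; the tamper flag exercises the refusal path of step 204.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Server keeps the application-identity -> public-key correspondence stored at
// registration and the authorization code issued to each application.
type Server struct {
	registry map[string]*rsa.PublicKey
	issued   map[string][]byte
}

// Authorize is steps 201-202: look up the public key, draw a random authorization
// code and return it encrypted under that key (OAEP padding is an assumption).
func (s *Server) Authorize(appID string) ([]byte, error) {
	pub, ok := s.registry[appID]
	if !ok {
		return nil, errors.New("unknown application identity")
	}
	code := make([]byte, 32)
	if _, err := rand.Read(code); err != nil {
		return nil, err
	}
	s.issued[appID] = code
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, code, nil)
}

// AccessSignature is the "MD5 encryption of the access parameters with the authorization
// code": sorted key=value& pairs with the code appended, then hashed (assumed canonical form).
func AccessSignature(params map[string]string, code []byte) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	msg := ""
	for _, k := range keys {
		msg += k + "=" + params[k] + "&"
	}
	sum := md5.Sum(append([]byte(msg), code...))
	return hex.EncodeToString(sum[:])
}

// Access is steps 203-204: recompute the signature from the plaintext authorization code,
// compare in constant time, and on a match return the result encrypted under the public key.
func (s *Server) Access(appID string, params map[string]string, sig string) ([]byte, error) {
	code, ok := s.issued[appID]
	if !ok {
		return nil, errors.New("no authorization code issued for this application")
	}
	if !hmac.Equal([]byte(AccessSignature(params, code)), []byte(sig)) {
		return nil, errors.New("calculated signature differs from access signature: refused")
	}
	// Constructed result for the ID-card lookup example in the text; not real data.
	result := fmt.Sprintf("id=%s;name=Zhang San;age=30;address=Beijing", params["id"])
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.registry[appID], []byte(result), nil)
}

// RunExchange drives the Fig. 3 exchange; the client side is steps 401-405 and the private
// key never leaves this function. With tamper set, a parameter is changed after signing.
func RunExchange(tamper bool) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	appID := "demo-app" // hypothetical application identity
	// Registration request: application identity and public key are stored together.
	srv := &Server{registry: map[string]*rsa.PublicKey{appID: &priv.PublicKey}, issued: map[string][]byte{}}
	encCode, err := srv.Authorize(appID) // step 401 on the wire, 201-202 on the server
	if err != nil {
		return "", err
	}
	code, err := rsa.DecryptOAEP(sha256.New(), nil, priv, encCode, nil) // step 402
	if err != nil {
		return "", err
	}
	params := map[string]string{"api": "idcard.query", "id": "110101199001010000"} // constructed
	sig := AccessSignature(params, code) // step 403
	if tamper {
		params["id"] = "110101199001010001"
	}
	encResult, err := srv.Access(appID, params, sig) // step 404, server steps 203-204
	if err != nil {
		return "", err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, encResult, nil) // step 405
	return string(plain), err
}

func main() { fmt.Println(RunExchange(false)) }
```

Both sides must use the same canonical form, otherwise honest requests fail the comparison in step 204. Two caveats the description leaves open: the digest is a plain MD5 over code-suffixed data rather than an HMAC, so a production implementation would use hmac.New(sha256.New, code) instead of the md5.Sum call; and nothing in the signed parameters is request-specific, so a captured (parameters, signature) pair verifies again until a new authorization code is issued, which a nonce or timestamp included in the parameters would prevent.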
With continued reference to Fig. 4, a flow 400 of another embodiment of the method for controlling the authority to access an open interface according to the application is shown. The method for controlling the authority to access an open interface comprises the following steps:
Step 401: send to the server an authorization request to access the open interface, the request including an application identity.
In this embodiment, the electronic device on which the method for controlling the authority to access an open interface runs (for example, the terminal shown in Fig. 1) may send the authorization request to access the open interface to the server over a wired or wireless connection. The authorization request includes the application identity of the application running on the terminal that is to access the open interface (for example, an instant messaging tool or a shopping application); the correspondence between the application identity and the public key has been registered on the server.
Step 402: in response to receiving the encrypted authorization code sent by the server, decrypt the encrypted authorization code with the private key to obtain the authorization code.
In this embodiment, after the terminal sends the authorization request, it receives the encrypted authorization code that the server sends after performing steps 201-202, and it must decrypt that code to obtain the authorization code originally generated by the server. The private key is used for decryption. A private-key algorithm encrypts and decrypts data with a single private key; since any party holding the key can decrypt the data, the key must be protected from being obtained by unauthorized agents.
Step 403: encrypt the access parameters with the decrypted authorization code to generate an access signature.
In this embodiment, the access parameters are encrypted with the authorization code obtained in step 402 to generate the access signature. This method encrypts with the authorization code rather than with the private key, so the private key is protected from being obtained by unauthorized agents.
In some optional implementations of this embodiment, encrypting the access parameters to generate the access signature includes: encrypting the access parameters using the Message-Digest Algorithm 5 (MD5) to generate the access signature.
Step 404: send an access request to the server.
In this embodiment, the access request is sent to the server based on the access signature obtained in step 403; the access request includes the access parameters and the access signature. The server computes a calculated signature from the access parameters and the authorization code and compares it with the access signature sent by the terminal; if they are consistent, the origin and the integrity of the data unit are confirmed. Only after the server has re-authenticated the signature information does it allow the application on the terminal to call the open interface.
Step 405: in response to receiving the result of accessing the open interface sent by the server and encrypted with the public key, decrypt it with the private key to obtain the result of accessing the open interface.
In this embodiment, after receiving the access request sent in step 404, the server performs steps 203-204 and sends the terminal the result of accessing the open interface, encrypted with the public key; the terminal decrypts it with the private key to obtain the result of accessing the open interface.
As can be seen from Fig. 4, compared with the embodiment corresponding to Fig. 2, the flow 400 of the method for controlling the authority to access an open interface in this embodiment highlights the encryption and decryption processes of the terminal: the terminal encrypts with the authorization code instead of the private key, which prevents the private key from being obtained by unauthorized agents and improves the security of the system.
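The exchange of Fig. 3 and steps 401 to 405 above, as an added example in Go that is not part of the patent: both sides run in one process, RSA-OAEP with SHA-256 stands in for the unspecified RSA mode, the sorted `k=v&` canonical form of the access parameters is an assumption, and the `demo-app` identity and request parameters are constructed. The server compares the calculated signature with the access signature in constant time and refuses the request when they differ or when no authorization code was issued.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Server keeps the registered application-identity -> public-key mapping and the
// plaintext authorization code it issued to each application.
type Server struct{ pubKeys map[string]*rsa.PublicKey; codes map[string][]byte }

// Authorize looks up the public key for the application identity, generates a random
// authorization code, remembers it and returns it encrypted under that key (steps 201-202).
// RSA-OAEP with SHA-256 is an assumption; the page only specifies RSA.
func (s *Server) Authorize(appID string) ([]byte, error) {
	pub, ok := s.pubKeys[appID]
	if !ok {
		return nil, errors.New("unregistered application identity")
	}
	code := make([]byte, 32)
	if _, err := rand.Read(code); err != nil {
		return nil, err
	}
	s.codes[appID] = code
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, code, nil)
}

// AccessSignature is MD5 over the canonicalised access parameters followed by the
// authorization code; the sorted "k=v&" layout is an assumption not stated on the page.
func AccessSignature(params map[string]string, code []byte) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	canon := ""
	for _, k := range keys {
		canon += k + "=" + params[k] + "&"
	}
	h := md5.New()
	h.Write([]byte(canon))
	h.Write(code)
	return hex.EncodeToString(h.Sum(nil))
}

// Access recomputes the signature with the stored code, compares it in constant time
// and, on a match, returns the interface result encrypted under the public key (steps 203-204).
func (s *Server) Access(appID string, params map[string]string, sig string) ([]byte, error) {
	code, ok := s.codes[appID]
	if !ok {
		return nil, errors.New("no authorization code issued for this application")
	}
	if subtle.ConstantTimeCompare([]byte(AccessSignature(params, code)), []byte(sig)) != 1 {
		return nil, errors.New("calculated signature does not match: access denied")
	}
	result := []byte("profile of " + params["user"]) // constructed interface result
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pubKeys[appID], result, nil)
}

// Client is the application side; it alone holds the private key and never sends it.
type Client struct{ priv *rsa.PrivateKey; code []byte }

// decrypt is the client's only private-key operation (steps 402 and 405).
func (c *Client) decrypt(enc []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, enc, nil)
}

// RunExchange walks the whole flow once and returns the decrypted access result.
func RunExchange() (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	client := &Client{priv: priv}
	srv := &Server{pubKeys: map[string]*rsa.PublicKey{}, codes: map[string][]byte{}}
	srv.pubKeys["demo-app"] = &priv.PublicKey // registration step; constructed app identity
	encCode, err := srv.Authorize("demo-app") // step 401
	if err == nil {
		client.code, err = client.decrypt(encCode) // step 402
	}
	if err != nil {
		return "", err
	}
	params := map[string]string{"user": "alice", "op": "read"} // constructed request
	encResult, err := srv.Access("demo-app", params, AccessSignature(params, client.code)) // steps 403-404
	if err != nil {
		return "", err
	}
	plain, err := client.decrypt(encResult) // step 405
	return string(plain), err
}

func main() { fmt.Println(RunExchange()) }
```

Because MD5 here is an unkeyed digest, the construction's strength rests entirely on the secrecy and freshness of the authorization code; a keyed MAC such as HMAC is the standard primitive for this role.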
With further reference to Fig. 5, as an implementation of the methods shown in the above figures, the application provides an embodiment of a device for controlling the authority to access an open interface. This device embodiment corresponds to the method embodiment shown in Fig. 2, and the device may be applied in various electronic devices.
As shown in Fig. 5, the device 500 for controlling the authority to access an open interface described in this embodiment includes: a public key lookup unit 501, an authorization code encryption unit 502, a calculated signature generation unit 503 and a granting unit 504. The public key lookup unit 501 is configured to, in response to receiving an authorization request to access the open interface sent by a client and including an application identity, look up the prestored public key corresponding to the application identity according to the application identity, and randomly generate an authorization code. The authorization code encryption unit 502 is configured to encrypt the authorization code with the found public key and send the encrypted authorization code to the client. The calculated signature generation unit 503 is configured to, in response to receiving an access request sent by the client, encrypt the access parameters with the unencrypted authorization code to generate a calculated signature, where the access request includes the access parameters and an access signature generated by the client by encrypting the access parameters with the unencrypted authorization code, the unencrypted authorization code used by the client being obtained by decrypting the encrypted authorization code it received. The granting unit 504 is configured to, in response to determining that the calculated signature is consistent with the access signature, grant the client the authority to access the open interface, and send the result of accessing the open interface to the client after encrypting it with the public key.
In this embodiment, after receiving the authorization request sent by the terminal, the device 500 uses the public key lookup unit 501 to find the public key from the application identity; the authorization code encryption unit 502 then encrypts the randomly generated authorization code with the public key and sends it to the terminal, and the device waits for the terminal to send an access request. After receiving the access request, the calculated signature generation unit 503 recomputes a calculated signature from the access parameters and the authorization code, and the granting unit 504 then determines whether the client may be granted the authority to access the open interface.
In some optional implementations of this embodiment, the granting unit 504 is further configured to: in response to determining that the calculated signature and the access signature are inconsistent, not grant the client the authority to access the open interface.
In some optional implementations of this embodiment, the device 500 further includes a storage unit configured to: receive a registration request from an application to access the open interface, the registration request including an application identity and a public key; and store the correspondence between the application identity and the public key.
In some optional implementations of this embodiment, the authorization code encryption unit 502 is further configured to: encrypt the authorization code using the public-key encryption algorithm RSA.
In some optional implementations of this embodiment, the calculated signature generation unit 503 is further configured to: encrypt the access parameters using the Message-Digest Algorithm 5 (MD5) to generate the calculated signature.
With further reference to Fig. 6, as an implementation of the methods shown in the above figures, the application provides another embodiment of a device for controlling the authority to access an open interface. This device embodiment corresponds to the method embodiment shown in Fig. 4, and the device may be applied in various electronic devices.
As shown in Fig. 6, the device 600 for controlling the authority to access an open interface described in this embodiment includes: an authorization request unit 601, an authorization code decryption unit 602, an access signature generation unit 603, an access request unit 604 and an access result decryption unit 605. The authorization request unit 601 is configured to send to the server an authorization request to access the open interface that includes an application identity. The authorization code decryption unit 602 is configured to, in response to receiving the encrypted authorization code sent by the server, decrypt the encrypted authorization code with the private key to obtain the authorization code, where the encrypted authorization code is obtained by the server encrypting a randomly generated authorization code with the prestored public key corresponding to the application identity. The access signature generation unit 603 is configured to encrypt the access parameters with the decrypted authorization code to generate an access signature. The access request unit 604 is configured to send an access request to the server, the access request including the access parameters and the access signature. The access result decryption unit 605 is configured to, in response to receiving the result of accessing the open interface sent by the server and encrypted with the public key, decrypt it with the private key to obtain the result of accessing the open interface.
In this embodiment, the terminal sends the request to access the open interface to the server through the authorization request unit 601 and then waits for the encrypted authorization code sent by the server; the authorization code decryption unit 602 decrypts the authorization code, the access signature generation unit 603 generates the access signature carried in the access request to the server, the access request unit 604 sends the access request to the server and waits for the server's response, and the result fed back by the server is decrypted by the access result decryption unit 605.
In some optional implementations of this embodiment, the access signature generation unit 603 is further configured to: encrypt the access parameters using the Message-Digest Algorithm 5 (MD5) to generate the access signature.
Reference is now made to Fig. 7, which shows a structural diagram of a computer system 700 suitable for implementing the terminal device or the server of the embodiments of the application.
As shown in Fig. 7, the computer system 700 includes a central processing unit (CPU) 701, which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 702 or a program loaded from a storage part 708 into a random access memory (RAM) 703. The RAM 703 also stores the various programs and data required for the operation of the system 700. The CPU 701, ROM 702 and RAM 703 are connected to each other through a bus 704. An input/output (I/O) interface 705 is also connected to the bus 704.
The following components are connected to the I/O interface 705: an input part 706 including a keyboard, a mouse and the like; an output part 707 including a liquid crystal display (LCD), a loudspeaker and the like; a storage part 708 including a hard disk and the like; and a communication part 709 including a network interface card such as a LAN card or a modem. The communication part 709 performs communication processing via a network such as the Internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 710 as needed, so that a computer program read from it can be installed into the storage part 708 as needed.
In particular, according to an embodiment of the present disclosure, the process described above with reference to the flowchart may be implemented as a computer software program. For example, an embodiment of the disclosure includes a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program including program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication part 709 and/or installed from the removable medium 711. When the computer program is executed by the central processing unit (CPU) 701, the above-described functions defined in the method of the application are performed.
The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functions and operations that may be implemented by the systems, methods and computer program products according to the various embodiments of the application. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that marked in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the application may be implemented by software or by hardware. The described units may also be provided in a processor; for example, they may be described as: a processor including a public key lookup unit, an authorization code encryption unit, a calculated signature generation unit and a granting unit. The names of these units do not in some cases constitute a limitation of the units themselves; for example, the authorization code encryption unit may also be described as "a unit that encrypts the authorization code with the found public key and sends the encrypted authorization code to the client".
As another aspect, the application also provides a non-volatile computer storage medium, which may be the non-volatile computer storage medium included in the device of the above embodiment, or may exist separately without being assembled into a terminal. The non-volatile computer storage medium stores one or more programs which, when executed by a device, cause the device to: in response to receiving an authorization request to access an open interface sent by a client and including an application identity, look up the prestored public key corresponding to the application identity according to the application identity, and randomly generate an authorization code; encrypt the authorization code with the found public key and send the encrypted authorization code to the client; in response to receiving an access request sent by the client, encrypt the access parameters with the unencrypted authorization code to generate a calculated signature, where the access request includes the access parameters and an access signature generated by the client by encrypting the access parameters with the unencrypted authorization code, the unencrypted authorization code used by the client being obtained by decrypting the encrypted authorization code it received; and in response to determining that the calculated signature is consistent with the access signature, grant the client the authority to access the open interface, and send the result of accessing the open interface to the client after encrypting it with the public key.
The above description is only a preferred embodiment of the application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the application is not limited to technical solutions formed by the particular combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalent features without departing from the inventive concept, for example technical solutions formed by replacing the above features with (but not limited to) technical features with similar functions disclosed in the application.

Claims (14)

  1. A method for controlling the authority to access an open interface, characterized in that the method comprises:
    in response to receiving an authorization request to access the open interface sent by a client and including an application identity, looking up the prestored public key corresponding to the application identity according to the application identity, and randomly generating an authorization code;
    encrypting the authorization code with the found public key, and sending the encrypted authorization code to the client;
    in response to receiving an access request sent by the client, encrypting access parameters with the unencrypted authorization code to generate a calculated signature, wherein the access request includes the access parameters and an access signature generated by the client by encrypting the access parameters with the unencrypted authorization code, the unencrypted authorization code used by the client being obtained by decrypting the encrypted authorization code received by the client;
    in response to determining that the calculated signature is consistent with the access signature, granting the client the authority to access the open interface, and sending the result of accessing the open interface to the client after encrypting it with the public key.
  2. The method for controlling the authority to access an open interface according to claim 1, characterized in that the method further comprises:
    in response to determining that the calculated signature and the access signature are inconsistent, not granting the client the authority to access the open interface.
  3. The method for controlling the authority to access an open interface according to claim 1, characterized in that the method further comprises the step of prestoring the public key, comprising:
    receiving a registration request from an application to access the open interface, wherein the registration request includes an application identity and a public key;
    storing the correspondence between the application identity and the public key.
  4. The method for controlling the authority to access an open interface according to claim 1, characterized in that encrypting the authorization code comprises:
    encrypting the authorization code using the public-key encryption algorithm RSA.
  5. The method for controlling the authority to access an open interface according to claim 1, characterized in that encrypting the access parameters to generate the calculated signature comprises:
    encrypting the access parameters using the Message-Digest Algorithm 5 (MD5) to generate the calculated signature.
  6. A method for controlling the authority to access an open interface, characterized in that the method comprises:
    sending to a server an authorization request to access the open interface, the request including an application identity;
    in response to receiving an encrypted authorization code sent by the server, decrypting the encrypted authorization code with a private key to obtain the authorization code, wherein the encrypted authorization code is obtained by the server encrypting a randomly generated authorization code with the prestored public key corresponding to the application identity;
    encrypting access parameters with the decrypted authorization code to generate an access signature;
    sending an access request to the server, wherein the access request includes the access parameters and the access signature;
    in response to receiving the result of accessing the open interface sent by the server and encrypted with the public key, decrypting it with the private key to obtain the result of accessing the open interface.
  7. The method for controlling the authority to access an open interface according to claim 6, characterized in that encrypting the access parameters to generate the access signature comprises:
    encrypting the access parameters using the Message-Digest Algorithm 5 (MD5) to generate the access signature.
  8. A device for controlling the authority to access an open interface, characterized in that the device comprises:
    a public key lookup unit, configured to, in response to receiving an authorization request to access the open interface sent by a client and including an application identity, look up the prestored public key corresponding to the application identity according to the application identity, and randomly generate an authorization code;
    an authorization code encryption unit, configured to encrypt the authorization code with the found public key and send the encrypted authorization code to the client;
    a calculated signature generation unit, configured to, in response to receiving an access request sent by the client, encrypt access parameters with the unencrypted authorization code to generate a calculated signature, wherein the access request includes the access parameters and an access signature generated by the client by encrypting the access parameters with the unencrypted authorization code, the unencrypted authorization code used by the client being obtained by decrypting the encrypted authorization code received by the client;
    a granting unit, configured to, in response to determining that the calculated signature is consistent with the access signature, grant the client the authority to access the open interface, and send the result of accessing the open interface to the client after encrypting it with the public key.
  9. The device for controlling the authority to access an open interface according to claim 8, characterized in that the granting unit is further configured to:
    in response to determining that the calculated signature and the access signature are inconsistent, not grant the client the authority to access the open interface.
  10. The device for controlling the authority to access an open interface according to claim 8, characterized in that the device further comprises a storage unit configured to:
    receive a registration request from an application to access the open interface, wherein the registration request includes an application identity and a public key;
    store the correspondence between the application identity and the public key.
  11. The device for controlling the authority to access an open interface according to claim 8, characterized in that the authorization code encryption unit is further configured to:
    encrypt the authorization code using the public-key encryption algorithm RSA.
  12. The device for controlling the authority to access an open interface according to claim 8, characterized in that the calculated signature generation unit is further configured to:
    encrypt the access parameters using the Message-Digest Algorithm 5 (MD5) to generate the calculated signature.
  13. A device for controlling the authority to access an open interface, characterized in that the device comprises:
    an authorization request unit, configured to send to a server an authorization request to access the open interface, the request including an application identity;
    an authorization code decryption unit, configured to, in response to receiving an encrypted authorization code sent by the server, decrypt the encrypted authorization code with a private key to obtain the authorization code, wherein the encrypted authorization code is obtained by the server encrypting a randomly generated authorization code with the prestored public key corresponding to the application identity;
    an access signature generation unit, configured to encrypt access parameters with the decrypted authorization code to generate an access signature;
    an access request unit, configured to send an access request to the server, wherein the access request includes the access parameters and the access signature;
    an access result decryption unit, configured to, in response to receiving the result of accessing the open interface sent by the server and encrypted with the public key, decrypt it with the private key to obtain the result of accessing the open interface.
  14. The device for controlling the authority to access an open interface according to claim 13, characterized in that the access signature generation unit is further configured to:
    encrypt the access parameters using the Message-Digest Algorithm 5 (MD5) to generate the access signature.
Application CN201610885792.4A, priority date 2016-10-11, filing date 2016-10-11: Method and apparatus for controlling the authority to access to open interface (status: pending)

Publication: CN107918731A (en), publication date 2018-04-17

Family ID: 61892547; family application CN201610885792.4A (CN, pending)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108717507A (en) * 2018-04-20 2018-10-30 烽火通信科技股份有限公司 A kind of management method and system of Android application programs permission
CN108984315A (en) * 2018-06-14 2018-12-11 深圳市轱辘汽车维修技术有限公司 Application data processing method, device, terminal and readable medium
CN110149367A (en) * 2019-04-17 2019-08-20 平安科技(深圳)有限公司 Judge calling interface request whether normal method, apparatus and computer equipment
CN110287686A (en) * 2019-06-24 2019-09-27 深圳市同泰怡信息技术有限公司 A kind of the clean boot right management method and equipment of basic input output system
CN111800426A (en) * 2020-07-07 2020-10-20 腾讯科技(深圳)有限公司 Method, device, equipment and medium for accessing native code interface in application program
CN111914293A (en) * 2020-07-31 2020-11-10 平安科技(深圳)有限公司 Data access authority verification method and device, computer equipment and storage medium
CN112099964A (en) * 2019-06-18 2020-12-18 北京思源政通科技集团有限公司 Interface calling method and device, storage medium and electronic device
CN112131590A (en) * 2020-09-28 2020-12-25 平安国际智慧城市科技股份有限公司 Database connection establishing method and device, computer equipment and storage medium
WO2021007142A1 (en) 2019-07-05 2021-01-14 Visa International Service Association System, method, and computer program product for third-party authorization
CN112367302A (en) * 2020-10-20 2021-02-12 北京空间飞行器总体设计部 Identity authentication method and system suitable for chrome browser
CN113612744A (en) * 2021-07-23 2021-11-05 天津中新智冠信息技术有限公司 Remote authorization system and method
CN116432190A (en) * 2023-06-15 2023-07-14 杭州美创科技股份有限公司 Method and device for detecting unauthorized access of interface, computer equipment and storage medium
CN117331964A (en) * 2023-12-01 2024-01-02 成都明途科技有限公司 Data query method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780176A (en) * 2015-04-28 2015-07-15 中国科学院微电子研究所 Method and system for safely calling representational state transition application programming interface
CN105306534A (en) * 2015-09-21 2016-02-03 拉扎斯网络科技(上海)有限公司 Information verification method based on open platform and open platform
CN105376216A (en) * 2015-10-12 2016-03-02 华为技术有限公司 Remote access method, agent server and client end
CN105530253A (en) * 2015-12-17 2016-04-27 河南大学 Wireless sensor network access authentication method based on CA certificate and under Restful architecture
CN105634743A (en) * 2015-12-30 2016-06-01 中国银联股份有限公司 Authentication method used for open interface calling

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780176A (en) * 2015-04-28 2015-07-15 中国科学院微电子研究所 Method and system for safely calling representational state transition application programming interface
CN105306534A (en) * 2015-09-21 2016-02-03 拉扎斯网络科技(上海)有限公司 Information verification method based on open platform and open platform
CN105376216A (en) * 2015-10-12 2016-03-02 华为技术有限公司 Remote access method, agent server and client end
CN105530253A (en) * 2015-12-17 2016-04-27 河南大学 Wireless sensor network access authentication method based on CA certificate and under Restful architecture
CN105634743A (en) * 2015-12-30 2016-06-01 中国银联股份有限公司 Authentication method used for open interface calling

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108717507A (en) * 2018-04-20 2018-10-30 烽火通信科技股份有限公司 A kind of management method and system of Android application programs permission
CN108984315A (en) * 2018-06-14 2018-12-11 深圳市轱辘汽车维修技术有限公司 Application data processing method, device, terminal and readable medium
CN108984315B (en) * 2018-06-14 2022-04-15 深圳市轱辘车联数据技术有限公司 Application data processing method and device, terminal and readable medium
CN110149367A (en) * 2019-04-17 2019-08-20 平安科技(深圳)有限公司 Judge calling interface request whether normal method, apparatus and computer equipment
CN112099964A (en) * 2019-06-18 2020-12-18 北京思源政通科技集团有限公司 Interface calling method and device, storage medium and electronic device
CN110287686B (en) * 2019-06-24 2021-06-15 深圳市同泰怡信息技术有限公司 Safe starting authority management method and equipment for basic input output system
CN110287686A (en) * 2019-06-24 2019-09-27 深圳市同泰怡信息技术有限公司 A kind of the clean boot right management method and equipment of basic input output system
EP3994593A4 (en) * 2019-07-05 2022-08-17 Visa International Service Association System, method, and computer program product for third-party authorization
WO2021007142A1 (en) 2019-07-05 2021-01-14 Visa International Service Association System, method, and computer program product for third-party authorization
CN111800426A (en) * 2020-07-07 2020-10-20 腾讯科技(深圳)有限公司 Method, device, equipment and medium for accessing native code interface in application program
CN111914293A (en) * 2020-07-31 2020-11-10 平安科技(深圳)有限公司 Data access authority verification method and device, computer equipment and storage medium
CN111914293B (en) * 2020-07-31 2024-05-24 平安科技(深圳)有限公司 Data access right verification method and device, computer equipment and storage medium
CN112131590A (en) * 2020-09-28 2020-12-25 平安国际智慧城市科技股份有限公司 Database connection establishing method and device, computer equipment and storage medium
CN112367302A (en) * 2020-10-20 2021-02-12 北京空间飞行器总体设计部 Identity authentication method and system suitable for chrome browser
CN112367302B (en) * 2020-10-20 2023-07-18 北京空间飞行器总体设计部 Identity authentication method and system suitable for chrome browser
CN113612744A (en) * 2021-07-23 2021-11-05 天津中新智冠信息技术有限公司 Remote authorization system and method
CN113612744B (en) * 2021-07-23 2023-09-22 天津中新智冠信息技术有限公司 Remote authorization system and method
CN116432190A (en) * 2023-06-15 2023-07-14 杭州美创科技股份有限公司 Method and device for detecting unauthorized access of interface, computer equipment and storage medium
CN116432190B (en) * 2023-06-15 2023-09-08 杭州美创科技股份有限公司 Method and device for detecting unauthorized access of interface, computer equipment and storage medium
CN117331964A (en) * 2023-12-01 2024-01-02 成都明途科技有限公司 Data query method, device, equipment and storage medium
CN117331964B (en) * 2023-12-01 2024-02-27 成都明途科技有限公司 Data query method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN107918731A (en) Method and apparatus for controlling the authority to access to open interface
EP2304636B1 (en) Mobile device assisted secure computer network communications
CN105007279B (en) Authentication method and authentication system
JP4866863B2 (en) Security code generation method and user device
WO2019079356A1 (en) Authentication token with client key
CN106533665B (en) Methods, systems and devices for storing website private key plaintext
CN106487765B (en) Authorized access method and device using the same
WO2021184755A1 (en) Application access method and apparatus, and electronic device and storage medium
US20070240226A1 (en) Method and apparatus for user centric private data management
CN107810617A (en) Secret certification and supply
CN108347419A (en) Data transmission method and device
CN108322416B (en) Security authentication implementation method, device and system
US8397281B2 (en) Service assisted secret provisioning
CN106464496A (en) Method and system for creating a certificate to authenticate a user identity
CN107248984A (en) Data exchange system, method and apparatus
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN111131416A (en) Business service providing method and device, storage medium and electronic device
KR101879758B1 (en) Method for Generating User Digital Certificate for Individual User Terminal and for Authenticating Using the Same Digital Certificate
CN111130799B (en) Method and system for HTTPS protocol transmission based on TEE
CN110868291A (en) Data encryption transmission method, device, system and storage medium
CN109379345B (en) Sensitive information transmission method and system
CN102404337A (en) Data encryption method and device
CN110049032A (en) Data content encryption method and device with two-way authentication
CN107154916A (en) Authentication information acquisition method, provision method and device
CN104901967A (en) Registration method for trusted device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180417