CN108600264B - Encryption and decryption method applied to credit authorization and credit authorization system - Google Patents


Info

Publication number
CN108600264B
Authority
CN
China
Prior art keywords
parameter
authentication
key token
parameters
service
Prior art date
Legal status
Active
Application number
CN201810437742.9A
Other languages
Chinese (zh)
Other versions
CN108600264A (en)
Inventor
柳长庆
曾明
高原
孙强
代红
Current Assignee
Julong Co Ltd
Original Assignee
Julong Co Ltd
Priority date
Filing date
Publication date
Application filed by Julong Co Ltd
Priority to CN201810437742.9A
Publication of CN108600264A
Application granted
Publication of CN108600264B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 ... wherein the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
    • H04L63/08 ... for authentication of entities
    • H04L63/083 ... for authentication of entities using passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 ... involving a third party or a trusted authority
    • H04L9/3213 ... involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3297 ... involving time stamps, e.g. generation of time stamps

Abstract

The invention discloses an encryption and decryption method applied to credit authorization, and a credit authorization system. The method comprises the following steps: S1, the trust client (the credit authorization client) sends an interface request to a service client; S2, a parameter interceptor is triggered; S3, the parameter interceptor obtains the service number parameter corresponding to the trust client; S4, a key token parameter is obtained; S5, the service client receives the interface request parameters; S6, a pre-filter is triggered according to an authentication annotation statement; and S7, it is judged whether the authentication result passes trust service authentication. The credit authorization system comprises a trust client, a parameter interceptor, a service client, a pre-filter and a trust service authentication unit. The invention gives credit authorization a higher level of security.

Description

Encryption and decryption method applied to credit authorization and credit authorization system
Technical Field
The invention relates to encryption algorithms, and in particular to an encryption and decryption method applied to credit authorization and to a credit authorization system.
Background
At present, with the deepening development of "Internet Plus", software systems have penetrated many scenarios across industries, and the connections between different systems are becoming ever tighter. With the emergence of cloud platforms, composite systems, single sign-on services and the like, communication between systems on the same platform and across platforms is becoming more frequent, and the requirements on the security and reliability of that communication are rising accordingly. "Servitization" means that the original monolithic software system is split into different functional components, which communicate with one another through contractual dependencies between services to form a complete application. Services under a unified platform can communicate with each other, and can also communicate with untrusted services outside the platform, such as browser clients, Android clients, Apple (iOS) clients, desktop clients and the like. In any communication mode, however, the security and reliability of a request must be ensured before the request is executed.
For the cross-platform unified authentication requirement, the prior art generally uses a single sign-on solution, in which the authentication system needs an authentication server that is an independently deployed browser application. The server side is mainly responsible for authenticating the user: it interacts with the database and, once authentication is complete, jumps to the corresponding requested page by redirection. The authentication client is deployed together with the system client and protects resources by filtering. For each request for a protected resource, the client checks whether the request parameters contain user credentials; if not, client-side or server-side authentication is carried out. In practical scenarios, single sign-on needs to be combined with an access control framework such as Apache Shiro (a Java security framework). The security framework caches the user's authentication information in the user session, which means the client must store user state in a cache. The client security framework uses the cached information to authenticate requests, and also provides a set of declarative interfaces through which interfaces can be annotated with permission-check descriptions; interceptors perform the permission check, and the interface is accessed only after the check passes.
In summary, cross-platform unified authentication requires an independently deployed authentication server, which has drawbacks for cross-region distributed deployment: the deployment mode of the authentication server is fixed, the network constraints are strong, and load balancing or distributed schemes are complex. At the same time, the encryption algorithm of existing trust authentication systems is of low security and easy to replicate, which is disadvantageous for both the trust client and the client server.
Disclosure of Invention
In view of the disadvantages of existing cross-platform unified authentication technology, the invention provides an encryption and decryption method applied to trust authentication, so as to effectively solve the technical problems described in the background.
An encryption and decryption method applied to credit authorization comprises the following steps:
S1, the trust client sends an interface request to the service client;
S2, the interface request parameters are parsed from the received interface request and a parameter interceptor is triggered. The interface request parameters identify the interface call parameters of the interface the trust client wants to request; the parameter interceptor automatically packages encrypted authentication parameters into the data dictionary data structure of the interface request parameters to be sent, and the encrypted authentication parameters comprise at least a key token parameter;
S3, the parameter interceptor obtains the service number parameter corresponding to the trust client and packages the interface request parameters into the corresponding data dictionary data structure;
S4, the key token parameter is obtained, the service number parameter and the obtained key token parameter are added to the data dictionary data structure of the interface request parameters, and the interface request parameters are then sent. The key token parameter is obtained by encrypting the service number parameter with a parameter ciphertext, and the parameter ciphertext is derived from a dynamic parameter dictionary preset by the trust client;
S5, the service client receives the interface request parameters;
S6, a pre-filter is triggered according to an authentication annotation statement, which performs filtering authentication on the request parameters in the interface request. The authentication annotation statement determines the filtering authentication algorithm the pre-filter needs to execute, based on the annotation authentication tag corresponding to the requested interface; the annotation authentication tag has several tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface corresponds to an annotation authentication tag with a certain attribute. The pre-filter extracts the key token parameter from the interface request parameters, authenticates it according to a set automatic authentication mechanism, and gives an authentication result;
and S7, it is judged whether the authentication result passes trust service authentication; if so, the interface is executed and its result returned, otherwise an authentication failure exception is thrown. Trust service authentication decrypts the key token parameter and, after successful decryption, judges whether the service number parameter extracted from the key token parameter exists in a preset local registry.
In step S4, the key token parameter is obtained as follows:
S41: taking the dynamic parameter dictionary preset by the trust client as the initialization parameter, obtain an ordered parameter dictionary;
S42: convert the ordered parameter dictionary to a string to obtain a parameter string;
S43: asymmetrically encrypt the parameter string to obtain a parameter ciphertext;
S44: symmetrically encrypt the service number parameter using the parameter ciphertext as an auxiliary parameter to obtain an encrypted key token byte array;
S45: transcode the key token byte array to obtain the key token parameter.
The key token parameter is decrypted in step S7 as follows:
S71: taking the dynamic parameter dictionary preset by the trust client as the initialization parameter, obtain the ordered parameter dictionary;
S72: convert the ordered parameter dictionary to a string to obtain a parameter string;
S73: asymmetrically encrypt the parameter string to obtain a parameter ciphertext;
S74: convert the parameter ciphertext to a byte array to obtain a parameter ciphertext byte array;
S75: decode the key token parameter to obtain a key token byte array;
S76: decrypt the key token byte array with the parameter ciphertext byte array by a symmetric algorithm to obtain a service number byte array;
S77: convert the service number byte array to a string to obtain the service number.
A trust authentication system comprises:
a trust client, used to parse the interface request parameters from the interface request and to trigger the parameter interceptor when the interface request is sent, where the interface request parameters identify the interface call parameters of the interface the trust client requires;
a parameter interceptor, used to obtain the key token parameter, add the service number parameter and the obtained key token parameter to the data dictionary data structure of the interface request parameters, and then send the interface request parameters; the key token parameter is obtained by encrypting the service number parameter with a parameter ciphertext, and the parameter ciphertext is derived from a dynamic parameter dictionary preset by the trust client;
a service client, used to receive the interface request parameters and execute the interface request;
a pre-filter, used to perform filtering authentication on the request parameters in the interface request when triggered according to an authentication annotation statement; that is, the authentication annotation statement determines the filtering authentication algorithm the pre-filter needs to execute, based on the annotation authentication tag corresponding to the requested interface, the annotation authentication tag has several tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface corresponds to an annotation authentication tag with a certain attribute; the pre-filter is also used to extract the key token parameter from the interface request parameters, authenticate it according to a set automatic authentication mechanism, and give an authentication result;
and a trust service authentication unit, used to decrypt the key token parameter, judge after successful decryption whether the service number parameter extracted from the key token parameter exists in a preset local registry, and allow the service client to execute if it does.
The parameter interceptor comprises a first parameter obtaining unit for obtaining the key token parameter, which comprises:
a first parameter initialization module, used to take the dynamic parameter dictionary preset by the trust client as the initialization parameter and obtain an ordered parameter dictionary;
a first string conversion module, used to convert the ordered parameter dictionary to a string to obtain a parameter string;
a first encryption module, used to asymmetrically encrypt the parameter string to obtain a parameter ciphertext;
a second encryption module, used to symmetrically encrypt the service number parameter using the parameter ciphertext as an auxiliary parameter to obtain an encrypted key token byte array;
and a transcoding module, used to transcode the key token byte array to obtain the key token parameter.
The parameter interceptor further comprises a first data appending unit for adding the service number parameter and the key token parameter obtained by the first parameter obtaining unit to the data dictionary data structure of the interface request parameters.
The trust service authentication unit comprises a first service number obtaining unit for obtaining the service number parameter from the key token parameter, which comprises:
a second parameter initialization module, used to take the dynamic parameter dictionary preset by the trust client as the initialization parameter and obtain an ordered parameter dictionary;
a second string conversion module, used to convert the ordered parameter dictionary to a string to obtain a parameter string;
a third encryption module, used to asymmetrically encrypt the parameter string to obtain a parameter ciphertext;
a first byte array conversion module, used to convert the parameter ciphertext to a byte array to obtain a parameter ciphertext byte array;
a first decoding module, used to decode the key token parameter to obtain a key token byte array;
a first decryption module, used to decrypt the key token byte array with the parameter ciphertext byte array by a symmetric algorithm to obtain a service number byte array;
and a third string conversion module, used to convert the service number byte array to a string to obtain the service number.
The trust service authentication unit further comprises a first judgment unit for judging whether the service number parameter extracted from the key token parameter exists in the preset local registry.
In the face of the open Internet, the token encryption algorithm of the trust client designed in this technical solution uses hybrid encryption combining a symmetric and an asymmetric algorithm, ciphertext obfuscation, and the like. Moreover, because the request parameters and a random timestamp are used as mandatory encryption inputs, the ciphertext is dynamic and random, unreadable, not fully reversible, cannot be copied, and is of higher security. It is therefore impossible to initiate a malicious illegal request by intercepting the ciphertext of a valid request and modifying the request parameters, since such a request does not pass the security authentication mechanism. The encryption and decryption method and the credit authentication system applied to credit authentication thus make credit authentication more secure.
For these reasons, the invention can be widely applied in the credit field.
Drawings
To illustrate the embodiments of the invention or the prior-art technical solutions more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention, and a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a trust authentication system according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of a parameter interceptor according to an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a first parameter obtaining unit according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a trust service authentication unit in the embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a first service number obtaining unit according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, but not all, embodiments of the invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the invention.
Example 1
An encryption and decryption method applied to credit authorization comprises the following steps:
S1, the trust client sends an interface request to the service client;
S2, the interface request parameters are parsed from the received interface request and a parameter interceptor is triggered. The interface request parameters identify the interface call parameters of the interface the trust client wants to request; the parameter interceptor automatically packages encrypted authentication parameters into the data dictionary data structure of the interface request parameters to be sent, and the encrypted authentication parameters comprise at least a key token parameter;
S3, the parameter interceptor obtains the service number parameter corresponding to the trust client and packages the interface request parameters into the corresponding data dictionary data structure;
S4, the key token parameter is obtained, the service number parameter and the obtained key token parameter are added to the data dictionary data structure of the interface request parameters, and the interface request parameters are then sent. The key token parameter is obtained by encrypting the service number parameter with a parameter ciphertext, and the parameter ciphertext is derived from a dynamic parameter dictionary preset by the trust client;
the key token parameter is obtained as follows:
S41: taking the dynamic parameter dictionary preset by the trust client as the initialization parameter, obtain an ordered parameter dictionary;
S42: convert the ordered parameter dictionary to a string, preferably a JSON-format string, to obtain a parameter string, and delete all "[" and "]" characters from the parameter string;
S43: asymmetrically encrypt the parameter string, preferably with the SHA-1 algorithm, to obtain a parameter ciphertext;
S44: symmetrically encrypt the service number parameter using the parameter ciphertext as an auxiliary parameter, preferably with the AES algorithm, to obtain an encrypted key token byte array;
S45: transcode the key token byte array, preferably with Base64, to obtain the key token parameter.
S5, the service client receives the interface request parameters;
S6, a pre-filter is triggered according to an authentication annotation statement, which performs filtering authentication on the request parameters in the interface request. The authentication annotation statement determines the filtering authentication algorithm the pre-filter needs to execute, based on the annotation authentication tag corresponding to the requested interface; the annotation authentication tag has several tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface corresponds to an annotation authentication tag with a certain attribute. The pre-filter extracts the key token parameter from the interface request parameters, authenticates it according to a set automatic authentication mechanism, and gives an authentication result. The automatic authentication mechanism judges whether the key token parameter is empty: if it is, an exception is thrown and authentication fails; if not, authentication succeeds and an authentication result is given;
and S7, it is judged whether the authentication result passes trust service authentication; if so, the interface is executed and its result returned, otherwise an authentication failure exception is thrown. Trust service authentication decrypts the key token parameter and, after successful decryption, judges whether the service number parameter extracted from the key token parameter exists in a preset local registry.
The key token parameter is decrypted as follows:
S71: taking the dynamic parameter dictionary preset by the trust client as the initialization parameter, obtain the ordered parameter dictionary;
S72: convert the ordered parameter dictionary to a string, preferably a JSON-format string, to obtain a parameter string;
S73: asymmetrically encrypt the parameter string, preferably with the SHA-1 algorithm, to obtain a parameter ciphertext;
S74: convert the parameter ciphertext to a byte array to obtain a parameter ciphertext byte array;
S75: decode the key token parameter, preferably with Base64, to obtain a key token byte array;
S76: decrypt the key token byte array with the parameter ciphertext byte array by a symmetric algorithm to obtain a service number byte array;
S77: convert the service number byte array to a string to obtain the service number.
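The token construction of S41-S45 and its reverse path S71-S77 (given once in the disclosure and again with the JSON/SHA-1/AES/Base64 preferences in Example 1), as an added Go example that is not code from the patent or from Julong: both sides derive the same key from the dynamic parameter dictionary, the trust client builds the key token, and the trust service decrypts it and checks the recovered service number against the local registry, with the S6 empty-token check in front. Assumptions not stated on the page: the page calls the SHA-1 step "asymmetric encryption", but SHA-1 is a hash function, so the parameter ciphertext here is its hex digest; the first 16 bytes of that digest serve as the AES-128 key; the AES mode is GCM with a random nonce prepended, so a modified or foreign token fails decryption cleanly rather than yielding garbage; and the parameter names keyToken and serviceNumber, the registry contents and the sample dictionary are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// DynamicParams is the dynamic parameter dictionary preset by the trust
// client (S41): the request parameters plus a random timestamp.
type DynamicParams map[string]string

// paramCiphertext performs S41-S43 / S71-S73. encoding/json sorts map keys, so
// both sides get the same ordered parameter dictionary; every "[" and "]" is
// removed from the JSON string, which is then hashed. The page calls this step
// "asymmetric encryption with SHA-1"; SHA-1 is a hash, so the "parameter
// ciphertext" is the hex SHA-1 digest of the parameter string.
func paramCiphertext(p DynamicParams) string {
	b, _ := json.Marshal(p) // marshalling a map[string]string cannot fail
	s := strings.NewReplacer("[", "", "]", "").Replace(string(b))
	sum := sha1.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// gcmFor performs S74 (byte-array conversion of the parameter ciphertext) and
// builds the symmetric cipher. Assumption: the page does not say how the hex
// string becomes an AES key or which AES mode is used; here the first 16 digest
// bytes are the AES-128 key and the mode is GCM, so a tampered token fails
// authentication instead of decrypting to garbage.
func gcmFor(p DynamicParams) (cipher.AEAD, error) {
	raw, err := hex.DecodeString(paramCiphertext(p))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(raw[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeKeyToken performs S44-S45 on the trust client: AES-encrypt the service
// number under the derived key (random nonce prepended), then Base64-encode.
func MakeKeyToken(p DynamicParams, serviceNumber string) (string, error) {
	gcm, err := gcmFor(p)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(serviceNumber), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptKeyToken performs S75-S77 on the trust service: Base64-decode the
// token and AES-decrypt it back to the service number string.
func decryptKeyToken(p DynamicParams, token string) (string, error) {
	gcm, err := gcmFor(p)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", fmt.Errorf("key token decode: %w", err)
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("key token too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("key token decryption failed: %w", err)
	}
	return string(plain), nil
}

// TrustServiceAuthenticate covers the automatic authentication mechanism of S6
// (an empty key token fails before any decryption) and S7 (decrypt, then accept
// only a service number that exists in the preset local registry).
func TrustServiceAuthenticate(p DynamicParams, request map[string]string, registry map[string]bool) (string, error) {
	if request["keyToken"] == "" {
		return "", errors.New("authentication failed: key token parameter is empty")
	}
	svc, err := decryptKeyToken(p, request["keyToken"])
	if err != nil {
		return "", err
	}
	if !registry[svc] {
		return "", fmt.Errorf("authentication failed: service number %q is not registered", svc)
	}
	return svc, nil
}
```

Because the key is derived from the request's own dynamic dictionary, a token captured from one request does not decrypt under a request with different parameters or timestamp, which is the "dynamic random" property the page claims for the ciphertext.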
Example 2
As shown in Figs. 1 to 5, a trust authentication system comprises:
a trust client, used to parse the interface request parameters from the interface request and to trigger the parameter interceptor when the interface request is sent, where the interface request parameters identify the interface call parameters of the interface the trust client requires;
a parameter interceptor, used to obtain the key token parameter, add the service number parameter and the obtained key token parameter to the data dictionary data structure of the interface request parameters, and then send the interface request parameters; the key token parameter is obtained by encrypting the service number parameter with a parameter ciphertext, and the parameter ciphertext is derived from a dynamic parameter dictionary preset by the trust client;
a service client, used to receive the interface request parameters and execute the interface request;
a pre-filter, used to perform filtering authentication on the request parameters in the interface request when triggered according to an authentication annotation statement; that is, the authentication annotation statement determines the filtering authentication algorithm the pre-filter needs to execute, based on the annotation authentication tag corresponding to the requested interface, the annotation authentication tag has several tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface corresponds to an annotation authentication tag with a certain attribute; the pre-filter is also used to extract the key token parameter from the interface request parameters, authenticate it according to a set automatic authentication mechanism, and give an authentication result;
and a trust service authentication unit, used to decrypt the key token parameter, judge after successful decryption whether the service number parameter extracted from the key token parameter exists in a preset local registry, and allow the service client to execute if it does.
The parameter interceptor includes a first parameter obtaining unit for obtaining the key token parameter, which comprises:
a first parameter initialization module, configured to take the dynamic parameter dictionary preset by the credit client as the initialization parameter and obtain an ordered parameter dictionary;
a first string conversion module, configured to convert the ordered parameter dictionary into a parameter string, preferably by JSON-format string conversion, and to delete all "[" and "]" characters from the parameter string;
a first encryption module, configured to asymmetrically encrypt the parameter string to obtain a parameter ciphertext, the preferred algorithm for this step being SHA-1;
a second encryption module, configured to symmetrically encrypt the service number parameter using the parameter ciphertext as the auxiliary parameter to obtain an encrypted key token byte array, preferably with the AES algorithm;
a transcoding module, configured to transcode the key token byte array to obtain the key token parameter, preferably by Base64 encoding.
The parameter interceptor further comprises a first data appending unit for adding the service number parameter and the key token parameter acquired by the first parameter obtaining unit to the data dictionary data structure of the interface request parameters.
The credit service authentication unit comprises a first service number obtaining unit for obtaining the service number parameter from the key token parameter, which comprises:
a second parameter initialization module, configured to take the dynamic parameter dictionary preset by the credit client as the initialization parameter and obtain an ordered parameter dictionary;
a second string conversion module, configured to convert the ordered parameter dictionary into a parameter string, preferably by JSON-format string conversion;
a third encryption module, configured to asymmetrically encrypt the parameter string to obtain a parameter ciphertext, the preferred algorithm for this step being SHA-1;
a first byte array conversion module, configured to convert the parameter ciphertext into a parameter ciphertext byte array;
a first decoding module, configured to decode the key token parameter to obtain a key token byte array, preferably by Base64 decoding;
a first decryption module, configured to decrypt the key token byte array with a symmetric algorithm using the parameter ciphertext byte array, to obtain a service number byte array;
and a third string conversion module, configured to convert the service number byte array into a string to obtain the service number.
The credit service authentication unit further comprises a first judgment unit for judging whether the service number parameter extracted from the key token parameter exists in the preset local registry.
In the face of the open Internet, the token encryption algorithm of the credit client designed in this technical scheme uses a hybrid of a symmetric encryption algorithm and an asymmetric encryption algorithm together with ciphertext obfuscation. Because the request parameters and a random timestamp are mandatory encryption inputs, the ciphertext is dynamic and random, unreadable, not completely reversible and cannot be copied, giving higher security. Therefore a malicious illegal request cannot be initiated by intercepting the ciphertext of a valid request and modifying the request parameters, since it will not pass the security authentication mechanism. The encryption and decryption method and the credit authentication system applied to credit authorization thus make credit authentication more secure.
Example 3
Example 3 is a further explanation of the filtering authentication algorithm in Examples 1 and 2:
The annotation authentication tag referred to in step S6 of Embodiment 1 and in the pre-filter of Embodiment 2 is defined with the following attributes according to the interface authentication requirements, including but not limited to: a credit service authentication tag, a guest authentication tag, a signed-in authentication tag, a role authentication tag, and a permission authentication tag.
Before the credit client sends an interface request to the server-side receiving end, it further constructs a user state data structure matching the server-side receiving end. The user state data structure provides the user state information required by the filtering authentication process and is integrated into one data packet together with the request parameters of the interface request sent to the server-side receiving end; the request parameters carry the authentication key and the service key used for server-side authentication. The user state information comprises at least a user authority certificate, basic user information and authority data, where the user authority certificate is used to obtain the unique user login state identifier, that is, the key of the user state information under stateless session conditions, and the authority data comprises role encoding data and resource authority encoding data.
The filtering authentication algorithm corresponding to the credit service authentication tag comprises the following steps:
(101) acquiring the authentication key from the request parameters and judging whether it is empty; if so, throwing an authentication failure exception, otherwise proceeding to the next step;
(102) acquiring the corresponding service code instance from the set interface parameter dictionary and deleting the attribute information of the authentication key;
(103) decrypting the authentication key with the token decryption algorithm of the credit service end to obtain the decrypted service code of the client;
(104) judging whether the service code is empty; if so, throwing an authentication failure exception, otherwise proceeding to the next step;
(105) judging whether the service code exists in the set local credit authorization service registry; if not, throwing an authentication failure exception;
(106) determining the attribute of the annotation authentication tag corresponding to the requested interface, namely the array of allowed service codes;
(107) if the length of the service code array is 0, determining that any credit service passes authentication;
(108) otherwise iterating over the service code array of step (106) and judging whether a value identical to the client's service code from step (103) exists; if so, confirming that authentication passes, otherwise throwing an authentication failure exception.
The annotation tag attributes also include a custom authentication tag.
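The following Go program is an added worked example, not code from the patent: it carries the key token construction of steps S41-S45 and its server-side reversal S71-S77 (the first parameter obtaining unit and first service number obtaining unit of Example 2) through to the credit service filtering authentication of steps (101)-(108). Assumptions not stated in the patent: the parameter dictionary, service numbers and local registry are constructed sample values, the SHA-1 digest (the patent's preferred algorithm for the "asymmetric encryption" step, which is in fact a hash) is truncated to an AES-128 key, AES-GCM is the symmetric mode, and both sides apply the same "[" / "]" deletion so that they derive the identical key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample data: the dynamic parameter dictionary and the step (105) local service registry.
var dynamicParams = map[string]string{"timestamp": "20180509120000", "userId": "u-1001", "op": "query"}
var localRegistry = map[string]bool{"SVC-A01": true, "SVC-B02": true}

// S41-S43 / S71-S73: json.Marshal emits map keys sorted (the ordered dictionary); "[" and "]" are
// stripped and the string hashed with SHA-1, the patent's preferred "asymmetric encryption" (a hash).
func parameterCiphertext(params map[string]string) []byte {
	raw, _ := json.Marshal(params) // deterministic for map[string]string
	sum := sha1.Sum([]byte(strings.NewReplacer("[", "", "]", "").Replace(string(raw))))
	return sum[:16] // assumption: the first 16 digest bytes serve as the AES-128 key
}

// AES keyed by the parameter ciphertext; the patent names AES but no mode, so AES-GCM with a
// random nonce prepended to the token is this example's choice (its tag detects tampering).
func newAEAD(params map[string]string) cipher.AEAD {
	block, _ := aes.NewCipher(parameterCiphertext(params)) // a 16-byte key never errors
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// S44-S45 (client): symmetric encryption of the service number, then Base64 transcoding.
func BuildKeyToken(params map[string]string, serviceNo string) (string, error) {
	gcm := newAEAD(params)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(serviceNo), nil)), nil
}

// S74-S77 (server): rebuild the key from the same dictionary, Base64-decode, AES-decrypt.
func DecryptKeyToken(params map[string]string, token string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(token)
	gcm := newAEAD(params)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed key token")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("key token altered or parameter dictionary mismatch")
	}
	return string(pt), nil
}

// Steps (101)-(108) of Example 3; allowed is the annotation tag's service-code array.
func AuthenticateCreditService(params map[string]string, token string, allowed []string) error {
	svc, err := DecryptKeyToken(params, token) // (103)
	if token == "" || err != nil || svc == "" { // (101), (104)
		return fmt.Errorf("authentication failure: missing or undecryptable authentication key")
	}
	if !localRegistry[svc] { // (105)
		return fmt.Errorf("authentication failure: service %q not registered", svc)
	}
	ok := len(allowed) == 0 // (107): an empty array admits any registered credit service
	for _, a := range allowed { // (108)
		ok = ok || a == svc
	}
	if !ok {
		return fmt.Errorf("authentication failure: service %q not allowed on this interface", svc)
	}
	return nil
}

func main() {
	tok, _ := BuildKeyToken(dynamicParams, "SVC-A01")
	fmt.Println(tok, AuthenticateCreditService(dynamicParams, tok, []string{"SVC-B02"}))
}
```

A token built under one parameter dictionary fails to open under any other, which is the mechanism behind the page's claim that intercepting a valid ciphertext and changing the request parameters does not yield a request that passes authentication.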
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. An encryption and decryption method applied to credit authorization, characterized by comprising the following steps:
S1, sending an interface request to the service client through the credit client;
S2, parsing the interface request parameters from the received interface request and triggering a parameter interceptor, wherein the interface request parameters identify the interface calling parameters corresponding to the interface to be requested by the credit client, the parameter interceptor is used for automatically packaging encryption authentication parameters into the data dictionary data structure of the interface request parameters to be sent, and the encryption authentication parameters comprise at least a key token parameter;
S3, acquiring the service number parameter corresponding to the credit client through the parameter interceptor, and packaging the interface request parameters into the corresponding data dictionary data structure;
S4, obtaining the key token parameter, adding the service number parameter and the obtained key token parameter to the data dictionary data structure of the interface request parameters, and then sending the interface request parameters, wherein the key token parameter is obtained by encrypting the service number parameter with a parameter ciphertext, and the parameter ciphertext is derived from a dynamic parameter dictionary preset by the credit client;
S5, receiving the interface request parameters through the service client;
S6, triggering a pre-filter according to an authentication annotation statement, wherein the pre-filter carries out filtering authentication on the request parameters in the interface request, the authentication annotation statement determines the filtering authentication algorithm to be executed by the pre-filter from the annotation authentication tag corresponding to the requested interface, the annotation authentication tag has a plurality of tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface corresponds to an annotation authentication tag of a certain attribute; the pre-filter is used for extracting the key token parameter from the interface request parameters, authenticating it according to the set automatic authentication mechanism, and giving an authentication result;
and S7, judging whether the authentication result passes credit service authentication; if so, executing the interface and returning the result, otherwise throwing an authentication failure exception; wherein the credit service authentication decrypts the key token parameter and, after successful decryption, judges whether the service number parameter extracted from the key token parameter exists in a preset local registry.
2. The encryption and decryption method applied to credit authorization according to claim 1, wherein in step S4 the key token parameter is obtained by the following steps:
S41: taking the dynamic parameter dictionary preset by the credit client as the initialization parameter, and obtaining an ordered parameter dictionary;
S42: converting the ordered parameter dictionary into a parameter string;
S43: asymmetrically encrypting the parameter string to obtain a parameter ciphertext;
S44: symmetrically encrypting the service number parameter using the parameter ciphertext as the auxiliary parameter to obtain an encrypted key token byte array;
S45: transcoding the key token byte array to obtain the key token parameter.
3. The encryption and decryption method applied to credit authorization according to claim 1 or 2, wherein the key token parameter is decrypted in step S7 by the following steps:
S71, taking the dynamic parameter dictionary preset by the credit client as the initialization parameter, and obtaining an ordered parameter dictionary;
S72, converting the ordered parameter dictionary into a parameter string;
S73, asymmetrically encrypting the parameter string to obtain a parameter ciphertext;
S74, converting the parameter ciphertext into a parameter ciphertext byte array;
S75, decoding the key token parameter to obtain a key token byte array;
S76, decrypting the key token byte array with a symmetric algorithm using the parameter ciphertext byte array to obtain a service number byte array;
and S77, converting the service number byte array into a string to obtain the service number.
4. A trust authentication system, comprising:
a credit client, used for parsing the interface request parameters from a received interface request and triggering a parameter interceptor when the interface request is sent, the interface request parameters identifying the interface calling parameters corresponding to the interface required by the credit client;
the parameter interceptor, used for acquiring a key token parameter, adding the service number parameter and the acquired key token parameter to the data dictionary data structure of the interface request parameters, and then sending the interface request parameters; the key token parameter is obtained by encrypting the service number parameter with a parameter ciphertext, and the parameter ciphertext is derived from a dynamic parameter dictionary preset by the credit client;
a service client, used for receiving the interface request parameters and executing the requested interface;
a pre-filter, used for carrying out filtering authentication on the request parameters in the interface request when triggered by an authentication annotation statement; the authentication annotation statement determines the filtering authentication algorithm to be executed by the pre-filter from the annotation authentication tag corresponding to the requested interface, the annotation authentication tag has a plurality of tag attributes, each tag attribute corresponds to one filtering authentication algorithm preset in the pre-filter, and each requested interface corresponds to an annotation authentication tag of a certain attribute; the pre-filter is also used for extracting the key token parameter from the interface request parameters, authenticating it according to the set automatic authentication mechanism, and giving an authentication result;
and a credit service authentication unit, used for decrypting the key token parameter, judging after successful decryption whether the service number parameter extracted from the key token parameter exists in a preset local registry, and allowing the service client to execute the interface if it does.
5. The trust authentication system of claim 4, wherein the parameter interceptor includes a first parameter obtaining unit for obtaining the key token parameter, which comprises:
a first parameter initialization module, used for taking the dynamic parameter dictionary preset by the credit client as the initialization parameter and obtaining an ordered parameter dictionary;
a first string conversion module, used for converting the ordered parameter dictionary into a parameter string;
a first encryption module, used for asymmetrically encrypting the parameter string to obtain a parameter ciphertext;
a second encryption module, used for symmetrically encrypting the service number parameter using the parameter ciphertext as the auxiliary parameter to obtain an encrypted key token byte array;
and a transcoding module, used for transcoding the key token byte array to obtain the key token parameter.
6. The trust authentication system of claim 5, wherein the parameter interceptor further comprises a first data appending unit for adding the service number parameter and the key token parameter acquired by the first parameter obtaining unit to the data dictionary data structure of the interface request parameters.
7. The trust authentication system according to claim 4 or 5, wherein the credit service authentication unit comprises a first service number obtaining unit for obtaining the service number parameter from the key token parameter, which comprises:
a second parameter initialization module, used for taking the dynamic parameter dictionary preset by the credit client as the initialization parameter and obtaining an ordered parameter dictionary;
a second string conversion module, used for converting the ordered parameter dictionary into a parameter string;
a third encryption module, used for asymmetrically encrypting the parameter string to obtain a parameter ciphertext;
a first byte array conversion module, used for converting the parameter ciphertext into a parameter ciphertext byte array;
a first decoding module, used for decoding the key token parameter to obtain a key token byte array;
a first decryption module, used for decrypting the key token byte array with a symmetric algorithm using the parameter ciphertext byte array to obtain a service number byte array;
and a third string conversion module, used for converting the service number byte array into a string to obtain the service number.
8. The trust authentication system of claim 7, wherein the credit service authentication unit further comprises a first judgment unit for judging whether the service number parameter extracted from the key token parameter exists in the preset local registry.
CN201810437742.9A 2018-05-09 2018-05-09 Encryption and decryption method applied to credit authorization and credit authorization system Active CN108600264B (en)

Publications (2)

Publication Number Publication Date
CN108600264A CN108600264A (en) 2018-09-28
CN108600264B (en) 2020-10-02
