CN109274650B - Electronic image retrieval management system and method - Google Patents

Publication number: CN109274650B
Application number: CN201811003144.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN109274650A
Inventors: 李伟龙, 罗辉, 刘本熙
Current Assignee: Inspur General Software Co Ltd
Original Assignee: Inspur General Software Co Ltd
Legal status: Active
Prior art keywords: image; subsystem; electronic image; identity authentication; access token

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Abstract

The invention provides a management system and a method for electronic image retrieval. The system comprises at least one service subsystem, an identity authentication center and an image subsystem. The service subsystem is used for acquiring user information and an image identifier input by a user; sending an identity authentication request carrying the user information and the system identifier to the identity authentication center; receiving an access token sent by the identity authentication center when the identity authentication request passes the verification; sending the access token and the image identifier to the image subsystem, so that the image subsystem sends a corresponding Uniform Resource Locator (URL) after the identity authentication center verifies the access token; and acquiring a corresponding electronic image through the URL received from the image subsystem. The scheme can reduce the maintenance difficulty of the electronic image system.

Description

Electronic image retrieval management system and method
Technical Field
The invention relates to the technical field of computers, in particular to a management system and a method for electronic image retrieval.
Background
With people's growing environmental awareness, the rising requirements of various industries for office models, and the accelerating pace of modernization and informatization, the traditional management of paper document images has been upgraded to electronic image management, and services such as storage and retrieval of electronic images are provided through an electronic image system.
At present, due to the sensitivity of enterprise information, an electronic image system not only provides services for storing and retrieving image data, but also needs to provide a user identity verification service, and after the identity of a user is confirmed to be legal, the related retrieved electronic image is provided for the user.
However, with the continuous development of enterprises, the number of business systems and employees is continuously increased, and the electronic image system simultaneously provides services such as storage, retrieval, identity verification and the like of electronic image data, so that the maintenance difficulty of the electronic image system is increased.
Disclosure of Invention
The embodiment of the invention provides a management system and a management method for electronic image retrieval, which can reduce the maintenance difficulty of an electronic image system.
In a first aspect, an embodiment of the present invention provides a management system for electronic image retrieval, including:
at least one service subsystem, an identity authentication center and an image subsystem;
each service subsystem is used for acquiring user information and an image identifier input by a user, sending an identity authentication request to an identity authentication center, and sending the image identifier and the access token to the image subsystem when receiving an access token sent by the identity authentication center, wherein the identity authentication request carries the user information and a system identifier of the service subsystem; receiving a Uniform Resource Locator (URL) sent by the image subsystem, and calling and displaying the electronic image corresponding to the image identifier through the URL;
the identity authentication center is used for receiving and verifying the identity authentication request sent by any one of the service subsystems, generating the access token corresponding to the identity authentication request when the identity authentication request passes the verification, and sending the access token to the service subsystem sending the identity authentication request; receiving and verifying the access token sent by the image subsystem, and sending a passing authentication to the image subsystem when the received access token passes the authentication;
the image subsystem is used for receiving the image identifier and the access token sent by the service subsystem and sending the access token to the identity authentication center; and when the passing authentication sent by the identity authentication center is received, acquiring the URL corresponding to the electronic image, and sending the URL to the service subsystem.
Preferably,
the image subsystem is further configured to acquire a storage location of the electronic image, acquire the electronic image from the storage location, encrypt the acquired electronic image using a preset key, store the encrypted electronic image to a preset encryption location, and generate a URL corresponding to the encryption location;
the service subsystem is further configured to access the encrypted electronic image through the URL, decrypt the encrypted electronic image through the key, obtain a decrypted electronic image, and display the decrypted electronic image to the user.
Preferably,
the image subsystem is further configured to generate digital watermark information corresponding to the access token, load the digital watermark information into the acquired electronic image, and encrypt the electronic image loaded with the digital watermark information by using a preset key.
Preferably,
the image subsystem is used for sending the URL to the service subsystem by utilizing the Hypertext Transfer Protocol Secure (HTTPS) protocol;
and the service subsystem is used for calling and reading the electronic image through the URL by utilizing the HTTPS protocol and displaying the called and read electronic image to the user.
Preferably,
the identity authentication center is further used for storing the generated access token; and upon receiving the access token sent by the image subsystem, executing:
D0: determining whether the same access token as the access token sent by the image subsystem exists in the stored access tokens, if so, executing D1, otherwise, executing D2;
D1: determining whether the access token sent by the image subsystem is expired, if so, executing D2, otherwise, sending a pass authentication to the image subsystem;
D2: sending an authentication failure to the image subsystem;
the image subsystem is further configured to send the authentication failure to the service subsystem when receiving the authentication failure sent by the identity authentication center, so that the service subsystem displays the authentication failure to the user.
Preferably,
the identity authentication center is further used for pre-storing identity information of at least one user, at least one system identifier corresponding to each identity information and at least one corresponding image identifier; receiving the identity authentication request sent by any one of the service subsystems, and executing:
S0: determining whether identity information identical to the user information carried by the identity authentication request exists in the stored identity information, if so, executing S1, otherwise, executing S3;
S1: determining whether a system identifier identical to the system identifier carried in the identity authentication request exists in each system identifier corresponding to the same identity information, if so, executing S2, otherwise, executing S3;
S2: determining whether an image identifier identical to the image identifier carried in the identity authentication request exists in each image identifier corresponding to the same identity information, if so, executing the generation of the access token corresponding to the identity authentication request, otherwise, executing S3;
S3: sending the unauthorized access to the service subsystem so that the service subsystem displays the unauthorized access to the user.
Preferably,
the image subsystem is further used for setting a retrieval authority and an operation authority corresponding to the URL, monitoring, according to the retrieval authority, the retrieval of the electronic image by the service subsystem through the URL, and preventing the service subsystem from executing the operation corresponding to the operation authority to retrieve the electronic image when the retrieval authority is invalid;
wherein the retrieval authority comprises the access duration and/or the access times of the service subsystem when accessing the electronic image, and the operation authority includes any one or more of viewing authority, downloading authority and modification authority when the service subsystem accesses the electronic image.
In a second aspect, an embodiment of the present invention provides a method for managing electronic image retrieval, including:
acquiring user information and an image identifier input by a user through at least one service subsystem, and sending an identity authentication request to an identity authentication center, wherein the identity authentication request carries the user information and a system identifier of the service subsystem;
receiving and verifying the identity authentication request sent by any one of the service subsystems through the identity authentication center, generating the access token corresponding to the identity authentication request when the identity authentication request passes the verification, and sending the access token to the service subsystem sending the identity authentication request;
when receiving an access token sent by the identity authentication center, the at least one service subsystem sends the image identifier and the access token to the image subsystem;
receiving the image identifier and the access token sent by the service subsystem through the image subsystem, and sending the access token to the identity authentication center;
receiving and verifying the access token sent by the image subsystem through the identity authentication center, and sending a passing authentication to the image subsystem when the received access token passes the authentication;
when receiving passing authentication sent by the identity authentication center, the image subsystem acquires a Uniform Resource Locator (URL) corresponding to the electronic image and sends the URL to the service subsystem;
and receiving a Uniform Resource Locator (URL) sent by the image subsystem through the at least one service subsystem, and calling and displaying the electronic image corresponding to the image identifier through the URL.
Preferably,
the acquiring of the uniform resource locator URL corresponding to the electronic image includes:
acquiring a storage position of the electronic image;
acquiring the electronic image from the storage position;
encrypting the acquired electronic image by using a preset secret key, and storing the encrypted electronic image to a preset encryption position;
generating a URL corresponding to the encrypted location;
the electronic image corresponding to the image identifier is called and displayed through the URL, and the method comprises the following steps:
calling and reading the encrypted electronic image through the URL;
decrypting the encrypted electronic image through the secret key to obtain the decrypted electronic image;
and displaying the decrypted electronic image to the user.
Preferably,
after the acquiring the electronic image from the storage location, before the encrypting the acquired electronic image with the preset key, the method further includes:
generating digital watermark information corresponding to the access token;
loading the digital watermark information into the acquired electronic image;
the encrypting the obtained electronic image by using the preset key comprises the following steps:
and encrypting the electronic image loaded with the digital watermark information by using a preset secret key.
In the embodiment of the invention, when the service subsystem acquires the user information and the image identifier input by the user, it must first send an identity authentication request to the identity authentication center, so that the identity authentication center can verify the identity of the user to determine whether the identity of the user is legal. This not only improves the security of electronic image retrieval, but also, through the identity authentication center, reduces the dependence of the service subsystem on the electronic image system, decouples the service subsystem from the image subsystem and reduces the difficulty of maintaining the image subsystem. If and only if the user identity is legal, the service subsystem receives the access token sent by the identity authentication center; by using the access token and the image identifier input by the user, it can obtain from the image subsystem the URL of the electronic image corresponding to the image identifier, and the electronic image called by the user can be obtained through the URL.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a management system for electronic image retrieval according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of another electronic image retrieval management system according to an embodiment of the present invention;
Fig. 3 is a flowchart of a management method for electronic image retrieval according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a management system for electronic image retrieval, including:
at least one service subsystem 101, an identity authentication center 102 and an image subsystem 103;
each service subsystem 101 is configured to obtain user information and an image identifier input by a user, send an identity authentication request to the identity authentication center 102, and send the image identifier and the access token to the image subsystem 103 when receiving an access token sent by the identity authentication center 102, where the identity authentication request carries the user information and a system identifier of the service subsystem; receiving a Uniform Resource Locator (URL) sent by the image subsystem 103, and calling and displaying an electronic image corresponding to the image identifier through the URL;
the identity authentication center 102 is configured to receive and verify the identity authentication request sent by any one of the service subsystems 101, generate the access token corresponding to the identity authentication request when the identity authentication request passes the verification, and send the access token to the service subsystem 101 that sent the identity authentication request; receiving and verifying the access token sent by the image subsystem 103, and sending a pass authentication to the image subsystem 103 when the received access token passes the authentication;
the image subsystem 103 is configured to receive the image identifier and the access token sent by the service subsystem 101, and send the access token to the identity authentication center 102; and when the passing authentication sent by the identity authentication center 102 is received, acquiring the URL corresponding to the electronic image, and sending the URL to the service subsystem 101.
In the embodiment of the invention, when the service subsystem acquires the user information and the image identifier input by the user, it must first send an identity authentication request to the identity authentication center, so that the identity authentication center can verify the identity of the user to determine whether the identity of the user is legal. This not only improves the security of electronic image retrieval, but also, through the identity authentication center, reduces the dependence of the service subsystem on the electronic image system, decouples the service subsystem from the image subsystem and reduces the difficulty of maintaining the image subsystem. If and only if the user identity is legal, the service subsystem receives the access token sent by the identity authentication center; by using the access token and the image identifier input by the user, it can obtain from the image subsystem the URL of the electronic image corresponding to the image identifier, and the electronic image called by the user can be obtained through the URL.
In an embodiment of the present invention, the image subsystem is further configured to obtain a storage location of the electronic image, obtain the electronic image from the storage location, encrypt the obtained electronic image by using a preset key, store the encrypted electronic image to a preset encryption location, and generate a URL corresponding to the encryption location;
the service subsystem is further configured to access the encrypted electronic image through the URL, decrypt the encrypted electronic image through the key, obtain a decrypted electronic image, and display the decrypted electronic image to the user.
In the embodiment of the invention, when the image subsystem confirms that the access token sent by the service subsystem passes the authentication, it encrypts the electronic image corresponding to the image identifier by using the preset secret key and generates the URL corresponding to the encrypted electronic image. The service subsystem acquires the encrypted electronic image through the URL and decrypts it with the secret key to obtain the decrypted electronic image. A third party who steals the URL is thereby prevented from acquiring the corresponding electronic image, which improves the security of the electronic image.
In an embodiment of the present invention, the image subsystem is further configured to generate digital watermark information corresponding to the access token, load the digital watermark information into the acquired electronic image, and encrypt the electronic image loaded with the digital watermark information by using a preset key.
In the embodiment of the invention, after the access token of the service subsystem is confirmed to pass the verification, the image subsystem needs to generate the digital watermark information, and the digital watermark information is loaded into the electronic image corresponding to the image identifier, so that the electronic image can be prevented from being tampered when being stolen by a third party.
It will be appreciated that the digital watermark information may include system identification and user information for the service subsystem.
The generated digital watermark information may include, for example, the system identification 002 of the service subsystem and a user information thumbnail.
In an embodiment of the present invention, the image subsystem is configured to send the URL to the service subsystem by using the Hypertext Transfer Protocol Secure (HTTPS) protocol;
and the service subsystem is used for calling and reading the electronic image through the URL by utilizing the HTTPS protocol and displaying the called and read electronic image to the user.
In the embodiment of the invention, when the image subsystem and the service subsystem transmit the URL and the electronic image, the URL and the electronic image need to be transmitted through an HTTPS protocol, so that the risks of stealing information by a third party and falsification and identity impersonation can be greatly reduced.
In an embodiment of the present invention, the identity authentication center is further configured to store the generated access token; and upon receiving the access token sent by the image subsystem, to execute:
D0: determining whether the same access token as the access token sent by the image subsystem exists in the stored access tokens, if so, executing D1, otherwise, executing D2;
D1: determining whether the access token sent by the image subsystem is expired, if so, executing D2, otherwise, sending a pass authentication to the image subsystem;
D2: sending an authentication failure to the image subsystem;
the image subsystem is further configured to send the authentication failure to the service subsystem when receiving the authentication failure sent by the identity authentication center, so that the service subsystem displays the authentication failure to the user.
In the embodiment of the invention, the identity authentication center needs to store each generated access token, so that whether the access token sent by the image subsystem is legal and effective is determined according to each stored access token, thereby improving the security of electronic image retrieval.
In an embodiment of the present invention, the identity authentication center is further configured to pre-store identity information of at least one user, at least one system identifier corresponding to each of the identity information, and at least one image identifier corresponding to each of the identity information; receiving the identity authentication request sent by any one of the service subsystems, and executing:
S0: determining whether identity information identical to the user information carried by the identity authentication request exists in the stored identity information, if so, executing S1, otherwise, executing S3;
S1: determining whether a system identifier identical to the system identifier carried in the identity authentication request exists in each system identifier corresponding to the same identity information, if so, executing S2, otherwise, executing S3;
S2: determining whether an image identifier identical to the image identifier carried in the identity authentication request exists in each image identifier corresponding to the same identity information, if so, executing the generation of the access token corresponding to the identity authentication request, otherwise, executing S3;
S3: sending the unauthorized access to the service subsystem so that the service subsystem displays the unauthorized access to the user.
In the embodiment of the invention, when the identity authentication center receives the identity authentication request sent by the service subsystem, the validity of the user identity needs to be checked according to the corresponding relationship among the pre-stored user information, the system identifier and the image identifier so as to improve the security of electronic image retrieval, and if and only if the user identity is determined to be legal, a corresponding access token is generated so as to be used by the user to retrieve the electronic image.
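The S0-S3 issuance check and the D0-D2 token check described above, written out as an added Python example (not code from the patent). The registry contents, the 300-second lifetime, the placeholder URL and the check that a token is only honoured for the image identifier it was issued for are assumptions of this example; the description's D0-D2 steps cover existence and expiry only.

```python
import secrets
import time

# Constructed sample records (not from the patent). Per the description, the
# center pre-stores, for each identity, its system identifiers and its image
# identifiers.
REGISTRY = {
    "user-001": {"systems": {"a", "b"}, "images": {"ecg-0001", "xray-0007"}},
    "user-002": {"systems": {"b"}, "images": {"invoice-0042"}},
}

UNAUTHORIZED = "unauthorized access"
AUTH_FAILURE = "authentication failure"


class IdentityAuthCenter:
    """Identity authentication center: issues tokens (S0-S3), checks them (D0-D2)."""

    def __init__(self, registry, ttl_seconds=300, clock=time.time):
        self.registry = registry
        self.ttl = ttl_seconds   # assumed lifetime; the text only says tokens expire
        self.clock = clock       # injectable so expiry can be exercised offline
        self.tokens = {}         # stored tokens: token -> (image_id, expires_at)

    def authenticate(self, user, system_id, image_id):
        """Return (token, None) when S0-S2 all pass, else (None, UNAUTHORIZED)."""
        record = self.registry.get(user)
        if record is None:                          # S0 fails -> S3
            return None, UNAUTHORIZED
        if system_id not in record["systems"]:      # S1 fails -> S3
            return None, UNAUTHORIZED
        if image_id not in record["images"]:        # S2 fails -> S3
            return None, UNAUTHORIZED
        token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        self.tokens[token] = (image_id, self.clock() + self.ttl)
        return token, None

    def verify(self, token):
        """D0-D2: return the image identifier the token was issued for, or None."""
        entry = self.tokens.get(token)              # D0: is the token stored?
        if entry is None:
            return None                             # D2
        image_id, expires_at = entry
        if self.clock() >= expires_at:              # D1: expired?
            del self.tokens[token]                  # expired tokens are dropped
            return None                             # D2
        return image_id                             # pass authentication


def image_subsystem_lookup(center, token, image_id):
    """Image subsystem side: have the center verify the token, then return a URL."""
    issued_for = center.verify(token)
    if issued_for is None:
        return AUTH_FAILURE
    # Added binding check (an assumption of this example, not a step in the
    # description): the token is honoured only for the image it was issued for.
    if issued_for != image_id:
        return AUTH_FAILURE
    return "https://images.example.invalid/enc/" + image_id   # placeholder URL


if __name__ == "__main__":
    center = IdentityAuthCenter(REGISTRY)
    token, error = center.authenticate("user-001", "b", "ecg-0001")
    print(error, image_subsystem_lookup(center, token, "ecg-0001"))
    print(image_subsystem_lookup(center, token, "xray-0007"))
```
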
In an embodiment of the present invention, the image subsystem is further configured to set a retrieval authority and an operation authority corresponding to the URL, monitor, according to the retrieval authority, the retrieval of the electronic image by the service subsystem through the URL, and prevent the service subsystem from executing an operation corresponding to the operation authority to obtain the electronic image when the retrieval authority is invalid;
wherein the retrieval authority comprises the access duration and/or the access times of the service subsystem when accessing the electronic image, and the operation authority includes any one or more of viewing authority, downloading authority and modification authority when the service subsystem accesses the electronic image.
In the embodiment of the invention, after the image subsystem generates the URL, the retrieval authority and the operation authority corresponding to the URL need to be set, so that the operation behavior of the service subsystem in retrieving the electronic image is monitored according to the retrieval authority and the operation authority, and the aim of improving the safety of the electronic image is fulfilled.
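One way to enforce the retrieval authority (access duration and/or access count) and the operation authority (view, download, modify) attached to a URL, as an added Python example that is not code from the patent. The class and method names, the decision strings, the audit list and the sample URLs are assumptions of this example.

```python
import time
from dataclasses import dataclass
from typing import Optional

# The three operation authorities named in the description.
OPERATIONS = frozenset({"view", "download", "modify"})


@dataclass
class UrlGrant:
    allowed_ops: frozenset
    expires_at: Optional[float]   # access-duration limit, None if not set
    remaining: Optional[int]      # access-count limit, None if not set


class UrlAuthority:
    """Image subsystem side: per-URL retrieval and operation authority."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be exercised offline
        self.grants = {}          # url -> UrlGrant
        self.audit = []           # (time, url, operation, decision), for monitoring

    def issue(self, url, ops, max_seconds=None, max_accesses=None):
        """Attach authorities to a URL at the moment the URL is generated."""
        ops = frozenset(ops)
        if not ops or not ops <= OPERATIONS:
            raise ValueError("unknown or empty operation authority")
        if max_seconds is None and max_accesses is None:
            raise ValueError("set an access duration and/or an access count")
        expires_at = None if max_seconds is None else self.clock() + max_seconds
        self.grants[url] = UrlGrant(ops, expires_at, max_accesses)

    def request(self, url, op):
        """Decide one request; every decision, allowed or not, is recorded."""
        now = self.clock()
        grant = self.grants.get(url)
        if grant is None:
            decision = "unknown-url"
        elif grant.expires_at is not None and now >= grant.expires_at:
            decision = "duration-expired"       # retrieval authority invalid
        elif grant.remaining is not None and grant.remaining <= 0:
            decision = "count-exhausted"        # retrieval authority invalid
        elif op not in grant.allowed_ops:
            decision = "operation-denied"       # outside the operation authority
        else:
            if grant.remaining is not None:
                grant.remaining -= 1            # only allowed requests consume the count
            decision = "allowed"
        self.audit.append((now, url, op, decision))
        return decision


if __name__ == "__main__":
    authority = UrlAuthority()
    url = "https://images.example.invalid/enc/ecg-0001"   # constructed sample URL
    authority.issue(url, {"view"}, max_seconds=120, max_accesses=2)
    for operation in ("view", "download", "view", "view"):
        print(operation, authority.request(url, operation))
```
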
In summary, the electronic images are managed and read by the service subsystem, the identity authentication center and the image subsystem, so that the service subsystem and the image subsystem can be completely decoupled and the retrieval process can be safer and more efficient. That is, the identity authentication center provides intermediary security interaction, and the image subsystem internally controls retrieval from identity authentication and authorization authentication, through physical storage access of the electronic images, to the presentation of the electronic images with encryption and digital watermark integrity. The security of the electronic images is thereby improved, and the integrity of the electronic images is ensured in terms of reliability.
As shown in FIG. 2, in order to illustrate the technical solution and advantages of the present invention more clearly, the management system for electronic image retrieval provided by the present invention is described in detail below, taking the service subsystem b201, the identity authentication center 202 and the image subsystem 203 as examples. The management system includes:
The service subsystem b201, configured to acquire user information and an image identifier input by a user, and to send an identity authentication request to the identity authentication center 202, where the identity authentication request carries the user information and a system identifier of the service subsystem b201.
Specifically, when acquiring the user information and the image identifier input by the user, the service subsystem does not send them directly to the image subsystem; the identity authentication center must first check whether the identity of the user is legal.
For example, the service subsystem b obtains the user information subthread input by a user, with the image identifier being an electrocardiogram image, and sends an identity authentication request carrying the system identifier b of the service subsystem b and the user information subthread to the identity authentication center.
The identity authentication center 202 is configured to pre-store identity information of at least one user, at least one system identifier corresponding to each piece of identity information, and at least one corresponding image identifier; and, upon receiving an identity authentication request sent by any service subsystem b201, to execute:
S0: Determine whether identity information identical to the user information carried by the identity authentication request exists among the stored identity information; if so, execute S1, otherwise execute S3.
Specifically, by pre-storing the identity information of the user, the system identifier corresponding to the identity information, and the corresponding image identifier, the identity authentication center establishes a correspondence among the identity information, the system identifier and the image identifier, and can determine from this correspondence whether the user information carried in the identity authentication request is legal.
S1: Determine whether a system identifier identical to the system identifier carried by the identity authentication request exists among the system identifiers corresponding to that identity information; if so, execute S2, otherwise execute S3.
Specifically, when the identity authentication center determines that identity information identical to the user information sent by the service subsystem exists among the stored identity information, the identity of the user has passed the initial verification. It must still determine from the correspondence whether the service subsystem has the right to access the image subsystem, so that the user is prevented from acquiring enterprise information by using an external system.
S2: Determine whether an image identifier identical to the image identifier carried in the identity authentication request exists among the image identifiers corresponding to that identity information; if so, generate and store an access token corresponding to the identity authentication request and send the access token to the service subsystem b201, otherwise execute S3.
Specifically, after the identity authentication center determines that the identity of the user is legal and that the service subsystem has the right to access the image subsystem, it needs to determine from the correspondence whether the user has the right to access the image identifier carried by the identity authentication request, so that enterprise information leakage is avoided and the security of electronic image data is improved.
S3: Send an unauthorized-access message to the service subsystem b201, so that the service subsystem b201 shows the unauthorized access to the user.
Specifically, when the identity authentication center determines that the identity of the user is illegal, or that the service subsystem does not have the right to access the image subsystem, or that the user does not have the right to access the image identifier carried in the identity authentication request, it needs to send an unauthorized-access message to the service subsystem, so that the service subsystem informs the user that the corresponding electronic image cannot be accessed.
The service subsystem b201 is further configured to send the image identifier and the access token to the image subsystem when receiving the access token sent by the identity authentication center 202.
Specifically, when the service subsystem receives the access token sent by the identity authentication center, it needs to send the access token, together with the image identifier of the electronic image the user wants to retrieve, to the image subsystem, so that the image subsystem can verify the validity of the access token.
The image subsystem 203 is configured to receive the image identifier and the access token sent by the service subsystem b201 and to send the access token to the identity authentication center 202.
Specifically, when receiving the access token and the image identifier sent by the service subsystem, the image subsystem does not directly send the electronic image corresponding to the image identifier to the service subsystem; it first needs to verify the authenticity and validity of the access token, so as to determine whether access to the electronic image corresponding to the sent image identifier is allowed.
The identity authentication center 202 is configured to, upon receiving the access token sent by the image subsystem 203, execute:
D0: Determine whether an access token identical to the access token sent by the image subsystem 203 exists among the stored access tokens; if so, execute D1, otherwise execute D2.
D1: Determine whether the access token sent by the image subsystem 203 has expired; if so, execute D2, otherwise send a pass authentication to the image subsystem 203.
D2: Send an authentication failure to the image subsystem 203.
Specifically, the identity authentication center needs to store each generated access token, so that when an access token sent by the image subsystem is received, its authenticity can be determined against the stored access tokens. When the access token sent by the image subsystem is determined to be a legal token, its validity is then determined, that is, whether the access token has expired. If and only if the access token is both legal and valid is a pass authentication sent to the image subsystem, so that the image subsystem retrieves the electronic image required by the user.
When the legality or validity of the access token sent by the image subsystem is abnormal, an authentication failure needs to be sent to the service subsystem, so that the user can learn the retrieval status of the electronic image through the service subsystem.
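The S0 to S3 request check and the D0 to D2 token check described above can be modelled as follows. This is an added example, not code from the patent: the class and method names, the token lifetime, the storage of a token digest instead of the raw token, and the optional binding of a token to the image identifier it was issued for are all assumptions of the example, and the registry entries are constructed sample data.

```python
import hashlib
import secrets
import time

UNAUTHORIZED = "unauthorized access"   # S3 response text (wording assumed)


class IdentityAuthCenter:
    """Toy identity authentication center: S0-S3 on requests, D0-D2 on tokens."""

    def __init__(self, token_ttl_seconds=300, clock=time.time):
        self._registry = {}   # identity -> {"systems": set, "images": set}
        self._tokens = {}     # sha256(token) -> (expiry, image_id)
        self._ttl = token_ttl_seconds   # lifetime is an assumption; the text gives none
        self._clock = clock             # injectable so expiry can be tested

    @staticmethod
    def _digest(token):
        # Hardening choice of this example: keep only a digest of each token,
        # so a leaked token store does not hand out live tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def register(self, identity, systems, images):
        """Pre-store identity -> system identifiers and image identifiers."""
        self._registry[identity] = {"systems": set(systems), "images": set(images)}

    def authenticate(self, user_info, system_id, image_id):
        """Run S0-S3. Returns (True, token) or (False, UNAUTHORIZED)."""
        entry = self._registry.get(user_info)
        if entry is None:                        # S0 failed -> S3
            return False, UNAUTHORIZED
        if system_id not in entry["systems"]:    # S1 failed -> S3
            return False, UNAUTHORIZED
        if image_id not in entry["images"]:      # S2 failed -> S3
            return False, UNAUTHORIZED
        # Every failure returns the same message, so the caller cannot tell
        # which of the three checks rejected the request.
        token = secrets.token_urlsafe(32)        # unguessable, from the OS CSPRNG
        self._tokens[self._digest(token)] = (self._clock() + self._ttl, image_id)
        return True, token

    def verify_token(self, token, image_id=None):
        """Run D0-D2. True means 'pass authentication', False 'authentication failure'."""
        key = self._digest(token)
        record = self._tokens.get(key)
        if record is None:                       # D0 failed -> D2
            return False
        expiry, issued_for = record
        if self._clock() >= expiry:              # D1: expired -> D2
            del self._tokens[key]                # drop dead tokens from the store
            return False
        # Extra check, not part of D0-D2 as written: if the image subsystem also
        # passes the requested image identifier, reject a token issued for
        # a different image.
        if image_id is not None and image_id != issued_for:
            return False
        return True


if __name__ == "__main__":
    center = IdentityAuthCenter(token_ttl_seconds=60)
    # Constructed sample data: one user, allowed from system "b" for one image.
    center.register("alice", systems={"b"}, images={"ecg-001"})
    ok, token = center.authenticate("alice", "b", "ecg-001")
    print("issued:", ok)
    print("pass authentication:", center.verify_token(token, "ecg-001"))
    print("forged token:", center.verify_token("not-a-real-token"))
```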
The image subsystem 203 is configured to, when receiving a pass authentication sent by the identity authentication center 202, obtain the storage location of the electronic image, obtain the electronic image from the storage location, generate digital watermark information corresponding to the access token, load the digital watermark information into the obtained electronic image, encrypt the electronic image loaded with the digital watermark information by using a preset key, store the encrypted electronic image to a preset encryption location, generate a URL corresponding to the encryption location, and send the URL to the service subsystem b201 over the Hypertext Transfer Protocol Secure (HTTPS).
Specifically, after determining that the access token sent by the service subsystem is real and valid, the image subsystem needs to acquire the storage location of the electronic image corresponding to the image identifier the user wants to retrieve, so that the electronic image can be acquired from that storage location. After the corresponding electronic image is acquired, digital watermark information corresponding to the access token needs to be generated, that is, the digital watermark information is generated according to the image information of the acquired electronic image, the user information of the user and the system identifier. The digital watermark information is loaded into the acquired electronic image and the result is encrypted, so that the security of the electronic image is improved and its integrity is ensured to the greatest extent. A URL corresponding to the encrypted electronic image is then generated, and the service subsystem retrieves the electronic image over HTTPS, which further improves the security of the electronic image.
The service subsystem b201 is further configured to receive the uniform resource locator (URL) sent by the image subsystem 203, retrieve the encrypted electronic image through the URL, decrypt the encrypted electronic image with the key to obtain a decrypted electronic image, and display the decrypted electronic image to the user.
The image subsystem is further configured to set a retrieval authority and an operation authority corresponding to the URL, to monitor, according to the retrieval authority, the service subsystem's retrieval of the electronic image through the URL, and, when the retrieval authority is invalid, to prevent the service subsystem from executing the operation corresponding to the operation authority to retrieve the electronic image;
wherein the retrieval authority comprises the access duration and/or the number of accesses of the service subsystem when accessing the electronic image, and the operation authority comprises any one or more of a viewing authority, a downloading authority and a modification authority when the service subsystem accesses the electronic image.
Specifically, by setting the retrieval authority and the operation authority corresponding to each URL, the image subsystem monitors the operations of the service subsystem when it accesses the electronic image according to those authorities. When the service subsystem's access to the electronic image is abnormal, access to the electronic image needs to be blocked, so that the security of the electronic image is improved.
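A sketch of how an image subsystem could attach a retrieval authority (access duration and/or access count) and an operation authority (view, download, modify) to each generated URL and record every attempt. This is an added example, not code from the patent: the class, the reason strings, the host name and the storage paths are constructed for illustration, and the choice that a refused operation does not consume an access is an assumption.

```python
import secrets
import time

VIEW, DOWNLOAD, MODIFY = "view", "download", "modify"
BASE_URL = "https://images.example.internal/e/"   # constructed host name


class ImageUrlGuard:
    """Per-URL retrieval authority and operation authority with an audit trail."""

    def __init__(self, clock=time.time):
        self._grants = {}      # url -> grant record
        self._clock = clock    # injectable so expiry can be tested
        self.audit_log = []    # (timestamp, url, operation, allowed, reason)

    def issue(self, encrypted_location, operations, max_seconds=None, max_accesses=None):
        """Create a URL for an encrypted image and attach both authorities to it."""
        if max_seconds is None and max_accesses is None:
            raise ValueError("set an access duration and/or an access count")
        operations = frozenset(operations)
        if not operations or operations - {VIEW, DOWNLOAD, MODIFY}:
            raise ValueError("operations must be a non-empty subset of view/download/modify")
        # The URL carries a random handle, not the storage path itself.
        url = BASE_URL + secrets.token_urlsafe(16)
        self._grants[url] = {
            "location": encrypted_location,
            "operations": operations,
            "not_after": None if max_seconds is None else self._clock() + max_seconds,
            "remaining": max_accesses,
        }
        return url

    def _decide(self, url, operation):
        grant = self._grants.get(url)
        if grant is None:
            return False, "unknown URL"
        # Retrieval authority first: once it is invalid, no operation is allowed.
        if grant["not_after"] is not None and self._clock() >= grant["not_after"]:
            return False, "retrieval authority invalid: access duration elapsed"
        if grant["remaining"] is not None and grant["remaining"] <= 0:
            return False, "retrieval authority invalid: access count exhausted"
        # Operation authority: only the operations granted for this URL.
        if operation not in grant["operations"]:
            return False, "operation not permitted"
        if grant["remaining"] is not None:
            grant["remaining"] -= 1   # only successful accesses are counted
        return True, "ok"

    def access(self, url, operation):
        """Check one attempt and record it, allowed or not."""
        allowed, reason = self._decide(url, operation)
        self.audit_log.append((self._clock(), url, operation, allowed, reason))
        return allowed, reason


if __name__ == "__main__":
    guard = ImageUrlGuard()
    # Constructed sample: a view-only URL, valid for 30 seconds and two accesses.
    url = guard.issue("enc/ecg-001.bin", {VIEW}, max_seconds=30, max_accesses=2)
    for op in (VIEW, DOWNLOAD, VIEW, VIEW):
        print(op, guard.access(url, op))
```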
In conclusion, the identity authentication center reverses the authentication dependence of the service subsystem on the image subsystem; the electronic image then undergoes digital watermarking and encryption, and the generated URL is transmitted over HTTPS, so that the service subsystem can complete retrieval of the electronic image through the URL. This guarantees the security of the electronic image to the greatest extent, guarantees its integrity to the greatest extent in terms of reliability, and reduces the probability of tampering with the electronic image to the greatest extent.
As shown in fig. 3, an embodiment of the present invention provides a method for managing electronic image retrieval, including:
Step 301: acquiring, through at least one service subsystem, user information and an image identifier input by a user, and sending an identity authentication request to an identity authentication center, wherein the identity authentication request carries the user information and a system identifier of the service subsystem;
Step 302: receiving and verifying, through the identity authentication center, the identity authentication request sent by any one of the service subsystems, generating the access token corresponding to the identity authentication request when the identity authentication request passes the verification, and sending the access token to the service subsystem that sent the identity authentication request;
Step 303: when receiving the access token sent by the identity authentication center, the at least one service subsystem sends the image identifier and the access token to the image subsystem;
Step 304: receiving, through the image subsystem, the image identifier and the access token sent by the service subsystem, and sending the access token to the identity authentication center;
Step 305: receiving and verifying, through the identity authentication center, the access token sent by the image subsystem, and sending a pass authentication to the image subsystem when the received access token passes the authentication;
Step 306: when receiving the pass authentication sent by the identity authentication center, the image subsystem acquires a Uniform Resource Locator (URL) corresponding to the electronic image and sends the URL to the service subsystem;
Step 307: receiving, through the at least one service subsystem, the Uniform Resource Locator (URL) sent by the image subsystem, and calling and displaying the electronic image corresponding to the image identifier through the URL.
In the embodiment of the invention, when the service subsystem acquires the user information and the image identifier input by the user, it first needs to send an identity authentication request to the identity authentication center, which verifies whether the identity of the user is legal. This not only improves the security of electronic image retrieval but also, through the identity authentication center, reduces the dependence of the service subsystem on the image subsystem, decouples the service subsystem from the image subsystem, and reduces the difficulty of maintaining the image subsystem. If and only if the user identity is legal, the service subsystem receives the access token sent by the identity authentication center; using the access token and the image identifier input by the user, it can obtain from the image subsystem the URL of the electronic image corresponding to the image identifier, and the electronic image requested by the user can be obtained through the URL.
In an embodiment of the present invention, obtaining the URL corresponding to the electronic image includes:
acquiring a storage location of the electronic image;
acquiring the electronic image from the storage location;
encrypting the acquired electronic image by using a preset key, and storing the encrypted electronic image to a preset encryption location;
generating a URL corresponding to the encryption location;
and calling and displaying, through the URL, the electronic image corresponding to the image identifier includes:
calling and reading the encrypted electronic image through the URL;
decrypting the encrypted electronic image with the key to obtain the decrypted electronic image;
and displaying the decrypted electronic image to the user.
In an embodiment of the present invention, after acquiring the electronic image from the storage location and before encrypting the acquired electronic image with the preset key, the method further includes:
generating digital watermark information corresponding to the access token;
loading the digital watermark information into the acquired electronic image;
and encrypting the acquired electronic image by using the preset key includes:
encrypting the electronic image loaded with the digital watermark information by using the preset key.
The embodiments of the invention have at least the following beneficial effects:
1. In an embodiment of the invention, when acquiring the user information and the image identifier input by the user, the service subsystem needs to send an identity authentication request to the identity authentication center, which verifies whether the identity of the user is legal. This not only improves the security of electronic image retrieval but also, through the identity authentication center, reduces the dependence of the service subsystem on the image subsystem, decouples the service subsystem from the image subsystem, and reduces the difficulty of maintaining the image subsystem. If and only if the user identity is legal, the service subsystem receives the access token sent by the identity authentication center; using the access token and the image identifier input by the user, it can obtain from the image subsystem the URL of the electronic image corresponding to the image identifier, and the electronic image requested by the user can be obtained through the URL.
2. In an embodiment of the present invention, when the image subsystem confirms that the access token sent by the service subsystem passes the authentication, the electronic image corresponding to the image identifier needs to be encrypted by using a preset secret key, and then the URL corresponding to the encrypted electronic image is generated.
3. In an embodiment of the present invention, after the access token of the service subsystem is determined to pass the verification, the image subsystem needs to generate digital watermark information, and the digital watermark information is loaded into the electronic image corresponding to the image identifier, so that the electronic image can be prevented from being tampered when stolen by a third party.
4. In an embodiment of the present invention, when the image subsystem and the service subsystem transmit the URL and the electronic image, the URL and the electronic image need to be transmitted through an HTTPS protocol, which can greatly reduce the risk of third parties stealing information and falsifying identity.
5. In an embodiment of the present invention, the identity authentication center needs to store each generated access token, so as to determine whether the access token sent by the image subsystem is legal and valid according to each stored access token, thereby improving security of electronic image retrieval.
6. In an embodiment of the present invention, when receiving an identity authentication request sent by a service subsystem, an identity authentication center needs to check the validity of a user identity according to a correspondence relationship between pre-stored user information, a system identifier, and an image identifier, so as to improve the security of electronic image retrieval, and if and only if it is determined that the user identity is valid, a corresponding access token is generated, so that the user can retrieve the electronic image.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (2)

1. A management system for retrieving electronic images, comprising:
at least one service subsystem, an identity authentication center and an image subsystem;
each service subsystem is used for acquiring user information and an image identifier input by a user, sending an identity authentication request to an identity authentication center, and sending the image identifier and the access token to the image subsystem when receiving an access token sent by the identity authentication center, wherein the identity authentication request carries the user information and a system identifier of the service subsystem; receiving a Uniform Resource Locator (URL) sent by the image subsystem, and calling and displaying the electronic image corresponding to the image identifier through the URL;
the identity authentication center is used for receiving and verifying the identity authentication request sent by any one of the service subsystems, generating the access token corresponding to the identity authentication request when the identity authentication request passes the verification, and sending the access token to the service subsystem sending the identity authentication request; receiving and verifying the access token sent by the image subsystem, and sending a passing authentication to the image subsystem when the received access token passes the authentication;
the image subsystem is used for receiving the image identifier and the access token sent by the service subsystem and sending the access token to the identity authentication center; when passing authentication sent by the identity authentication center is received, the URL corresponding to the electronic image is obtained, and the URL is sent to the service subsystem;
the image subsystem is further configured to acquire a storage location of the electronic image, acquire the electronic image from the storage location, encrypt the acquired electronic image using a preset key, store the encrypted electronic image to a preset encryption location, and generate a URL corresponding to the encryption location;
the service subsystem is further used for calling and reading the encrypted electronic image through the URL, decrypting the encrypted electronic image through the secret key to obtain the decrypted electronic image, and displaying the decrypted electronic image to the user;
the image subsystem is further configured to generate digital watermark information corresponding to the access token, load the digital watermark information into the acquired electronic image, and encrypt the electronic image loaded with the digital watermark information by using a preset key;
the image subsystem is used for sending the URL to the service subsystem by utilizing the Hypertext Transfer Protocol Secure (HTTPS);
the service subsystem is used for calling and reading the electronic image through the URL by utilizing the HTTPS protocol and displaying the called and read electronic image to the user;
the identity authentication center is further used for storing the generated access token; and, upon receiving the access token sent by the image subsystem, executing:
D0: determining whether the same access token as the access token sent by the image subsystem exists in the stored access tokens, if so, executing D1, otherwise, executing D2;
D1: determining whether the access token sent by the image subsystem is expired, if so, executing D2, otherwise, sending a pass authentication to the image subsystem;
D2: sending an authentication failure to the image subsystem;
the image subsystem is further configured to send the authentication failure to the service subsystem when receiving the authentication failure sent by the identity authentication center, so that the service subsystem displays the authentication failure to the user;
the identity authentication center is further used for pre-storing identity information of at least one user, at least one system identifier corresponding to each identity information and at least one corresponding image identifier; receiving the identity authentication request sent by any one of the service subsystems, and executing:
S0: determining whether identity information which is the same as the user information carried by the identity authentication request exists in each stored identity information, if so, executing S1, otherwise, executing S3;
S1: determining whether a system identifier identical to the system identifier carried in the identity authentication request exists in each system identifier corresponding to the same identity information, if so, executing S2, otherwise, executing S3;
S2: determining whether an image identifier identical to the image identifier carried in the identity authentication request exists in each image identifier corresponding to the same identity information, if so, executing the generation of the access token corresponding to the identity authentication request, otherwise, executing S3;
S3: sending an unauthorized access to the service subsystem, so that the service subsystem presents the unauthorized access to the user;
the image subsystem is further used for setting a retrieval authority and an operation authority corresponding to the URL, monitoring, according to the retrieval authority, the retrieval of the electronic image by the service subsystem through the URL, and preventing the service subsystem from executing the operation corresponding to the operation authority to retrieve the electronic image when the retrieval authority is invalid;
wherein the retrieval authority comprises: the access duration and/or the access times of the service subsystem when accessing the electronic image, and the operation authority comprises: any one or more of viewing authority, downloading authority and modification authority when the service subsystem accesses the electronic image.
2. A method for managing electronic image retrieval using the electronic image retrieval management system according to claim 1, comprising:
acquiring user information and an image identifier input by a user through at least one service subsystem, and sending an identity authentication request to an identity authentication center, wherein the identity authentication request carries the user information and the system identifier of the service subsystem;
receiving and verifying the identity authentication request sent by any one of the service subsystems through the identity authentication center, generating an access token corresponding to the identity authentication request when the identity authentication request passes the verification, and sending the access token to the service subsystem sending the identity authentication request;
when an access token sent by an identity authentication center is received through at least one service subsystem, the image identifier and the access token are sent to an image subsystem;
receiving the image identifier and the access token sent by the service subsystem through the image subsystem, and sending the access token to the identity authentication center;
receiving and verifying the access token sent by the image subsystem through the identity authentication center, and sending a passing authentication to the image subsystem when the received access token passes the authentication;
when receiving passing authentication sent by the identity authentication center, the image subsystem acquires a Uniform Resource Locator (URL) corresponding to the electronic image and sends the URL to the service subsystem;
receiving a Uniform Resource Locator (URL) sent by the image subsystem through the at least one service subsystem, and calling and displaying an electronic image corresponding to the image identifier through the URL;
the acquiring of the uniform resource locator URL corresponding to the electronic image includes:
acquiring a storage position of the electronic image;
acquiring the electronic image from the storage position;
encrypting the acquired electronic image by using a preset secret key, and storing the encrypted electronic image to a preset encryption position;
generating a URL corresponding to the encrypted location;
the calling and displaying, through the URL, of the electronic image corresponding to the image identifier includes:
calling and reading the encrypted electronic image through the URL;
decrypting the encrypted electronic image through the secret key to obtain the decrypted electronic image;
displaying the decrypted electronic image to the user;
after the acquiring the electronic image from the storage location, before the encrypting the acquired electronic image with the preset key, the method further includes:
generating digital watermark information corresponding to the access token;
loading the digital watermark information into the acquired electronic image;
the encrypting of the acquired electronic image by using the preset key includes:
encrypting the electronic image loaded with the digital watermark information by using the preset key.
CN201811003144.7A 2018-08-30 2018-08-30 Electronic image retrieval management system and method Active CN109274650B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811003144.7A CN109274650B (en) 2018-08-30 2018-08-30 Electronic image retrieval management system and method


Publications (2)

Publication Number Publication Date
CN109274650A CN109274650A (en) 2019-01-25
CN109274650B CN109274650B (en) 2020-12-08

Family

ID=65154942



Also Published As

Publication number Publication date
CN109274650A (en) 2019-01-25

Similar Documents

Publication Publication Date Title
CN109274650B (en) Electronic image retrieval management system and method
US11818253B2 (en) Trustworthy data exchange using distributed databases
CN112333198B (en) Secure cross-domain login method, system and server
US20070136202A1 (en) Personal-information managing apparatus, method of providing personal information, computer product, and personal-information-providing system
US11456876B2 (en) Virtual credentials and licenses
JP2007527059A (en) User and method and apparatus for authentication of communications received from a computer system
CN113487321A (en) Identity identification and verification method and system based on block chain wallet
CN114925141B (en) Cloud primary automation deployment management system and method based on block chain
EP1063579A2 (en) Method, apparatus and storage medium for authentication on the world wide web
CN107948235A (en) Cloud data safety management and audit device based on JAR
WO2022094648A1 (en) Method for suspending protection of an object achieved by a protection device
KR101876672B1 (en) Digital signature method using block chain and system performing the same
JP2000331088A (en) Method and system for approval mark management
CN115547441A (en) Safety acquisition method and system based on personal health medical data
CN110532792B (en) Method and system for checking privacy information
US7661111B2 (en) Method for assuring event record integrity
WO2019235450A1 (en) Information processing device, information processing method, information processing program, and information processing system
CN112100178A (en) Delegation authorization verification method and system
JP6319675B1 (en) Information processing system
JP4295391B2 (en) Access control method and apparatus
WO2021124568A1 (en) Access control device, control method, and program
CN117455489A (en) Transaction authorization method, device, equipment and storage medium
JP2023179334A (en) Authentication method, authentication system, portable information device, and authentication device
CN115580495A (en) Data auditing method and device, electronic equipment and storage medium
JP2024007650A (en) Electronic signature system, electronic signature method, and electronic signature program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201113

Address after: 250100 Ji'nan high tech Zone, Shandong, No. 1036 wave road

Applicant after: INSPUR GENERAL SOFTWARE Co.,Ltd.

Address before: 250100, No. 2877, fairway, Sun Town, Ji'nan hi tech Zone, Shandong

Applicant before: SHANDONG INSPUR GENESOFT INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant