CN109992976A - Access credentials verification method, device, computer equipment and storage medium - Google Patents


Publication number
CN109992976A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910145579.3A
Other languages
Chinese (zh)
Inventor
邹陈波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN201910145579.3A priority Critical patent/CN109992976A/en
Priority to PCT/CN2019/091903 priority patent/WO2020173019A1/en
Publication of CN109992976A publication Critical patent/CN109992976A/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

This application relates to the field of identity authentication. Access credentials are generated and verified according to the access code corresponding to the file the client requests and the characteristic information of the client, which prevents the file from being accessed with access credentials that have been stolen, tampered with or forged. Specifically disclosed are an access credentials verification method, device, computer equipment and storage medium. The method comprises: obtaining an access request sent by a client, the access request including an access purpose; obtaining the access code corresponding to the access purpose; generating access credentials according to the access code and the characteristic information of the client; sending the access credentials to the client; obtaining an access instruction sent by the client, the access instruction including the access purpose, the characteristic information of the client and the access credentials; generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client; and, if the validating documents are consistent with the access credentials in the access instruction, the access instruction passes verification.

Description

Access credentials verification method, device, computer equipment and storage medium
Technical field
This application relates to the technical field of identity authentication, and in particular to an access credentials verification method, device, computer equipment and storage medium.
Background
A data file of some type is stored on a cloud server, and the owner of the data file can share it with specified third parties.
Data sharing today is generally based on username-and-password access, which has the following defects: if the username and password are too simple, they are easily cracked by a malicious third party; if the owner of a data file shares the data with A by handing out a username and password, the owner cannot ensure that A will not reveal the username and password to someone else, B, which the file owner does not want; and if user A obtains an access link to a data file through a normal channel but the link is accidentally leaked, the privacy of the data file is compromised.
Summary of the invention
The embodiments of the present application provide an access credentials verification method, device, computer equipment and storage medium that prevent a file from being accessed with access credentials that have been stolen, tampered with or forged, and so better protect the privacy of data.
In a first aspect, this application provides an access credentials verification method, the method comprising:
obtaining an access request sent by a client, the access request including an access purpose;
obtaining the access code corresponding to the access purpose;
generating access credentials according to the access code and the characteristic information of the client;
sending the generated access credentials to the client;
obtaining an access instruction sent by the client, the access instruction including the access purpose, the characteristic information of the client and the access credentials;
generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client;
if the validating documents are consistent with the access credentials in the access instruction, the access instruction passes verification.
In a second aspect, this application provides an access credentials verification device, the device comprising:
a first obtaining module, configured to obtain an access request sent by a client, the access request including an access purpose;
a second obtaining module, configured to obtain the access code corresponding to the access purpose;
a first generation module, configured to generate access credentials according to the access code and the characteristic information of the client;
a sending module, configured to send the generated access credentials to the client;
a third obtaining module, configured to obtain an access instruction sent by the client, the access instruction including the access purpose, the characteristic information of the client and the access credentials;
a second generation module, configured to generate validating documents according to the access code corresponding to the access purpose and the characteristic information of the client;
a verification module, configured so that, if the validating documents are consistent with the access credentials in the access instruction, the access instruction passes verification.
In a third aspect, this application provides computer equipment comprising a memory and a processor; the memory is configured to store a computer program; the processor is configured to execute the computer program and, when executing the computer program, to implement the above access credentials verification method.
In a fourth aspect, this application provides a computer-readable storage medium that stores a computer program; when the computer program is executed by a processor, the above access credentials verification method is implemented.
This application discloses an access credentials verification method, device, equipment and storage medium. Access credentials are generated and verified according to the access code corresponding to the file the client requests and the characteristic information of the client, which prevents the file from being accessed with access credentials that have been stolen, tampered with or forged. For example, a hash value calculated from the access code together with the public key and/or the expired time of the client is used as the client's access credentials; this prevents the access credentials of one client from still passing verification after being stolen by another client, guards against access credentials being revealed intentionally or unintentionally, and better protects the privacy of data.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are evidently some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the access credentials verification method of one embodiment of the application;
Fig. 2 is a schematic diagram of an application scenario of the access credentials verification method of the application;
Fig. 3 is a flow diagram of the access credentials verification method of another embodiment of the application;
Fig. 4 is a flow diagram of the access credentials verification method of yet another embodiment of the application;
Fig. 5 is a flow diagram of the access credentials verification method of yet another embodiment of the application;
Fig. 6 is a flow diagram of the access credentials verification method of yet another embodiment of the application;
Fig. 7 is a flow diagram of the access credentials verification method of yet another embodiment of the application;
Fig. 8 is a flow diagram of the access credentials verification method of yet another embodiment of the application;
Fig. 9 is a structural schematic diagram of the access credentials verification device of one embodiment of the application;
Fig. 10 is a structural schematic diagram of the access credentials verification device of another embodiment of the application;
Fig. 11 is a structural schematic diagram of the access credentials verification device of yet another embodiment of the application;
Fig. 12 is a structural schematic diagram of computer equipment provided by one embodiment of the application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. The described embodiments are evidently some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of this application.
The flowcharts shown in the drawings are only illustrative: they need not include all of the content and operations/steps, and the steps need not be executed in the order described. For example, some operations/steps can be decomposed, combined or partially merged, so the actual order of execution may change according to the actual situation. In addition, although functional modules are divided in the device schematic diagrams, in some cases the division may differ from the one shown.
The embodiments of the present application provide an access credentials verification method, device, equipment and storage medium. The access credentials verification method can be applied in a server to verify whether a client has the corresponding permission.
For example, the access credentials verification method is used on a download server; it can of course also be used in scenarios such as website access control and data queries. For ease of understanding, however, the following embodiments are described in detail using the scenario in which a client requests from a server a file managed by that server.
In this embodiment, the server stores in advance the storage address of a file, the file identification corresponding to the file, and a unique and fixed access code corresponding to the file.
For example, the information the server stores for a file is expressed in the following JSON format:
Here "server" indicates the storage address at which the file is stored, for example the address of the server that stores the file.
"uid" indicates the file identification of the file, the unique identifier corresponding to the file on the server.
"access_code" indicates the unique and fixed access code of the file; for example, the access code is not disclosed to the client.
In some embodiments, the information the server stores for each file can be placed separately on a server that verifies clients and issues credentials, while the files are placed on other servers dedicated to storing data; the storage address of a file is then the address of the file on the server dedicated to storing data. In other embodiments, a file and the information stored for it are located on the same server.
Some embodiments of the application are described in detail below with reference to the drawings. Where there is no conflict, the following embodiments and the features in them can be combined with each other.
Referring to Fig. 1, Fig. 1 is a flow diagram of an access credentials verification method provided by an embodiment of the application; the access credentials verification method is used on a server.
As shown in Fig. 2, a client requests from the server a file managed by the server.
As shown in Fig. 1, the access credentials verification method comprises the following steps:
Step S110: the server obtains an access request sent by a client, the access request including an access purpose.
The client can send a corresponding access request to the server, for example a request for access to a file.
In some embodiments, the access purpose includes the network address the client requests access to and/or the file identification of the file the client requests access to.
For example, the client accesses the storage address of a file; if the client directly accesses http://download.pinganyun.com/image/, the server can detect the access request sent by the client.
In other embodiments, the client asks the server for access to the storage address of a file; for example, the client sends the server an access request that includes the storage address http://download.pinganyun.com/image/.
In still other embodiments, the client sends the server an access request that includes the identification of a file, for example an access request containing the file identification (uid) ca0aeab7360a9dc6a29a-2aae6c35c94…08b9ce91ee846ed.
Step S120: the server obtains the access code corresponding to the access purpose.
According to the access purpose in the access request sent by the client, such as the storage address of the file and/or the file identification corresponding to the file, the server can look up, in the information it stores for the file, the access code corresponding to that storage address and/or file identification, for example access_code: d6b0d82cea4269b51572b8fab43adcee9fc3cf9a.
Step S130: the server generates access credentials according to the access code and the characteristic information of the client.
In some embodiments, the characteristic information of the client includes the public key of the client.
For example, when the client requests a file from the server, it also sends its public key certificate to the server, so that the server can obtain the public key of the client. For instance, the access request the server obtains from the client in step S110 also includes the public key of the client.
For example, when the client requests a file from the server, it also sends the server the public key certificate corresponding to the account of the user logged in on the client, so that the server can obtain the public key of the client. The public key of the client can be a public key the server issued to that client, or a public key the server issued to an account; after the account logs in on some unspecified client, that public key serves as the public key of the client.
For example, when the client requests a file from the server, it also sends the server information such as the account of the user logged in on the client, and the server looks up the corresponding public key certificate according to that account information.
In some feasible embodiments, as shown in Fig. 3, step S130, in which the server generates access credentials according to the access code and the characteristic information of the client, specifically comprises the following step:
Step S131: the server generates access credentials according to the access code and the public key of the client.
For example, the server calculates a hash value from the access code corresponding to the file together with the public key of the client, and uses the calculated hash value as the client's access credentials for the file.
Specifically, the server generates the access credentials access_key = SHA1(access_code + certificate), where access_code is the access code of the file and certificate is the public key of the client. The access credentials generated by the server depend on both the access code access_code of the specific file the client requested and the public key certificate of the specific client, which prevents a forged client from accessing the file.
Because public key certificates are unique, that is, different clients or different accounts have different public key certificates, when different clients or different accounts access the storage address of the same file, or request access to the same file, the access credentials the server calculates from the client's public key are all different.
Step S140: the server sends the generated access credentials to the client.
In some feasible embodiments, if the same client requests the same file from the server multiple times, the client must send the server an access request each time to obtain access credentials generated by the server, that is, the server executes steps S110-S140 every time, and the access credentials can be regarded as single-use. In other feasible embodiments, when the same client requests the same file from the server, it can reuse the access credentials the server generated on a previous request for the file, so that the server need not execute steps S110-S140 every time.
Step S150: the server obtains an access instruction sent by the client, the access instruction including the access purpose, the characteristic information of the client and the access credentials.
After the client obtains the access credentials access_key_1 generated by the server, it can ask the server for the file corresponding to access_key_1.
When the client needs to request a file from the server, it retrieves the corresponding access credentials obtained from the server in order to access the file. Normally the access credentials in the access instruction are exactly the access credentials obtained from the server. If, however, the access credentials obtained from the server are tampered with before being used in the access instruction, or the access credentials in the access instruction are forged, then the access credentials in the access instruction are inconsistent with those obtained from the server.
In some embodiments, the access purpose in the access instruction includes the network address the client requests access to and/or the file identification of the file the client requests access to.
For example, the client accesses the storage address of a file; if the client directly accesses http://download.pinganyun.com/image/, the server can detect the access instruction sent by the client.
In other embodiments, the client asks the server for access to the storage address of a file; for example, the client sends the server an access instruction that includes the storage address http://download.pinganyun.com/image/.
In still other embodiments, the client sends the server an access instruction that includes the identification of a file, for example an access instruction containing the file identification (uid) ca0aeab7360a9dc6a29a-2aae6c35c94…08b9ce91ee846ed.
Step S160: the server generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client.
According to the access purpose in the access instruction sent by the client, such as the storage address of the file and/or the file identification corresponding to the file, the server looks up the access code corresponding to that storage address and/or file identification, for example d6b0d82cea4269b51572b8fab43adcee9fc3cf9a.
In some embodiments, the characteristic information of the client in the access instruction the server obtains in step S150 includes the public key of the client. As shown in Fig. 3, step S160, in which the server generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, specifically comprises the following step:
Step S161: the server generates validating documents according to the access code corresponding to the access purpose and the public key of the client in the access instruction.
For example, the server calculates a hash value from the access code corresponding to the access purpose in the access instruction together with the public key of the client, and uses the calculated hash value as the validating documents for verifying whether the client may access the file.
Step S170: if the validating documents are consistent with the access credentials in the access instruction, the access instruction passes verification.
If the validating documents generated by the server are consistent with the access credentials in the access instruction, the access credentials in the access instruction really belong to the client or the corresponding account; the access instruction passes verification and the client can access the file, for example read, modify, move or delete it. If the validating documents generated by the server are inconsistent with the access credentials in the access instruction, the access credentials have been tampered with or forged; the access instruction fails verification and the server refuses the client access to the file.
Because the characteristic information of different clients, such as their public key certificates, differs, the access credentials for the same file differ from client to client, since the result of the hash calculation necessarily differs too. Even someone who has obtained another party's access credentials will find it difficult, when requesting data with them, to supply the characteristic information that corresponds to those access credentials, such as the public key certificate, so verification of the access credentials fails. For example, if a third party obtains another client's access credentials and initiates an access instruction with its own public key certificate attached, the validating documents the server recomputes will certainly not match the access credentials in the access instruction, because the public key used in the hash calculation is different.
The access credentials verification method provided by the above embodiment generates and verifies access credentials according to the access code corresponding to the file the client requests and the characteristic information of the client, which prevents the file from being accessed with stolen, tampered-with or forged access credentials. For example, a hash value calculated from the access code and the public key of the client is used as the client's access credentials; this prevents the access credentials of one client from still passing verification after being stolen by another client, guards against access credentials being revealed intentionally or unintentionally, and better protects the privacy of data.
In some embodiments, the access request the server obtains from the client in step S110 also includes the public key of the client. As shown in Fig. 4, after the server obtains the access request sent by the client in step S110 and before the server obtains the access code corresponding to the access purpose in step S120, the method further comprises the following step:
Step S101: the server verifies, according to the public key of the client in the access request, whether the client is legitimate.
For example, the server verifies whether the authority that issued the public key is trusted. If step S101 finds the client legitimate, step S120 is executed; if not, the subsequent steps are not executed.
In some embodiments, the access instruction the server obtains from the client in step S150 also includes the private key signature of the client. For example, the client signs the access instruction with its own private key certificate.
For example, the access instruction may be:
POST /v1/image/data HTTP/1.1
Accept: application/json
Content-Length: 676
Content-Type: application/json
Signature: 3ff7af79177cae……121825582eb8a4a11d

{
"image_uid":"ca0aeab7360a9dc6a29a-2aae6c35c94…08b9ce91ee846ed",
"access_key":"d6b0d82cea4269b51572b8fab43adcee9fc3cf9a",
"certificate":"tLS1CRUdJTiBDakNDQVVHZ0F3SUJBZ...=="
}
Here image_uid is the file identification of the file; access_key is the client's unique read credential for the file, that is, the access credentials; and certificate is the public key of the client. The header of the access instruction carries a Signature field, which indicates that the client has signed the request body (BODY) of the entire HTTP request, that is, the access instruction, with its own private key certificate.
For example, the server assigns a public key and a private key to the client; the public key represents the identity of the client and corresponds to a unique private key.
In some embodiments, as shown in Fig. 5, after the server obtains the access instruction sent by the client in step S150 and before the server generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client in step S160, the method further comprises the following step:
Step S102: the server verifies, according to the public key of the client in the access instruction, whether the private key signature is correct.
If it is correct, the access instruction has not been tampered with and the subsequent steps, such as step S160, can be carried out; if it is incorrect, access is refused and the subsequent steps are not executed.
Suppose a third party steals a client's legitimate access credentials and the public key of the client corresponding to those access credentials, initiates an access instruction with them, and signs it with its own private key. Because that private key signature does not match the public key in the access instruction, the access instruction cannot pass private key signature verification even though matching validating documents can be recomputed. This is because nobody's private key is disclosed, so the public key and private key used by the third party do not match.
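The order of checks in steps S102, S160 and S170, and the two stolen-credential cases discussed above, as an added Go example that is not part of the patent text. It assumes a raw Ed25519 public key in hex stands in for the client's public key certificate; the file uid, access code, key pairs and all function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed server-side record: file uid -> secret access code.
var accessCodes = map[string]string{"uid-example-0001": "constructed-access-code"}

var (
	ErrSignature  = errors.New("private key signature does not match the public key")
	ErrCredential = errors.New("validating documents differ from access credentials")
)

// Instruction is the JSON body of the access instruction shown on the page.
type Instruction struct {
	ImageUID    string `json:"image_uid"`
	AccessKey   string `json:"access_key"`
	Certificate string `json:"certificate"` // assumption: hex Ed25519 public key
}

// credential computes access_key = SHA1(access_code + certificate).
func credential(accessCode, certificate string) string {
	sum := sha1.Sum([]byte(accessCode + certificate))
	return hex.EncodeToString(sum[:])
}

// Issue is steps S120-S140: look up the access code and derive the credential.
func Issue(uid string, pub ed25519.PublicKey) (string, error) {
	code, ok := accessCodes[uid]
	if !ok {
		return "", errors.New("unknown file identification")
	}
	return credential(code, hex.EncodeToString(pub)), nil
}

// Sign is the client side: build the body and sign it with the private key.
func Sign(uid, accessKey string, pub ed25519.PublicKey, priv ed25519.PrivateKey) (body, sig []byte) {
	body, _ = json.Marshal(Instruction{ImageUID: uid, AccessKey: accessKey,
		Certificate: hex.EncodeToString(pub)})
	return body, ed25519.Sign(priv, body)
}

// Verify is steps S102, S160 and S170, in that order.
func Verify(body, sig []byte) error {
	var in Instruction
	if err := json.Unmarshal(body, &in); err != nil {
		return err
	}
	pub, err := hex.DecodeString(in.Certificate)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return ErrSignature
	}
	// S102: the signature over the body must verify under the key in that body.
	if !ed25519.Verify(ed25519.PublicKey(pub), body, sig) {
		return ErrSignature
	}
	code, ok := accessCodes[in.ImageUID]
	if !ok {
		return ErrCredential
	}
	// S160/S170: recompute the validating documents, compare in constant time.
	want := credential(code, in.Certificate)
	if subtle.ConstantTimeCompare([]byte(want), []byte(in.AccessKey)) != 1 {
		return ErrCredential
	}
	return nil
}

// keyPair derives a fixed, constructed key pair so the example is repeatable.
func keyPair(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = b
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	ownerPub, ownerPriv := keyPair(1)
	otherPub, otherPriv := keyPair(2)
	key, _ := Issue("uid-example-0001", ownerPub)
	body, sig := Sign("uid-example-0001", key, ownerPub, ownerPriv)
	fmt.Println("legitimate client:", Verify(body, sig))
	// Credential of one client presented with another client's own key pair.
	body, sig = Sign("uid-example-0001", key, otherPub, otherPriv)
	fmt.Println("other client's public key:", Verify(body, sig))
	// Credential and public key of one client, signed with a different private key.
	body, sig = Sign("uid-example-0001", key, ownerPub, otherPriv)
	fmt.Println("mismatched private key:", Verify(body, sig))
}
```

The second case fails only at the credential comparison and the third only at the signature check, which is why the scheme needs both.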
In other feasible embodiments, the characteristic information of the client includes the expired time of the client.
Specifically, the expired time corresponding to the client or account is saved in the server in advance or provided by the server. For example, the file owner and/or the server side agree in advance on the expired time for the client to store or use the file, and the server saves this information; or the server sets the client's expired time according to the service terms of the file owner or the client user, such as pay-per-use, monthly subscription or annual subscription.
For example, a file owner subscribes to a monthly service and deposits a file on the server for access by the owner or by others; the expired time of the client is then one month after the time of subscription. As another example, if the client user pays per use, the expired time of the client is the time at which that use expires.
In some feasible embodiments, as shown in Fig. 6, step S130, in which the server generates access credentials according to the access code and the characteristic information of the client, specifically comprises the following step:
Step S132: the server generates access credentials according to the access code and the expired time of the client.
For example, the server calculates a hash value from the access code corresponding to the file together with the expired time of the client, and uses the calculated hash value as the client's access credentials for the file.
Specifically, the server generates the access credentials access_key = SHA1(access_code + expire_time), where access_code is the access code of the file and expire_time is the expired time of the client. The access credentials generated by the server depend on both the access code access_code of the specific file the client requested and the expired time expire_time of the client, which prevents the client from accessing the file with an expired time that has been tampered with or forged.
In some embodiments, the access credentials verification method further comprises the following step: sending the expired time corresponding to the access credentials to the client.
For example, the client can show the expired time to the user in plain text, to draw the user's attention to the time during which the file can be accessed, for instance to prompt the user to renew payment in time.
In this embodiment, the characteristic information of the client in the access instruction the server obtains in step S150 includes the expired time expire_time sent by the client.
For example, the access instruction may be:
{
"image_uid":"ca0aeab7360a9dc6a29a-2aae6c35c94…08b9ce91ee846ed",
"access_key":"d6b0d82cea4269b51572b8fab43adcee9fc3cf9a",
"expire_time":"1538097133"
}
Here image_uid is the file identification of the file, access_key is the access credentials, and expire_time is the expired time of the client.
In this embodiment, as shown in Fig. 6, step S160, in which the server generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, specifically comprises the following step:
Step S162: the server generates validating documents according to the access code corresponding to the access purpose and the expired time of the client in the access instruction.
For example, the server calculates a hash value from the access code together with the expired time, and uses the calculated hash value as the validating documents for verifying the client's access to the file. If, in step S170, the validating documents are consistent with the access credentials in the access instruction, the access credentials in the access instruction really belong to the client or the corresponding account; the access instruction passes verification and the client can access the file, for example read, modify, move or delete it. If the generated validating documents are inconsistent with the access credentials in the access instruction, the access credentials have been tampered with or forged, or the expired time may have been tampered with; the access instruction fails verification and the server refuses the client access to the file.
The access credentials verification method provided by the above embodiment generates and verifies access credentials according to the access code corresponding to the file the client requests and the expired time of the client as characteristic information, which prevents the file from being accessed with stolen, tampered-with or forged access credentials. For example, if the expired time in the access credentials access_key has passed and the client tries to keep using the access credentials by modifying the expired time, then, because the client does not know the access code of the file, it cannot regenerate legitimate access credentials from the modified expired time and so cannot pass verification.
In some embodiments, as shown in fig. 7, step S150 server obtain client send access instruction it Afterwards, it is tested such as step S160 server according to the access corresponding access code of purpose and the generation of the characteristic information of the client It is further comprising the steps of before demonstrate,proving voucher:
Step S103, the expired time of server client according to the access instruction judges the access credentials It is whether expired.
If not out of date, step S160 is executed;If out of date, refuse the client and access this document, tested without generation Demonstrate,prove voucher.
In other feasible embodiments, the characteristic information of the client includes both the public key of the client and the expired time of the client.
As shown in Fig. 8, step S130, in which the server generates access credentials according to the access code and the characteristic information of the client, specifically includes the following step:
Step S133: the server generates the access credentials according to the access code and the public key and expired time of the client.
Illustratively, the server calculates a cryptographic hash from the access code access_code, the public key certificate of the client and the expired time expire_time together, and sends the calculated hash to the client as the access credentials of the client. This both prevents a forged client from accessing the file and prevents a client from accessing the file with a tampered or forged expired time.
Specifically, access_key=SHA1(access_code+certificate+expire_time).
As shown in Fig. 8, step S160, in which the server generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, specifically includes the following step:
Step S163: the server generates validating documents according to the access code corresponding to the access purpose and the public key and expired time of the client in the access instruction.
The access credentials verification method provided by the above embodiment generates and verifies the access credentials from the access code corresponding to the file requested by the client and two items of characteristic information, the public key and the expired time of the client, which prevents the file from being accessed with stolen, tampered or forged access credentials and gives higher security.
Referring to Fig. 9, Fig. 9 is a structural schematic diagram of an access credentials verification device provided by an embodiment of the application. The access credentials verification device can be configured in a server and is used to execute the aforementioned access credentials verification method.
As shown in Fig. 9, the access credentials verification device includes:
A first obtaining module 110, for obtaining the access request sent by the client, the access request including an access purpose.
Specifically, the access purpose includes the network address that the client requests to access and/or the file identification of the file that the client requests to access.
A second obtaining module 120, for obtaining the access code corresponding to the access purpose.
A first generation module 130, for generating access credentials according to the access code and the characteristic information of the client.
Specifically, the characteristic information of the client includes the public key of the client and/or the expired time of the client.
Specifically, the first generation module 130 generates the access credentials according to the access code and the public key of the client and/or the expired time of the client.
A sending module 140, for sending the generated access credentials to the client.
A third obtaining module 150, for obtaining the access instruction sent by the client, the access instruction including the access purpose, the characteristic information of the client and the access credentials.
A second generation module 160, for generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client.
Specifically, the characteristic information of the client includes the public key of the client and/or the expired time of the client.
Specifically, the second generation module 160 generates the validating documents according to the access code corresponding to the access purpose and the public key of the client in the access instruction and/or the expired time of the client in the access instruction.
An authentication module 170: if the validating documents are consistent with the access credentials in the access instruction, the access instruction passes verification.
In some possible embodiments, the access request sent by the client and obtained by the first obtaining module 110 further includes the public key of the client. As shown in Fig. 10, the access credentials verification device further includes:
A first authentication unit 101, for verifying whether the client is legal according to the public key of the client in the access request.
If it is legal, the second obtaining module 120 obtains the access code corresponding to the access purpose.
In some possible embodiments, the access instruction sent by the client and obtained by the third obtaining module 150 further includes the private key signature of the client. As shown in Fig. 10, the access credentials verification device further includes:
A second authentication unit 102, for verifying whether the private key signature is correct according to the public key of the client in the access instruction.
If it is correct, the second generation module 160 generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client.
In some possible embodiments, as shown in Fig. 11, the access credentials verification device further includes:
A third authentication unit 103, for judging whether the access credentials have expired according to the expired time of the client in the access instruction.
If they have not expired, the second generation module 160 generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client.
It should be noted that, as will be clear to those skilled in the art, for convenience and brevity of description, the specific working processes of the device and of each module and unit described above can refer to the corresponding processes in the foregoing method embodiments, and are not described again here.
The method and device of the application can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, etc.
Illustratively, the above method and device can be implemented in the form of a computer program, and the computer program can run on a computer equipment as shown in Fig. 12.
Referring to Fig. 12, Fig. 12 is a structural schematic diagram of a computer equipment provided by an embodiment of the application. The computer equipment can be a server.
Referring to Fig. 12, the computer equipment includes a processor, a memory and a network interface connected by a system bus, where the memory may include a non-volatile storage medium and an internal memory.
The non-volatile storage medium can store an operating system and a computer program. The computer program includes program instructions which, when executed, cause the processor to execute any one of the access credentials verification methods.
The processor provides computing and control capability and supports the operation of the entire computer equipment.
The internal memory provides an environment for running the computer program stored in the non-volatile storage medium; when the computer program is executed by the processor, it causes the processor to execute any one of the access credentials verification methods.
The network interface is used for network communication, such as sending assigned tasks. Those skilled in the art will understand that the structure shown in Fig. 12 is only a block diagram of the part of the structure relevant to the solution of the application and does not limit the computer equipment to which the solution is applied; a specific computer equipment may include more or fewer components than shown in the figure, combine certain components, or have a different component layout.
It should be understood that the processor can be a central processing unit (Central Processing Unit, CPU), and can also be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor can be a microprocessor or any conventional processor.
In one embodiment, the processor is used to run the computer program stored in the memory to implement the following steps:
Obtaining the access request sent by the client, the access request including an access purpose; obtaining the access code corresponding to the access purpose; generating access credentials according to the access code and the characteristic information of the client; sending the generated access credentials to the client; obtaining the access instruction sent by the client, the access instruction including the access purpose, the characteristic information of the client and the access credentials; generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client; if the validating documents are consistent with the access credentials in the access instruction, the access instruction passes verification.
In some embodiments, the access purpose includes the network address that the client requests to access and/or the file identification of the file that the client requests to access.
In some embodiments, the characteristic information of the client includes the public key of the client;
When generating access credentials according to the access code and the characteristic information of the client, the processor is used to implement:
Generating access credentials according to the access code and the public key of the client;
When generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, the processor is used to implement:
Generating validating documents according to the access code corresponding to the access purpose and the public key of the client in the access instruction.
In some embodiments, the access request further includes the public key of the client; before obtaining the access code corresponding to the access purpose, the processor is also used to implement:
Verifying whether the client is legal according to the public key of the client in the access request;
If it is legal, the processor obtains the access code corresponding to the access purpose.
In some embodiments, the access instruction further includes the private key signature of the client; before generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, the processor is also used to implement:
Verifying whether the private key signature is correct according to the public key of the client in the access instruction;
If it is correct, the processor generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client.
In some embodiments, the characteristic information of the client includes the expired time of the client; when generating access credentials according to the access code and the characteristic information of the client, the processor is used to implement:
Generating access credentials according to the access code and the expired time of the client;
When generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, the processor is used to implement:
Generating validating documents according to the access code corresponding to the access purpose and the expired time of the client in the access instruction.
In some embodiments, before generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, the processor is also used to implement:
Judging whether the access credentials have expired according to the expired time of the client in the access instruction;
If they have not expired, the processor generates validating documents according to the access code corresponding to the access purpose and the characteristic information of the client.
From the above description of the embodiments, those skilled in the art can clearly understand that the application can be implemented by means of software plus a necessary general hardware platform. Based on this understanding, the technical solution of the application in essence, or the part that contributes to the existing technology, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer equipment (which can be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments of the application or in certain parts of the embodiments, for example:
A computer readable storage medium, the computer readable storage medium storing a computer program, the computer program including program instructions; a processor executes the program instructions to implement any one of the access credentials verification methods provided by the embodiments of the application.
The computer readable storage medium can be an internal storage unit of the computer equipment described in the previous embodiment, such as the hard disk or memory of the computer equipment. The computer readable storage medium can also be an external storage device of the computer equipment, such as a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card or a flash card (Flash Card) equipped on the computer equipment.
The above is only a specific embodiment of the application, but the protection scope of the application is not limited thereto. Any person familiar with the technical field can readily think of various equivalent modifications or replacements within the technical scope disclosed by the application, and these modifications or replacements should all be covered by the protection scope of the application. Therefore, the protection scope of the application shall be subject to the protection scope of the claims.

Claims (10)

1. An access credentials verification method, characterized by comprising:
obtaining an access request sent by a client, the access request including an access purpose;
obtaining the access code corresponding to the access purpose;
generating access credentials according to the access code and the characteristic information of the client;
sending the generated access credentials to the client;
obtaining an access instruction sent by the client, the access instruction including the access purpose, the characteristic information of the client and the access credentials;
generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client;
if the validating documents are consistent with the access credentials in the access instruction, the access instruction passes verification.
2. The access credentials verification method as described in claim 1, characterized in that: the access purpose includes the network address that the client requests to access and/or the file identification of the file that the client requests to access.
3. The access credentials verification method as described in claim 1, characterized in that: the characteristic information of the client includes the public key of the client;
the generating access credentials according to the access code and the characteristic information of the client specifically includes:
generating access credentials according to the access code and the public key of the client;
the generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client specifically includes:
generating validating documents according to the access code corresponding to the access purpose and the public key of the client in the access instruction.
4. The access credentials verification method as claimed in claim 3, characterized in that: the access request further includes the public key of the client;
before the obtaining the access code corresponding to the access purpose, the method further includes:
verifying whether the client is legal according to the public key of the client in the access request;
if it is legal, obtaining the access code corresponding to the access purpose.
5. The access credentials verification method as claimed in claim 3, characterized in that: the access instruction further includes the private key signature of the client;
before the generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, the method further includes:
verifying whether the private key signature is correct according to the public key of the client in the access instruction;
if it is correct, generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client.
6. The access credentials verification method according to any one of claims 1 to 5, characterized in that: the characteristic information of the client includes the expired time of the client;
the generating access credentials according to the access code and the characteristic information of the client specifically includes:
generating access credentials according to the access code and the expired time of the client;
the generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client specifically includes:
generating validating documents according to the access code corresponding to the access purpose and the expired time of the client in the access instruction.
7. The access credentials verification method as claimed in claim 6, characterized in that, before the generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client, the method further includes:
judging whether the access credentials have expired according to the expired time of the client in the access instruction;
if they have not expired, generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client.
8. An access credentials verification device, characterized by comprising:
a first obtaining module, for obtaining an access request sent by a client, the access request including an access purpose;
a second obtaining module, for obtaining the access code corresponding to the access purpose;
a first generation module, for generating access credentials according to the access code and the characteristic information of the client;
a sending module, for sending the generated access credentials to the client;
a third obtaining module, for obtaining an access instruction sent by the client, the access instruction including the access purpose, the characteristic information of the client and the access credentials;
a second generation module, for generating validating documents according to the access code corresponding to the access purpose and the characteristic information of the client;
an authentication module: if the validating documents are consistent with the access credentials in the access instruction, the access instruction passes verification.
9. A computer equipment, characterized in that the computer equipment includes a memory and a processor;
the memory is used for storing a computer program;
the processor is used for executing the computer program and, when executing the computer program, implementing the access credentials verification method according to any one of claims 1-7.
10. A computer readable storage medium, the computer readable storage medium storing a computer program, characterized in that: if the computer program is executed by a processor, the access credentials verification method according to any one of claims 1-7 is implemented.
CN201910145579.3A 2019-02-27 2019-02-27 Access credentials verification method, device, computer equipment and storage medium Pending CN109992976A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910145579.3A CN109992976A (en) 2019-02-27 2019-02-27 Access credentials verification method, device, computer equipment and storage medium
PCT/CN2019/091903 WO2020173019A1 (en) 2019-02-27 2019-06-19 Access certificate verification method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN109992976A true CN109992976A (en) 2019-07-09

Family

ID=67130210

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910145579.3A Pending CN109992976A (en) 2019-02-27 2019-02-27 Access credentials verification method, device, computer equipment and storage medium

Country Status (2)

Country Link
CN (1) CN109992976A (en)
WO (1) WO2020173019A1 (en)


Publication number Publication date
WO2020173019A1 (en) 2020-09-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination