CN110008727B - Encryption sensitive parameter processing method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN110008727B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910282983.5A
Other languages
Chinese (zh)
Other versions
CN110008727A (en)
Inventor
全文举
曲成
林克
赵晓玮
梁策
李晖
吴东洋
熊悠雯
李洋懿
郑卓妮
罗逸倪
李菁
张丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The application relates to a processing method and device for encrypting sensitive parameters, computer equipment and a storage medium. The method comprises the following steps: receiving an encrypted sensitive parameter of a parameter service platform, and writing the encrypted sensitive parameter into a local memory of a client; decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters; performing service operation according to the decryption sensitive parameters; and when the business operation is finished, destroying the decryption sensitive parameters and the encryption sensitive parameters from a local memory of the client. By adopting the method, the sensitive parameters can be prevented from being leaked.

Description

Encryption sensitive parameter processing method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for processing encrypted sensitive parameters, a computer device, and a storage medium.
Background
RPA (Robotic Process Automation) is an automation software technology in which business processes are carried out by configuring automation software (also called "robots") to simulate the actions a human user would perform in a software system.
When automation software executes a business process, it often has to perform a series of automated operations in the business system using sensitive parameters held on the client. However, the client is frequently attacked and accessed illegally, so the sensitive parameters stored on the client are liable to be leaked and stolen.
Existing automation software is therefore prone to leaking sensitive parameters.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, an apparatus, a computer device, and a storage medium for processing encrypted sensitive parameters, which can avoid leakage of the sensitive parameters.
A method of processing encryption sensitive parameters, the method comprising:
receiving an encrypted sensitive parameter of a parameter service platform, and writing the encrypted sensitive parameter into a local memory of a client;
decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;
performing service operation according to the decryption sensitive parameters;
and when the business operation is finished, destroying the decryption sensitive parameters and the encryption sensitive parameters from a local memory of the client.
In one embodiment, the decryption sensitive parameter comprises at least one of a login account number, a login password and a webpage access address of a business system;
the business operation according to the decryption sensitive parameters comprises:
accessing the service system according to the webpage access address;
executing the simulated login operation of the robot; and the robot simulation login operation is used for logging in the service system by using the login account and the login password.
In one embodiment, the decrypting the encrypted sensitive parameter to obtain a decrypted sensitive parameter includes:
acquiring a password key acquisition request, and sending the password key acquisition request to the parameter service platform;
receiving a session encryption key for the password key acquisition request;
and decrypting the encrypted sensitive parameters by using the session encryption key to generate the decrypted sensitive parameters.
In one embodiment, the obtaining a password key obtaining request includes:
sending a password acquisition request to the parameter service platform;
receiving a user password for the password acquisition request;
and generating the password key acquisition request according to the user password.
In one embodiment, the receiving encryption sensitive parameters of the parameter service platform includes:
sending a parameter acquisition request to the parameter service platform; the parameter obtaining request is used for the parameter service platform to determine the user identity characteristics of the client; the user identity characteristic is used for the parameter service platform to determine encryption sensitive parameters aiming at the client;
receiving the encryption sensitive parameter for the parameter acquisition request.
A method of transmitting encryption sensitive parameters, the method comprising:
receiving a parameter acquisition request of a client;
generating encryption sensitive parameters aiming at the parameter acquisition request;
sending the encryption sensitive parameter; the encryption sensitive parameter is used for being received by the client and written into a local memory of the client; the encrypted sensitive parameters are also used for the client to decrypt to obtain decrypted sensitive parameters; the decryption sensitive parameter is used for the client to perform business operation; and when the business operation is finished, the client destroys the decryption sensitive parameters and the encryption sensitive parameters from the local memory.
In one embodiment, the generating encryption-sensitive parameters for the parameter acquisition request includes:
determining the user identity characteristics of the client according to the parameter acquisition request; the user identity characteristics comprise at least one of a user position grade, a user secret-related grade and a user job entry duration;
judging whether the client has a parameter use authority or not according to the user identity characteristics;
if so, inquiring the initial sensitive parameters aiming at the parameter acquisition request;
and acquiring a session encryption key, and encrypting the initial sensitive parameters by using the session encryption key to generate the encrypted sensitive parameters.
In one embodiment, the obtaining the session encryption key includes:
receiving a password key acquisition request of the client;
determining a user password according to the password key acquisition request;
inquiring whether the session encryption key exists in a preset key mapping table according to the user password;
if not, generating the session encryption key, and writing the session encryption key into the key mapping table;
and sending the session encryption key to the client.
In one embodiment, the querying for the initial sensitive parameters of the parameter obtaining request includes:
inquiring initial encryption parameters according to the parameter acquisition request;
and acquiring a platform key, and decrypting the initial encryption parameter by using the platform key to obtain the initial sensitive parameter.
A system for processing encrypted sensitive parameters, the system comprising: a client and a parameter service platform;
the client is used for sending a parameter acquisition request to the parameter service platform; the client side is also used for receiving the encrypted sensitive parameters of the parameter service platform and writing the encrypted sensitive parameters into a local memory of the client side; decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters; performing service operation according to the decryption sensitive parameters; when the business operation is finished, destroying the decryption sensitive parameters and the encryption sensitive parameters from a local memory of the client;
the parameter service platform is used for receiving a parameter acquisition request of the client; generating encryption sensitive parameters aiming at the parameter acquisition request; and sending the encryption sensitive parameters.
A processing apparatus for encrypting a sensitive parameter, the apparatus comprising:
the write-in module is used for receiving the encrypted sensitive parameters of the parameter service platform and writing the encrypted sensitive parameters into a local memory of the client;
the decryption module is used for decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;
the operation module is used for carrying out service operation according to the decryption sensitive parameters;
and the destroying module is used for destroying the decryption sensitive parameters and the encryption sensitive parameters from the local memory of the client when the business operation is finished.
An apparatus for transmitting encryption sensitive parameters, the apparatus comprising:
the receiving module is used for receiving a parameter acquisition request of a client;
the generating module is used for generating encryption sensitive parameters aiming at the parameter acquisition request;
the sending module is used for sending the encryption sensitive parameters; the encryption sensitive parameter is used for being received by the client and written into a local memory of the client; the encrypted sensitive parameters are also used for the client to decrypt to obtain decrypted sensitive parameters; the decryption sensitive parameter is used for the client to perform business operation; and when the business operation is finished, the client destroys the decryption sensitive parameters and the encryption sensitive parameters from the local memory.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
receiving an encrypted sensitive parameter of a parameter service platform, and writing the encrypted sensitive parameter into a local memory of a client;
decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;
performing service operation according to the decryption sensitive parameters;
and when the business operation is finished, destroying the decryption sensitive parameters and the encryption sensitive parameters from a local memory of the client.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
receiving a parameter acquisition request of a client;
generating encryption sensitive parameters aiming at the parameter acquisition request;
sending the encryption sensitive parameter; the encryption sensitive parameter is used for being received by the client and written into a local memory of the client; the encrypted sensitive parameters are also used for the client to decrypt to obtain decrypted sensitive parameters; the decryption sensitive parameter is used for the client to perform business operation; and when the business operation is finished, the client destroys the decryption sensitive parameters and the encryption sensitive parameters from the local memory.
According to the processing method and device for encrypted sensitive parameters, the computer equipment and the storage medium, the client receives the encrypted sensitive parameters from the parameter service platform and writes them into the local memory of the client; then it decrypts the encrypted sensitive parameters to obtain the decrypted sensitive parameters; finally it performs the business operation according to the decrypted sensitive parameters. When the business operation is completed, the decrypted sensitive parameters and the encrypted sensitive parameters are destroyed from the local memory of the client, so the sensitive parameters are not exposed to leakage through long-term storage on the client; unified control of the sensitive parameters is achieved through the parameter management platform, and leaking the sensitive parameters is made more difficult.
Drawings
FIG. 1 is a diagram of an application environment of a method for processing encryption sensitive parameters, according to an embodiment;
FIG. 2 is a flow diagram that illustrates a method for processing encrypted sensitive parameters, according to one embodiment;
FIG. 3 is a flow chart illustrating a method for sending encryption sensitive parameters according to another embodiment;
FIG. 4 is a block diagram of a processing device for encrypting sensitive parameters, according to an embodiment;
FIG. 5 is a block diagram of an apparatus for sending encrypted sensitive parameters according to another embodiment;
FIG. 6 is a timing diagram of a processing system for encrypting sensitive parameters in another embodiment;
FIG. 7 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The processing method for encrypted sensitive parameters can be applied to the application environment shown in fig. 1, in which the client 110 communicates with the parameter service platform 120 via a network. The client 110 may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer or portable wearable device, and the parameter service platform 120 may be implemented by an independent server or by a server cluster formed of a plurality of servers.
In one embodiment, as shown in fig. 2, a method for processing encryption-sensitive parameters is provided, which includes the following steps:
and step 210, receiving the encrypted sensitive parameters of the parameter service platform, and writing the encrypted sensitive parameters into a local memory of the client.
Sensitive parameters may refer to parameters related to personal privacy or trade secrets, among others.
An encrypted sensitive parameter refers to a sensitive parameter that has been encrypted with a specific key.
In a specific implementation, the client 110 may perform a series of automated operations in the business system by using the sensitive parameters. When the client 110 needs to use the sensitive parameters, the client 110 sends a parameter obtaining request to the parameter service platform 120. When the parameter service platform 120 receives the parameter obtaining request, the parameter service platform 120 searches the sensitive parameter corresponding to the parameter obtaining request from the parameter database, encrypts the sensitive parameter to generate an encrypted sensitive parameter, and sends the encrypted sensitive parameter to the client 110. Then, the client 110 receives the encrypted sensitive parameter of the parameter service platform, and writes the encrypted sensitive parameter into the local memory of the client 110 for further use by the client 110.
And step 220, decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters.
A decrypted sensitive parameter is the plaintext sensitive parameter recovered by decryption.
In a specific implementation, after the client 110 receives the encrypted sensitive parameter, the client 110 obtains a decryption key corresponding to the encrypted sensitive parameter according to the encrypted sensitive parameter, and decrypts the encrypted sensitive parameter by using the decryption key to obtain the decrypted sensitive parameter.
And step 230, performing business operation according to the decryption sensitive parameters.
The business operation may refer to an operation that needs to use a sensitive parameter for business processing.
In a specific implementation, after the client 110 decrypts the encrypted sensitive parameter and obtains the decrypted sensitive parameter, the client 110 performs a series of business operations, such as automatically logging in a financial system, automatically auditing financial information, and the like, according to the decrypted sensitive parameter.
And step 240, destroying the decryption sensitive parameters and the encryption sensitive parameters from the local memory of the client when the business operation is finished.
In a specific implementation, whether the business operation has finished is monitored in real time, and once it has finished the client 110 destroys the decrypted sensitive parameters and the encrypted sensitive parameters from local memory so as to avoid leakage. For example, the client 110 monitors whether the current business operation has finished by monitoring the running process of the system, and when it has finished the client 110 destroys the decrypted sensitive parameters and the encrypted sensitive parameters stored in local memory.
In this method for processing encrypted sensitive parameters, the client receives the encrypted sensitive parameters from the parameter service platform and writes them into the local memory of the client; then it decrypts the encrypted sensitive parameters to obtain the decrypted sensitive parameters; finally it performs the business operation according to the decrypted sensitive parameters. When the business operation is completed, the decrypted sensitive parameters and the encrypted sensitive parameters are destroyed from the local memory of the client, so the sensitive parameters are not exposed to leakage through long-term storage on the client; unified control of the sensitive parameters is achieved through the parameter management platform, and leaking the sensitive parameters is made more difficult.
In another embodiment, the decryption sensitive parameter comprises at least one of a login account number, a login password and a webpage access address of the business system; and performing business operation according to the decryption sensitive parameters, wherein the business operation comprises the following steps: accessing a service system according to the webpage access address; executing the simulated login operation of the robot; the robot simulates login operation and is used for logging in a business system by using a login account and a login password.
Wherein, a business system may refer to a system for processing financial businesses.
In a specific implementation, the decrypted sensitive parameter may include at least one of a login account, a login password, and a webpage access address of the service system. When the client 110 performs a service operation according to the decrypted sensitive parameter, the client 110 invokes a web browser to open the webpage access address of the service system and thereby accesses the service system. The client 110 then performs the robot simulated login operation. The robot simulated login operation may be an automatic login script written on the basis of Selenium WebDriver (a browser automation testing framework). When the client 110 executes the robot simulated login operation, the automatic login script is started; the script automatically fills the login account and the login password into the corresponding entry fields so that the service system authenticates the user and logs the user in, after which the service operation is completed.
According to the technical scheme of this embodiment, when the business operation is performed according to the decrypted sensitive parameters, the client accesses the business system according to the webpage access address and executes the robot simulated login operation, so that automatic login to the business system is realized while the security of the sensitive parameters is preserved.
In another embodiment, decrypting the encryption sensitive parameter to obtain a decryption sensitive parameter comprises: acquiring a password key acquisition request, and sending the password key acquisition request to a parameter service platform; receiving a session encryption key for a password key acquisition request; and decrypting the encrypted sensitive parameters by using the session encryption key to generate decrypted sensitive parameters.
The password key acquisition request may refer to a request for acquiring a key having password information.
The session encryption key may refer to an encryption key that is valid in a session period in which the current client and the parameter service platform are located.
In practical application, the parameter service platform encrypts the sensitive parameter by using the session encryption key to generate an encrypted sensitive parameter.
In a specific implementation, when the client 110 decrypts the encrypted sensitive parameter, the client 110 obtains a password key obtaining request according to a current user password; the client 110 then sends the password key acquisition request to the parameter service platform 120. After the parameter service platform 120 receives the password key acquisition request, the parameter service platform 120 queries a session encryption key corresponding to the encryption sensitive parameter according to the password key acquisition request, wherein the session encryption key only takes effect in a session period in which the current client and the parameter service platform are located; the session encryption key is then sent to the client 110. After receiving the session encryption key, the client 110 decrypts the encrypted sensitive parameter using the session encryption key to generate a decrypted sensitive parameter.
According to the technical scheme of this embodiment, a session encryption key that is valid only for the session period of the current client and the parameter service platform is used to encrypt and decrypt the sensitive parameter, so the security of the communication session between the client and the parameter service platform is guaranteed and the sensitive parameter is protected from leakage through hijacking and cracking by attackers.
In another embodiment, obtaining a password key acquisition request includes: sending a password acquisition request to a parameter service platform; receiving a user password for a password acquisition request; and generating a password key acquisition request according to the user password.
The user password may refer to a temporary authentication token for the client user.
In a specific implementation, when a user successfully logs in the client 110, the client 110 sends a password obtaining request to the parameter service platform 120; after the parameter service platform 120 receives the password obtaining request, the parameter service platform 120 generates a user password, wherein the user password may be composed of an identity unique to the user, a timestamp of the current time, and a signature. The parameter service platform 120 then sends the user password to the client 110. The client 110 receives a user password for the password acquisition request. The client 110 may also generate a password key acquisition request based on the user password.
According to the technical scheme of this embodiment, the client sends a password acquisition request to the parameter service platform, receives a user password for the password acquisition request, and then generates a password key acquisition request according to the user password. The parameter service platform can determine the user password corresponding to the current client from the password key acquisition request and look up the corresponding session encryption key according to the user password, which improves the security with which the parameter management platform manages and controls sensitive parameters.
In another embodiment, receiving encryption sensitive parameters of a parameter service platform includes: sending a parameter acquisition request to a parameter service platform; the parameter obtaining request is used for the parameter service platform to determine the user identity characteristics of the client; the user identity characteristic is used for the parameter service platform to determine an encryption sensitive parameter aiming at the client; an encryption sensitive parameter for a parameter acquisition request is received.
In a specific implementation, after the client 110 sends a parameter obtaining request to the parameter service platform 120, the parameter service platform 120 determines, according to the parameter obtaining request, user identity characteristics of a user using the client 110, such as a user name, a user position level, a user privacy level, and a user job entry duration. Then, the parameter service platform 120 determines the encryption sensitive parameters for the user using the current client 110 according to the user identity characteristics, and sends the encryption sensitive parameters to the client 110 for the client 110 to receive.
For example, when the user of the client 110 has a low secret-related grade, all of the parameters to be sent to the client 110 by the parameter management platform 120 are sensitive parameters, so the parameter management platform 120 encrypts all of them to obtain the encrypted sensitive parameters. When the user of the client 110 has a higher secret-related grade, only some of the parameters to be sent to the client 110 by the parameter management platform 120 are sensitive parameters, so the parameter management platform 120 encrypts only those parameters to obtain the encrypted sensitive parameters.
According to the technical scheme of this embodiment, the user identity characteristics are determined from the parameter acquisition request sent by the client, and the sensitive parameters are selectively encrypted according to the user identity characteristics, which improves the efficiency with which the client acquires the encrypted sensitive parameters.
In one embodiment, as shown in fig. 3, a method for sending encryption sensitive parameters is provided, which includes the following steps:
step 310, receiving a parameter obtaining request of the client.
The parameter obtaining request may refer to a request for obtaining a sensitive parameter.
In a specific implementation, the client 110 may perform a series of automated operations in the business system by using the sensitive parameters. When the client 110 needs to use the sensitive parameters, the client 110 sends a parameter obtaining request to the parameter service platform 120. The parameter service platform 120 receives a parameter obtaining request sent by the client terminal 110.
Step 320: generating encrypted sensitive parameters for the parameter acquisition request.
In a specific implementation, after receiving the parameter acquisition request, the parameter service platform 120 looks up the sensitive parameter that corresponds to the request in the parameter database and encrypts it to produce the encrypted sensitive parameter.
Step 330: sending the encrypted sensitive parameters. The encrypted sensitive parameters are received by the client and written into the client's local memory; the client decrypts them to obtain the decrypted sensitive parameters, which it uses to perform the business operation; when the business operation is finished, the client destroys both the decrypted and the encrypted sensitive parameters from its local memory.
In a specific implementation, after generating the encrypted sensitive parameters, the parameter service platform 120 sends them to the client 110. The client 110 receives them and writes them into its local memory. The client 110 then obtains the decryption key that corresponds to the encrypted sensitive parameters and uses it to decrypt them, obtaining the decrypted sensitive parameters.
The client 110 then performs a business operation with the decrypted sensitive parameters, for example a sequence of operations such as automatically logging in to a financial system and automatically auditing financial information. When the business operation is completed, the client 110 destroys the decrypted and the encrypted sensitive parameters held in its local memory.
In this method for sending encrypted sensitive parameters, the client receives the encrypted sensitive parameters from the parameter service platform and writes them into its local memory; it then decrypts them to obtain the decrypted sensitive parameters and performs the business operation with them; when the business operation is completed, both the decrypted and the encrypted sensitive parameters are destroyed from the client's local memory. The sensitive parameters are therefore never stored on the client for long, which removes an easy leakage path, and the parameter service platform exercises unified control over them, which further raises the difficulty of leaking them.
In another embodiment, generating the encrypted sensitive parameters for the parameter acquisition request comprises: determining the user identity characteristics of the client from the parameter acquisition request, the user identity characteristics comprising at least one of the user position grade, the user secret-related grade and the user job entry duration; judging from the user identity characteristics whether the client has permission to use the parameter; if so, querying the initial sensitive parameters for the parameter acquisition request; and obtaining a session encryption key and encrypting the initial sensitive parameters with it to generate the encrypted sensitive parameters.
The initial sensitive parameter is the sensitive parameter in plaintext, that is, before it has been encrypted with any key.
In a specific implementation, when generating the encrypted sensitive parameters for the parameter acquisition request, the parameter service platform 120 first determines from the request the user identity characteristics of the user currently using the client 110, where the user identity characteristics comprise at least one of the user position grade, the user secret-related grade and the user job entry duration. The parameter service platform 120 then judges from these characteristics whether the client has permission to use the parameter. When the client 110 has permission, the parameter service platform 120 queries the initial sensitive parameters in the server database according to the parameter acquisition request and the user identity characteristics, and obtains a session encryption key, which is valid only for the session in which the current client and the parameter service platform are engaged. The parameter service platform 120 then encrypts the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters. When the client 110 does not have permission, the parameter service platform 120 returns a parameter acquisition error message to the client 110.
In this embodiment, the parameter service platform determines the user identity characteristics of the client from the parameter acquisition request, judges from them whether the client has permission to use the parameter, and sends the encrypted sensitive parameter only when it does. Verifying that the user behind the client is permitted to use the parameter raises the security of the parameter service platform's control over sensitive parameters.
In another embodiment, obtaining the session encryption key comprises: receiving a password key acquisition request from the client; determining the user password from the password key acquisition request; querying, by the user password, whether a session encryption key exists in a preset key mapping table; if not, generating a session encryption key and writing it into the key mapping table; and sending the session encryption key to the client.
The key mapping table is a data table built from the mapping between user passwords and session encryption keys.
In practical applications, the parameter service platform 120 stores session encryption keys in (token, key) form in an in-memory mapping table on the parameter service platform 120 server, and that server manages the validity period of each session encryption key.
In a specific implementation, to obtain the session encryption key the parameter service platform 120 receives a password key acquisition request from the client and determines from it the user password of the current client 110; the user password may consist of the user's unique identity, a timestamp of the current time and a signature. The parameter service platform 120 then queries, by the user password, whether a session encryption key exists in the preset key mapping table.
When no session encryption key is found in the preset key mapping table, the parameter service platform 120 generates one, writes it into the key mapping table and finally sends it to the client 110.
When the session encryption key is found in the preset key mapping table, the parameter service platform 120 sends it to the client 110 directly. When a session encryption key has expired, the parameter service platform 120 regenerates it and writes the new key into the key mapping table.
In this embodiment, the sensitive parameter is encrypted and decrypted with a session encryption key that is valid only for the session between the current client and the parameter service platform, which protects the communication session between them and prevents the sensitive parameter from being leaked through interception and cracking by attackers.
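The key-mapping logic of the embodiment above, as an added example that is not part of the patent text: a platform-side service that issues the user password (token) at login as user identity, timestamp and signature, verifies it on every request, and keeps the (token, session key) table with a managed validity period. The HMAC-SHA256 signature, the one-hour token lifetime, the ten-minute session-key lifetime, the clock-skew allowance and the class and method names are assumptions; the page names no algorithm or lifetimes. Delivery of the session key to the client is assumed to run over an authenticated transport, which the page does not specify.

```python
"""Token-keyed session-key table, modelled on the page's (token, key) mapping table.

Added example, not the patent's code. Assumed: the token ("user password") is
user_id|timestamp|signature with an HMAC-SHA256 signature under a platform
secret, a 1-hour token lifetime and a 10-minute session-key lifetime.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_S = 3600        # assumed token validity window
SESSION_KEY_TTL_S = 600   # assumed session-key validity period
CLOCK_SKEW_S = 60         # assumed tolerance for a timestamp slightly in the future


class SessionKeyService:
    def __init__(self, platform_secret: bytes):
        self._secret = platform_secret
        # key mapping table: token -> (session key, expiry time)
        self._key_table: Dict[str, Tuple[bytes, float]] = {}

    def _sign(self, body: str) -> str:
        return hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, user_id: str, now: Optional[float] = None) -> str:
        """Issued at login: unique user identity, current timestamp, signature.
        user_id must not contain '|' (the field separator)."""
        ts = int(time.time() if now is None else now)
        body = f"{user_id}|{ts}"
        return f"{body}|{self._sign(body)}"

    def verify_token(self, token: str, now: Optional[float] = None) -> str:
        """Return the user identity for a genuine, unexpired token; raise ValueError otherwise."""
        now = time.time() if now is None else now
        try:
            user_id, ts_str, sig = token.split("|")
            ts = int(ts_str)
        except ValueError:
            raise ValueError("malformed token") from None
        # Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(sig, self._sign(f"{user_id}|{ts}")):
            raise ValueError("bad token signature")
        if now - ts > TOKEN_TTL_S or ts - now > CLOCK_SKEW_S:
            raise ValueError("token expired or from the future")
        return user_id

    def get_session_key(self, token: str, now: Optional[float] = None) -> bytes:
        """Look the token up; reuse a live key, otherwise generate, record and return a new one."""
        now = time.time() if now is None else now
        self.verify_token(token, now)            # a bad token never reaches the table
        entry = self._key_table.get(token)
        if entry is not None and entry[1] > now:
            return entry[0]                      # existing, unexpired session key
        key = secrets.token_bytes(32)            # expired or absent: regenerate
        self._key_table[token] = (key, now + SESSION_KEY_TTL_S)
        return key

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping for the validity period the platform manages; returns entries removed."""
        now = time.time() if now is None else now
        dead = [t for t, (_, exp) in self._key_table.items() if exp <= now]
        for t in dead:
            del self._key_table[t]
        return len(dead)
```

The table is keyed by the full token, so a forged or expired token is rejected before any lookup; reusing a live key keeps the client and platform in step, and regenerating after expiry matches the behaviour the text describes for an expired key.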
In another embodiment, querying the initial sensitive parameters for the parameter acquisition request comprises: querying the initial encryption parameters according to the parameter acquisition request; and obtaining a platform key and decrypting the initial encryption parameters with it to obtain the initial sensitive parameters.
The platform key is an encryption key used only by the parameter service platform.
The initial encryption parameter is the initial sensitive parameter encrypted with the platform key.
In a specific implementation, the server database of the parameter service platform 120 stores in advance the initial sensitive parameters encrypted with the platform key, that is, the initial encryption parameters. To query the initial sensitive parameters for the parameter acquisition request, the parameter service platform 120 first queries the initial encryption parameters in its server database according to the request, then obtains the platform key and decrypts the initial encryption parameters with it to obtain the initial sensitive parameters.
In this embodiment, the initial encryption parameters, encrypted with the platform key, are stored in the server database in advance, and when a client needs the sensitive parameters the platform key is used to decrypt them into the initial sensitive parameters. The parameter service platform thus stores sensitive parameters in encrypted form, which raises the security of its management and storage of them.
It should be understood that although the steps in the flowcharts of fig. 2 and 3 are shown in the order indicated by the arrows, they are not necessarily performed in that order; unless explicitly stated otherwise, there is no strict ordering constraint and the steps may be performed in other orders. Moreover, at least some of the steps in fig. 2 and 3 may comprise several sub-steps or stages that need not be performed at the same time but may be performed at different times, and those sub-steps or stages need not be performed sequentially but may alternate with other steps or with sub-steps or stages of other steps.
In one embodiment, there is provided a processing system for encrypting sensitive parameters, the system comprising: a client and a parameter service platform;
the client is used for sending a parameter acquisition request to the parameter service platform; the client side is also used for receiving the encrypted sensitive parameters of the parameter service platform and writing the encrypted sensitive parameters into a local memory of the client side; decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters; performing business operation according to the decrypted sensitive parameters; when the business operation is completed, destroying the decryption sensitive parameters and the encryption sensitive parameters from the local memory of the client;
the parameter service platform is used for receiving a parameter acquisition request of the client; generating encryption sensitive parameters aiming at the parameter acquisition request; the encryption sensitive parameters are sent.
For the specific limitation of the processing system for an encryption-sensitive parameter, reference may be made to the above limitation on the processing method for an encryption-sensitive parameter, and details are not described here.
In one embodiment, as shown in fig. 4, there is provided a processing apparatus for encrypting a sensitive parameter, including:
a write-in module 410, configured to receive an encrypted sensitive parameter of a parameter service platform, and write the encrypted sensitive parameter into a local memory of a client;
the decryption module 420 is configured to decrypt the encrypted sensitive parameter to obtain a decrypted sensitive parameter;
an operation module 430, configured to perform a service operation according to the decryption sensitive parameter;
a destroying module 440, configured to destroy the decryption sensitive parameter and the encryption sensitive parameter from the local memory of the client when the service operation is completed.
In one embodiment, the decrypted sensitive parameter comprises at least one of a login account, a login password and a web access address of a business system; the operation module 430 comprises: an access submodule for accessing the business system via the web access address; and a login submodule for performing a robotic simulated login, which logs in to the business system with the login account and the login password.
In one embodiment, the decryption module 420 includes: the request acquisition submodule is used for acquiring a password key acquisition request and sending the password key acquisition request to the parameter service platform; a key receiving submodule, configured to receive a session encryption key for the password key acquisition request; and the decryption submodule is used for decrypting the encrypted sensitive parameters by using the session encryption key to generate the decrypted sensitive parameters.
In an embodiment, the request obtaining sub-module includes: the sending unit is used for sending a password acquisition request to the parameter service platform; a receiving unit configured to receive a user password for the password acquisition request; and the generating unit is used for generating the password key acquisition request according to the user password.
In one embodiment, the writing module 410 includes: the sending submodule is used for sending a parameter obtaining request to the parameter service platform; the parameter obtaining request is used for the parameter service platform to determine the user identity characteristics of the client; the user identity characteristic is used for the parameter service platform to determine encryption sensitive parameters aiming at the client; and the parameter receiving submodule is used for receiving the encryption sensitive parameters aiming at the parameter acquisition request.
For the specific definition of the processing apparatus for an encryption sensitive parameter, refer to the above definition of the processing method for an encryption sensitive parameter, which is not described herein again. The modules in the processing device for encrypting the sensitive parameters can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, as shown in fig. 5, there is provided a transmission apparatus for encrypting a sensitive parameter, including:
a receiving module 510, configured to receive a parameter obtaining request of a client;
a generating module 520, configured to generate an encryption sensitive parameter for the parameter obtaining request;
a sending module 530, configured to send the encryption sensitive parameter; the encryption sensitive parameter is used for being received by the client and written into a local memory of the client; the encrypted sensitive parameters are also used for the client to decrypt to obtain decrypted sensitive parameters; the decryption sensitive parameter is used for the client to perform business operation; and when the business operation is finished, the client destroys the decryption sensitive parameters and the encryption sensitive parameters from the local memory.
In one embodiment, the generating module 520 comprises: a determining submodule for determining the user identity characteristics of the client from the parameter acquisition request, the user identity characteristics comprising at least one of the user position grade, the user secret-related grade and the user job entry duration; a judging submodule for judging from the user identity characteristics whether the client has permission to use the parameter; a query submodule for querying, if so, the initial sensitive parameters for the parameter acquisition request; and an obtaining submodule for obtaining a session encryption key and encrypting the initial sensitive parameters with it to generate the encrypted sensitive parameters.
In an embodiment, the obtaining submodule comprises: a receiving unit for receiving a password key acquisition request from the client; a determining unit for determining the user password from the password key acquisition request; a first query unit for querying, by the user password, whether the session encryption key exists in a preset key mapping table; a writing unit for generating the session encryption key if it is not found and writing it into the key mapping table; and a sending unit for sending the session encryption key to the client.
In one embodiment, the query submodule includes: the second query unit is used for querying the initial encryption parameters according to the parameter acquisition request; and the key acquisition unit is used for acquiring a platform key and decrypting the initial encryption parameter by using the platform key to obtain the initial sensitive parameter.
For the specific limitations of the sending apparatus for encrypted sensitive parameters, refer to the limitations on the method for sending encrypted sensitive parameters above, which are not repeated here. The modules of the sending apparatus for encrypted sensitive parameters can be implemented wholly or partly in software, hardware or a combination of the two. The modules may be embedded in hardware in or independent of the processor of the computer device, or stored in software form in the memory of the computer device so that the processor can call them and execute the corresponding operations.
In one embodiment, to aid understanding by those skilled in the art, a sequence diagram of the processing system for encrypted sensitive parameters is provided, as shown in FIG. 6:
when a user logs into the client 110, the parameter service platform 120 generates a user password (token) and returns the user password to the client 110.
When the client 110 requests the session encryption key from the parameter service platform 120, the parameter service platform 120 queries whether a valid session encryption key exists according to the user password. If the session encryption key does not exist or is expired, the parameter service platform 120 generates the session encryption key and writes the session encryption key into the key mapping table; finally, the session encryption key is sent to the client 110.
When the client 110 requests sensitive parameters from the parameter service platform 120, the parameter service platform 120 judges whether the client has permission to use the parameter. If it does, the parameter service platform 120 queries the initial encryption parameter in its server database according to the parameter acquisition request, then obtains the platform key and decrypts the initial encryption parameter with it to obtain the initial sensitive parameter. The parameter service platform 120 then encrypts the initial sensitive parameter with the session encryption key to generate the encrypted sensitive parameter.
When the client 110 does not have the parameter usage right, the parameter service platform 120 returns a parameter obtaining error message to the client 110.
The parameter service platform 120 sends the encryption sensitive parameters to the client 110. The client 110 receives the encrypted sensitive parameters of the parameter service platform, and writes the encrypted sensitive parameters into the local memory of the client 110. Then, the client 110 obtains a decryption key corresponding to the encrypted sensitive parameter according to the encrypted sensitive parameter, and decrypts the encrypted sensitive parameter by using the decryption key to obtain the decrypted sensitive parameter.
Then, the client 110 performs a business operation according to the decrypted sensitive parameter, for example, a series of business operations such as automatically logging in a financial system, automatically auditing financial information, and the like are performed. When the business operation is completed, the client 110 destroys the decryption sensitive parameter and the encryption sensitive parameter stored in the local memory.
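The exchange of the sequence diagram above, together with the permission check, the platform-key envelope and the client-side use-then-destroy steps described in the earlier embodiments, as an added example that is not the patent's code. It uses only the Python standard library: seal/unseal is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a stand-in for a real AEAD such as AES-GCM (the page names no cipher). The permission policy (a required secret-related grade plus 90 days of service), the parameter name, the business-system URL, the robot credentials and the users are constructed for the demo, and the session key is taken as already established by the key-exchange step.

```python
"""Platform-key envelope, permission check and client use-then-destroy. Added example,
not the patent's code; the HMAC-SHA256 cipher is a stand-in for AES-GCM."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce(16) || ciphertext || tag(32); fresh random nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any tampering."""
    if len(blob) < 48:
        raise ValueError("truncated ciphertext")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def zeroize(buf: bytearray) -> None:
    """Step 240: overwrite a mutable buffer in place (immutable copies cannot be erased)."""
    buf[:] = bytes(len(buf))

class ParameterServicePlatform:
    MIN_TENURE_DAYS = 90  # assumed policy: required secret-related grade plus 90 days of service

    def __init__(self, platform_key: bytes, users: Dict[str, Dict[str, int]]):
        self._platform_key = platform_key   # never leaves the platform
        self._users = users                 # user id -> identity characteristics
        self._db: Dict[str, bytes] = {}     # name -> initial encryption parameter
        self._required: Dict[str, int] = {}

    def store(self, name: str, value: bytes, required_grade: int) -> None:
        self._db[name] = seal(self._platform_key, value)   # encrypted at rest
        self._required[name] = required_grade

    def has_permission(self, user_id: str, name: str) -> bool:
        u = self._users.get(user_id)
        return (u is not None and name in self._db
                and u["secrecy_grade"] >= self._required[name]
                and u["tenure_days"] >= self.MIN_TENURE_DAYS)

    def fetch(self, user_id: str, name: str, session_key: bytes) -> bytes:
        """Step 320: permission check, unwrap with the platform key, rewrap with the session key."""
        if not self.has_permission(user_id, name):
            raise PermissionError("parameter acquisition error")
        return seal(session_key, unseal(self._platform_key, self._db[name]))

class Client:
    def __init__(self, session_key: bytes):
        self._session_key = session_key
        self._local_memory: List[bytearray] = []

    def run(self, platform: ParameterServicePlatform, user_id: str, name: str,
            business_op: Callable[[bytearray], bool]) -> bool:
        encrypted = bytearray(platform.fetch(user_id, name, self._session_key))  # step 210
        self._local_memory.append(encrypted)
        decrypted = bytearray(unseal(self._session_key, bytes(encrypted)))       # step 220
        self._local_memory.append(decrypted)
        try:
            return business_op(decrypted)                                        # step 230
        finally:
            for buf in self._local_memory:                                       # step 240
                zeroize(buf)
            self._local_memory.clear()

    def local_memory_empty(self) -> bool:
        return not self._local_memory

# Constructed business system, robot credentials and users for the demo.
FAKE_SYSTEM = {"url": "https://finance.example.internal", "account": "robot01", "password": "pw-demo-1"}
USERS = {"alice": {"secrecy_grade": 3, "tenure_days": 400},
         "bob": {"secrecy_grade": 1, "tenure_days": 400}}   # bob: grade too low

def simulated_robot_login(decrypted: bytearray) -> bool:
    url, account, password = bytes(decrypted).decode().split("\n")
    return (url, account, password) == tuple(FAKE_SYSTEM.values())

def demo(user_id: str = "alice") -> bool:
    platform = ParameterServicePlatform(secrets.token_bytes(32), USERS)
    platform.store("finance-login", "\n".join(FAKE_SYSTEM.values()).encode(), required_grade=2)
    session_key = secrets.token_bytes(32)   # assumed established by the key-exchange step
    client = Client(session_key)
    return client.run(platform, user_id, "finance-login", simulated_robot_login) and client.local_memory_empty()
```

What the code shows that the prose does not: the platform key is used only inside fetch, so the client ever sees only the ciphertext rewrapped under its session key; a tampered ciphertext fails the tag check before any plaintext is produced; and the client keeps both the encrypted and the decrypted parameter in bytearrays so that step 240 can overwrite them in place. CPython cannot erase the immutable str or bytes copies that the business operation makes from the buffer, so anything that must not linger should be consumed from the mutable buffer directly.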
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 7. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing encryption sensitive parameters and decryption sensitive parameter data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of processing an encryption sensitive parameter and a method of transmitting an encryption sensitive parameter.
Those skilled in the art will appreciate that the architecture shown in fig. 7 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
step 210, receiving an encrypted sensitive parameter of a parameter service platform, and writing the encrypted sensitive parameter into a local memory of a client;
step 220, decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;
step 230, performing service operation according to the decryption sensitive parameters;
step 240, when the business operation is completed, destroying the decryption sensitive parameter and the encryption sensitive parameter from the local memory of the client.
In one embodiment, the processor, when executing the computer program, further performs the following steps: accessing the business system via the web access address; and performing a robotic simulated login, which logs in to the business system with the login account and the login password.
In one embodiment, the processor, when executing the computer program, further performs the steps of: acquiring a password key acquisition request, and sending the password key acquisition request to the parameter service platform; receiving a session encryption key for the password key acquisition request; and decrypting the encrypted sensitive parameters by using the session encryption key to generate the decrypted sensitive parameters.
In one embodiment, the processor, when executing the computer program, further performs the steps of: sending a password acquisition request to the parameter service platform; receiving a user password for the password acquisition request; and generating the password key acquisition request according to the user password.
In one embodiment, the processor, when executing the computer program, further performs the steps of: sending a parameter acquisition request to the parameter service platform; the parameter obtaining request is used for the parameter service platform to determine the user identity characteristics of the client; the user identity characteristic is used for the parameter service platform to determine encryption sensitive parameters aiming at the client; receiving the encryption sensitive parameter for the parameter acquisition request.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
step 210, receiving an encrypted sensitive parameter of a parameter service platform, and writing the encrypted sensitive parameter into a local memory of a client;
step 220, decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;
step 230, performing service operation according to the decryption sensitive parameters;
step 240, when the business operation is completed, destroying the decryption sensitive parameter and the encryption sensitive parameter from the local memory of the client.
In one embodiment, the computer program, when executed by the processor, further performs the following steps: accessing the business system via the web access address; and performing a robotic simulated login, which logs in to the business system with the login account and the login password.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring a password key acquisition request, and sending the password key acquisition request to the parameter service platform; receiving a session encryption key for the password key acquisition request; and decrypting the encrypted sensitive parameters by using the session encryption key to generate the decrypted sensitive parameters.
In one embodiment, the computer program when executed by the processor further performs the steps of: sending a password acquisition request to the parameter service platform; receiving a user password for the password acquisition request; and generating the password key acquisition request according to the user password.
In one embodiment, the computer program when executed by the processor further performs the steps of: sending a parameter acquisition request to the parameter service platform; the parameter obtaining request is used for the parameter service platform to determine the user identity characteristics of the client; the user identity characteristic is used for the parameter service platform to determine encryption sensitive parameters aiming at the client; receiving the encryption sensitive parameter for the parameter acquisition request.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
step 310, receiving a parameter acquisition request of a client;
step 320, generating an encryption sensitive parameter aiming at the parameter acquisition request;
step 330, sending the encryption sensitive parameters; the encryption sensitive parameter is used for being received by the client and written into a local memory of the client; the encrypted sensitive parameters are also used for the client to decrypt to obtain decrypted sensitive parameters; the decryption sensitive parameter is used for the client to perform business operation; and when the business operation is finished, the client destroys the decryption sensitive parameters and the encryption sensitive parameters from the local memory.
In one embodiment, the processor, when executing the computer program, further performs the steps of: determining the user identity characteristics of the client according to the parameter acquisition request; the user identity characteristics comprise at least one of a user position grade, a user secret-related grade and a user job entry duration; judging whether the client has a parameter use authority or not according to the user identity characteristics; if so, inquiring the initial sensitive parameters aiming at the parameter acquisition request; and acquiring a session encryption key, and encrypting the initial sensitive parameters by using the session encryption key to generate the encrypted sensitive parameters.
In one embodiment, the processor, when executing the computer program, further performs the steps of: receiving a password key acquisition request of the client; determining a user password according to the password key acquisition request; inquiring whether the session encryption key exists in a preset key mapping table according to the user password; if not, generating the session encryption key, and writing the session encryption key into the key mapping table; and sending the session encryption key to the client.
In one embodiment, the processor, when executing the computer program, further performs the steps of: inquiring initial encryption parameters according to the parameter acquisition request; and acquiring a platform key, and decrypting the initial encryption parameter by using the platform key to obtain the initial sensitive parameter.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
step 310, receiving a parameter acquisition request of a client;
step 320, generating an encryption sensitive parameter aiming at the parameter acquisition request;
step 330, sending the encryption sensitive parameters; the encryption sensitive parameter is used for being received by the client and written into a local memory of the client; the encrypted sensitive parameters are also used for the client to decrypt to obtain decrypted sensitive parameters; the decryption sensitive parameter is used for the client to perform business operation; and when the business operation is finished, the client destroys the decryption sensitive parameters and the encryption sensitive parameters from the local memory.
In one embodiment, the computer program when executed by the processor further performs the steps of: determining the user identity characteristics of the client according to the parameter acquisition request; the user identity characteristics comprise at least one of a user position grade, a user secret-related grade and a user job entry duration; judging whether the client has a parameter use authority or not according to the user identity characteristics; if so, inquiring the initial sensitive parameters aiming at the parameter acquisition request; and acquiring a session encryption key, and encrypting the initial sensitive parameters by using the session encryption key to generate the encrypted sensitive parameters.
In one embodiment, the computer program when executed by the processor further performs the steps of: receiving a password key acquisition request of the client; determining a user password according to the password key acquisition request; inquiring whether the session encryption key exists in a preset key mapping table according to the user password; if not, generating the session encryption key, and writing the session encryption key into the key mapping table; and sending the session encryption key to the client.
In one embodiment, the computer program when executed by the processor further performs the steps of: inquiring initial encryption parameters according to the parameter acquisition request; and acquiring a platform key, and decrypting the initial encryption parameter by using the platform key to obtain the initial sensitive parameter.
It will be understood by those of ordinary skill in the art that all or a portion of the processes of the methods of the embodiments described above may be implemented by a computer program that may be stored on a non-volatile computer-readable storage medium, which when executed, may include the processes of the embodiments of the methods described above, wherein any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (12)

1. A method for processing sensitive parameters, the method comprising:
receiving encrypted sensitive parameters from a parameter service platform, and writing the encrypted sensitive parameters into a local memory of a client; wherein receiving the encrypted sensitive parameters from the parameter service platform comprises: sending a parameter acquisition request to the parameter service platform, the parameter acquisition request being used by the parameter service platform to determine user identity characteristics of the client, and the user identity characteristics being used by the parameter service platform to determine the encrypted sensitive parameters for the client; and receiving the encrypted sensitive parameters for the parameter acquisition request; the user identity characteristics comprise at least one of a user position grade, a user security-clearance grade and a user length of service; the encrypted sensitive parameters are obtained by the parameter service platform acquiring a session encryption key and encrypting initial sensitive parameters with the session encryption key; the initial sensitive parameters are obtained by the parameter service platform by querying according to the parameter acquisition request once the client is judged, on the basis of the user identity characteristics, to have the right to use the parameters; the session encryption key is obtained by the parameter service platform by querying a preset key mapping table according to a user password; the user password is obtained by the parameter service platform according to a password key acquisition request sent by the client; the user password consists of a unique identity of the user, a timestamp of the current time and a signature; and when the parameter service platform cannot find the session encryption key in the key mapping table, or determines that the session encryption key has expired, the parameter service platform generates a new session encryption key and writes the new session encryption key into the key mapping table;
decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;
performing a business operation according to the decrypted sensitive parameters;
monitoring in real time whether the business operation has finished, by monitoring the running processes of the system; and when the business operation has been executed, destroying the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client.
2. The method of claim 1, wherein the decrypted sensitive parameters comprise at least one of a login account, a login password and a web access address of a business system;
and performing the business operation according to the decrypted sensitive parameters comprises:
accessing the business system according to the web access address; and
executing a robot simulated-login operation, the robot simulated-login operation being used to log in to the business system with the login account and the login password.
3. The method of claim 1, wherein decrypting the encrypted sensitive parameters to obtain the decrypted sensitive parameters comprises:
acquiring a password key acquisition request, and sending the password key acquisition request to the parameter service platform;
receiving a session encryption key for the password key acquisition request; and
decrypting the encrypted sensitive parameters with the session encryption key to generate the decrypted sensitive parameters.
4. The method of claim 2, wherein acquiring the password key acquisition request comprises:
sending a password acquisition request to the parameter service platform;
receiving a user password for the password acquisition request; and
generating the password key acquisition request according to the user password.
5. A method for sending encrypted sensitive parameters, the method comprising:
receiving a parameter acquisition request from a client; the parameter acquisition request is used by a parameter service platform to determine user identity characteristics of the client; the user identity characteristics are used by the parameter service platform to determine encrypted sensitive parameters for the client; the user identity characteristics comprise at least one of a user position grade, a user security-clearance grade and a user length of service;
generating encrypted sensitive parameters for the parameter acquisition request; wherein generating the encrypted sensitive parameters for the parameter acquisition request comprises: determining the user identity characteristics of the client according to the parameter acquisition request; judging, according to the user identity characteristics, whether the client has the right to use the parameters; if so, querying initial sensitive parameters for the parameter acquisition request; and acquiring a session encryption key and encrypting the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters; wherein acquiring the session encryption key comprises: receiving a password key acquisition request from the client; determining a user password according to the password key acquisition request; and querying a preset key mapping table for the session encryption key according to the user password; the user password consists of a unique identity of the user, a timestamp of the current time and a signature; and when the parameter service platform cannot find the session encryption key in the key mapping table, or determines that the session encryption key has expired, the parameter service platform generates a new session encryption key and writes the new session encryption key into the key mapping table;
sending the encrypted sensitive parameters; the encrypted sensitive parameters are received by the client and written into a local memory of the client; the encrypted sensitive parameters are further decrypted by the client to obtain decrypted sensitive parameters; the decrypted sensitive parameters are used by the client to perform a business operation; whether the business operation has finished is monitored in real time by monitoring the running processes of the system; and when the business operation has been executed, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.
6. The method of claim 5, wherein acquiring the session encryption key comprises:
receiving a password key acquisition request from the client;
determining a user password according to the password key acquisition request;
querying a preset key mapping table according to the user password to determine whether the session encryption key exists;
if not, generating the session encryption key and writing the session encryption key into the key mapping table; and
sending the session encryption key to the client.
7. The method of claim 5, wherein querying the initial sensitive parameters for the parameter acquisition request comprises:
querying initial encrypted parameters according to the parameter acquisition request; and
acquiring a platform key, and decrypting the initial encrypted parameters with the platform key to obtain the initial sensitive parameters.
8. A system for processing encrypted sensitive parameters, the system comprising a client and a parameter service platform;
the client is configured to send a parameter acquisition request to the parameter service platform; the parameter acquisition request is used by the parameter service platform to determine user identity characteristics of the client; the user identity characteristics are used by the parameter service platform to determine encrypted sensitive parameters for the client; the user identity characteristics comprise at least one of a user position grade, a user security-clearance grade and a user length of service; the client is further configured to receive the encrypted sensitive parameters from the parameter service platform and write the encrypted sensitive parameters into a local memory of the client; decrypt the encrypted sensitive parameters to obtain decrypted sensitive parameters; perform a business operation according to the decrypted sensitive parameters; monitor in real time whether the business operation has finished, by monitoring the running processes of the system; and, when the business operation has completed, destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client;
the parameter service platform is configured to receive the parameter acquisition request from the client; generate encrypted sensitive parameters for the parameter acquisition request; and send the encrypted sensitive parameters; wherein generating the encrypted sensitive parameters for the parameter acquisition request comprises: determining the user identity characteristics of the client according to the parameter acquisition request; judging, according to the user identity characteristics, whether the client has the right to use the parameters; if so, querying initial sensitive parameters for the parameter acquisition request; and acquiring a session encryption key and encrypting the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters; wherein acquiring the session encryption key comprises: receiving a password key acquisition request from the client; determining a user password according to the password key acquisition request; and querying a preset key mapping table for the session encryption key according to the user password; the user password consists of a unique identity of the user, a timestamp of the current time and a signature; and when the parameter service platform cannot find the session encryption key in the key mapping table, or determines that the session encryption key has expired, the parameter service platform generates a new session encryption key and writes the new session encryption key into the key mapping table.
9. A device for processing encrypted sensitive parameters, the device comprising:
a write-in module, configured to receive encrypted sensitive parameters from a parameter service platform and write the encrypted sensitive parameters into a local memory of a client; wherein receiving the encrypted sensitive parameters from the parameter service platform comprises: sending a parameter acquisition request to the parameter service platform, the parameter acquisition request being used by the parameter service platform to determine user identity characteristics of the client, and the user identity characteristics being used by the parameter service platform to determine the encrypted sensitive parameters for the client; and receiving the encrypted sensitive parameters for the parameter acquisition request; the user identity characteristics comprise at least one of a user position grade, a user security-clearance grade and a user length of service; the encrypted sensitive parameters are obtained by the parameter service platform acquiring a session encryption key and encrypting initial sensitive parameters with the session encryption key; the initial sensitive parameters are obtained by the parameter service platform by querying according to the parameter acquisition request once the client is judged, on the basis of the user identity characteristics, to have the right to use the parameters; the session encryption key is obtained by the parameter service platform by querying a preset key mapping table according to a user password; the user password is obtained by the parameter service platform according to a password key acquisition request sent by the client; the user password consists of a unique identity of the user, a timestamp of the current time and a signature; and when the parameter service platform cannot find the session encryption key in the key mapping table, or determines that the session encryption key has expired, the parameter service platform generates a new session encryption key and writes the new session encryption key into the key mapping table;
a decryption module, configured to decrypt the encrypted sensitive parameters to obtain decrypted sensitive parameters;
an operation module, configured to perform a business operation according to the decrypted sensitive parameters; and
a destruction module, configured to monitor in real time whether the business operation has finished, by monitoring the running processes of the system, and, when the business operation has been executed, to destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client.
10. An apparatus for sending encrypted sensitive parameters, the apparatus comprising:
a receiving module, configured to receive a parameter acquisition request from a client; the parameter acquisition request is used by a parameter service platform to determine user identity characteristics of the client; the user identity characteristics are used by the parameter service platform to determine encrypted sensitive parameters for the client; the user identity characteristics comprise at least one of a user position grade, a user security-clearance grade and a user length of service;
a generating module, configured to generate encrypted sensitive parameters for the parameter acquisition request; and
a sending module, configured to send the encrypted sensitive parameters; the encrypted sensitive parameters are received by the client and written into a local memory of the client; the encrypted sensitive parameters are further decrypted by the client to obtain decrypted sensitive parameters; the decrypted sensitive parameters are used by the client to perform a business operation; whether the business operation has finished is monitored in real time by monitoring the running processes of the system; and when the business operation has completed, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory; wherein generating the encrypted sensitive parameters for the parameter acquisition request comprises: determining the user identity characteristics of the client according to the parameter acquisition request; judging, according to the user identity characteristics, whether the client has the right to use the parameters; if so, querying initial sensitive parameters for the parameter acquisition request; and acquiring a session encryption key and encrypting the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters; wherein acquiring the session encryption key comprises: receiving a password key acquisition request from the client; determining a user password according to the password key acquisition request; and querying a preset key mapping table for the session encryption key according to the user password; the user password consists of a unique identity of the user, a timestamp of the current time and a signature; and when the parameter service platform cannot find the session encryption key in the key mapping table, or determines that the session encryption key has expired, the parameter service platform generates a new session encryption key and writes the new session encryption key into the key mapping table.
11. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN201910282983.5A 2019-04-10 2019-04-10 Encryption sensitive parameter processing method and device, computer equipment and storage medium Active CN110008727B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910282983.5A CN110008727B (en) 2019-04-10 2019-04-10 Encryption sensitive parameter processing method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910282983.5A CN110008727B (en) 2019-04-10 2019-04-10 Encryption sensitive parameter processing method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110008727A CN110008727A (en) 2019-07-12
CN110008727B true CN110008727B (en) 2020-07-21

Family

ID=67170606

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910282983.5A Active CN110008727B (en) 2019-04-10 2019-04-10 Encryption sensitive parameter processing method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110008727B (en)

Also Published As

Publication number Publication date
CN110008727A (en) 2019-07-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 511458 Room 1301, Chengtou Building, 106 Fengze East Road, Nansha District, Guangzhou City, Guangdong Province (self-compiled 1301-12159)

Applicant after: Southern Power Grid Digital Grid Research Institute Co., Ltd.

Address before: 511458 Room 1301, Chengtou Building, 106 Fengze East Road, Nansha District, Guangzhou City, Guangdong Province (self-compiled 1301-12159)

Applicant before: Dingxin Information Technology Co., Ltd.

GR01 Patent grant