CN110365662B - Business approval method and device - Google Patents

Business approval method and device Download PDF

Info

Publication number
CN110365662B
CN110365662B CN201910578869.7A CN201910578869A CN110365662B CN 110365662 B CN110365662 B CN 110365662B CN 201910578869 A CN201910578869 A CN 201910578869A CN 110365662 B CN110365662 B CN 110365662B
Authority
CN
China
Prior art keywords
approval
account
signature
content
approved
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910578869.7A
Other languages
Chinese (zh)
Other versions
CN110365662A (en
Inventor
程威
丁磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Siyuan Ideal Holding Group Co Ltd
Original Assignee
Beijing Siyuan Ideal Holding Group Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Siyuan Ideal Holding Group Co ltd filed Critical Beijing Siyuan Ideal Holding Group Co ltd
Priority to CN201910578869.7A priority Critical patent/CN110365662B/en
Publication of CN110365662A publication Critical patent/CN110365662A/en
Application granted granted Critical
Publication of CN110365662B publication Critical patent/CN110365662B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application provides a business approval method and a business approval device, wherein the method comprises the following steps: the server receives a payload sent by a first account, decrypts the payload to obtain the content to be approved and the public key of the approval account, and verifies the first signature; after the first signature passes verification, encrypting the payload by using the public keys of the approval accounts to acquire first information, and sending the first information to each approval account; by adopting the scheme, the server synchronously sends the examination and approval contents to the multiple examination and approval accounts, so that the examination and approval speed is increased, the information safety is ensured, the examination and approval process cannot be tampered, and the problem of low information safety caused by the fact that the business examination and approval process is easily tampered in the related technology is solved.

Description

Business approval method and device
Technical Field
The present application relates to, but not limited to, the field of computers, and in particular, to a method and an apparatus for business approval.
Background
In the related technology, currently, the internal approval process of an enterprise is a common business process or a watermark adding mode to prevent falsification and forgery; in fact, the number of the examination and approval personnel is required to be dynamically increased in the examination and approval process, and each examination and approval personnel needs to perform authentication, anti-repudiation and digital signature. Even if digital signature is carried out, the time sequence of the signature can be continuously updated, and the problems of overlong signature message and complicated interaction are solved. The patent is a solution to these problems. The original aggregation signature algorithm is always based on identity, multiple linear pairs and multiple interactions, and a practical aggregation signature algorithm with minimum interaction and highest computational efficiency is urgently needed.
Aiming at the problem of low information security caused by the fact that a business approval process is easy to be tampered in the related technology, no effective solution is provided at present.
Disclosure of Invention
The embodiment of the application provides a business approval method and a business approval device, which are used for at least solving the problem of low information security caused by the fact that a business approval process is easy to be tampered in the related technology.
According to an embodiment of the present application, there is provided a business approval method, including: the method comprises the steps that a server receives a payload sent by a first account, wherein the payload comprises: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number; decrypting the payload to obtain the contents to be approved and the public key of the approval account number, and verifying the first signature; after the first signature passes verification, encrypting the payload by using the public keys of the approval accounts to acquire first information, and sending the first information to the approval accounts corresponding to the public keys of the approval accounts respectively; receiving feedback content of a second account in the approval accounts on the content to be approved, wherein the feedback content comprises: the approval opinion of the second account and the signature of the second account, wherein the signature of the second account is used for verifying the identity of the second account.
According to another embodiment of the present application, there is also provided a business approval method, including: receiving second information sent by a server by an approval account, wherein the second information comprises the contents to be approved and encrypted by using an approval account public key of the approval account and a first signature of an initiator of the contents to be approved; decrypting the second information by using an approval account private key of the approval account, and acquiring the content to be approved and a first signature of the originator of the content to be approved; verifying the first signature, and transmitting feedback content for the content to be approved to the server after the first signature is verified, wherein the feedback content comprises: the system comprises an approval opinion of the approval account and a signature of the approval account, wherein the signature of the approval account is used for verifying the identity of the approval account.
According to another embodiment of the present application, there is also provided a service approval apparatus, applied to a server, including: a first receiving module, configured to receive a payload sent by a first account, where the payload includes: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number; the decryption module is used for decrypting the payload to obtain the content to be approved and the public key of the approval account number and verifying the first signature; the encryption module is used for encrypting the payload by using the public keys of the approval accounts to acquire first information after the first signature passes verification, and respectively sending the first information to the approval accounts corresponding to the public keys of the approval accounts; a second receiving module, configured to receive feedback content of a second account in the approval account on the content to be approved, where the feedback content includes: the approval opinion of the second account and a second signature of the second account, wherein the second signature is used for verifying the identity of the second account.
According to another embodiment of the present application, there is also provided a service approval apparatus, applied to an approval account, including: the third receiving module is used for receiving second information sent by the server, wherein the second information comprises the to-be-approved content encrypted by using the public key of the approval account and the first signature of the originator of the to-be-approved content; the second decryption module is used for decrypting the second information by using the private key of the approval account number and then acquiring the content to be approved and the first signature of the initiator of the content to be approved; a verification module, configured to verify the first signature, and transmit feedback content for the content to be approved to the server after the first signature is verified, where the feedback content includes: the system comprises an approval opinion of the approval account, a signature of the approval account, and the signature of the approval account, wherein the signature of the approval account is used for verifying the identity of the approval account.
According to a further embodiment of the present application, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present application, there is also provided an electronic device, comprising a memory in which a computer program is stored and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Through the application, the server receives payload sent by a first account, wherein the payload comprises: the encrypted content to be approved, the public key of the approval account number and the first signature of the first account number; decrypting the payload to obtain the content to be approved and at least two public keys of the approval account numbers, and verifying the first signature; after the first signature passes verification, encrypting the payload by using the public keys of the approval accounts to acquire first information, and respectively sending the first information to the approval accounts corresponding to the public keys of the approval accounts; receiving feedback content of a second account in the approval accounts on the content to be approved, wherein the feedback content comprises: according to the scheme, the server synchronously sends the examination and approval contents to the plurality of examination and approval accounts, so that the examination and approval speed is increased, the information safety is guaranteed, the examination and approval process cannot be tampered, and the problem of low information safety caused by the fact that the business examination and approval process is easily tampered in the related technology is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of a hardware structure of a server of a business approval method according to an embodiment of the present application;
fig. 2 is a flowchart of a business approval method according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Example one
The method provided by the first embodiment of the present application may be executed in a server or a similar computing device. Taking a server as an example, fig. 1 is a hardware structure block diagram of a server of a business approval method according to an embodiment of the present application, and as shown in fig. 1, the server may include one or more processors 102 (only one is shown in fig. 1) (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.), and a memory 104 for storing data, and optionally, the server may further include a transmission device 106 for a communication function and an input/output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and is not intended to limit the structure of the server. For example, the server may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be configured to store software programs and modules of application software, such as program instructions/modules corresponding to the business approval method in the embodiment of the present application, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, so as to implement the business approval method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to a server over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In this embodiment, a service approval method running on the server is provided, and fig. 2 is a flowchart of a service approval method according to an embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S202, a server receives a payload sent by a first account, where the payload includes: the encrypted contents to be approved, at least two public keys of the approval account numbers and a first signature of the first account number;
the first account may be an account of an originator applying for approval; the first signature is obtained by signing the content to be approved by the private key of the first account.
Step S204, decrypting the payload to obtain the content to be approved and the public key of the approval account number, and verifying the first signature;
step S206, after the first signature passes verification, encrypting the payload by using the approval account public keys to acquire first information, and respectively sending the first information to the approval accounts corresponding to the approval account public keys;
specifically, different public keys of the approval account numbers are used for encrypting payload respectively to generate different first information, and the different first information is sent to the corresponding approval account numbers respectively;
step S208, receiving feedback content of the second account in the approval accounts on the content to be approved, where the feedback content includes: the approval opinion of the second account and a second signature of the second account, wherein the second signature is used for verifying the identity of the second account. The second signature is obtained by signing the approval opinion of the approval account private key of the second account.
Through the steps and the scheme, the server synchronously sends the examination and approval contents to the examination and approval accounts, so that the examination and approval speed is increased under the condition that the information safety is ensured, and the problem of low information safety caused by the fact that the business examination and approval process is easily tampered in the related technology is solved.
It should be noted that the technical solution of this embodiment is also applicable to the case where there is only one approval account. In the technical scheme of the embodiment, the initiator or the approver who applies for the approval attaches respective private key signatures when sending the content to be approved or the approval opinions, so that the safety of the approval process is improved.
Optionally, receiving feedback content of a second account in the approval accounts on the content to be approved includes: and verifying a second signature of the second account in the feedback content, and decrypting the feedback content to acquire the approval opinion of the second account after the second signature is verified.
Optionally, the content to be approved carries a timestamp when the content to be approved is generated; and the approval opinions of the second account carry a time stamp when the approval opinions are generated.
Optionally, after receiving the feedback content of the second account in the approval accounts on the content to be approved, when receiving the feedback content of one or more other approval accounts, sorting the feedback content according to the timestamp carried by the approval opinions in each feedback content; and generating a process message according to the sequencing result, wherein the process message comprises the received approval opinions of the approval accounts.
Optionally, the process message is generated again each time a feedback content of an approval account is received, until approval opinions of all approval accounts are received, and a final message is generated. By adopting the scheme, the process message is continuously updated, and the timeliness of the message information is ensured.
Optionally, the final message is encrypted and sent to the corresponding approval accounts by using the approval account public keys of the approval accounts, and the final message further includes signatures of all the approval accounts, so that the approval accounts verify identities of other approval accounts.
Optionally, only one final signature is reserved in the final message, and a first private key used by the final signature is determined by the server through negotiation between the server and the public keys of the approval accounts of all approval accounts which pass signature verification; and the first public key corresponding to the first private key is obtained by the first private key according to a preset algorithm. The key agreement algorithm adopts any key agreement algorithm in the prior art, and is not limited herein; the generation of the first public key is preferably obtained using an elliptic curve algorithm. The length of the final message is effectively controlled, and only one final signature is required to be reserved. The final signature generated by adopting the scheme can be verified by each approval user in time.
Optionally, the receiving, by the server, the payload sent by the first account includes: encrypting the payload by the first account by using a symmetric key, wherein the symmetric key is determined by the server and the first account according to a preset key negotiation algorithm; the first signature is obtained by signing the contents to be approved by adopting a private key of the first account; decrypting the payload to acquire the content to be approved and the public key of the approval account number, and verifying the first signature, wherein the steps comprise: and the server decrypts the payload by using the symmetric key, acquires the content to be approved and the public key of the approval account number, and verifies the first signature by using the public key of the first account number. By adopting the scheme, the symmetric key can send the approval account number along with the payload, so that the safety and the integrity of the approval content are enhanced.
Optionally, the payload is encrypted by the first account with a preset symmetric key by using a preset symmetric encryption algorithm, where the preset symmetric key is determined by the server and the first account according to an ecdhe key negotiation algorithm; the server decrypts the payload to obtain the content to be approved and the public key of the approval account number, and the method comprises the following steps: the server decrypts by using the same symmetric key and the corresponding symmetric decryption algorithm as the first account encrypted payload; respectively encrypting the payload by using the public key of the approval account number to acquire first information, wherein the first information comprises the following steps: and encrypting by using the public key of the approval account number and an asymmetric encryption algorithm. The symmetric encryption and decryption algorithm and the asymmetric encryption and decryption algorithm adopted in the embodiment are both in the prior art, and are not described herein again.
Optionally, after receiving the feedback content of the second account in the approval accounts on the to-be-approved content, when detecting that the approval opinions are not approved, terminating the approval process of the approval accounts for other unreturned messages, and notifying the first account; and informing the feedback content to the other approval accounts except the second account. By adopting the scheme, the server makes an instant response to the feedback of the approval accounts and timely informs other approval accounts to refer to the approval opinions of other people, so that the efficiency of the approval process is improved.
Optionally, after receiving the feedback content of the second account in the approval accounts on the content to be approved, the method further includes: and after detecting that all the approval accounts are approved, generating a final message, encrypting the final message by using the public key of the approval account of each approval account, and then sending the final message to the corresponding approval accounts.
Optionally, after receiving the changed second payload sent by the first account, according to the second payload, initiating an approval process to an approval user corresponding to the second payload again. By adopting the scheme, after detecting that the first account changes the content to be approved or the approval account, the server can reinitiate the approval process according to the second payload.
According to another embodiment of the present application, there is also provided a business approval method, including the steps of:
firstly, receiving second information sent by a server by an approval account, wherein the second information comprises the content to be approved and encrypted by using an approval account public key of the approval account and a first signature of an initiator of the content to be approved;
preferably, the second information further includes approval account public keys of all approval accounts;
step two, obtaining the contents to be approved and the first signature of the originator of the contents to be approved after decrypting the second information by using the private key of the approval account;
step three, verifying the first signature, and transmitting feedback content for the content to be approved to the server after the first signature passes the verification, wherein the feedback content comprises: the system comprises an approval opinion of the approval account, a signature of the approval account, and the signature of the approval account, wherein the signature of the approval account is used for verifying the identity of the approval account.
By adopting the scheme, the multiple approval accounts synchronously receive the contents to be approved sent by the server, the approval speed is increased under the condition of ensuring the information safety, and the problem of low information safety caused by the fact that the business approval process is easily tampered in the related technology is solved.
Optionally, the feedback content carries a timestamp when the feedback content is generated, so that the server sorts the feedback contents of all approval accounts according to the timestamp.
Optionally, a final message for the content to be approved, which is sent by the server, is received, and the signature of the corresponding approval account included in the final message is verified by using the approval account public key of each approval account. And the public key of the approval account number of each approval account number can be acquired through the received second information. By adopting the scheme, each approval account can verify the signatures of other approval accounts, so that the indelibility of the approval contents is ensured.
Optionally, after receiving a final message for the approval content sent by the server, obtaining a first private key by using the private key of the approval account and public keys of other approval accounts carried by the server and the final message through a preset key negotiation algorithm, obtaining a first public key corresponding to the first private key according to a preset elliptic curve algorithm, and verifying signature data signed by the first private key carried by the final message by using the first public key. And if the verification is passed, the final message is not tampered. By adopting the scheme, only one final signature is reserved in the final message, and the first private key used by the final signature is determined by the server through negotiation between the private key of the server and the public keys of the approval accounts of all approval accounts which pass signature verification; and the first public key corresponding to the first private key is obtained by the first private key according to a preset algorithm. Therefore, the length of the final message is effectively controlled, the signature of all the approval accounts does not need to be carried, and only one final signature needs to be reserved. Each approval account number can be calculated by itself to obtain the first private key and the first public key, and then the final signature is verified, so that the verification efficiency is improved.
Optionally, after obtaining the first public key corresponding to the first private key, the public key of the third account may be used to encrypt the first public key to obtain third information; and transmitting the third information and the final message to the third account. By adopting the scheme, the approval account number can send the final message to the third account number, and the third account number can belong to the third party, namely the third party can verify the signature information carried by the final message.
The scheme of the present application is described below with reference to an example:
the parameters in this example are defined as follows:
setting a content plaintext in an approval process as m, setting a symmetric encryption algorithm as senc (), setting a corresponding decryption algorithm as sdev (), setting an asymmetric encryption algorithm as aenc (), setting a corresponding decryption algorithm as adev (), and setting a signature algorithm as sign ().
Each user has its own public and private key pair, and assuming n users to participate in the process, the public and private key pair of each user is useri(pki,ski). The flow is initiated by the initiating user0Initiating, initiating user0The public and private key pair is user0(pk0,sk0). The approval process comprises the following steps:
step one, initiating a user0Performing ecdhe key negotiation with the server to obtain a symmetric key0
Step two, initiating user0Writing the plaintext m of the approval content and attaching a time stamp0Let the content msg to be examined be m time0Then send payload send (key)0Msg | | examine and approve user public key set) + sign (sk)0Msg) to the server; namely, the payload includes: by a symmetric key0Encrypted pending approval content, at least two approval user public keys and initiating user0Wherein, the pending content carries the time stamp t ime when the pending content is generated0(ii) a Wherein "|" represents a connector;
step three, the server receives paylAfter oad, sdev (key) is used0) Decrypting the encrypted information in the payload to obtain the content to be approved msg and the public key of the user to be approved, and simultaneously using pk0Verifying a signature sign;
after the verification is passed, the public key of each approval user is used for encrypting the transmission message: aec (pk)i,payload||key0) Respectively giving each examining and approving user;
step five, after each approval user receives the message, the key is obtained by using the private key for decryption0Use key0Decrypting payload to obtain msg of the content to be examined and using pk0Verifying whether sign is accurate;
step six, after each approval user verifies that the message is accurate, the attached approval opinion content is ni(including at least its own public key or id number), then the message body msg' ═ msg | | timei||niThen, payload' send (key) is sent separately0,msg’||pki)+signi(skiMsg') to the server;
step seven, when the server receives an approval opinion, firstly verifying whether the signature is correct; if it is correct, use key0After msg' is obtained through decryption, time is stamped according to timeiSequentially arranging to obtain the final message payload-msg ═ m | | | time0| | | n1||time1||sign1…||ni||timei||signi
When receiving an approval opinion, the server reorganizes a process message according to the timestamp until receiving feedback contents of all approval users, and generates a final message payload-msg;
and step eight, the server sends a final approval message payload-msg to all the approval users, and the message is encrypted by using the public keys of all the approval users to respectively send the corresponding approval users.
Preferably, any approval user who receives the final approval message can use the public key of the approval user group to verify each signature one by one, and each signature is correct and represents that the approval result is credible.
Preferably, each time the server receives an approval opinion, the approval opinion is sent to the other approval parties, so that the other approval parties know the approval opinion or refer to the approval opinion; preferably, if the approval opinions show that the approval is not passed, terminating the approval program, returning an approval result of the initiating user, sending other approval users who do not feed back the approval opinions, and terminating the approval;
preferably, the initiating user can change the approval content, or add the approval users, and the payload needs to be sent again to change the public key set of the approval users. And after receiving, the server repeats the step four to the new approval user.
Preferably, the embodiment adopts an aggregate signature scheme, and changes the signature algorithm in the scheme into a new aggregate signature algorithm, where the aggregate signature algorithm includes the following:
1, each examining and approving user uploads own payload' to a server, the server can verify the correctness of the signature according to the public key of each examining and approving user, and finally, according to the time stamp sequence, the final message payload-msg ═ m | | | | time is obtained0||n1||time1||…||ni||timei| all-sign; only one final signature all-sign is reserved in the final message;
2, the private key used by the final signature is: the server uses the private key of the server and all the user public key groups successfully verified and signed to obtain a key through ecdh negotiation;
3, the public key of the final signature can be obtained by the private key used by the final signature according to an elliptic curve algorithm;
4, when the server receives an approval opinion, reorganizing a complete message once again according to the timestamp, and marking the message as a final message payload-msg';
and 5, all the examining and approving member groups can calculate the private key used by the final signature locally according to payload-msg' and the server public key, the examining and approving user public key group and the private keys thereof, and further obtain the corresponding public key according to an elliptic curve algorithm to verify whether the final all-sign is correct.
Therefore, the length of the final message is effectively controlled, and only one signature value needs to be reserved.
Any user participating in the approval can automatically verify the final aggregated signature, and can also designate a third party to verify the signature, at this time, the verification public key of the aggregated signature can be calculated locally by any approval user, and the verification public key is transmitted by using the public key encryption of the third party, so that the trusted third party can be designated to perform aggregated signature verification.
By adopting the scheme, the following technical effects are realized: aggregating signatures to make the final message signature length shortest; the aggregation signature algorithm has few interactions and locally calculates a signature key. But also can appoint the third party to verify, only need to transmit the public key safely while verifying, guarantee the private key never transmits; the approval process can increase the approvers at any time, the anti-counterfeiting performance of the approval is not influenced, the whole approval process is dynamically maintained and expanded, and the approval process and personnel can be freely adjusted in business; each approver carries out digital signature, and the digital signature has strong resistance to denial; the message in the whole course is encrypted, and secret sharing is carried out in the members of the approval process.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application or portions thereof that contribute to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (such as a ROM/RAM, a magnetic disk, and an optical disk), and includes several instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, or a network device) to execute the method described in the embodiments of the present application.
Example two
In this embodiment, a service approval apparatus is further provided, and the apparatus is used to implement the foregoing embodiments and preferred embodiments, and the description already made is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
According to another embodiment of the present application, there is also provided a service approval apparatus, applied to a server, including: a first receiving module, configured to receive a payload sent by a first account, where the payload includes: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number; the decryption module is used for decrypting the payload to obtain the content to be approved and the public key of the approval account number and verifying the first signature; the encryption module is used for encrypting the payload by using the public keys of the approval accounts to acquire first information after the first signature passes verification, and respectively sending the first information to the approval accounts corresponding to the public keys of the approval accounts; a second receiving module, configured to receive feedback content of a second account in the approval account on the content to be approved, where the feedback content includes: the approval opinion of the second account and a second signature of the second account are used for verifying the identity of the second account.
According to another embodiment of the present application, there is also provided a service approval apparatus, applied to an approval account, including: the third receiving module is used for receiving second information sent by the server, wherein the second information comprises the to-be-approved content encrypted by using the public key of the approval account and the first signature of the originator of the to-be-approved content; the second decryption module is used for decrypting the second information by using the private key of the approval account number and then acquiring the content to be approved and the first signature of the initiator of the content to be approved; a verification module, configured to verify the first signature, and transmit feedback content for the content to be approved to the server after the first signature is verified, where the feedback content includes: the system comprises an approval opinion of the approval account, a signature of the approval account, and the signature of the approval account, wherein the signature of the approval account is used for verifying the identity of the approval account.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
EXAMPLE III
Embodiments of the present application also provide a storage medium. Alternatively, in the present embodiment, the storage medium may be configured to store program codes for performing the following steps:
s1, the server receives a payload sent by the first account, where the payload includes: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number;
s2, decrypting the payload to obtain the content to be approved and the public key of the approval account number, and verifying the first signature;
s3, after the first signature passes verification, encrypting the payload by using the public keys of the approval accounts to acquire first information, and sending the first information to the approval accounts corresponding to the public keys of the approval accounts;
s4, receiving feedback content of a second account in the approval accounts on the content to be approved, wherein the feedback content comprises: the approval opinion of the second account and a second signature of the second account, wherein the second signature is used for verifying the identity of the second account.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
Embodiments of the present application further provide an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, the server receives a payload sent by the first account, where the payload includes: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number;
s2, decrypting the payload to obtain the content to be approved and the public key of the approval account number, and verifying the first signature;
s3, after the first signature passes verification, encrypting the payload by using the public keys of the approval accounts to acquire first information, and sending the first information to the approval accounts corresponding to the public keys of the approval accounts;
s4, receiving feedback content of a second account in the approval accounts on the content to be approved, wherein the feedback content comprises: the approval opinion of the second account and a second signature of the second account, wherein the second signature is used for verifying the identity of the second account.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
It will be apparent to those skilled in the art that the modules or steps of the present application described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present application is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (14)

1. A business approval method is characterized by comprising the following steps:
the method comprises the steps that a server receives a payload sent by a first account, wherein the payload comprises: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number, wherein the payload is encrypted by the first account number by using a symmetric key, and the symmetric key is determined by the server and the first account number according to a preset key negotiation algorithm; the first signature is obtained by adopting a private key of the first account to sign the contents to be approved;
decrypting the payload to obtain the content to be approved and the public key of the approval account number, and verifying the first signature;
after the first signature passes verification, encrypting the payload by using the examining and approving account public key to acquire first information, and sending the first information and the symmetric key to the examining and approving account corresponding to each examining and approving account public key;
receiving feedback content of a second account in the approval accounts on the content to be approved, wherein the feedback content comprises: the approval opinion of the second account and a second signature of the second account, wherein the second signature is used for verifying the identity of the second account.
2. The method of claim 1, wherein receiving feedback from a second account of the approval accounts to the content to be approved comprises:
and verifying a second signature of the second account in the feedback content, and decrypting the feedback content to acquire the approval opinion of the second account after the second signature is verified.
3. The method according to claim 2, wherein the content to be approved carries a timestamp of the time when the content to be approved is generated; and the approval opinions of the second account carry a time stamp when the approval opinions are generated.
4. The method of claim 3, wherein after receiving feedback from a second account of the approval accounts to the content to be approved, the method further comprises:
when feedback contents of one or more other approval accounts are received, sequencing the feedback contents according to a timestamp carried by approval opinions in each feedback content;
and generating a process message according to the sequencing result, wherein the process message comprises the received approval opinions of the approval accounts.
5. The method according to claim 4, wherein the process message is regenerated once each time the feedback content of an approval account is received, until the final message is generated after approval ideas of all approval accounts are received.
6. The method of claim 5, further comprising:
the final message comprises a final signature, and a first private key used by the final signature is determined by the server through negotiation between the private key of the server and the public keys of the approval accounts of all the approval accounts which pass signature verification;
and the first public key corresponding to the first private key is obtained by the first private key according to a preset algorithm.
7. The method of claim 1,
decrypting the payload to acquire the content to be approved and the public key of the approval account number, and verifying the first signature, wherein the steps comprise: and the server decrypts the payload by using the symmetric key, acquires the content to be approved and the public key of the approval account number, and verifies the first signature by using the public key of the first account number.
8. The method of claim 1, wherein after receiving feedback from a second account of the approval accounts to the content to be approved, the method further comprises:
when the examination and approval opinions are detected to be not approved, terminating examination and approval processes of other examination and approval accounts which are not fed back yet, and informing the first account;
and informing the feedback content to the other approval accounts except the second account.
9. The method of claim 1, wherein after receiving feedback from a second account of the approval accounts to the content to be approved, the method further comprises:
and after detecting that all the approval accounts are approved, generating a final message, encrypting the final message by using the public key of the approval account of each approval account, and then respectively sending the final message to the corresponding approval accounts.
10. A business approval method is characterized by comprising the following steps:
receiving second information sent by a server by an approval account, wherein the second information comprises the content to be approved and encrypted by using an approval account public key of the approval account and a first signature of an initiator of the content to be approved;
decrypting the second information by using an approval account private key of the approval account, and acquiring the content to be approved and a first signature of the originator of the content to be approved;
verifying the first signature, and transmitting feedback content for the content to be approved to the server after the first signature is verified, wherein the feedback content comprises: the approval opinions of the approval accounts and the signatures of the approval accounts are used for verifying the identities of the approval accounts;
wherein the second information is determined by the server in the following manner:
the method comprises the steps that a server receives a payload sent by a first account, wherein the payload comprises: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number, wherein the payload is encrypted by the first account number by using a symmetric key, and the symmetric key is determined by the server and the first account number according to a preset key negotiation algorithm; the first signature is obtained by signing the contents to be approved by adopting a private key of the first account;
decrypting the payload to obtain the content to be approved and the public key of the approval account number, and verifying the first signature;
verifying the first signature, and after transmitting feedback content for the content to be approved to the server after the first signature is verified, the method further comprises:
and receiving a final message aiming at the to-be-approved content sent by the server, and respectively verifying the signature of the corresponding approval account in the final message by using the approval account public key of each approval account, wherein the final message is used for indicating that a process message is generated again when the feedback content of one approval account is received until a message determined after approval ideas of all approval accounts are received.
11. A business approval device is applied to a server and comprises the following components:
a first receiving module, configured to receive a payload sent by a first account, where the payload includes: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number, wherein the payload is encrypted by the first account number by using a symmetric key, and the symmetric key is determined by the server and the first account number according to a preset key negotiation algorithm; the first signature is obtained by signing the contents to be approved by adopting a private key of the first account;
the decryption module is used for decrypting the payload to obtain the content to be approved and the public key of the approval account number and verifying the first signature;
the encryption module is used for encrypting the payload by using the public key of the approval account number to acquire first information after the first signature passes verification, and respectively sending the first information and the symmetric key to the approval account number corresponding to each public key of the approval account number;
a second receiving module, configured to receive feedback content of a second account in the approval account on the content to be approved, where the feedback content includes: the approval opinion of the second account and a second signature of the second account, wherein the second signature is used for verifying the identity of the second account.
12. A business approval device is applied to approval accounts and is characterized by comprising the following components:
the third receiving module is used for receiving second information sent by the server, wherein the second information comprises the to-be-approved content encrypted by using the public key of the approval account and the first signature of the originator of the to-be-approved content;
the second decryption module is used for decrypting the second information by using the private key of the approval account number and then acquiring the contents to be approved and the first signature of the initiator of the contents to be approved;
a verification module, configured to verify the first signature, and transmit feedback content for the content to be approved to the server after the first signature is verified, where the feedback content includes: the approval opinions of the approval accounts, the signatures of the approval accounts and the signatures of the approval accounts are used for verifying the identities of the approval accounts;
wherein the second information is determined by the server in the following manner:
the method comprises the steps that a server receives a payload sent by a first account, wherein the payload comprises: the encrypted content to be approved, at least two public keys of the approval account numbers and a first signature of the first account number, wherein the payload is encrypted by the first account number by using a symmetric key, and the symmetric key is determined by the server and the first account number according to a preset key negotiation algorithm; the first signature is obtained by signing the contents to be approved by adopting a private key of the first account;
decrypting the payload to obtain the contents to be approved and the public key of the approval account number, and verifying the first signature;
the device further comprises: and the message module is further configured to receive a final message, which is sent by the server and is directed to the content to be approved, and verify the signature of the corresponding approval account included in the final message by using the approval account public key of each approval account, wherein the final message is used for indicating that a process message is regenerated once when the feedback content of one approval account is received until a message determined after approval ideas of all approval accounts are received.
13. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 10 when executed.
14. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 10.
CN201910578869.7A 2019-06-28 2019-06-28 Business approval method and device Active CN110365662B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910578869.7A CN110365662B (en) 2019-06-28 2019-06-28 Business approval method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910578869.7A CN110365662B (en) 2019-06-28 2019-06-28 Business approval method and device

Publications (2)

Publication Number Publication Date
CN110365662A CN110365662A (en) 2019-10-22
CN110365662B true CN110365662B (en) 2022-05-17

Family

ID=68215999

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910578869.7A Active CN110365662B (en) 2019-06-28 2019-06-28 Business approval method and device

Country Status (1)

Country Link
CN (1) CN110365662B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111106929B (en) * 2019-12-09 2023-04-18 上海创能国瑞数据系统有限公司 Hash-based approval method
CN111541549B (en) * 2020-05-06 2022-01-14 深圳天玑数据有限公司 Block chain based information transfer method, device, equipment and storage medium
CN112580109B (en) * 2020-12-16 2022-12-06 恒银金融科技股份有限公司 Software business process legality design method by using block chain signature technology
CN114092039A (en) * 2021-11-05 2022-02-25 武汉筑链科技有限公司 Configurable process approval method and system based on block chain
CN114493552B (en) * 2022-04-01 2022-08-05 浙江保融科技股份有限公司 RPA (remote procedure Access) automatic approval method and system for public payment based on double time axes
CN116029675B (en) * 2023-01-30 2023-07-25 北京四方启点科技有限公司 Method and device for approving reimbursement application form

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102843356A (en) * 2012-07-11 2012-12-26 深圳市紫色力腾科技发展有限公司 Controllable exchange method for symmetric key-encrypted file
CN103377173A (en) * 2012-04-27 2013-10-30 工业和信息化部电信传输研究所 Method and system for multiparty cooperation checking of controllable document
CN104144413A (en) * 2013-05-10 2014-11-12 中国电信股份有限公司 Approval method and system based on mobile terminal
CN105577768A (en) * 2015-12-17 2016-05-11 山东尚德软件股份有限公司 Service examination and approval electronic realization method
CN106789007A (en) * 2016-12-16 2017-05-31 中国科学院软件研究所 A kind of network information checking method and system based on searching ciphertext
CN107248917A (en) * 2017-06-05 2017-10-13 丁辰科技(北京)有限公司 The measures and procedures for the examination and approval, service end and approval system
CN107886306A (en) * 2017-11-24 2018-04-06 网易(杭州)网络有限公司 Document approvals method, medium, device and computing device

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103377173A (en) * 2012-04-27 2013-10-30 工业和信息化部电信传输研究所 Method and system for multiparty cooperation checking of controllable document
CN102843356A (en) * 2012-07-11 2012-12-26 深圳市紫色力腾科技发展有限公司 Controllable exchange method for symmetric key-encrypted file
CN104144413A (en) * 2013-05-10 2014-11-12 中国电信股份有限公司 Approval method and system based on mobile terminal
CN105577768A (en) * 2015-12-17 2016-05-11 山东尚德软件股份有限公司 Service examination and approval electronic realization method
CN106789007A (en) * 2016-12-16 2017-05-31 中国科学院软件研究所 A kind of network information checking method and system based on searching ciphertext
CN107248917A (en) * 2017-06-05 2017-10-13 丁辰科技(北京)有限公司 The measures and procedures for the examination and approval, service end and approval system
CN107886306A (en) * 2017-11-24 2018-04-06 网易(杭州)网络有限公司 Document approvals method, medium, device and computing device

Also Published As

Publication number Publication date
CN110365662A (en) 2019-10-22

Similar Documents

Publication Publication Date Title
CN110365662B (en) Business approval method and device
CN109756485B (en) Electronic contract signing method, electronic contract signing device, computer equipment and storage medium
CN106357396B (en) Digital signature method and system and quantum key card
CN111914027B (en) Block chain transaction keyword searchable encryption method and system
CN109067539B (en) Alliance chain transaction method, alliance chain transaction equipment and computer readable storage medium
US20200068394A1 (en) Authentication of phone caller identity
JP4639084B2 (en) Encryption method and encryption apparatus for secure authentication
CN110022217B (en) Advertisement media service data credible storage system based on block chain
US9036818B2 (en) Private key generation apparatus and method, and storage media storing programs for executing the methods
CN109687976A (en) Fleet's establishment and management method and system based on block chain and PKI authentication mechanism
CN107493273A (en) Identity identifying method, system and computer-readable recording medium
CN108650080B (en) A kind of tagged keys management method and system
CN107360002B (en) Application method of digital certificate
CN106576043A (en) Virally distributable trusted messaging
CN113191863B (en) Bid method, third party device, bid issuing party device and bid issuing party device
CN112766962A (en) Method for receiving and sending certificate, transaction system, storage medium and electronic device
CN109767218A (en) Block chain certificate processing method and system
CN110635912B (en) Data processing method and device
CN110634068A (en) Community-chain-based credit investigation data processing method and system
CN108449756A (en) A kind of system of network cryptographic key updating, method and device
CN110113334A (en) Contract processing method, equipment and storage medium based on block chain
Duan et al. Flexible certificate revocation list for efficient authentication in IoT
CN113328854B (en) Service processing method and system based on block chain
Dwivedi et al. Design of blockchain and ecc-based robust and efficient batch authentication protocol for vehicular ad-hoc networks
CN106027254A (en) Secret key use method for identity card reading terminal in identity card authentication system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20191126

Address after: 102300 no.6-1-21, office building, building 20, Pudong, Mentougou District, Beijing

Applicant after: Beijing Siyuan ideal Holding Group Co., Ltd

Address before: 100102 No. 301, No. 316 building, Nanhu garden, Chaoyang District, Beijing 18

Applicant before: Beijing Siyuan Internet Technology Co. Ltd.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant