CN110493004B - Digital certificate configuration method and device and digital certificate signing and issuing method and device - Google Patents
Digital certificate configuration method and device and digital certificate signing and issuing method and device Download PDFInfo
- Publication number
- CN110493004B CN110493004B CN201910677122.7A CN201910677122A CN110493004B CN 110493004 B CN110493004 B CN 110493004B CN 201910677122 A CN201910677122 A CN 201910677122A CN 110493004 B CN110493004 B CN 110493004B
- Authority
- CN
- China
- Prior art keywords
- access
- digital certificate
- target user
- validity period
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F21/645—Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a digital certificate configuration method and a device, and a digital certificate signing method and a device, wherein the digital certificate configuration method comprises the following steps: acquiring historical access data of a target user in a preset time period; determining a risk coefficient of a target user based on the change condition of historical access data in a preset time period; and determining the validity period of the digital certificate issued to the target user according to the risk coefficient. The invention adaptively controls the validity period of the digital certificate issued to the user based on the risk coefficient of the user, prevents and controls the occurrence of security risk, and can effectively prevent illegal data tampering caused by certificate leakage.
Description
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a method and an apparatus for configuring a digital certificate and a method and an apparatus for issuing a digital certificate mark.
Background
The digital certificate is a series of data for marking identity information of each communication party in network communication, and provides electronic authentication for realizing safe communication of the two parties. Digital certificates are used to perform identification and electronic information encryption in the internet, corporate intranets, or extranets.
The digital certificate is generally issued by an authority or an intranet management center, so that the identity of the other party is identified by using the digital certificate in the internet or intranet, and once the digital certificate is leaked and illegally used, data in the internet or intranet risks being illegally tampered. Therefore, how to safely and effectively manage and control issued digital certificates is a problem to be solved urgently by those skilled in the art.
Disclosure of Invention
In view of this, embodiments of the present application provide a method and an apparatus for configuring a digital certificate and a method and an apparatus for issuing a digital certificate, which can solve or partially solve the problem in the prior art that data security is affected by digital certificate leakage.
A first aspect of an embodiment of the present application provides a method for configuring a digital certificate, including:
acquiring historical access data of a target user in a preset time period;
determining a risk coefficient of the target user based on the change condition of the historical access data in the preset time period;
and determining the validity period of the digital certificate issued to the target user according to the risk coefficient.
Optionally, the determining the risk coefficient of the target user based on the change condition of the historical access data in the preset time period specifically includes:
taking the historical access data generated in the first time period as a reference data set, and taking the historical access data generated in the second time period as an evaluation data set; the preset time period comprises the first time period and the second time period, and the ending time of the first time period is not later than the starting time of the second time period;
obtaining a risk factor for the target user based on data differences between the reference dataset and the evaluation dataset.
Optionally, the historical access data includes access transaction information and/or access device information; when the historical access data includes the access transaction information, the obtaining of the risk coefficient of the target user based on the data difference between the reference data set and the evaluation data set specifically includes:
acquiring access object change conditions between the reference data set and the evaluation data set based on access object information in the historical access data;
determining the risk coefficient based on the access thing change condition;
when the historical access data includes access device information, the obtaining of the risk coefficient of the target user based on the data difference between the reference data set and the evaluation data set specifically includes:
acquiring access device change conditions between the reference data set and the evaluation data set based on access device information in the historical access data;
determining the risk factor based on the access device change.
Optionally, the accessing transaction information includes: accessing objects and their corresponding access times; then, the obtaining of the access item change between the reference data set and the evaluation data set based on the access item information in the historical access data specifically includes:
counting all access matters contained in the reference data set and the evaluation data set to obtain an access matter set;
according to the access times corresponding to the access objects in the reference data set, calculating the distribution proportion of the access objects in the access object set in the reference data set to obtain a first distribution proportion of the access objects in the access object set;
according to the access times corresponding to the access objects in the evaluation data set, calculating the distribution proportion of the access objects in the access object set in the evaluation data set to obtain a second distribution proportion of the access objects in the access object set;
determining the access thing change condition based on a difference between a first distribution ratio and a second distribution ratio of each access thing in the set of access things.
Optionally, the determining the variation of the access object based on the difference between the first distribution ratio and the second distribution ratio of each access object in the access object set specifically includes:
calculating the difference between the first distribution proportion and the second distribution proportion of the access matters for each access matters in the access matters set;
judging whether the difference between the first distribution proportion and the second distribution proportion is in a first threshold value range or not;
and if not, adding one to the access object risk factor.
Optionally, the obtaining, based on the access device information in the historical access data, the access device change condition between the reference data set and the evaluation data set specifically includes:
judging whether the information of each access device in the evaluation data set is included in the reference data set;
adding one to an access device risk factor when one of the access device information in the evaluation dataset is not included in the reference dataset.
Optionally, the determining, according to the risk coefficient, a validity period of the digital certificate issued to the target user at this time specifically includes:
determining a suggested value of the validity period for the target user according to the risk coefficient;
calculating the difference between the suggested value of the validity period and the validity period of the digital certificate which is issued to the target user last time to obtain a validity period change value;
judging whether the validity period change value falls within a second threshold value range;
if so, determining the suggested value of the validity period as the validity period of the digital certificate signed to the target user at this time;
if not, determining the validity period of the digital certificate issued to the target user at this time based on the validity period of the digital certificate issued to the target user last time.
Optionally, the determining, based on the validity period of the digital certificate issued to the target user last time, the validity period of the digital certificate issued to the target user this time specifically includes:
when the variation value of the validity period is smaller than the minimum value of the second threshold range, the validity period of the digital certificate which is issued to the target user last time is subtracted by a first preset value to be used as the validity period of the digital certificate which is issued to the target user this time;
when the change value of the validity period is larger than the maximum value of the second threshold range, adding a second preset value to the validity period of the digital certificate which is issued to the target user last time, and taking the result as the validity period of the digital certificate which is issued to the target user this time;
wherein the first preset value and the second preset value are both greater than zero.
Optionally, the determining the suggested value of the validity period for the target user according to the risk coefficient specifically includes:
judging whether the difference between a third preset value and the risk coefficient is within a third threshold value range;
if so, taking the difference between the third preset value and the risk coefficient as the suggested value of the validity period;
if the difference between the third preset value and the risk coefficient is smaller than the minimum value of the third threshold range, taking the minimum value of the third threshold range as the suggested value of the validity period;
and if the difference between the third preset value and the risk coefficient is larger than the maximum value of the third threshold range, taking the maximum value of the third threshold range as the recommended validity period value.
A second aspect of the embodiments of the present application provides a method for issuing a digital certificate mark, including:
in response to a digital certificate update demand for a target user, determining a validity period of a digital certificate issued to the target user this time according to any one of the digital certificate configuration methods provided in the first aspect of the embodiments of the present application;
and issuing a digital certificate for the target user based on the determined validity period.
A third aspect of the embodiments of the present application provides a digital certificate configuration apparatus, including: the device comprises a data acquisition module, a coefficient determination module and a valid period determination module;
the data acquisition module is used for acquiring historical access data of a target user in a preset time period;
the coefficient determining module is used for determining a risk coefficient of the target user based on the change condition of the historical access data in the preset time period;
and the validity period determining module is used for determining the validity period of the digital certificate which is issued to the target user at this time according to the risk coefficient.
A fourth aspect of the present embodiment provides a digital certificate issuing apparatus, including: a determining module and an issuing module;
the determining module is configured to determine, in response to a digital certificate update demand for a target user, a validity period of a digital certificate issued to the target user this time according to any one of the digital certificate configuration methods provided in the first aspect of the embodiments of the present application;
and the issuing module is used for issuing a digital certificate for the target user based on the determined validity period.
A fifth aspect of embodiments of the present application provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements any one of the digital certificate configuration methods provided in the first aspect of embodiments of the present application, or any one of the digital certificate issuing methods provided in the second aspect of embodiments of the present application.
A sixth aspect of embodiments of the present application provides a server, including: a processor and a memory;
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute any one of the digital certificate configuration methods provided in the first aspect of the embodiment of the present application or any one of the digital certificate issuing methods provided in the second aspect of the embodiment of the present application according to instructions in the program code.
Compared with the prior art, the method has the advantages that:
in the embodiment of the application, historical access data of a target user in a preset time period are collected, a risk coefficient of the target user is determined based on the change condition of the historical access data, the digital certificate of the target user is leaked or other access risks are evaluated, and then the validity period of the digital certificate signed to the target user at this time is determined according to the risk coefficient obtained through evaluation. According to the method and the device, the validity of the digital certificate issued to the user is adaptively controlled based on the risk coefficient of the user, the occurrence of security risks is prevented and controlled, and illegal data tampering caused by certificate leakage can be effectively prevented.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flowchart of a digital certificate configuration method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of another digital certificate configuration method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of another digital certificate configuration method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of another digital certificate configuring method according to an embodiment of the present application;
fig. 5 is a schematic flowchart of another digital certificate configuration method according to an embodiment of the present application;
fig. 6 is a schematic flowchart of a digital certificate issuing method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a digital certificate configuring apparatus according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a digital certificate issuing method according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be understood that in the present application, "at least one" means one or more, "a plurality" means two or more. "and/or" for describing an association relationship of associated objects, indicating that there may be three relationships, e.g., "a and/or B" may indicate: only A, only B and both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of single item(s) or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
In order to reduce the risk of digital certificate leakage, according to the embodiment of the application, historical access data of a user in a preset time period are counted, the risk coefficient of the user is determined based on the obtained historical access data, the validity period of the digital certificate issued to the user is determined based on the risk coefficient of the user, so that the occurrence of security risk is prevented and controlled, and the illegal data tampering caused by digital certificate leakage can be effectively reduced.
It should be noted that the digital certificate configuration method and apparatus and the digital certificate issuing method and apparatus provided in the embodiments of the present application can be applied to any kind of scenario that requires issuing a digital certificate, for example, in the internet, an intranet, a data system, a block chain system, or other systems, and are used to issue a digital certificate applicable to the scenario, so as to control access of a user in the scenario. The method may be applied to a server that a user issues a digital certificate in the scenario, or may be applied to other devices that may communicate with the server that issues the digital certificate, so as to provide configuration information (such as an expiration date) of the digital certificate to be issued for the digital certificate issuing server, which is not limited herein.
Based on the above-mentioned ideas, in order to make the above-mentioned objects, features and advantages of the present application more comprehensible, specific embodiments of the present application are described in detail below with reference to the accompanying drawings.
Referring to fig. 1, the figure is a schematic flowchart of a digital certificate configuration method according to an embodiment of the present application.
The digital certificate configuration method provided by the embodiment of the application comprises the following steps:
s101: and acquiring historical access data of the target user in a preset time period.
In this embodiment of the present application, the historical access data specifically includes historical access data of a scenario (hereinafter, referred to as a usage scenario) used by the issued digital certificate, where the historical access data specifically may include: access transaction information and/or access device information. The access object information includes, but is not limited to, an operation behavior (may be referred to as an access object) of the target user in the usage scenario and the number of times (may be referred to as an access number) corresponding to each operation behavior, and the access device information includes, but is not limited to, a device used by the target user to access the usage scenario, an IP address where the target user is located when accessing, and the like. Based on the historical access data, the access habits of the target user in the use scene can be reflected, so that whether the target user has the risk of digital certificate leakage or not can be judged, and the validity period of the digital certificate can be adaptively adjusted.
In practical applications, the preset time period for collecting the historical access data may be set according to specific usage scenarios and requirements, and is not limited herein. The general preset time period is not easy to set too short, so that the problem that the risk evaluation of a target user has a large error due to too little data and the data safety is influenced is avoided. For example, the preset time period may be historical access data within the first 6 months, or the like. As an example, in order to improve accuracy, the historical access data may be the access data of the target user within a certain time (i.e., within 6 months) before the current time from the current time.
In some possible designs, the access data generated by the target user during the validity period of the digital certificate issued one or more times (e.g., twice) before may also be used as the historical access data during the preset time period. The validity period of a previously issued digital certificate may determine the validity period of the issued digital certificate based on the level of risk of the digital certificate being compromised. For example, the risk level of a digital certificate may be determined according to its usage, and a digital certificate with a low risk level may be assigned a shorter validity period, and a digital certificate with a high risk level may be assigned a longer validity period.
As an example, for a digital certificate used in an intranet (intranet) in a local area network, such as a Transport Layer Security (TLS) certificate, since the risk of leakage is low, a long validity period may be configured for the certificate, for example, 1095 days; for the digital certificate used by the administrator, if the leakage risk is higher than that of the digital certificate used in the local area network, the validity period of the digital certificate used in the local area network is shorter than that of the digital certificate used in the local area network, for example 365 days; for digital certificates used by ordinary users, the shortest validity period, such as 30 days, can be set for the digital certificates with the highest risk of leakage.
S102: and determining the risk coefficient of the target user based on the change condition of the historical access data in a preset time period.
Since the historical access data of the target user can reflect the access habits of the target user in the use scene, if the access habits of the target user are greatly changed, the target user has certain security risk. Therefore, based on the change situation of the historical access data of the target user, whether the target user has the risk of digital certificate leakage or not can be determined, and the risk coefficient of the target user can be obtained.
In the embodiment of the present application, the transformation condition of the historical access data specifically refers to a change of things accessed by the user in the usage scenario (i.e. operation behaviors within the usage scenario, such as clicking on a page, data viewed, request sent, and the like), a change of a device used by the user for accessing, a change of an IP address used by the user for accessing, and the like. If the change of the historical access data is large, the risk coefficient of the target user is high; on the contrary, if the change of the historical access data is small, the risk coefficient of the target user is low. The method for determining the risk coefficient is not limited in the present application, and how to determine the risk coefficient of the target user according to the change situation of the historical access data will be described with reference to a specific example, which is not repeated herein.
S103: and determining the validity period of the digital certificate issued to the target user according to the risk coefficient.
It can be understood that, because the risk coefficient of the target user represents whether the risk of digital certificate leakage exists, the valid period of the digital certificate signed to the target user is flexibly controlled according to the risk coefficient of the user, so that the leakage of the digital certificate can be effectively prevented, and the data security is ensured. In practical application, when the risk coefficient of a target user is higher, a shorter validity period is configured for a digital certificate issued to the target user; when the risk coefficient of the target user is low, a longer validity period is configured for the digital certificate issued to the target user, so that the access of the user with the high risk coefficient can be limited on the basis of ensuring the normal use of the user with the low risk coefficient, and the risk of data certificate leakage is reduced.
In the embodiment of the application, historical access data of a target user in a preset time period are collected, a risk coefficient of the target user is determined based on the change condition of the historical access data, the digital certificate of the target user is leaked or other access risks are evaluated, and then the validity period of the digital certificate signed to the target user at this time is determined according to the risk coefficient obtained through evaluation. According to the method and the device, the validity of the digital certificate issued to the user is adaptively controlled based on the risk coefficient of the user, the occurrence of security risks is prevented and controlled, and illegal data tampering caused by certificate leakage can be effectively prevented.
How to determine the risk factor of the target user is described in detail below with reference to a specific example.
Referring to fig. 2, this figure is a schematic flowchart of another digital certificate configuration method provided in this embodiment of the present application. This figure provides a more specific method of digital certificate configuration than figure 1.
In some possible implementation manners of the embodiment of the present application, the step 102 may specifically include:
s1021: and taking the historical access data generated in the first time period as a reference data set, and taking the historical access data generated in the second time period as an evaluation data set.
In the embodiment of the present application, the preset time period includes the first time period and the second time period, that is, the historical access data in the preset time period includes the historical access data generated in the first time period and the historical access data generated in the second time period, and the ending time of the first time period is not later than the starting time of the second time period. The historical access data in the preset event period are divided into a reference data set and an evaluation data set, and the data difference between the reference data set and the evaluation data set is compared, so that the change condition of the historical access data of the target user in the preset time period can be determined, and the risk coefficient of the target user can be obtained.
As an example, when the digital certificate to be issued is the kth digital certificate, the historical access data generated in the first half (i.e., the first time period) of the validity period of the kth-1 th digital certificate may be used as the reference data set, and the historical access data generated in the second half (i.e., the second time period) may be used as the evaluation data set (i.e., the preset time period is the validity period of the kth-1 th digital certificate); historical access data generated in the valid period of the (k-1) th digital certificate (namely, the first time period) can be used as an evaluation data set, historical access data generated in the valid period of the (k-2) th digital certificate (namely, the second time period) can be used as a reference data set (namely, the preset time period is the sum of the valid periods of the (k-1) th digital certificate and the (k-2) th digital certificate), historical access data generated in the previous 0-6 months (namely, the first time period) can be directly used as the evaluation data set, historical access data generated in the previous 6-12 months (namely, the second time period) can be used as the reference data set (namely, the preset time period is the previous 12 months), and the like.
S1022: a risk coefficient for the target user is obtained based on data differences between the reference dataset and the evaluation dataset.
It can be understood that the data difference between the reference data set and the evaluation data set can reflect the change of the historical access data within the preset time period, and the risk coefficient of the target user is obtained. It will be appreciated that the data differences between the reference data set and the evaluation data set may specifically be any one or more of differences in what the target user accesses, differences in the device used for access, and differences in the IP address used for access, as described below in connection with a specific example.
In some possible implementation manners of the embodiment of the present application, step S1022 at least includes the following three possible implementation manners:
in a first possible implementation manner, referring to fig. 3, when the historical access data includes access item information, step S1022 specifically may include:
s301: based on the access transaction information, access transaction variation between the reference dataset and the evaluation dataset is obtained.
In the embodiment of the present application, the access change specifically refers to a change of an operation behavior of the target user in the usage scenario. As an example, the accessing the transaction information may specifically include: the access object change situation may specifically include a change in the access object and/or a change in the number of times of access object, for example, an increase or decrease in the access object, an increase or decrease in the number of times of access, or a change in the ratio of access objects.
In an example, step S301 may specifically include:
s3011: and counting all the access matters contained in the reference data set and the evaluation data set to obtain an access matter set.
In the embodiment of the application, the access object set comprises all the access objects in the reference data set and the evaluation data set, so that the change situation of the access objects in the reference data set and the evaluation data set can be counted subsequently. To simplify the computational flow, the access transactions included in the set of access transactions are not duplicated.
For example, reference data set includes visits A, B and C, assessment data set includes visits B, C and D, and visits A, B, C and D.
S3012: calculating the distribution proportion of each access object in the access object set in the reference data set according to the access times corresponding to each access object in the reference data set, and obtaining the first distribution proportion of each access object in the access object set;
s3013: and calculating the distribution proportion of each access object in the access object set in the evaluation data set according to the access times corresponding to each access object in the evaluation data set, and obtaining the second distribution proportion of each access object in the access object set.
In the embodiment of the present application, the execution sequence of step S3012 and step S3013 is not limited, and both steps may be executed one by one in any order or may be executed in parallel, which is not listed here.
It will be appreciated that when a first access transaction in the set of access transactions is included in the reference data set, then the first distribution ratio for that first access transaction is the ratio of the number of accesses of the first access transaction in the reference data set to the total number of accesses of all access transactions in the reference data set; when the first access transaction is not included in the reference data set, the first distribution ratio is zero because the number of accesses of the first access transaction in the reference data set is zero. Similarly, when a first access thing in the access thing set is included in the evaluation data set, the second distribution proportion of the first access thing is the ratio of the number of times the first access thing is accessed in the evaluation data set to the total number of times all access things are accessed in the evaluation data set; when the first access transaction is not included in the evaluation dataset, then the second distribution ratio is zero because the number of accesses of the first access transaction in the evaluation dataset is zero.
With continuing reference to the example given under step S3011, the number of accesses to the access object A, B and C in the reference dataset is S A1 、S B1 And S C1 The number of accesses of the access object B, C and D in the evaluation data set is S B2 、S C2 And S D2 . Then, the first distribution ratio of the access things A, B, C and D in the access dataset is respectively
And 0, second distribution ratioRespectively 0,
And
s3014: determining an access thing change condition based on a difference between the first distribution ratio and the second distribution ratio of each access thing in the access thing set.
In the embodiment of the application, the change condition of the access object is counted based on the change of the proportion of the access frequency of the access object in the reference data set and the evaluation data set (namely the difference between the first distribution proportion and the second distribution proportion), the access habit of the target user can still be accurately analyzed and obtained under the condition that the total access frequency of the target user is changed, and the analysis accuracy of the change condition of the access object is improved.
In practical applications, the access object change condition may be a difference between the first distribution ratio and the second distribution ratio, or a change rate between the first distribution ratio and the second distribution ratio, and any data reflecting a change between the first distribution ratio and the second distribution ratio may be used as the access object change condition, and is not limited herein.
In some possible implementation manners of the embodiment of the application, the access object change condition can be quantitatively represented by using the access object risk factor. The access object risk factor is in positive correlation with the change condition of the access object, and when the access object risk factor is larger, the change condition of the access object is larger; when the risk factor of the access object is smaller, the change situation of the access object is smaller.
Specifically, the visit matter risk factor is related to a difference between a first distribution ratio and a second distribution ratio of each visit matter in the visit matter set, and when the difference between the first distribution ratio and the second distribution ratio of the visit matter is large, the visit matter risk factor increases; when the difference between the first distribution proportion and the second distribution proportion of the access things is small, the access things risk factor is unchanged. As an example, step S3014 may specifically include:
step A: for each access thing in the access thing set, the difference between the first distribution ratio and the second distribution ratio of the access thing is calculated.
And B: judging whether the difference between the first distribution ratio and the second distribution ratio falls within a first threshold range; if not, executing the step C.
It can be understood that when the difference between the first distribution ratio and the second distribution ratio of the same access object falls within the first threshold value range, it indicates that the access habit of the target user to the access object has not changed greatly; however, when the difference between the first distribution ratio and the second distribution ratio of the same access object exceeds the first threshold range, it indicates that the access habit of the target user for the access object is greatly changed, and there is a risk of digital certificate leakage, and it is necessary to increase the access object risk factor of the target user.
In practical applications, the first threshold range may be set according to specific situations, for example, the first threshold range may be (-0.1, 0.1), and is not limited herein.
Step C: the interview thing risk factor is incremented by one.
In the embodiment of the application, the initial value of the access object risk factor can be set to be zero, the change condition of the total access objects of the target user is counted by judging whether the difference between the first distribution proportion and the second distribution proportion of each access object in the access object set falls within the first threshold range, and the access object risk factor of the target user is obtained, so that whether the target user has the risk of digital certificate leakage can be determined, and the valid period of the digital certificate is adaptively configured to ensure data security.
S302: and determining a risk coefficient based on the change condition of the access object.
In the embodiment of the application, when the change condition of the access object is large, the access habit of the target user is changed greatly, the risk of data certificate leakage is high, and the risk coefficient is large; on the contrary, when the change condition of the access object is smaller, the change of the access habit of the target user is not large, the risk of digital certificate leakage is smaller, and the risk coefficient is smaller.
In practical applications, the change condition of the access object (such as the access object risk factor) may be directly used as the risk coefficient, or the change condition may be multiplied by a certain coefficient to be used as the risk coefficient, which is not limited herein.
Referring to fig. 4, when the historical access data includes access device information, step S1022 may specifically include:
s401: based on the access device information in the historical access data, access device variation between the reference data set and the evaluation data set is obtained.
In this embodiment, the access device change condition specifically refers to a change condition of information related to the access device used by the target user when accessing the usage scenario. As an example, the accessing the device information may specifically include: the target user accesses the device used in the usage scenario and/or the IP address where the target user accesses, and since both the new access initiating device and the new IP address are prone to have a risk of digital certificate disclosure, in this embodiment of the present application, the access device change condition may specifically include an increase condition of the access device and/or the access IP address in the evaluation data set compared with the reference data set.
In some possible implementations of the embodiments of the present application, the access device variation condition may be quantitatively expressed by using an access device risk factor. The risk factor of the access equipment is in positive correlation with the change condition of the access equipment, and when the risk factor of the access equipment is larger, the change condition of the access equipment is larger; when the risk factor of the access device is smaller, the change situation of the access device is smaller.
As an example, step S401 may specifically include:
s4011: it is determined whether the respective access device information in the evaluation dataset is included in the reference dataset. When one of the access device information in the evaluation dataset is not included in the reference dataset, step S4012 is performed.
It can be understood that when the access initiating device in the evaluation data set is included in the reference data set, which indicates that the target user initiated access in the usage scenario with the device within a time period corresponding to the reference data set, the risk of digital certificate disclosure is low; on the contrary, when the access initiating device in the evaluation data set is not included in the reference data set, it is indicated that the access initiating device is a new device used by the target user, the access habit of the user changes, and a certain risk of digital certificate disclosure exists. The description of accessing the IP address is similar to this and will not be described again.
S4012: the access device risk factor is incremented by one.
In the embodiment of the application, the initial value of the risk factor of the access device may be set to zero, and the risk factor of the access device of the target user is obtained by statistically evaluating whether a new device (i.e., a device that does not appear in the reference data set) or a new IP address (i.e., an IP address that does not appear in the reference data set) appears in the data set, so that whether the target user has a risk of digital certificate leakage can be determined, and the validity period of the digital certificate is adaptively configured to ensure data security.
S402: based on the access device change, a risk factor is determined.
In the embodiment of the application, when the access device has a large change condition, the access habit of the target user is changed greatly, the risk of data certificate leakage is high, and the risk coefficient is large; on the contrary, when the change condition of the access device is smaller, it indicates that the access habit of the target user is not changed much, the risk of digital certificate disclosure is smaller, and the risk coefficient is smaller.
In practical applications, the access device change condition (such as the access device risk factor) may be directly used as the risk coefficient, or the access device change condition may be multiplied by a certain coefficient to be used as the risk coefficient, which is not limited herein.
In a third possible implementation manner, when the historical access data includes not only the access object information but also the access device information, the influence of the change of each parameter (i.e., the access object information and the access device information) in the historical access data on the digital certificate disclosure risk can be comprehensively considered, so as to obtain the risk coefficient of the target user. As an example, the sum of the risk factor of the access object and the risk factor of the access device may be used as a risk coefficient, or the sum of the risk factor of the access object and the risk factor of the access device may be multiplied by a certain coefficient to be used as a risk coefficient. For the description of the risk factor of the access object and the risk factor of the access device, reference may be made to the above related contents, which are not described in detail.
In the embodiment of the application, historical access data in a preset time period are divided into a reference data set and an evaluation data set according to a time sequence, and the target user risk level is determined by counting the difference between the reference data set and the evaluation data set, so that the accuracy can be ensured, and the risk of digital certificate leakage is reduced.
The above details describe how to determine the risk factor of the target user, and the following describes how to determine the validity period of the digital certificate issued to the target user according to the risk factor, so as to realize flexible control of the validity period of the digital certificate and ensure data security.
In the embodiment of the application, the risk coefficient and the valid period of the digital certificate are in a negative correlation relationship, and when the risk coefficient of the target user is higher, a shorter valid period is configured for the digital certificate issued to the target user; when the risk coefficient of the target user is low, a longer validity period is configured for the digital certificate issued to the target user, so that the access of the user with the high risk coefficient can be limited on the basis of ensuring the normal use of the user with the low risk coefficient, and the risk of data certificate leakage is reduced. In one example, the validity period of a digital certificate issued to a target user may be configured directly according to the risk factor. However, the inventor finds in research that the condition that the valid period of the digital certificate is determined directly according to the risk coefficient may cause a sudden increase or a sudden decrease of the valid period of the digital certificate in the use process of the target user, and for a general user, when the digital certificate is close to being expired, the general user needs to actively apply for a new digital certificate, and a sudden change of the valid period of the digital certificate may affect the use experience of the target user, resulting in poor user experience.
Therefore, in some possible implementation manners of the embodiment of the present application, on the basis of ensuring data security, a method for gradually changing the validity period of the digital certificate may be further provided to ensure user experience. Specifically, referring to fig. 5, step S103 may specifically include:
s501: and determining a valid period suggestion value for the target user according to the risk coefficient.
In practical application, any manner may be adopted to determine the suggested validity period value of the target user based on the risk coefficient, for example, pre-calibrated suggested validity period values may be set for risk coefficients in different ranges, or the suggested validity period value corresponding to the risk coefficient may be calculated by using a formula, as long as the risk coefficient is in a negative correlation with the validity period of the digital certificate, which is not limited herein.
As an example, step S501 may specifically include:
s5011: judging whether the difference between the third preset value and the risk coefficient is within a third threshold value range; if yes, go to step S5012; if the difference between the third preset value and the risk coefficient is smaller than the minimum value of the third threshold range, executing step S5013; if the difference between the third preset value and the risk factor is greater than the maximum value of the third threshold range, step S5014 is executed.
S5012: and taking the difference between the third preset value and the risk coefficient as a validity period suggestion value.
S5013: taking the minimum value of the third threshold range as a validity period suggestion value;
s5014: the maximum value of the third threshold range is taken as the validity period advice value.
In the embodiment of the application, the risk coefficients can be divided into 3 levels according to the magnitude of the risk coefficients, and different suggested valid period values are set for the risk coefficients in different ranges. And determining the validity period suggestion value of the target user according to the relation between the third preset value and the difference between the risk coefficients and the third threshold range. When the difference between the third preset value and the risk coefficient is within a third threshold value range, taking the difference between the third preset value and the risk coefficient as a validity period suggestion value; when the difference between the third preset value and the risk coefficient is smaller than the minimum value of the third threshold range, taking the minimum value of the third threshold range as a suggested value of the validity period; when the difference between the third preset value and the risk coefficient is larger than the maximum value of the third threshold range, the maximum value of the third threshold range is used as the suggested value of the validity period, and the effect of limiting sudden changes of the validity period of the digital certificate can be achieved.
In practical application, the third preset value and the third threshold range can be set according to actual conditions and scene requirements. In a specific example, the third preset value may be 360, and the third threshold range may be (30, 360). Then, the suggested value of the validity period of the target user can be determined according to the following formula (1):
wherein d is a proposed validity period value and X is a risk factor. In a specific example, X is kx, X is the sum of the access item risk factor and the access device risk factor, and k is a coefficient (e.g., 16.5).
S502: and calculating the difference between the suggested valid period value and the valid period of the digital certificate which is issued to the target user last time to obtain a valid period change value.
In the embodiment of the present application, the suggested validity period value is directly determined according to the risk coefficient of the target user, and compared with the validity period of the digital certificate issued to the target user last time, the suggested validity period value is prone to change sharply, so if the difference between the suggested validity period value and the validity period of the digital certificate issued to the target user last time (i.e., the changed validity period value) is too large, adaptive adjustment needs to be performed according to the suggested validity period value to ensure user experience.
S503: judging whether the valid period change value falls within a second threshold range; if yes, go to step S504; if not, step S505 is executed.
S504: and determining the suggested value of the validity period as the validity period of the digital certificate which is issued to the target user at this time.
It can be understood that, when the validity period change value falls within the second threshold range, the validity period change of the digital certificate issued to the target user is reduced, and the validity period suggested value can be directly determined as the validity period of the digital certificate issued to the target user at this time, so as to reduce the risk of digital certificate leakage.
In practical application, the second threshold range can be set according to actual needs to ensure user experience and avoid abrupt changes of the validity period of the digital certificate. For example, the second threshold range may be set to (-30, 30).
S505: and determining the validity period of the digital certificate issued to the target user at this time based on the validity period of the digital certificate issued to the target user last time.
It can be understood that when the validity period change value exceeds the second threshold range, the validity period of the digital certificate issued to the target user changes greatly, and the validity period of the digital certificate issued to the target user at this time should be adaptively adjusted based on the validity period of the digital certificate issued to the target user last time, so that the user experience is ensured on the basis of reducing the digital certificate leakage risk. In practical applications, the validity period of the digital certificate issued to the target user at this time may be obtained by increasing or decreasing a certain value on the basis of the validity period of the digital certificate issued to the target user at the last time, which is not limited herein.
As an example, step S505 may specifically include:
s5051: and when the variation value of the validity period is smaller than the minimum value of the second threshold range, subtracting the first preset value from the validity period of the digital certificate which is issued to the target user last time, and taking the result as the validity period of the digital certificate which is issued to the target user this time.
S5052: and when the validity period change value is larger than the maximum value of the second threshold range, adding a second preset value to the validity period of the digital certificate which is issued to the target user most recently, and taking the result as the validity period of the digital certificate which is issued to the target user at this time.
In the embodiment of the present application, both the first preset value and the second preset value are greater than zero. In practical application, the first preset value and the second preset value may be set according to actual needs, and the first preset value and the second preset value may be equal to or unequal to each other, for example, the first preset value and the second preset value may both be 30.
Then, the validity period of the digital certificate issued to the target user at this time may be determined according to the following formula (2):
wherein, R is the validity period of the digital certificate which is issued to the target user at this time, R' is the validity period of the digital certificate which is issued to the target user at the last time, and d is the suggested value of the validity period.
In some possible implementation manners of the embodiment of the application, the suggested valid period value can be determined according to the risk level of the target user, whether the condition of abrupt change of the valid period occurs is determined according to the valid period of the digital certificate issued to the target user last time and the suggested valid period value, and if yes, the valid period of the digital certificate issued to the target user last time is adaptively adjusted to be used as the valid period of the digital certificate issued to the target user this time; if not, the suggested value of the validity period is directly determined as the validity period of the digital certificate which is signed to the target user at this time. By adaptively adjusting the validity period of the digital certificate issued to the target user, the use experience of the user can be improved on the basis of ensuring the data security.
Based on the digital certificate configuration method provided by the embodiment, the embodiment of the application further provides a digital certificate issuing method, which is applied to a server for issuing a digital certificate.
Referring to fig. 6, this figure is a schematic flow chart of a digital certificate issuing method according to an embodiment of the present application.
The digital certificate issuing method provided by the embodiment of the application comprises the following steps:
s601: in response to a digital certificate update demand for a target user, determining a validity period of a digital certificate issued to the target user this time according to any one of the digital certificate configuration methods provided in the embodiments described above.
In the embodiment of the present application, the digital certificate update requirement may be obtained in any manner, and may be actively executed by a server issuing a digital certificate, or passively executed by a target user or another user, which is not limited herein. For a specific method for determining the validity period of the digital certificate, reference may be made to the relevant contents in the foregoing embodiments, which are not described in detail.
In one example, a digital certificate used by a device in a local area network may be actively judged by a digital certificate management server according to a validity period carried in the digital certificate whether to renew the signature, so as to obtain a digital certificate update requirement for a target user; for the digital certificate used by the administrator or the ordinary user, the administrator or the ordinary user can actively apply for a new digital certificate to obtain the digital certificate updating requirement of the target user.
S602: and issuing a digital certificate for the target user based on the determined validity period.
In practical applications, any digital certificate issuing method can be used to issue a digital certificate for a target user, which is not limited herein and is not listed.
In the embodiment of the application, the validity period of the digital certificate issued to the target user is determined based on the digital certificate disclosure risk coefficient of the target user, so that the digital certificate can be effectively prevented from disclosure, and the data security is ensured.
Based on the digital certificate configuration method provided by the embodiment, the embodiment of the application further provides a digital certificate configuration device.
Referring to fig. 7, this figure is a schematic structural diagram of a digital certificate configuring apparatus according to an embodiment of the present application.
The digital certificate configuration device provided by the embodiment of the application comprises: a data acquisition module 710, a coefficient determination module 720 and a validity period determination module 730;
the data acquisition module 710 is used for acquiring historical access data of a target user within a preset time period;
a coefficient determining module 720, configured to determine a risk coefficient of the target user based on a change condition of the historical access data within a preset time period;
and the validity period determining module 730 is configured to determine the validity period of the digital certificate issued to the target user according to the risk coefficient.
In some possible implementation manners of the embodiment of the present application, the coefficient determining module 720 may specifically include: a data set determining submodule and an obtaining submodule;
the data set determining submodule is used for taking the historical access data generated in the first time period as a reference data set and taking the historical access data generated in the second time period as an evaluation data set; the preset time period comprises a first time period and a second time period, and the ending time of the first time period is not later than the starting time of the second time period;
and the obtaining sub-module is used for obtaining the risk coefficient of the target user based on the data difference between the reference data set and the evaluation data set.
In some possible implementations of embodiments of the present application, the historical access data may include access transaction information and/or access device information; then, when the historical access data includes access item information, the obtaining sub-module may specifically include: a first variation obtaining sub-module and a first coefficient determining sub-module;
the first change acquisition submodule is used for acquiring the change condition of the access object between the reference data set and the evaluation data set based on the access object information in the historical access data;
and the first coefficient determining submodule is used for determining the risk coefficient based on the change situation of the access object.
In some possible implementation manners of the embodiment of the present application, the accessing the object information includes: accessing objects and their corresponding access times; then, the first variation obtaining sub-module may specifically include: the system comprises a first statistic submodule, a first calculation submodule, a second calculation submodule and a change determination submodule;
the first statistic submodule is used for counting all access objects included in the reference data set and the evaluation data set to obtain an access object set;
the first calculation submodule is used for calculating the distribution proportion of each access object in the access object set in the reference data set according to the access times corresponding to each access object in the reference data set to obtain the first distribution proportion of each access object in the access object set;
the second calculation submodule is used for calculating the distribution proportion of each access object in the access object set in the evaluation data set according to the access frequency corresponding to each access object in the evaluation data set to obtain a second distribution proportion of each access object in the access object set;
and the change determining submodule is used for determining the change condition of the access things based on the difference between the first distribution proportion and the second distribution proportion of each access thing in the access thing set.
In some possible implementation manners of the embodiment of the present application, the change determining sub-module may specifically include: the third calculation submodule, the first judgment submodule and the fourth calculation submodule;
the third calculation submodule is used for calculating the difference between the first distribution proportion and the second distribution proportion of the access objects for each access object in the access object set;
a first judgment sub-module for judging whether a difference between the first distribution ratio and the second distribution ratio falls within a first threshold range;
and the fourth calculation submodule is used for adding one to the visit thing risk factor when the first judgment submodule judges that the difference between the first distribution proportion and the second distribution proportion does not fall within the first threshold value range.
In some possible implementation manners of the embodiment of the present application, when the historical access data includes access device information, the obtaining of the sub-module may specifically include: a second transformation obtaining sub-module and a second coefficient determining sub-module;
the second transformation obtaining submodule is used for obtaining the access equipment change condition between the reference data set and the evaluation data set based on the access equipment information in the historical access data;
and the second coefficient determining submodule is used for determining the risk coefficient based on the change condition of the access equipment.
In some possible implementation manners of the embodiment of the present application, the second transformation obtaining sub-module may specifically include: a second judgment submodule and a fifth calculation submodule;
the second judgment submodule is used for judging whether the information of each access device in the evaluation data set is included in the reference data set or not;
and a fifth calculating sub-module for adding one to the access device risk factor when the second judging sub-module judges that one of the access device information in the evaluation data set is not included in the reference data set.
In some possible implementation manners of the embodiment of the present application, the validity period determining module 730 may specifically include: the recommendation determining submodule, the sixth calculating submodule, the third judging submodule, the first determining submodule and the second determining submodule;
the suggestion determination submodule is used for determining a valid period suggestion value for the target user according to the risk coefficient;
the sixth calculation submodule is used for calculating the difference between the suggested value of the valid period and the valid period of the digital certificate which is issued to the target user at the last time to obtain a valid period change value;
a third judgment submodule for judging whether the validity period variation value falls within the second threshold range;
the first determining submodule is used for determining the validity period suggestion value as the validity period of the digital certificate which is signed to the target user at this time when the third judging submodule judges that the validity period change value falls within the second threshold value range;
and the second determining submodule is used for determining the validity period of the digital certificate which is issued to the target user at this time based on the validity period of the digital certificate which is issued to the target user last time when the third judging submodule judges that the validity period change value does not fall within the second threshold value range.
In some possible implementation manners of the embodiment of the application, the second determining sub-module may specifically include: a first setting submodule and a second setting submodule;
the first setting submodule is used for subtracting a first preset value from the valid period of the digital certificate which is issued to the target user most recently when the valid period change value is smaller than the minimum value of the second threshold range, and then taking the valid period as the valid period of the digital certificate which is issued to the target user at this time;
the second setting submodule is used for adding a second preset value to the valid period of the digital certificate which is issued to the target user most recently when the valid period change value is larger than the maximum value of the second threshold range, and then taking the valid period as the valid period of the digital certificate which is issued to the target user at this time;
and the first preset value and the second preset value are both larger than zero.
In the embodiment of the application, historical access data of a target user in a preset time period are collected, a risk coefficient of the target user is determined based on the change condition of the historical access data, the digital certificate of the target user is leaked or other access risks are evaluated, and then the validity period of the digital certificate signed to the target user at this time is determined according to the risk coefficient obtained through evaluation. According to the method and the device, the validity of the digital certificate issued to the user is adaptively controlled based on the risk coefficient of the user, the occurrence of security risks is prevented and controlled, and illegal data tampering caused by certificate leakage can be effectively prevented.
Based on the digital certificate configuration method and device provided by the embodiment, the embodiment of the application further provides a digital certificate signing and issuing device.
Referring to fig. 8, the figure is a schematic structural diagram of a digital certificate issuing apparatus according to an embodiment of the present application.
The digital certificate signing and issuing device provided by the embodiment of the application comprises: a determination module 810 and an issuance module 820;
a determining module 810, configured to determine, in response to a digital certificate update demand for a target user, a validity period of a digital certificate issued to the target user this time according to any one of the digital certificate configuration methods provided in the foregoing embodiments;
and an issuing module 820 configured to issue a digital certificate for the target user based on the determined validity period.
In the embodiment of the application, the validity period of the digital certificate issued to the target user is determined based on the digital certificate disclosure risk coefficient of the target user, so that the digital certificate can be effectively prevented from disclosure, and the data security is ensured.
Based on the digital certificate configuration method and the digital certificate issuing method provided by the above embodiments, embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program implements any one of the digital certificate configuration methods provided by the above embodiments, or implements any one of the digital certificate issuing methods provided by the above embodiments.
Based on the digital certificate configuration method and the digital certificate issuing method provided by the embodiments, the embodiments of the present application further provide a server, including: a processor and a memory;
a memory for storing the program code and transmitting the program code to the processor;
a processor configured to execute any one of the digital certificate configuration methods provided by the above embodiments or any one of the digital certificate issuing methods provided by the above embodiments according to instructions in the program code.
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. The system or the device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application in any way. Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application. Those skilled in the art can now make numerous possible variations and modifications to the disclosed embodiments, or modify equivalent embodiments, using the methods and techniques disclosed above, without departing from the scope of the claimed embodiments. Therefore, any simple modification, equivalent change and modification made to the above embodiments according to the technical essence of the present application still fall within the protection scope of the technical solution of the present application without departing from the content of the technical solution of the present application.
Claims (13)
1. A method for configuring a digital certificate, the method comprising:
acquiring historical access data of a target user in a preset time period;
determining a risk coefficient of the target user based on the change condition of the historical access data in the preset time period;
determining the validity period of the digital certificate issued to the target user according to the risk coefficient;
determining the validity period of the digital certificate which is issued to the target user at this time according to the risk coefficient specifically comprises:
determining a suggested value of the validity period for the target user according to the risk coefficient;
calculating the difference between the suggested value of the validity period and the validity period of the digital certificate which is issued to the target user last time to obtain a validity period change value;
judging whether the validity period change value falls within a second threshold value range;
if so, determining the suggested valid period value as the valid period of the digital certificate signed to the target user at this time;
if not, determining the validity period of the digital certificate issued to the target user at this time based on the validity period of the digital certificate issued to the target user last time.
2. The method according to claim 1, wherein the determining the risk factor of the target user based on the change of the historical access data within the preset time period specifically comprises:
taking the historical access data generated in the first time period as a reference data set, and taking the historical access data generated in the second time period as an evaluation data set; the preset time period comprises the first time period and the second time period, and the ending time of the first time period is not later than the starting time of the second time period;
obtaining a risk factor for the target user based on data differences between the reference dataset and the evaluation dataset.
3. The method of claim 2, wherein the historical access data comprises access transaction information and/or access device information; when the historical access data includes the access transaction information, the obtaining a risk coefficient of the target user based on a data difference between the reference data set and the evaluation data set specifically includes:
acquiring access thing change conditions between the reference data set and the evaluation data set based on access thing information in the historical access data;
determining the risk coefficient based on the access thing change condition;
when the historical access data includes access device information, the obtaining of the risk coefficient of the target user based on the data difference between the reference data set and the evaluation data set specifically includes:
acquiring access device change conditions between the reference data set and the evaluation data set based on access device information in the historical access data;
determining the risk factor based on the access device change.
4. The method of claim 3, wherein said accessing transaction information comprises: accessing objects and the corresponding access times; then, the obtaining of the access item change between the reference data set and the evaluation data set based on the access item information in the historical access data specifically includes:
counting all access matters contained in the reference data set and the evaluation data set to obtain an access matter set;
according to the access times corresponding to the access objects in the reference data set, calculating the distribution proportion of the access objects in the access object set in the reference data set to obtain a first distribution proportion of the access objects in the access object set;
according to the access times corresponding to the access matters in the evaluation data set, calculating the distribution proportion of the access matters in the evaluation data set to obtain a second distribution proportion of the access matters in the access matters set;
determining the access thing change condition based on a difference between a first distribution ratio and a second distribution ratio of each access thing in the set of access things.
5. The method of claim 4, wherein determining the access transaction variation based on a difference between a first distribution ratio and a second distribution ratio of each access transaction in the set of access transactions comprises:
calculating the difference between the first distribution proportion and the second distribution proportion of the access matters for each access matters in the access matters set;
judging whether the difference between the first distribution proportion and the second distribution proportion is within a first threshold value range;
and if not, adding one to the access object risk factor.
6. The method according to any one of claims 3 to 5, wherein the obtaining of the access device variation between the reference data set and the evaluation data set based on the access device information in the historical access data specifically comprises:
judging whether the information of each access device in the evaluation data set is included in the reference data set;
adding one to an access device risk factor when one of the access device information in the evaluation dataset is not included in the reference dataset.
7. The method according to claim 1, wherein the determining the validity period of the digital certificate issued to the target user this time based on the validity period of the digital certificate issued to the target user last time specifically comprises:
when the variation value of the validity period is smaller than the minimum value of the second threshold range, the validity period of the digital certificate which is issued to the target user last time is subtracted by a first preset value to be used as the validity period of the digital certificate which is issued to the target user this time;
when the change value of the validity period is larger than the maximum value of the second threshold range, adding a second preset value to the validity period of the digital certificate which is issued to the target user last time, and taking the result as the validity period of the digital certificate which is issued to the target user this time;
wherein the first preset value and the second preset value are both greater than zero.
8. The method according to claim 1 or 7, wherein the determining a suggested value of validity period for the target user according to the risk factor specifically comprises:
judging whether the difference between a third preset value and the risk coefficient is within a third threshold value range;
if so, taking the difference between the third preset value and the risk coefficient as the suggested value of the validity period;
if the difference between the third preset value and the risk coefficient is smaller than the minimum value of the third threshold range, taking the minimum value of the third threshold range as the suggested value of the validity period;
and if the difference between the third preset value and the risk coefficient is larger than the maximum value of the third threshold range, taking the maximum value of the third threshold range as the recommended validity period value.
9. A method for issuing a digital certificate, the method comprising:
in response to a digital certificate update demand on a target user, determining a validity period of a digital certificate issued to the target user at the present time according to the digital certificate configuration method of any one of claims 1 to 8;
and issuing a digital certificate for the target user based on the determined validity period.
10. An apparatus for digital certificate configuration, the apparatus comprising: the device comprises a data acquisition module, a coefficient determination module and a valid period determination module;
the data acquisition module is used for acquiring historical access data of a target user in a preset time period;
the coefficient determining module is used for determining a risk coefficient of the target user based on the change condition of the historical access data in the preset time period;
the validity period determining module is used for determining the validity period of the digital certificate which is issued to the target user at this time according to the risk coefficient;
the validity period determining module specifically includes: the suggestion determination submodule, the sixth calculation submodule, the third judgment submodule, the first determination submodule and the second determination submodule are connected;
the suggestion determination submodule is used for determining a valid period suggestion value for the target user according to the risk coefficient;
the sixth calculation submodule is used for calculating the difference between the suggested value of the validity period and the validity period of the digital certificate which is issued to the target user at the last time to obtain a validity period change value;
the third judgment submodule is used for judging whether the change value of the validity period falls within a second threshold range;
the first determining submodule is used for determining the suggested value of the validity period as the validity period of the digital certificate which is issued to the target user at this time when the third judging submodule judges that the variation value of the validity period falls within the range of the second threshold value;
and the second determining submodule is used for determining the validity period of the digital certificate which is issued to the target user at this time based on the validity period of the digital certificate which is issued to the target user last time when the third judging submodule judges that the validity period change value does not fall within the second threshold value range.
11. An apparatus for issuing a digital certificate, the apparatus comprising: a determining module and an issuing module;
the determining module is used for responding to the digital certificate updating demand of a target user, and determining the validity period of the digital certificate which is issued to the target user at the time according to the digital certificate configuration method of any one of claims 1 to 8;
and the issuing module is used for issuing a digital certificate for the target user based on the determined validity period.
12. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the digital certificate configuration method of any one of claims 1 to 8, or the digital certificate issuance method of claim 9.
13. A server, comprising: a processor and a memory;
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute the digital certificate configuration method according to any one of claims 1 to 8 or the digital certificate issuance method according to claim 9 according to instructions in the program code.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910677122.7A CN110493004B (en) | 2019-07-25 | 2019-07-25 | Digital certificate configuration method and device and digital certificate signing and issuing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910677122.7A CN110493004B (en) | 2019-07-25 | 2019-07-25 | Digital certificate configuration method and device and digital certificate signing and issuing method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110493004A CN110493004A (en) | 2019-11-22 |
| CN110493004B true CN110493004B (en) | 2022-09-02 |
Family
ID=68548469
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910677122.7A Active CN110493004B (en) | 2019-07-25 | 2019-07-25 | Digital certificate configuration method and device and digital certificate signing and issuing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110493004B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111080303B (en) * | 2019-12-06 | 2022-05-31 | 支付宝(杭州)信息技术有限公司 | Risk identification method and device of terminal equipment and equipment |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP5731673B2 (en) * | 2011-12-09 | 2015-06-10 | アラクサラネットワークス株式会社 | Certificate distribution apparatus and method, and computer program |
| US9037849B2 (en) * | 2013-04-30 | 2015-05-19 | Cloudpath Networks, Inc. | System and method for managing network access based on a history of a certificate |
| JP2016009276A (en) * | 2014-06-23 | 2016-01-18 | 富士通株式会社 | System, authentication device, authentication program, and authentication method |
| CN106529288A (en) * | 2016-11-16 | 2017-03-22 | 智者四海(北京)技术有限公司 | Account risk identification method and device |
| CN109379193B (en) * | 2018-12-06 | 2021-06-29 | 佛山科学技术学院 | Dynamic replay attack prevention authentication method and device |
-
2019
- 2019-07-25 CN CN201910677122.7A patent/CN110493004B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN110493004A (en) | 2019-11-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10404748B2 (en) | Cyber risk analysis and remediation using network monitored sensors and methods of use | |
| US8667056B1 (en) | Dynamic traffic management | |
| US11075941B2 (en) | Risk control method, risk control apparatus, electronic device, and storage medium | |
| US11019053B2 (en) | Requesting credentials | |
| EP3607698B1 (en) | Detection of anomalous key material | |
| US10482231B1 (en) | Context-based access controls | |
| Uddin et al. | CAT: a context-aware trust model for open and dynamic systems | |
| CA2965505A1 (en) | System and method for automatic calculation of cyber-risk in business-critical applications | |
| US9037849B2 (en) | System and method for managing network access based on a history of a certificate | |
| US11405394B2 (en) | Trust broker system for managing and sharing trust levels | |
| EP3542299A1 (en) | Systems and methods for securing access to resources | |
| Chase et al. | A scalable approach to joint cyber insurance and security-as-a-service provisioning in cloud computing | |
| WO2014124175A1 (en) | Privacy against interference attack against mismatched prior | |
| US20210391992A1 (en) | Managing client authorisation | |
| US9251321B2 (en) | Methods and nodes for handling usage policy | |
| CN113452752B (en) | Trust management and game method and system under multi-domain internet of things scene | |
| CN110930161A (en) | Method for determining operation time of business operation and self-service business operation equipment | |
| CN110493004B (en) | Digital certificate configuration method and device and digital certificate signing and issuing method and device | |
| Braun et al. | The potential of an individualized set of trusted cas: Defending against ca failures in the web pki | |
| Guillen et al. | Using external data in operational risk | |
| TW202125379A (en) | Fraud detection system, fraud detection method, and program | |
| CN116436692A (en) | Data access method, device, equipment and storage medium | |
| US10587597B1 (en) | Data exfiltration control | |
| CN117597696A (en) | Machine learning computer system architecture | |
| CN112765106A (en) | File access method, electronic device and computer program product |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |