CN110740136A - Network security control method for open bank and open bank platform - Google Patents


Info

Publication number: CN110740136A
Authority: CN (China)
Prior art keywords: request, client, information, string, network security
Legal status: Granted
Application number: CN201911004113.8A
Other languages: Chinese (zh)
Other versions: CN110740136B (en)
Inventors: 陈宏鸿, 周磊, 范兴泽
Current assignee: China Construction Bank Corp
Original assignee: 神州数码融信软件有限公司

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                        • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
                            • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
                        • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
                        • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
                • G06Q20/00 Payment architectures, schemes or protocols
                    • G06Q20/38 Payment protocols; Details thereof
                        • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
                            • G06Q20/3821 Electronic credentials
                            • G06Q20/3825 Use of electronic signatures
                            • G06Q20/3827 Use of message hashing
                            • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
                • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
                    • G06Q40/02 Banking, e.g. interest calculation or account maintenance

Abstract

The invention provides a network security control method for an open bank, and an open bank platform.

Description

Network security control method for open bank and open bank platform
Technical Field
The invention relates to the technical field of information security, and in particular to a network security control method for open banks and to an open bank platform.
Background
Open banking means that a bank's traditional financial services, internet financial services and other service capabilities, including non-financial services, are opened to an ecosystem of third-party developers, financial technology companies, manufacturers and other partners, so that the bank can build new core capabilities.
The open platform is the technical platform on which an open bank system is built and through which the bank's capabilities are exposed. It standardizes the definition and the output of in-bank service and technical capabilities, provides a standardized and reliable security mechanism, a fully packaged SDK and an online integration process for cooperating merchants, and thereby supports the construction of an open bank system end to end.
Cooperating merchants are the companies and individuals (third-party developers, financial technology companies, manufacturers and other partners) through whose cooperation the bank opens its business and technical capabilities, with the aim of building an internet financial ecosystem.
As banking has developed, many banks have kept the mobile-banking mindset: an encrypted channel is established between the mobile banking APP and the server, using technologies such as the WTLS protocol or a VPN, in order to secure transactions.
The disadvantages of using encrypted channels are:
1) each mobile APP must store a certificate in order to operate;
2) the security scheme is incomplete: it mainly establishes an encrypted channel, while content security (encryption, decryption, signing and signature verification) is weak;
3) the authority-checking capability is weak;
4) it depends too heavily on asymmetric encryption, with a large performance cost;
5) it suits only the bank's own APP and cannot well support an open bank's need to expose services to cooperating merchants' APPs in SDK form.
Disclosure of Invention
The technical problem solved by the invention is to provide a network security control method for open banks and an open bank platform such that, without reducing the security of the overall scheme, no dedicated certificate needs to be stored on the client side, and the security of the system is improved.
To solve this technical problem, the invention provides a network security control method for open banks which comprises: after a verification request from a client is obtained, verifying the client information and the signature in the verification request, and returning a token to the client after the verification passes; and after a call request from the client is obtained, verifying the token contained in the call request, and returning the call result to the client after the verification succeeds.
In one embodiment, verifying the client information and the signature in the verification request after it is obtained, and returning a token to the client after the verification passes, comprises: receiving the request information of the verification request; decrypting the encrypted key string with an asymmetric algorithm; decrypting the data with a symmetric algorithm; verifying the merchant signature string; generating a token; storing the token and the random work key locally; digitally signing information including the token and a random number; encrypting the return information with a symmetric algorithm; and returning the encrypted return information string.
In one embodiment, after the encrypted return information string is returned, the client decrypts it with a symmetric algorithm, verifies the digital signature, and saves the token and the random work key locally.
In one embodiment, the request information includes a symmetrically encrypted message, in which the client encrypts information such as the APPID, a random number, the hardware device information, the random work key and the digital signature string with a symmetric algorithm, and an asymmetrically encrypted message, in which the random key is encrypted with an asymmetric algorithm.
In one embodiment, the digital signature string is obtained by a request to the merchant server.
In one embodiment, when the digital signature string is requested from the merchant server, the request is made over HTTPS.
In one embodiment, the random number and the random work key are generated by the client in real time after the digital signature string has been requested.
In some embodiments, verifying the token contained in the call request after it is obtained, and returning the call result to the client after the verification succeeds, comprises: after the request information is received, decrypting the key string with an asymmetric algorithm; decrypting the encrypted request information with a symmetric algorithm; verifying the signature string; forwarding the request message ReqData to the service system for processing and obtaining the response message RspData; encrypting the digest of the response message RspData with the symmetric algorithm; encrypting the response message RspData and the signature string with the symmetric algorithm; and returning the encrypted return information string.
In one embodiment, after receiving the returned information string, the client decrypts the encrypted return information with a symmetric algorithm and verifies the signature string.
In addition, the invention also provides an open bank platform, which includes one or more processors and a storage device storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors implement the open bank-oriented network security control method described above.
With this design, the invention has at least the following advantages:
1. in the verify-developer step, the client requests the merchant digital signature from the merchant server, so that the client does not need to store a dedicated certificate while the security of the overall scheme is not reduced, and the method better suits a cooperation model in which an open bank integrates quickly with cooperating merchants over the Internet by means of the SDK;
2. the random key is regenerated for each transaction and transmitted to the open platform encrypted under the open platform's public key, so that every API call uses a fresh key, which greatly improves the security of the overall scheme;
3. in the verify-developer process, the client initiates a request to the open platform; after the open platform has verified its identity, a Token is returned to the client and checked during subsequent financial API calls, which improves the security of the overall scheme;
4. in the financial API calling process, symmetric algorithms and class signatures replace asymmetric encryption and digital signatures, so that the performance cost of heavy use of asymmetric algorithms is reduced while sufficient security is ensured, and transaction performance is improved.
Drawings
The foregoing is merely an overview of the technical solution of the present invention. To make it more clearly understood, the invention is further described in detail below with reference to the accompanying drawings and the detailed description.
Fig. 1 is a flowchart of an open bank-oriented network security control method according to an embodiment of the present invention;
Fig. 2 is an interaction flowchart of an open bank-oriented network security control method according to an embodiment of the present invention;
Fig. 3 is an interaction flowchart for verifying a developer according to an embodiment of the present invention;
Fig. 4 is an interaction flowchart for invoking a financial API according to an embodiment of the present invention;
Fig. 5 is a structural diagram of an open bank-oriented network security control device according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention are described below in conjunction with the accompanying drawings; it will be understood that they are described for the purpose of illustration and explanation and not of limitation.
Fig. 1 shows a flowchart of the network security control method for an open bank provided by the invention. Referring to Fig. 1, the method includes:
S11: after a verification request from the client is obtained, verifying the client information and the signature in the verification request, and returning a token to the client after the verification passes.
S12: after a call request from the client is obtained, verifying the token contained in the call request, and returning the call result to the client after the verification succeeds.
That is, the network security control method for an open bank provided by the embodiment of the invention is divided into two main parts: verifying the developer, and invoking a financial transaction. Fig. 2 shows the interactive implementation process of the method.
Verify-developer flow description:
1. The local configuration is loaded and verification of the developer is initiated.
2. After obtaining the APP-related information, the APP encrypts the full message and initiates an HTTPS request to the merchant server.
3. After receiving the request, the merchant server decrypts the message to obtain the request information.
4. The merchant server serializes the request information, digitally signs it, encrypts the signature string and returns it to the requesting APP.
5. After decrypting the message, the APP obtains the merchant server's signature string.
6. The APP assembles a new request message containing the APP-related information, the merchant server signature string and other information, and encrypts the full message.
7. The APP sends an HTTPS request to the open platform, carrying the request message.
8. After receiving the request message, the open platform decrypts it to obtain the request information and verifies the merchant server's signature string.
9. The open platform checks the APP's authority.
10. The open platform generates a Token, encrypts it and returns it to the APP.
After receiving the response message, the APP decrypts it to obtain the Token and stores the Token locally; verifying the developer is complete.
Invoke-financial-transaction flow description:
1. The APP assembles a request message and starts the call to the financial service API.
2. The APP signs the request message, encrypts the full message (the request message, its signature string, the Token and other information), and initiates an HTTPS request to the open platform.
3. The open platform decrypts the received request message to obtain the request information and verifies the request message's signature string.
4. The open platform checks the Token in the request message: whether it is correct and whether its validity period has been exceeded.
5. The open platform verifies the APP's authority to call the current financial service API.
6. The open platform desensitizes sensitive information in the request message and restores it in the response message; after receiving the response message returned by the service system, it signs the response message, encrypts the response message and its signature string together as a full message, and returns the encrypted message to the APP.
After receiving the returned information, the APP decrypts the full message and verifies the response message's signature string; the APP displays the information in the response message on its interface; the financial API call is complete.
Fig. 3 details the process of verifying a developer. Referring to Fig. 3, the process involves the following:
1. the open platform holds the open platform private key and the merchant public key, referred to below as private key S and public key B;
2. the merchant server holds the merchant private key, referred to as private key B;
3. the APP calls the open platform's SDK for security and communication processing; the SDK holds the open platform public key and the merchant public key, referred to as public key S and public key B;
4. two communications take place in the process: the first is HTTPS communication between the AP P and the merchant server, with request Req1 and response Rsp1; the second is HTTPS communication between the APP and the open platform, with request Req2 and response Rsp2.
More specifically, the process of verifying the developer is as follows:
1. the APP obtains the APPID distributed to the merchant by the open platform and the hardware device information, and generates a random number and a random key;
2. the APP computes a digest of this information with a digest algorithm and encrypts the digest string with the symmetric algorithm AES256; the random key is encrypted with the asymmetric algorithm RSA;
3. the APP sends the encrypted data to the merchant server over HTTPS;
4. after receiving the request information, the merchant server decrypts the encrypted key string with the asymmetric algorithm RSA and decrypts the data with the symmetric algorithm AES256;
5. the merchant server digitally signs the request information with the merchant private key, encrypts the digital signature with the symmetric algorithm AES256 and returns it to the APP;
6. after receiving the returned information, the APP decrypts it with the symmetric algorithm AES256 to obtain the digital signature string returned by the merchant server;
7. the APP generates a new random key and a random work key;
8. the APP encrypts the APPID, the random number, the hardware device information, the random work key, the digital signature string and other information with the symmetric algorithm AES256, and encrypts the random key with the asymmetric algorithm RSA;
9. the APP sends the encrypted data to the open platform over HTTPS;
10. after receiving the request information, the open platform decrypts the encrypted key string with the asymmetric algorithm RSA and the data with the symmetric algorithm AES256, and verifies the merchant signature string;
11. the open platform generates a Token and stores the Token and the random work key locally;
12. the open platform digitally signs the Token, the random number and other information, and encrypts the return information with the symmetric algorithm AES256;
13. the open platform returns the encrypted return information string to the APP;
14. after receiving the return information, the APP decrypts it with the symmetric algorithm AES256 and verifies the digital signature;
15. the APP saves the Token and the random work key locally; verifying the developer is complete.
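The APP-to-open-platform half of this exchange (steps 7 to 11 above), as an added Go example that is not part of the patent: the APP seals its request under a fresh AES-256 key wrapped with the open platform's RSA public key (public key S), the merchant server supplies the signature over the APP fields with merchant private key B, and the open platform unwraps the key, verifies that signature with public key B and issues a Token bound to the random work key. The field names, the `|`-joined canonical serialization, GCM, OAEP and RSA-PSS are this example's choices (the patent names only AES256, RSA and a digest algorithm), and the signed return message of steps 12 to 14 is not shown.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"io"
)

var entropy = rand.Reader // CSPRNG behind every key, nonce and Token in this example

// Envelope is the encrypted request string: a JSON payload under AES-256 with a fresh
// random key, that key wrapped with the receiver's RSA public key (GCM and OAEP are choices made here).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(entropy, b); err != nil {
		panic(err) // a failing CSPRNG is fatal, not something to recover from
	}
	return b
}

func aesGCM(key []byte) cipher.AEAD { // callers guarantee a 32-byte key
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealEnvelope is the APP side of steps 7-8: a new random key for every message.
func sealEnvelope(pub *rsa.PublicKey, v any) (Envelope, error) {
	plaintext, err := json.Marshal(v)
	if err != nil {
		return Envelope{}, err
	}
	key, nonce := randBytes(32), randBytes(12)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), entropy, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, aesGCM(key).Seal(nil, nonce, plaintext, nil)}, nil
}

// openEnvelope is the receiver side of step 10: unwrap the key, then decrypt and decode.
func openEnvelope(priv *rsa.PrivateKey, env Envelope, v any) error {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(env.Nonce) != 12 {
		return errors.New("malformed envelope")
	}
	plaintext, err := aesGCM(key).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(plaintext, v)
}

// Req2 is the verify-developer request the APP sends to the open platform (step 8).
type Req2 struct {
	AppID, Device               string
	Nonce, WorkKey, MerchantSig []byte
}

// appDigest fixes the order of the signed APP fields; merchant and platform must agree on it.
func appDigest(appID, device string, nonce []byte) []byte {
	d := sha256.Sum256([]byte(appID + "|" + device + "|" + hex.EncodeToString(nonce)))
	return d[:]
}

// merchantSign is step 5 on the merchant server: RSA-PSS with merchant private key B.
func merchantSign(priv *rsa.PrivateKey, appID, device string, nonce []byte) ([]byte, error) {
	return rsa.SignPSS(entropy, priv, crypto.SHA256, appDigest(appID, device, nonce), nil)
}

// Platform holds open platform private key S, merchant public key B and the Token table.
type Platform struct {
	priv        *rsa.PrivateKey
	merchantPub *rsa.PublicKey
	sessions    map[string][]byte // Token -> random work key (step 11)
}

// VerifyDeveloper is steps 10-11: open Req2, check the merchant signature, issue a Token.
func (p *Platform) VerifyDeveloper(env Envelope) (string, error) {
	var req Req2
	if err := openEnvelope(p.priv, env, &req); err != nil {
		return "", err
	}
	d := appDigest(req.AppID, req.Device, req.Nonce)
	if rsa.VerifyPSS(p.merchantPub, crypto.SHA256, d, req.MerchantSig, nil) != nil {
		return "", errors.New("merchant signature invalid")
	}
	token := hex.EncodeToString(randBytes(16))
	p.sessions[token] = req.WorkKey // later API calls authenticate under this key
	return token, nil
}
```

A request whose APPID, device or nonce differs from what the merchant server signed fails at VerifyPSS, and a modified ciphertext fails at GCM before any field is read.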
Fig. 4 illustrates the process of invoking a financial transaction. Referring to Fig. 4, the process involves the following:
1. the open platform holds the open platform private key and the merchant public key, referred to below as private key S and public key B; after the developer has been verified, the open platform also holds the Token string with its related information, and the random work key;
2. the APP calls the open platform's SDK for security and communication processing; the SDK holds the open platform public key and the merchant public key, referred to as public key S and public key B; after the developer has been verified, the APP holds the Token string and the random work key;
3. in this process the APP and the merchant server carry out one HTTPS communication, with request Req3 and response Rsp3.
More specifically, the process of invoking the financial transaction is as follows:
1. the APP encrypts a Hash digest of the request message, the Token and other information with the symmetric algorithm AES256;
2. the APP generates a random key, encrypts the request message ReqData, the Token, the signature string and other information with the symmetric algorithm AES256, and encrypts the random key with the asymmetric algorithm RSA;
3. the APP sends the encrypted request information to the open platform over HTTPS;
4. after receiving the request information, the open platform decrypts the key string with the asymmetric algorithm RSA, decrypts the encrypted request information with the symmetric algorithm AES256 and verifies the signature string;
5. the open platform forwards the request message ReqData to the service system for processing and obtains the response message RspData;
6. the open platform encrypts a Hash digest of the response message RspData with the symmetric algorithm AES256, and encrypts the response message RspData and the signature string with the symmetric algorithm AES256;
7. the open platform returns the encrypted return information string to the APP;
8. after receiving the return information, the APP decrypts it with the symmetric algorithm AES256 and verifies the signature string;
9. the APP obtains the decrypted response message; the financial API call is complete.
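The symmetric per-call check of steps 3 to 8, as an added Go example that is not part of the patent. It assumes the envelope layer of steps 2 to 4 (random AES256 key wrapped with RSA) has already been removed, and it reads the patent's "class signature" as an HMAC-SHA256 under the random work key stored at verify-developer step 11, computed over Token||ReqData for the request and Token||RspData for the response; the Gateway type, the session table with its validity period, and the sample values are this example's constructions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"time"
)

// Req3 is a financial API request after the envelope layer (random AES-256 key wrapped
// with the open platform's RSA public key) has been removed.
type Req3 struct {
	Token   string
	ReqData []byte
	Sig     []byte // class signature over Token||ReqData
}

// Rsp3 is the response the APP verifies before displaying anything (step 8).
type Rsp3 struct {
	RspData []byte
	Sig     []byte // class signature over Token||RspData
}

// classSig is this example's reading of the patent's "class signature": HMAC-SHA256 under
// the random work key shared at verify-developer step 11. Including the Token binds the
// message to one session, so a message captured from another session does not verify here.
func classSig(workKey []byte, token string, data []byte) []byte {
	m := hmac.New(sha256.New, workKey)
	m.Write([]byte(token))
	m.Write(data)
	return m.Sum(nil)
}

// session is what the platform stored at verify-developer step 11, plus the validity
// period that step 4 of the API call checks.
type session struct {
	workKey []byte
	expires time.Time
}

// Gateway is the open platform's API front door: the Token table and the service system.
type Gateway struct {
	sessions map[string]session
	service  func(reqData []byte) []byte
}

// CallAPI is steps 3-6 on the open platform: look up the Token, check its validity
// period, verify the request's class signature, forward ReqData, sign the response.
func (g *Gateway) CallAPI(req Req3, now time.Time) (Rsp3, error) {
	s, ok := g.sessions[req.Token]
	if !ok {
		return Rsp3{}, errors.New("unknown token")
	}
	if now.After(s.expires) {
		return Rsp3{}, errors.New("token validity period exceeded")
	}
	if !hmac.Equal(req.Sig, classSig(s.workKey, req.Token, req.ReqData)) {
		return Rsp3{}, errors.New("request signature invalid")
	}
	rspData := g.service(req.ReqData)
	return Rsp3{rspData, classSig(s.workKey, req.Token, rspData)}, nil
}

// verifyRsp is step 8 on the APP: the response must carry a valid class signature
// under the same work key and Token before its contents are displayed.
func verifyRsp(workKey []byte, token string, rsp Rsp3) bool {
	return hmac.Equal(rsp.Sig, classSig(workKey, token, rsp.RspData))
}
```

hmac.Equal is used on both sides so that a wrong signature takes the same time to reject as an almost-right one.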
Those skilled in the art will understand that the symmetric algorithm AES256 used throughout the invention may be replaced by other symmetric encryption algorithms, such as SM1, SM4, DES, 3DES or AES128.
The asymmetric algorithm RSA used throughout the technical solution of the invention may be replaced by other asymmetric encryption algorithms, such as SM2 or ECC.
The digest algorithm (Hash) used throughout the technical solution of the invention may be replaced by other digest algorithms, such as the MD series, the SHA series or a MAC.
The digital signatures used throughout the technical solution of the invention may be replaced by other digital signature algorithms, such as DSA.
Fig. 5 is a block diagram of the network security control device for an open bank according to the present invention. Referring to Fig. 5, the device includes a central processing unit (CPU) 501 that can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 502 or a program loaded from a storage section 508 into a random access memory (RAM) 503. The RAM 503 also stores the various programs and data necessary for system operation. The CPU 501, ROM 502 and RAM 503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse and the like; an output section 507 including a display such as a cathode ray tube (CRT) or liquid crystal display (LCD), and a speaker; a storage section 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card or a modem. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 510 as necessary, so that a computer program read from it can be installed into the storage section 508.
Compared with the methods used in existing banking systems, the technical scheme of this embodiment has the following technical effects:
1. In the developer verification step, the APP requests the merchant digital signature from the merchant server, so the APP does not need to store a dedicated certificate, and the security of the whole scheme is not reduced; this suits the cooperation mode in which an open bank integrates quickly with partner merchants over the Internet through an SDK;
2. The random key is regenerated for every transaction and delivered to the open platform encrypted under the open platform's public key, so each API call uses a one-time key, which greatly improves the security of the whole scheme;
3. In the developer verification process, the APP sends a request to the open platform; after the open platform has verified its identity it returns a Token to the APP, and the Token is checked in every subsequent financial API call, which improves the security of the whole scheme;
4. In the financial API calling process, symmetric algorithms and signature-like checks are used in place of asymmetric encryption and digital signatures, so that the performance loss of using a large amount of asymmetric cryptography is reduced while sufficient security is kept, improving transaction performance;
5. Taken together with the design of the whole security scheme, the four points above allow the scheme to support an open bank exposing services to the APPs of partner merchants in the form of an SDK.
The above description only illustrates preferred embodiments of the present invention and is not to be construed as limiting it in any way; it will be apparent to those skilled in the art that various modifications, equivalent substitutions or variations can be made without departing from the spirit and scope of the present invention.

Claims (10)

1. An open bank-oriented network security control method, comprising:
after obtaining a verification request from the client, verifying the client information and the signature in the verification request, and returning a token to the client after the verification passes;
and after obtaining a calling request from the client, verifying the token contained in the calling request, and returning a calling result to the client after the verification succeeds.
2. The open bank-oriented network security control method according to claim 1, wherein, after obtaining the verification request of the client, verifying the client information and the signature in the verification request, and returning the token to the client after the verification passes, comprises:
after the request information of the verification request is received, decrypting the encrypted key string with an asymmetric algorithm, decrypting the data with a symmetric algorithm, and verifying the merchant signature string;
generating a token, and storing the token and the random work key locally;
digitally signing the token, the random number and related information, and encrypting the returned information with a symmetric algorithm;
and returning the encrypted return information string.
3. The open bank-oriented network security control method according to claim 2, wherein after returning the encrypted return information string, the client decrypts the encrypted return information using a symmetric algorithm, verifies the digital signature, and stores the token and the random work key locally.
4. The open bank-oriented network security control method according to claim 2, wherein the request information comprises: the APPID, random number, hardware device information, random work key, digital signature string and related information, encrypted by the client with a symmetric algorithm, and the random key, encrypted with an asymmetric algorithm.
5. The open bank-oriented network security control method according to claim 4, wherein the digital signature string is obtained by a request to the customer service end.
6. The open bank-oriented network security control method according to claim 5, wherein the digital signature string is requested from the customer service end over the HTTPS protocol.
7. The open bank-oriented network security control method according to claim 4, wherein the random number and the random work key are generated by the client in real time after the digital signature string has been requested.
8. The open bank-oriented network security control method according to claim 1, wherein, after obtaining the calling request of the client, verifying the token contained in the calling request, and returning the calling result to the client after the verification succeeds, comprises:
after the request information is received, decrypting the key string with an asymmetric algorithm, decrypting the encrypted request information with a symmetric algorithm, and verifying the signature of the signature string;
forwarding the request message ReqData to the service system for processing, and obtaining the response message RspData;
encrypting the digest of the response message RspData with a symmetric algorithm, and encrypting the response message RspData and the signature string with the symmetric algorithm;
and returning the encrypted return information string.
9. The open bank-oriented network security control method according to claim 8, wherein after receiving the returned information string, the client decrypts the encrypted returned information using a symmetric algorithm; and verifying the signature string.
10. An open banking platform, comprising:
one or more processors;
a storage device for storing one or more programs;
wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the open bank-oriented network security control method of any one of claims 1 to 9.
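The two steps that the claims and the list of technical effects describe, as an added worked example that is not the patent's code: a Ruby 3 model of both the platform and the APP side, using only Ruby's bundled openssl gem. It fixes the algorithms the description leaves open (AES-256-GCM as the symmetric algorithm, RSA-OAEP key wrapping and RSA-PSS as the asymmetric algorithm and digital signature, HMAC-SHA256 as the signature string of claim 8, which is the signature-like check of effect 4), and it assumes a fixed payload layout, a merchant public key registered per APPID, a constructed APPID `APP001`, and a lambda in place of the merchant server's HTTPS signing endpoint of claims 5 and 6. Every name in it is the example's own.

```ruby
require "openssl"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
SIG_LEN = 256 # assumed layout: RSA-2048 PSS signatures, 16-byte nonce, 32-char hex token, 32-byte HMAC
# The claims' "symmetric algorithm", here AES-256-GCM laid out as iv || ciphertext || tag.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  iv = c.random_iv
  iv + (plaintext.empty? ? "" : c.update(plaintext)) + c.final + c.auth_tag
end
# Returns the plaintext, or nil when the key is wrong or the blob was tampered with or truncated.
def open_sealed(key, blob)
  return nil if blob.to_s.bytesize < 28
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[-16, 16]
  (ct = blob[12...-16]).empty? ? c.final : c.update(ct) + c.final
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil
end
# The claims' "digital signature": RSA-PSS/SHA-256, used by the merchant server (effect 1) and the platform (claim 2).
def pss_sign(priv, data)
  priv.sign_pss("SHA256", data, salt_length: :digest, mgf1_hash: "SHA256")
end
def pss_verify?(pub, sig, data)
  pub.verify_pss("SHA256", sig, data, salt_length: :auto, mgf1_hash: "SHA256")
rescue OpenSSL::PKey::PKeyError, TypeError
  false
end
# The signature-like check of effect 4: HMAC-SHA256 under the session work key, labelled per direction.
def mac(work_key, label, data)
  OpenSSL::HMAC.digest("SHA256", work_key, label + data)
end
# Claims 4 and 8 wire shape: a fresh key wrapped with the platform public key (one key per request, effect 2) plus the payload sealed under it.
def envelope(platform_pub, payload)
  key = OpenSSL::Random.random_bytes(32)
  [{ enc_key: platform_pub.public_encrypt(key, OAEP), enc_data: seal(key, payload) }, key]
end

class Platform
  attr_reader :pub
  def initialize(merchant_pubs)
    @priv = OpenSSL::PKey::RSA.new(2048)
    @pub = @priv.public_key
    @merchants = merchant_pubs.transform_keys(&:b) # APPID => merchant public key (assumed onboarding step)
    @sessions = {}                                 # token => random work key (claim 2)
  end
  def open_envelope(env)
    key = @priv.private_decrypt(env[:enc_key], OAEP)
    data = open_sealed(key, env[:enc_data])
    data && [key, data]
  rescue OpenSSL::PKey::PKeyError, TypeError
    nil
  end
  # Claim 2: request payload nonce || merchantSig || APPID; reply token || nonce || platformSig sealed under the work key.
  def handle_verify(env)
    work_key, data = open_envelope(env)
    nonce, msig, app_id = data.to_s[0, 16], data.to_s[16, SIG_LEN], data.to_s[16 + SIG_LEN..-1]
    merchant_pub = app_id && @merchants[app_id]
    return nil unless merchant_pub && pss_verify?(merchant_pub, msig, app_id + nonce)
    token = OpenSSL::Random.random_bytes(16).unpack1("H*").b
    @sessions[token] = work_key # token and work key stored together (claim 2)
    seal(work_key, token + nonce + pss_sign(@priv, token + nonce))
  end
  # Claims 1 and 8: check the token, recover and verify ReqData, run the service system (the block), reply mac(RspData) || RspData.
  def handle_call(req)
    work_key = @sessions[req[:token].to_s.b]
    tx_key, req_data = work_key && open_envelope(req[:env])
    return nil unless req_data && OpenSSL.secure_compare(req[:sig].to_s, mac(work_key, "req", req[:token] + req_data))
    rsp_data = yield(req_data)
    seal(tx_key, mac(work_key, "rsp", rsp_data) + rsp_data)
  end
end

# App side of claims 3 to 7: fresh nonce and work key; the merchant server (a lambda here) signs; keep the token only if the echoed nonce and platform signature verify.
def app_verify(platform, app_id, merchant_server)
  nonce = OpenSSL::Random.random_bytes(16)
  env, work_key = envelope(platform.pub, nonce + merchant_server.call(app_id + nonce) + app_id)
  data = open_sealed(work_key, platform.handle_verify(env)).to_s
  token, echo, psig = data[0, 32], data[32, 16], data[48, SIG_LEN]
  [token, work_key] if echo == nonce && pss_verify?(platform.pub, psig, token + echo)
end
# App side of claims 8 and 9: returns RspData, or nil if the reply does not decrypt or verify.
def app_call(platform, token, work_key, req_data, &service)
  env, tx_key = envelope(platform.pub, req_data)
  rsp = platform.handle_call({ token: token, env: env, sig: mac(work_key, "req", token + req_data) }, &service)
  data = open_sealed(tx_key, rsp).to_s
  data[32..-1] if data.bytesize >= 32 && OpenSSL.secure_compare(data[0, 32], mac(work_key, "rsp", data[32..-1]))
end
# Constructed end-to-end run: a generated merchant key pair stands in for the merchant server, the block for the service system.
def demo(req_data = "balance?acct=constructed-0001")
  merchant = OpenSSL::PKey::RSA.new(2048)
  platform = Platform.new("APP001" => merchant.public_key)
  token, work_key = app_verify(platform, "APP001", ->(data) { pss_sign(merchant, data) })
  token && app_call(platform, token, work_key, req_data) { |req| "OK:" + req }
end
puts demo
```

Running the file prints the service system's reply to the constructed request. The verification step pays for two RSA operations on the platform (one OAEP unwrap, one PSS signature) and one PSS verification of the merchant signature; every later call costs one OAEP unwrap plus two HMACs, which is the performance trade of effect 4 made concrete. Two things the claims do not specify and a deployment would add on the platform side, without changing the APP: the `@sessions` store never expires a token, so a time-to-live is needed, and the signature string covers only token || ReqData, so a timestamp or request identifier in the signed data is what lets the platform distinguish a re-sent call from a new one.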
CN201911004113.8A 2019-10-22 2019-10-22 Network security control method for open bank and open bank platform Active CN110740136B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911004113.8A CN110740136B (en) 2019-10-22 2019-10-22 Network security control method for open bank and open bank platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911004113.8A CN110740136B (en) 2019-10-22 2019-10-22 Network security control method for open bank and open bank platform

Publications (2)

Publication Number Publication Date
CN110740136A true CN110740136A (en) 2020-01-31
CN110740136B CN110740136B (en) 2022-04-22

Family

ID=69270743

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911004113.8A Active CN110740136B (en) 2019-10-22 2019-10-22 Network security control method for open bank and open bank platform

Country Status (1)

Country Link
CN (1) CN110740136B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111698312A (en) * 2020-06-08 2020-09-22 中国建设银行股份有限公司 Service processing method, device, equipment and storage medium based on open platform
CN112468450A (en) * 2020-11-06 2021-03-09 通联支付网络服务股份有限公司 Method for integrating API interfaces among service providers by API open platform
CN112822258A (en) * 2020-12-31 2021-05-18 北京神州数字科技有限公司 Bank open system access method and system
CN113395269A (en) * 2021-06-04 2021-09-14 上海浦东发展银行股份有限公司 Data interaction method and device
CN114429341A (en) * 2022-01-24 2022-05-03 吉林银行股份有限公司 Grouped payment method, device and equipment

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442409A (en) * 2007-11-23 2009-05-27 东方钢铁电子商务有限公司 Encipher method and system for B2B data exchange
CN102413464A (en) * 2011-11-24 2012-04-11 杭州东信北邮信息技术有限公司 GBA (General Bootstrapping Architecture)-based secret key negotiation system and method of telecommunication capability open platform
CN102573112A (en) * 2010-12-07 2012-07-11 中国电信股份有限公司 Telecommunication network capability opening method, system and alliance support platform
CN102932149A (en) * 2012-10-30 2013-02-13 武汉理工大学 Integrated identity based encryption (IBE) data encryption system
CN103248481A (en) * 2012-02-10 2013-08-14 工业和信息化部电信传输研究所 Open-end API (application program interface) public license access control method based on digital application signature certification
US20140089202A1 (en) * 2012-09-27 2014-03-27 Michael K. Bond CRM Security Core
CN104199654A (en) * 2014-08-27 2014-12-10 百度在线网络技术(北京)有限公司 Open platform calling method and device
CN104283841A (en) * 2013-07-02 2015-01-14 阿里巴巴集团控股有限公司 Method, device and system for carrying out service access control on third-party application
CN106097167A (en) * 2016-06-07 2016-11-09 深圳心驰技术有限公司 A kind of finance escort information service system
CN106789067A (en) * 2016-12-13 2017-05-31 北京握奇智能科技有限公司 A kind of mobile phone Net silver Key method and system based on TEE and wearable device
CN108183907A (en) * 2017-12-29 2018-06-19 浪潮通用软件有限公司 A kind of authentication method, server and Verification System
CN108428173A (en) * 2018-01-31 2018-08-21 孙中东 1+1+N Internet banks application architecture and its business model application
US10319029B1 (en) * 2014-05-21 2019-06-11 Plaid Technologies, Inc. System and method for programmatically accessing financial data

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111698312A (en) * 2020-06-08 2020-09-22 中国建设银行股份有限公司 Service processing method, device, equipment and storage medium based on open platform
CN112468450A (en) * 2020-11-06 2021-03-09 通联支付网络服务股份有限公司 Method for integrating API interfaces among service providers by API open platform
CN112468450B (en) * 2020-11-06 2023-05-23 通联支付网络服务股份有限公司 Method for integrating API (application program interface) interfaces among servers by using API (application program interface) open platform
CN112822258A (en) * 2020-12-31 2021-05-18 北京神州数字科技有限公司 Bank open system access method and system
CN112822258B (en) * 2020-12-31 2023-04-07 北京神州数字科技有限公司 Bank open system access method and system
CN113395269A (en) * 2021-06-04 2021-09-14 上海浦东发展银行股份有限公司 Data interaction method and device
CN113395269B (en) * 2021-06-04 2023-02-17 上海浦东发展银行股份有限公司 Data interaction method and device
CN114429341A (en) * 2022-01-24 2022-05-03 吉林银行股份有限公司 Grouped payment method, device and equipment
CN114429341B (en) * 2022-01-24 2022-12-02 吉林银行股份有限公司 Grouped payment method, device and equipment

Also Published As

Publication number Publication date
CN110740136B (en) 2022-04-22

Similar Documents

Publication Publication Date Title
CN110740136B (en) Network security control method for open bank and open bank platform
CN108027926B (en) Authentication system and method for service-based payment
US10164996B2 (en) Methods and systems for providing a low value token buffer
US9904919B2 (en) Verification of portable consumer devices
US8827154B2 (en) Verification of portable consumer devices
US20170249633A1 (en) One-Time Use Password Systems And Methods
US7606560B2 (en) Authentication services using mobile device
GB2549118A (en) Electronic payment system using identity-based public key cryptography
GB2515057A (en) System and Method for Obtaining a Digital Signature
US11716200B2 (en) Techniques for performing secure operations
CN113015991A (en) Secure digital wallet processing system
US20190370790A1 (en) Systems and methods for using a cryptogram lockbox
US10546292B1 (en) Systems and methods for substitute low-value tokens in secure network transactions
CN111698312A (en) Service processing method, device, equipment and storage medium based on open platform
CN110601836B (en) Key acquisition method, device, server and medium
WO2023160667A1 (en) Security authentication method, apparatus and system for digital currency transaction
US20230090972A1 (en) Online secret encryption
US11451376B2 (en) Systems and methods for secure communication
WO2020055401A1 (en) Checkout with mac
US20150235214A1 (en) User Authentication and Authorization
WO2022220993A1 (en) Secure transmission of sensitive data over an electronic network
CN114462990A (en) Method and device for secret-free payment based on digital currency
CN115222402A (en) Payment method, device and system of digital currency
AU2016203876A1 (en) Verification of portable consumer devices
TW200904114A (en) Method of subscriber terminal providing identity verification for server terminal, computer accessible storage media, transaction safety verification method and its system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Peng Yun

Inventor after: Huang Zhimin

Inventor after: Yang Yang

Inventor after: Wu Yifan

Inventor before: Chen Honghong

Inventor before: Zhou Lei

Inventor before: Fan Xingze

TA01 Transfer of patent application right

Effective date of registration: 20210119

Address after: 25 Financial Street, Xicheng District, Beijing 100033

Applicant after: China Construction Bank Corp.

Address before: 101-302, 3 / F, building 18, yard 10, xibeiwangdong Road, Haidian District, Beijing

Applicant before: DIGITAL CHINA FINANCIAL SOFTWARE Co.,Ltd.

GR01 Patent grant