CN112434315A - Attachment access method, server and access terminal - Google Patents
Attachment access method, server and access terminal Download PDFInfo
- Publication number
- CN112434315A CN112434315A CN202011309094.2A CN202011309094A CN112434315A CN 112434315 A CN112434315 A CN 112434315A CN 202011309094 A CN202011309094 A CN 202011309094A CN 112434315 A CN112434315 A CN 112434315A
- Authority
- CN
- China
- Prior art keywords
- encrypted
- attachment
- accessory
- server
- identifier
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 39
- 238000012795 verification Methods 0.000 claims abstract description 208
- 238000010586 diagram Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The application provides an attachment access method, a server and an access terminal, wherein the method can be applied to the server by uploading an attachment list with at least one encrypted attachment identifier; the encrypted accessory identifier is generated by encrypting the accessory identifier by adopting a first encryption algorithm and a first secret key; receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification; verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result; determining whether to feed back an accessory corresponding to the accessory identifier to the access terminal based on the verification result; the access verification of the access terminal is realized, and the security of the access accessory is ensured.
Description
Technical Field
The invention relates to the technical field of network accessory access, in particular to an accessory access method, a server and an access terminal.
Background
An open-to-the-air network platform often provides some attachments for access by the access side.
Specifically, the access end accesses the accessory in an externally open network through an authorized accessory address, but many access ends often access other accessories which are not authorized to access based on the authorized accessory address and guessed address rules, so that the security of accessory access is reduced.
Disclosure of Invention
In view of this, the present invention provides an attachment access method, a server and an access terminal, so as to improve the security of attachment access.
In order to achieve the purpose, the invention provides the following technical scheme:
an attachment access method is applied to a server and comprises the following steps:
uploading an attachment list having at least one cryptographic attachment identification; the encrypted accessory identifier is generated by encrypting the accessory identifier by adopting a first encryption algorithm and a first secret key;
receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification;
verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result;
and determining whether to feed back the accessory corresponding to the accessory identification to the access terminal or not based on the verification result.
Preferably, the deciding whether to feed back the accessory corresponding to the accessory identifier to the access terminal based on the verification result includes:
if the verification fails, refusing to feed back the accessory corresponding to the accessory identification to the access terminal;
if the verification is passed, decrypting the encrypted accessory identifier based on the first encryption algorithm and the first secret key to obtain an accessory identifier;
searching an accessory storage path corresponding to the accessory identification in a preset corresponding relation;
and acquiring the attachment from the attachment storage path, and feeding back the attachment to the access terminal.
Preferably, the verifying the access terminal based on the signature verification string and the encrypted accessory identifier to obtain a verification result includes:
decrypting the signature verification character string by using an agreed second encryption algorithm and a second secret key corresponding to the encrypted accessory identifier, and determining that the verification fails if the decryption fails;
if the decryption is successful, acquiring the decrypted encrypted attachment identifier;
judging whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification;
if the verification is consistent, the verification is determined to be passed, and if the verification is not consistent, the verification is determined to be failed.
Preferably, the signature verification string is obtained by encrypting the encrypted attachment identifier and the current timestamp information by the access terminal;
correspondingly, the verifying the access terminal based on the signature verification character string and the encrypted accessory identifier to obtain a verification result includes:
decrypting the signature verification character string by using an agreed second encryption algorithm and a second secret key corresponding to the encrypted accessory identifier, and determining that the verification fails if the decryption fails;
if the decryption is successful, acquiring the decrypted encrypted attachment identification and the current timestamp information;
judging whether the access terminal is in the access timeliness or not based on the current timestamp information, and if not, determining that the verification fails; if yes, judging whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification;
if the verification is consistent, the verification is determined to be passed, and if the verification is not consistent, the verification is determined to be failed.
An attachment access method is applied to an access terminal, and comprises the following steps:
acquiring an encrypted attachment identifier from an attachment list uploaded by a server; the encrypted attachment identifier is generated after the server encrypts the attachment identifier by adopting a first encryption algorithm and a first secret key;
encrypting the encrypted attachment identifier by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string;
sending the signature verification character string and the encrypted attachment identification to a server, so that the server verifies the access terminal based on the signature verification character string and the encrypted attachment identification to generate a verification result;
and obtaining information fed back by the server based on the verification result.
Preferably, the obtaining information fed back by the server based on the verification result includes:
and acquiring the attachment corresponding to the attachment identification fed back by the server after the authentication is successful.
Preferably, the encrypting the encrypted accessory identifier by using a second encryption algorithm and a second key agreed with the server to generate a signature verification string includes:
determining current timestamp information;
and encrypting the encrypted attachment identifier and the current timestamp information by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string.
Preferably, the method further comprises the following steps:
appointing a second encryption algorithm with the server in advance;
and receiving a second secret key which is distributed by the server and corresponds to the encrypted attachment identification.
A server, comprising:
a first memory for storing a program;
a first processor for uploading an attachment list having at least one cryptographic attachment identification by running the program; the encrypted accessory identifier is generated by encrypting the accessory identifier by adopting a first encryption algorithm and a first secret key;
receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification;
verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result;
and determining whether to feed back the accessory corresponding to the accessory identification to the access terminal or not based on the verification result.
An access terminal, comprising:
a second memory for storing a program;
the second processor is used for acquiring the encrypted attachment identification from the attachment list uploaded by the server by running the program; the encrypted attachment identifier is generated after the server encrypts the attachment identifier by adopting a first encryption algorithm and a first secret key;
encrypting the encrypted attachment identifier by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string;
sending the signature verification character string and the encrypted attachment identification to a server, so that the server verifies the access terminal based on the signature verification character string and the encrypted attachment identification to generate a verification result; and obtaining information fed back by the server based on the verification result.
According to the technical scheme, compared with the prior art, the attachment access method provided by the invention can be applied to a server, and an attachment list with at least one encrypted attachment identifier is uploaded; the encrypted accessory identifier is generated by encrypting the accessory identifier by adopting a first encryption algorithm and a first secret key; receiving a signature verification character string and the encrypted attachment identifier, which are encrypted by the access terminal through a second encryption algorithm and a second secret key agreed with the server, from the encrypted attachment identifier; verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result; and determining whether to feed back the accessory corresponding to the accessory identifier to the access terminal based on the verification result, thereby realizing access verification of the access terminal and ensuring the security of accessing the accessory.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flowchart of an accessory access method according to an embodiment of the present application;
fig. 2 is a partial schematic flow chart of an accessory access method according to a second embodiment of the present application;
fig. 3 is a partial schematic flow chart of an attachment access method according to a third embodiment of the present application;
fig. 4 is a partial flowchart of an attachment access method according to a fourth embodiment of the present application;
fig. 5 is a partial schematic flow chart of an attachment access method according to a fifth embodiment of the present invention;
fig. 6 is a schematic structural diagram of a server according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an access terminal according to a second embodiment of the apparatus of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the method of the present invention provides an attachment access method, which may be applied in a server, as shown in fig. 1, and the method includes the following steps:
step 101: uploading an attachment list having at least one cryptographic attachment identification;
the server can encrypt each attachment identifier by adopting a preset first encryption algorithm and a first key to generate an encrypted attachment identifier, and upload the encrypted attachment identifier in the attachment list, specifically to a platform which can be accessed by the access terminal, such as an externally open network platform.
The access terminal may be specifically a client terminal such as an electronic device.
Step 102: receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification;
the access terminal can access the attachment list and obtain the encrypted attachment identifier to be accessed from the attachment list, and if the access terminal has access authority, the access terminal can obtain a second encryption algorithm and a second secret key agreed with the server in advance, so that the obtained encrypted attachment identifier can be encrypted again by adopting the second encryption algorithm and the second secret key, a signature verification character string is generated, and the generated signature verification character string and the obtained encrypted attachment identifier are sent to the server.
Specifically, the server and the access terminal may pre-agree the second encryption algorithm and the second key in an offline manner. Optionally, a second encryption algorithm may be agreed with the access terminal in advance, and a second secret key corresponding to the encrypted accessory identifier is distributed to the access terminal, so that when the access terminal obtains the encrypted accessory identifier, the second secret key corresponding to the encrypted accessory identifier may be determined, and the encrypted accessory identifier is encrypted by using the agreed second encryption algorithm and the second secret key.
It should be noted that the first encryption algorithm and the second encryption algorithm may be the same, and the first secret key and the second secret key may be the same, and in order to improve the access security, it is preferable that the first encryption algorithm and the second encryption algorithm are different, and the first secret key and the second secret key are different.
Step 103: and verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result.
Step 104: and determining whether to feed back the accessory corresponding to the accessory identification to the access terminal or not based on the verification result.
Specifically, the determining whether to feed back the accessory corresponding to the accessory identifier to the access terminal based on the verification result may include the following steps:
if the verification fails, refusing to feed back the accessory corresponding to the accessory identification to the access terminal;
if the verification is passed, decrypting the encrypted accessory identifier based on the first encryption algorithm and the first secret key to obtain an accessory identifier;
searching an accessory storage path corresponding to the accessory identification in a preset corresponding relation;
and acquiring the attachment from the attachment storage path, and feeding back the attachment to the access terminal.
The server pre-establishes the corresponding relationship between various accessory identifications and the accessory storage paths corresponding to the accessory identifications, stores the accessory identifications and stores the accessory identifications in a data table, for example, the accessory identifications can be decrypted by searching the accessory storage paths corresponding to the accessory identifications based on the pre-established corresponding relationship, and then acquires the accessories.
It can be seen that, in the present embodiment, by uploading an attachment list having at least one encrypted attachment identifier; receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification; verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result; and determining whether to feed back the accessory corresponding to the accessory identifier to the access terminal based on the verification result, thereby realizing access verification of the access terminal and ensuring the security of accessing the accessory.
In this step, as shown in fig. 2, the verifying the access terminal based on the signature verification string and the encrypted accessory identifier to obtain a verification result includes the following steps:
step 201: decrypting the signature verification character string by using an agreed second encryption algorithm and a second secret key corresponding to the encrypted accessory identifier, judging whether decryption is successful, and if yes, entering step 202; if not, go to step 205;
the server and the access terminal with the access authority can agree with a second encryption algorithm and a second secret key corresponding to the encryption secret key identifier in advance, after the server receives the signature verification character string and the encryption accessory identifier, the server can determine the second secret key corresponding to the encryption accessory identifier and the second encryption algorithm agreed with the access terminal in advance, and then decrypt the signature verification character string by using the second encryption algorithm and the second secret key, so that whether decryption is successful is judged, if the second encryption algorithm used for decryption is consistent with the second encryption algorithm used for encryption of the access terminal, and the second secret key used for decryption is consistent with the second secret key used for encryption of the access terminal, decryption can be successful, otherwise, decryption can be failed.
Step 202: acquiring the decrypted encrypted attachment identifier;
step 203: judging whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification, if so, entering step 204; if not, go to step 205;
step 204: determining that the verification is successful;
step 205: it is determined that the authentication failed.
Through the mode, the server realizes the verification of the access terminal, if the verification is passed, the access terminal is confirmed to have the authority of accessing the accessory, and if the verification is failed, the access terminal is confirmed not to have the authority of accessing the accessory.
In this step, the signature verification string is obtained by encrypting the encrypted attachment identifier and the current timestamp information by the access point. Correspondingly, as shown in fig. 3, verifying the access terminal based on the signature verification string and the encrypted accessory identifier to obtain a verification result includes the following steps:
step 301: decrypting the signature verification character string by using an agreed second encryption algorithm and the second key corresponding to the encryption key identifier, judging whether decryption is successful, and if yes, entering step 302; if not, go to step 306;
the server and the access terminal with the access authority can agree with a second encryption algorithm and a second secret key corresponding to the encryption secret key identifier in advance, after the server receives the signature verification character string and the encryption accessory identifier, the server can determine the second secret key corresponding to the encryption accessory identifier and the second encryption algorithm agreed with the access terminal in advance, and then decrypt the signature verification character string by using the second encryption algorithm and the second secret key, so that whether decryption is successful is judged, if the second encryption algorithm used for decryption is consistent with the second encryption algorithm used for encryption of the access terminal, and the second secret key used for decryption is consistent with the second secret key used for encryption of the access terminal, decryption can be successful, otherwise, decryption can be failed.
Step 302: acquiring the decrypted encrypted attachment identification and the current timestamp information;
and the current timestamp information is the current time information obtained when the access terminal encrypts the encrypted attachment identifier.
Step 303: judging whether the access terminal is in the access timeliness or not based on the current timestamp information, if so, entering step 305; if not, go to step 306;
the server can preset an access time limit, judge whether the time length from the current timestamp information to the current time is within the access time limit, if so, indicate that the access is effective, if so, determine that the access is overtime, and then fail the verification.
Step 304: judging whether the decrypted encrypted attachment identifier is consistent with the received encrypted attachment identifier, if so, entering step 305; if not, go to step 306;
step 305: determining that the verification is passed;
step 306: it is determined that the authentication failed.
Through the mode, the server realizes the verification of the access terminal, if the verification is passed, the access terminal is confirmed to have the authority of accessing the accessory, and if the verification is failed, the access terminal is confirmed not to have the authority of accessing the accessory.
An accessory access method is provided in the fourth embodiment of the method of the present application, and is applied to an access end, as shown in fig. 4, the method includes the following steps:
step 401: acquiring an encrypted attachment identifier from an attachment list uploaded by a server; the encrypted attachment identifier is generated after the server encrypts the attachment identifier by adopting a first encryption algorithm and a first secret key;
the server can encrypt the attachment identifier by adopting a preset first encryption algorithm and a first key to generate an encrypted attachment identifier, and the encrypted attachment identifier is uploaded in the attachment list, and specifically can be uploaded to a platform which can be accessed by the access terminal, such as an externally open network platform.
Step 402: encrypting the encrypted attachment identifier by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string;
if the access terminal has the access right, the second encryption algorithm and the second secret key agreed with the server are obtained in advance, so that the obtained encrypted accessory identification can be encrypted again by adopting the second encryption algorithm and the second secret key, and the signature verification character string is generated.
Step 403: sending the signature verification character string and the encrypted attachment identification to a server, so that the server verifies the access terminal based on the signature verification character string and the encrypted attachment identification to generate a verification result;
the server and the access terminal with the access authority can agree with a second encryption algorithm and a second secret key corresponding to the encryption secret key identifier in advance, after the server receives the signature verification character string and the encryption accessory identifier, the server can determine the second secret key corresponding to the encryption accessory identifier and the second encryption algorithm agreed with the access terminal in advance, and then decrypt the signature verification character string by using the second encryption algorithm and the second secret key, so that whether decryption is successful is judged, if the second encryption algorithm used for decryption is consistent with the second encryption algorithm used for encryption of the access terminal, and the second secret key used for decryption is consistent with the second secret key used for encryption of the access terminal, decryption can be successful, otherwise, decryption is failed, and if decryption is failed, verification is determined to be failed.
And under the condition of successful decryption, the server can judge whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification, and if so, the server determines that the verification is successful or determines that the verification is failed due to inconsistency.
Preferably, the server may be provided with an access failure. Specifically, the encrypting the encrypted attachment identifier by using a second encryption algorithm and a second key agreed with the server to generate a signature verification string includes:
determining current timestamp information;
and encrypting the encrypted attachment identifier and the current timestamp information by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string.
In this case, since the server and the access terminal having the access right may agree in advance with the second encryption algorithm and the second key corresponding to the encryption key identifier, after receiving the signature verification string and the encryption accessory identifier, the server may determine the second secret key corresponding to the encryption accessory identifier and the second encryption algorithm agreed in advance with the access terminal, and decrypt the signature verification string using the second encryption algorithm and the second key, thereby determining whether decryption is successful, where if the second encryption algorithm used for decryption is consistent with the second encryption algorithm used for encryption by the access terminal, and if the second secret key used for decryption is consistent with the second secret key used for encryption by the access terminal, decryption can be successful, otherwise, decryption may be failed, and if decryption is failed, it is determined that authentication is failed.
And under the condition of successful decryption, the server can acquire the decrypted encrypted attachment identification and the current timestamp information, judge whether the access terminal is in the access timeliness or not based on the current timestamp information, if so, determine that the authentication is passed, and if not, determine that the authentication is failed.
Step 404: and obtaining information fed back by the server based on the verification result.
Wherein the obtaining information fed back by the server based on the verification result includes:
and acquiring the attachment corresponding to the attachment identification fed back by the server after the authentication is successful.
Optionally, the method may further include: and obtaining the refused provided attachment information fed back by the server after the authentication fails.
Specifically, the server may generate information for denying provision of the accessory to the access terminal when it is determined that the authentication fails; when the verification is confirmed to pass, decrypting the encrypted accessory identifier based on a preset first encryption algorithm and a first secret key to obtain the accessory identifier; searching an accessory storage path corresponding to the accessory identification in a preset corresponding relation; and acquiring the attachment from the attachment storage path, and feeding back the attachment to the access terminal.
The server pre-establishes the corresponding relationship between various accessory identifications and the accessory storage paths corresponding to the accessory identifications, stores the accessory identifications and stores the accessory identifications in a data table, for example, the accessory identifications can be decrypted by searching the accessory storage paths corresponding to the accessory identifications based on the pre-established corresponding relationship, and then acquires the accessories.
An accessory access method is provided in the fifth embodiment of the present application, and is applied to an access end, as shown in fig. 5, the method includes the following steps:
step 501: appointing a second encryption algorithm with the server in advance;
step 502: receiving a second secret key which is distributed by the server and corresponds to the encrypted attachment identifier;
specifically, the access terminal and the server may pre-agree on the second encryption algorithm and the second key in an offline manner.
Step 503: acquiring an encrypted attachment identifier from an attachment list uploaded by the server; the encrypted attachment identifier is generated after the server encrypts the attachment identifier by adopting a first encryption algorithm and a first secret key;
step 504: encrypting the encrypted attachment identifier by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string;
it should be noted that the first encryption algorithm and the second encryption algorithm may be the same, and in order to improve access security, it is preferable that the first encryption algorithm and the second encryption algorithm are different.
Step 505: sending the signature verification character string and the encrypted attachment identification to a server, so that the server verifies the access terminal based on the signature verification character string and the encrypted attachment identification to generate a verification result;
step 506: and obtaining information fed back by the server based on the verification result.
Therefore, in the embodiment, the access terminal acquires the encrypted attachment identifier from the attachment list uploaded by the server; the encrypted attachment identifier is generated after the server encrypts the attachment identifier by adopting a first encryption algorithm and a first secret key; encrypting the encrypted attachment identifier by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string; sending the signature verification character string and the encrypted attachment identification to a server, so that the server verifies the access terminal based on the signature verification character string and the encrypted attachment identification to generate a verification result; and obtaining the information fed back by the server based on the verification result, thereby realizing the access verification of the access terminal and ensuring the security of the access accessory.
Corresponding to the foregoing method for secure access to an accessory, an embodiment of the apparatus of the present application further provides a server, as shown in fig. 6, where the server includes: a first memory 601 and a first processor 602; wherein:
a first memory 601 for storing a program;
a first processor 602 for uploading an attachment list having at least one cryptographic attachment identification by running the program;
receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification;
verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result;
and determining whether to feed back the accessory corresponding to the accessory identification to the access terminal or not based on the verification result.
The first processor may encrypt each attachment identifier by using a preset first encryption algorithm and a first key to generate an encrypted attachment identifier, and upload the encrypted attachment identifier in the attachment list, specifically, may upload the encrypted attachment identifier to a platform accessible by the access terminal, such as an open-to-the-outside network platform.
The access terminal can access the attachment list and obtain the encrypted attachment identifier to be accessed from the attachment list, and if the access terminal has access authority, the access terminal can obtain a second encryption algorithm and a second secret key agreed with the server in advance, so that the obtained encrypted attachment identifier can be encrypted again by adopting the second encryption algorithm and the second secret key, a signature verification character string is generated, and the generated signature verification character string and the obtained encrypted attachment identifier are sent to the server.
Specifically, the server and the access terminal may pre-agree the second encryption algorithm and the second key in an offline manner. Optionally, the first processor may agree with the access terminal with a second encryption algorithm in advance, and allocate a second secret key corresponding to the encrypted accessory identifier to the access terminal, so that when the access terminal acquires the encrypted accessory identifier, the access terminal may determine the second secret key corresponding to the encrypted accessory identifier, and thereby encrypt the encrypted accessory identifier by using the agreed second encryption algorithm and the second secret key.
It should be noted that the first encryption algorithm and the second encryption algorithm may be the same, and the first secret key and the second secret key may be the same, and in order to improve the access security, it is preferable that the first encryption algorithm and the second encryption algorithm are different, and the first secret key and the second secret key are different.
Specifically, the determining whether to feed back the accessory corresponding to the accessory identifier to the access terminal based on the verification result may include the following steps:
if the verification fails, refusing to feed back the accessory corresponding to the accessory identification to the access terminal;
if the verification is passed, decrypting the encrypted accessory identifier based on the first encryption algorithm and the first secret key to obtain an accessory identifier;
searching an accessory storage path corresponding to the accessory identification in a preset corresponding relation;
and acquiring the attachment from the attachment storage path, and feeding back the attachment to the access terminal.
The first processor is pre-established with the corresponding relationship between various accessory identifications and accessory storage paths corresponding to the accessory identifications, and stores the accessory identifications and the accessory storage paths, for example, the accessory identifications can be stored in a data table, so that when the accessory identifications are decrypted, the accessory storage paths corresponding to the accessory identifications can be searched based on the pre-established corresponding relationship, and then the accessories are obtained.
It can be seen that, in the present embodiment, by uploading an attachment list having at least one encrypted attachment identifier; receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification; verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result; and determining whether to feed back the accessory corresponding to the accessory identifier to the access terminal based on the verification result, thereby realizing access verification of the access terminal and ensuring the security of accessing the accessory.
In a second embodiment of the apparatus of the present application, the first processor verifies the access terminal based on the signature verification string and the encrypted accessory identifier, and obtains a verification result, where the method specifically includes: decrypting the signature verification character string by using an agreed second encryption algorithm and a second secret key corresponding to the encrypted accessory identifier, and determining that the verification fails if the decryption fails; if the decryption is successful, acquiring the decrypted encrypted attachment identifier; judging whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification; if the verification is consistent, the verification is determined to be passed, and if the verification is not consistent, the verification is determined to be failed.
The server and the access terminal with the access authority can pre-agree a second encryption algorithm and a second secret key corresponding to the encryption secret key identifier, the first processor can determine the second secret key corresponding to the encryption accessory identifier and the second encryption algorithm pre-agreed with the access terminal after receiving the signature verification character string and the encryption accessory identifier, and then decrypt the signature verification character string by using the second encryption algorithm and the second secret key, so that whether decryption is successful is judged, if the second encryption algorithm used for decryption is consistent with the second encryption algorithm used for encryption of the access terminal, and the second secret key used for decryption is consistent with the second secret key used for encryption of the access terminal, decryption can be successful, otherwise, decryption can be failed.
In a third apparatus embodiment of the present application, the signature verification string is obtained by encrypting, by the access point, the encrypted attachment identifier and current timestamp information; the first processor verifies the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result, and the method comprises the following steps: decrypting the signature verification character string by using an agreed second encryption algorithm and a second secret key corresponding to the encrypted accessory identifier, and determining that the verification fails if the decryption fails; if the decryption is successful, acquiring the decrypted encrypted attachment identification and the current timestamp information; judging whether the access terminal is in the access timeliness or not based on the current timestamp information, and if not, determining that the verification fails; if yes, judging whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification; if the verification is consistent, the verification is determined to be passed, and if the verification is not consistent, the verification is determined to be failed.
The server and the access terminal with the access authority can pre-agree a second encryption algorithm and a second secret key corresponding to the encryption secret key identifier, the first processor can determine the second secret key corresponding to the encryption accessory identifier and the second encryption algorithm pre-agreed with the access terminal after receiving the signature verification character string and the encryption accessory identifier, and then decrypt the signature verification character string by using the second encryption algorithm and the second secret key, so that whether decryption is successful is judged, if the second encryption algorithm used for decryption is consistent with the second encryption algorithm used for encryption of the access terminal, and the second secret key used for decryption is consistent with the second secret key used for encryption of the access terminal, decryption can be successful, otherwise, decryption can be failed.
And the current timestamp information is the current time information obtained when the access terminal encrypts the encrypted attachment identifier. The first processor may preset an access time limit, determine whether the time length from the current timestamp information to the current time is within the access time limit, if so, indicate that the access is valid, and if so, determine that the access is overtime, and fail to verify.
Corresponding to the foregoing method for secure access to an accessory, a fourth embodiment of the apparatus of the present application further provides an access end, as shown in fig. 7, where the access end includes: a second memory 701 and a second processor 702; wherein:
a second memory 701 for storing a program;
a second processor 702, configured to obtain an encrypted attachment identifier from the attachment list uploaded by the server by running the program; the encrypted attachment identifier is generated after the server encrypts the attachment identifier by adopting a first encryption algorithm and a first secret key;
encrypting the encrypted attachment identifier by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string;
sending the signature verification character string and the encrypted attachment identification to a server, so that the server verifies the access terminal based on the signature verification character string and the encrypted attachment identification to generate a verification result; and obtaining information fed back by the server based on the verification result.
The server can encrypt the attachment identifier by adopting a preset first encryption algorithm and a first key to generate an encrypted attachment identifier, and the encrypted attachment identifier is uploaded in the attachment list, and specifically can be uploaded to a platform which can be accessed by the access terminal, such as an externally open network platform.
And if the access terminal has the access right, the access terminal acquires a second encryption algorithm and a second secret key agreed with the server in advance, so that the acquired encrypted attachment identifier can be encrypted again by adopting the second encryption algorithm and the second secret key to generate a signature verification character string.
The server and the access terminal with the access authority can agree with a second encryption algorithm and a second secret key corresponding to the encryption secret key identifier in advance, after the server receives the signature verification character string and the encryption accessory identifier, the server can determine the second secret key corresponding to the encryption accessory identifier and the second encryption algorithm agreed with the access terminal in advance, and then decrypt the signature verification character string by using the second encryption algorithm and the second secret key, so that whether decryption is successful is judged, if the second encryption algorithm used for decryption is consistent with the second encryption algorithm used for encryption of the access terminal, and the second secret key used for decryption is consistent with the second secret key used for encryption of the access terminal, decryption can be successful, otherwise, decryption is failed, and if decryption is failed, verification is determined to be failed.
And under the condition of successful decryption, the server can judge whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification, and if so, the server determines that the verification is successful or determines that the verification is failed due to inconsistency.
Preferably, the server may be provided with an access failure. Specifically, the second processor encrypts the encrypted accessory identifier by using a second encryption algorithm and a second key agreed with the server to generate a signature verification string, including:
determining current timestamp information;
and encrypting the encrypted attachment identifier and the current timestamp information by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string.
In this case, since the server and the access terminal having the access right may agree in advance with the second encryption algorithm and the second key corresponding to the encryption key identifier, after receiving the signature verification string and the encryption accessory identifier, the server may determine the second secret key corresponding to the encryption accessory identifier and the second encryption algorithm agreed in advance with the access terminal, and decrypt the signature verification string using the second encryption algorithm and the second key, thereby determining whether decryption is successful, where if the second encryption algorithm used for decryption is consistent with the second encryption algorithm used for encryption by the access terminal, and if the second secret key used for decryption is consistent with the second secret key used for encryption by the access terminal, decryption can be successful, otherwise, decryption may be failed, and if decryption is failed, it is determined that authentication is failed.
And under the condition of successful decryption, the server can acquire the decrypted encrypted attachment identification and the current timestamp information, judge whether the access terminal is in the access timeliness or not based on the current timestamp information, if so, determine that the authentication is passed, and if not, determine that the authentication is failed.
The second processor acquires information fed back by the server based on the verification result, and the information comprises:
and acquiring the attachment corresponding to the attachment identification fed back by the server after the authentication is successful.
Optionally, the second processor may be further configured to obtain a denial of provision of the accessory information fed back by the server after the authentication fails.
Specifically, the server may generate information for denying provision of the accessory to the access terminal when it is determined that the authentication fails; when the verification is confirmed to pass, decrypting the encrypted accessory identifier based on a preset first encryption algorithm and a first secret key to obtain the accessory identifier; searching an accessory storage path corresponding to the accessory identification in a preset corresponding relation; and acquiring the attachment from the attachment storage path, and feeding back the attachment to the access terminal.
The server pre-establishes the corresponding relationship between various accessory identifications and the accessory storage paths corresponding to the accessory identifications, stores the accessory identifications and stores the accessory identifications in a data table, for example, the accessory identifications can be decrypted by searching the accessory storage paths corresponding to the accessory identifications based on the pre-established corresponding relationship, and then acquires the accessories.
In a fifth embodiment of the apparatus of the present application, the second processor is further configured to agree with the server in advance for a second encryption algorithm; and receiving a second secret key which is distributed by the server and corresponds to the encrypted attachment identification.
Specifically, the access terminal and the server may pre-agree on the second encryption algorithm and the second key in an offline manner.
Features described in the embodiments in the present specification may be replaced with or combined with each other, each embodiment is described with a focus on differences from other embodiments, and the same and similar portions among the embodiments may be referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. An attachment access method applied to a server, the method comprising:
uploading an attachment list having at least one cryptographic attachment identification; the encrypted accessory identifier is generated by encrypting the accessory identifier by adopting a first encryption algorithm and a first secret key;
receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification;
verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result;
and determining whether to feed back the accessory corresponding to the accessory identification to the access terminal or not based on the verification result.
2. The method according to claim 1, wherein the deciding whether to feed back the accessory corresponding to the accessory identifier to the access terminal based on the authentication result comprises:
if the verification fails, refusing to feed back the accessory corresponding to the accessory identification to the access terminal;
if the verification is passed, decrypting the encrypted accessory identifier based on the first encryption algorithm and the first secret key to obtain an accessory identifier;
searching an accessory storage path corresponding to the accessory identification in a preset corresponding relation;
and acquiring the attachment from the attachment storage path, and feeding back the attachment to the access terminal.
3. The method according to claim 1, wherein the verifying the access terminal based on the signature verification string and the encrypted accessory identifier to obtain a verification result comprises:
decrypting the signature verification character string by using an agreed second encryption algorithm and a second secret key corresponding to the encrypted accessory identifier, and determining that the verification fails if the decryption fails;
if the decryption is successful, acquiring the decrypted encrypted attachment identifier;
judging whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification;
if the verification is consistent, the verification is determined to be passed, and if the verification is not consistent, the verification is determined to be failed.
4. The method of claim 1, wherein the signature verification string is encrypted by the access terminal for the encrypted attachment identification and current timestamp information;
correspondingly, the verifying the access terminal based on the signature verification character string and the encrypted accessory identifier to obtain a verification result includes:
decrypting the signature verification character string by using an agreed second encryption algorithm and a second secret key corresponding to the encrypted accessory identifier, and determining that the verification fails if the decryption fails;
if the decryption is successful, acquiring the decrypted encrypted attachment identification and the current timestamp information;
judging whether the access terminal is in the access timeliness or not based on the current timestamp information, and if not, determining that the verification fails; if yes, judging whether the decrypted encrypted attachment identification is consistent with the received encrypted attachment identification;
if the verification is consistent, the verification is determined to be passed, and if the verification is not consistent, the verification is determined to be failed.
5. An attachment access method is applied to an access terminal, and comprises the following steps:
acquiring an encrypted attachment identifier from an attachment list uploaded by a server; the encrypted attachment identifier is generated after the server encrypts the attachment identifier by adopting a first encryption algorithm and a first secret key;
encrypting the encrypted attachment identifier by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string;
sending the signature verification character string and the encrypted attachment identification to a server, so that the server verifies the access terminal based on the signature verification character string and the encrypted attachment identification to generate a verification result;
and obtaining information fed back by the server based on the verification result.
6. The method of claim 5, the obtaining information fed back by the server based on the verification result, comprising:
and acquiring the attachment corresponding to the attachment identification fed back by the server after the authentication is successful.
7. The method according to claim 5, wherein the encrypting the encrypted attachment identifier by using a second encryption algorithm agreed upon by the server and a second key to generate a signature verification string comprises:
determining current timestamp information;
and encrypting the encrypted attachment identifier and the current timestamp information by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string.
8. The method of claim 5, further comprising:
appointing a second encryption algorithm with the server in advance;
and receiving a second secret key which is distributed by the server and corresponds to the encrypted attachment identification.
9. A server, comprising:
a first memory for storing a program;
a first processor for uploading an attachment list having at least one cryptographic attachment identification by running the program; the encrypted accessory identifier is generated by encrypting the accessory identifier by adopting a first encryption algorithm and a first secret key;
receiving a signature verification character string encrypted by the access terminal for the encrypted attachment identification and the encrypted attachment identification;
verifying the access terminal based on the signature verification character string and the encrypted accessory identification to obtain a verification result;
and determining whether to feed back the accessory corresponding to the accessory identification to the access terminal or not based on the verification result.
10. An access terminal, comprising:
a second memory for storing a program;
the second processor is used for acquiring the encrypted attachment identification from the attachment list uploaded by the server by running the program; the encrypted attachment identifier is generated after the server encrypts the attachment identifier by adopting a first encryption algorithm and a first secret key;
encrypting the encrypted attachment identifier by using a second encryption algorithm and a second secret key agreed with the server to generate a signature verification character string;
sending the signature verification character string and the encrypted attachment identification to a server, so that the server verifies the access terminal based on the signature verification character string and the encrypted attachment identification to generate a verification result; and obtaining information fed back by the server based on the verification result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011309094.2A CN112434315B (en) | 2020-11-20 | 2020-11-20 | Attachment access method, server and access terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011309094.2A CN112434315B (en) | 2020-11-20 | 2020-11-20 | Attachment access method, server and access terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112434315A true CN112434315A (en) | 2021-03-02 |
CN112434315B CN112434315B (en) | 2022-09-20 |
Family
ID=74693054
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011309094.2A Active CN112434315B (en) | 2020-11-20 | 2020-11-20 | Attachment access method, server and access terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112434315B (en) |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU6156886A (en) * | 1985-08-30 | 1987-03-05 | Newport, A.J. + Son Pty. Ltd. | Label |
JP2004110163A (en) * | 2002-09-13 | 2004-04-08 | Ntt Power & Building Facilities Inc | Method, device and program for encrypting information transmission and recording medium thereof |
CN101651714A (en) * | 2009-07-16 | 2010-02-17 | 深圳市酷开网络科技有限公司 | Downloading method and related system and equipment |
CN102420821A (en) * | 2011-11-28 | 2012-04-18 | 飞天诚信科技股份有限公司 | Method and system for improving transmission security of file |
CN103166958A (en) * | 2013-02-26 | 2013-06-19 | 深圳创维数字技术股份有限公司 | Protection method and protection system of file |
CN104113552A (en) * | 2014-07-28 | 2014-10-22 | 百度在线网络技术(北京)有限公司 | Platform authorization method, platform server side, application client side and system |
CN104915601A (en) * | 2014-03-12 | 2015-09-16 | 三星电子株式会社 | System and method of encrypting folder in device |
CN105827574A (en) * | 2015-01-07 | 2016-08-03 | 中国移动通信集团设计院有限公司 | File access system, file access method and file access device |
CN106657152A (en) * | 2017-02-07 | 2017-05-10 | 腾讯科技(深圳)有限公司 | Authentication method, server and access control device |
CN110149354A (en) * | 2018-02-12 | 2019-08-20 | 北京京东尚科信息技术有限公司 | A kind of encryption and authentication method and device based on https agreement |
CN110771190A (en) * | 2017-06-22 | 2020-02-07 | 森特里克斯信息安全技术有限公司 | Controlling access to data |
CN110972070A (en) * | 2018-09-28 | 2020-04-07 | 苹果公司 | System and method for locating wireless accessories |
CN111177735A (en) * | 2019-07-30 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Identity authentication method, device, system and equipment and storage medium |
-
2020
- 2020-11-20 CN CN202011309094.2A patent/CN112434315B/en active Active
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU6156886A (en) * | 1985-08-30 | 1987-03-05 | Newport, A.J. + Son Pty. Ltd. | Label |
JP2004110163A (en) * | 2002-09-13 | 2004-04-08 | Ntt Power & Building Facilities Inc | Method, device and program for encrypting information transmission and recording medium thereof |
CN101651714A (en) * | 2009-07-16 | 2010-02-17 | 深圳市酷开网络科技有限公司 | Downloading method and related system and equipment |
CN102420821A (en) * | 2011-11-28 | 2012-04-18 | 飞天诚信科技股份有限公司 | Method and system for improving transmission security of file |
CN103166958A (en) * | 2013-02-26 | 2013-06-19 | 深圳创维数字技术股份有限公司 | Protection method and protection system of file |
CN104915601A (en) * | 2014-03-12 | 2015-09-16 | 三星电子株式会社 | System and method of encrypting folder in device |
CN104113552A (en) * | 2014-07-28 | 2014-10-22 | 百度在线网络技术(北京)有限公司 | Platform authorization method, platform server side, application client side and system |
CN105827574A (en) * | 2015-01-07 | 2016-08-03 | 中国移动通信集团设计院有限公司 | File access system, file access method and file access device |
CN106657152A (en) * | 2017-02-07 | 2017-05-10 | 腾讯科技(深圳)有限公司 | Authentication method, server and access control device |
CN110771190A (en) * | 2017-06-22 | 2020-02-07 | 森特里克斯信息安全技术有限公司 | Controlling access to data |
CN110149354A (en) * | 2018-02-12 | 2019-08-20 | 北京京东尚科信息技术有限公司 | A kind of encryption and authentication method and device based on https agreement |
CN110972070A (en) * | 2018-09-28 | 2020-04-07 | 苹果公司 | System and method for locating wireless accessories |
CN111177735A (en) * | 2019-07-30 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Identity authentication method, device, system and equipment and storage medium |
Non-Patent Citations (1)
Title |
---|
王伟宾等: "一种基于Web服务器的文件加密授权保护系统设计与实现", 《软件导刊》 * |
Also Published As
Publication number | Publication date |
---|---|
CN112434315B (en) | 2022-09-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102018971B1 (en) | Method for enabling network access device to access wireless network access point, network access device, application server and non-volatile computer readable storage medium | |
US7711122B2 (en) | Method and apparatus for cryptographic key storage wherein key servers are authenticated by possession and secure distribution of stored keys | |
US10454913B2 (en) | Device authentication agent | |
CN109005155B (en) | Identity authentication method and device | |
CN106571951B (en) | Audit log obtaining method, system and device | |
CN110990827A (en) | Identity information verification method, server and storage medium | |
US20030208681A1 (en) | Enforcing file authorization access | |
US20140281493A1 (en) | Provisioning sensitive data into third party | |
JP2013516685A (en) | System and method for enforcing computer policy | |
US20150052350A1 (en) | System and method for authenticating a user | |
CN112417385A (en) | Safety control method and system | |
CN113221128B (en) | Account and password storage method and registration management system | |
CN110505185A (en) | Auth method, equipment and system | |
CN112926046A (en) | Method and system for authenticating anonymous identification information of mobile terminal equipment for protecting equipment identification information | |
CN111639357A (en) | Encryption network disk system and authentication method and device thereof | |
CN117874806A (en) | Privacy joint computing method and device based on trusted execution environment | |
US8522046B2 (en) | Method, apparatus and system for acquiring service by portable device | |
US20090210719A1 (en) | Communication control method of determining whether communication is permitted/not permitted, and computer-readable recording medium recording communication control program | |
CN112261103A (en) | Node access method and related equipment | |
CN112434315B (en) | Attachment access method, server and access terminal | |
CN115941328A (en) | Sharable user data encryption processing method, device and system | |
CN115604034A (en) | Encryption and decryption method and system for communication connection and electronic equipment | |
CN114239000A (en) | Password processing method, device, computer equipment and storage medium | |
CN111181722A (en) | Authentication method and system | |
CN116318899B (en) | Data encryption and decryption processing method, system, equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |